Windows 2003 DNS forwarder

Charles Blair · Nov 30, 2004

I have setup a DNS forwarder but I cannot get it to resolve.

Here is the debug output for a query to www.google.com

15:39:07 0E0 PACKET UDP Rcv 10.1.1.4 0007 Q [0001 D NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:07 0E0 PACKET UDP Snd 202.12.27.33 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:09 0E0 PACKET UDP Rcv 10.1.1.4 0008 Q [0001 D NOERROR]
(3)www(6)google(3)com(0)

15:39:09 0E0 PACKET UDP Snd 192.228.79.201 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:11 5A0 PACKET UDP Snd 192.228.79.201 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:13 5A0 PACKET UDP Snd 192.228.79.201 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:15 5A0 PACKET UDP Snd 192.228.79.201 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:15 5A0 PACKET UDP Snd 192.228.79.201 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:17 5A0 PACKET UDP Snd 192.228.79.201 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:17 5A0 PACKET UDP Snd 192.228.79.201 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:19 5A0 PACKET UDP Snd 192.228.79.201 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:19 5A0 PACKET UDP Snd 202.12.27.33 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:21 5A0 PACKET UDP Snd 202.12.27.33 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:21 5A0 PACKET UDP Snd 202.12.27.33 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:23 5A0 PACKET UDP Snd 10.1.1.4 0007 R Q [8281 DR SERVFAIL]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:25 5A0 PACKET UDP Snd 10.1.1.4 0008 R Q [8281 DR SERVFAIL]
(3)www(6)google(3)com(0)

It tries to go out through several root servers but no data is returned from
the query.

The DNS server is setup with all defaults.

The server NIC is visible on the network and setup with a gateway that our
Windows 2000 DNS forwarders use with no issues.

Any help is greatly appreciated.

TIA

Charles

Deji Akomolafe · Nov 30, 2004

dnscmd /enableednsprobes 0

restart dns. try again

--

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

Charles Blair said:
I have setup a DNS forwarder but I cannot get it to resolve.

Here is the debug output for a query to www.google.com

15:39:07 0E0 PACKET UDP Rcv 10.1.1.4 0007 Q [0001 D NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:07 0E0 PACKET UDP Snd 202.12.27.33 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:09 0E0 PACKET UDP Rcv 10.1.1.4 0008 Q [0001 D NOERROR]
(3)www(6)google(3)com(0)

15:39:09 0E0 PACKET UDP Snd 192.228.79.201 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:11 5A0 PACKET UDP Snd 192.228.79.201 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:13 5A0 PACKET UDP Snd 192.228.79.201 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:15 5A0 PACKET UDP Snd 192.228.79.201 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:15 5A0 PACKET UDP Snd 192.228.79.201 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:17 5A0 PACKET UDP Snd 192.228.79.201 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:17 5A0 PACKET UDP Snd 192.228.79.201 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:19 5A0 PACKET UDP Snd 192.228.79.201 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:19 5A0 PACKET UDP Snd 202.12.27.33 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:21 5A0 PACKET UDP Snd 202.12.27.33 1840 Q [0000 NOERROR]

(3)www(6)google(3)com(0)

15:39:21 5A0 PACKET UDP Snd 202.12.27.33 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:23 5A0 PACKET UDP Snd 10.1.1.4 0007 R Q [8281 DR SERVFAIL]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:25 5A0 PACKET UDP Snd 10.1.1.4 0008 R Q [8281 DR SERVFAIL]
(3)www(6)google(3)com(0)

It tries to go out through several root servers but no data is returned from
the query.

The DNS server is setup with all defaults.

The server NIC is visible on the network and setup with a gateway that our
Windows 2000 DNS forwarders use with no issues.

Any help is greatly appreciated.

TIA

Charles

Charles Blair · Nov 30, 2004

/enablednsprobes is not a valid command line switch for dnscmd

I can browse from the server, so I know I have internet connectivity.

There is no filter or firewall that is blocking this server.

All my Windows 2000 DNS forwarders are functioning with no issues.

Any other ideas?

Thanks.

Charles

Deji Akomolafe said:
dnscmd /enableednsprobes 0

restart dns. try again

--

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

Charles Blair said:

I have setup a DNS forwarder but I cannot get it to resolve.

Here is the debug output for a query to www.google.com

15:39:07 0E0 PACKET UDP Rcv 10.1.1.4 0007 Q [0001 D NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:07 0E0 PACKET UDP Snd 202.12.27.33 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:09 0E0 PACKET UDP Rcv 10.1.1.4 0008 Q [0001 D NOERROR]
(3)www(6)google(3)com(0)

15:39:09 0E0 PACKET UDP Snd 192.228.79.201 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:11 5A0 PACKET UDP Snd 192.228.79.201 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:13 5A0 PACKET UDP Snd 192.228.79.201 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:15 5A0 PACKET UDP Snd 192.228.79.201 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:15 5A0 PACKET UDP Snd 192.228.79.201 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:17 5A0 PACKET UDP Snd 192.228.79.201 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:17 5A0 PACKET UDP Snd 192.228.79.201 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:19 5A0 PACKET UDP Snd 192.228.79.201 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:19 5A0 PACKET UDP Snd 202.12.27.33 3838 Q [0000 NOERROR]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:21 5A0 PACKET UDP Snd 202.12.27.33 1840 Q [0000

Click to expand...

NOERROR]

(3)www(6)google(3)com(0)

15:39:21 5A0 PACKET UDP Snd 202.12.27.33 1840 Q [0000 NOERROR]
(3)www(6)google(3)com(0)

15:39:23 5A0 PACKET UDP Snd 10.1.1.4 0007 R Q [8281 DR SERVFAIL]
(3)www(6)google(3)com(6)MYDOMAIN(3)COM(0)

15:39:25 5A0 PACKET UDP Snd 10.1.1.4 0008 R Q [8281 DR SERVFAIL]
(3)www(6)google(3)com(0)

It tries to go out through several root servers but no data is returned from
the query.

The DNS server is setup with all defaults.

The server NIC is visible on the network and setup with a gateway that our
Windows 2000 DNS forwarders use with no issues.

Any help is greatly appreciated.

TIA

Charles

Click to expand...

Kevin D. Goodknecht Sr. [MVP] · Nov 30, 2004

In

Charles Blair said:
/enablednsprobes is not a valid command line switch for
dnscmd

I can browse from the server, so I know I have internet
connectivity.

There is no filter or firewall that is blocking this
server.

All my Windows 2000 DNS forwarders are functioning with
no issues.

Any other ideas?

So you don't have a Pix firewall?

Charles Blair · Nov 30, 2004

Yes ... I have a PIX firewall, which with this information, I did a search
on google and found the resolution to the problem.

Also, the dnscmd command is /Config /EnableEDnsProbes 0 which is what threw
me off on the previous post.

Everything is working great now.

Thanks for your help Kevin and Dèjì.

Charles

Kevin D. Goodknecht Sr. [MVP] · Nov 30, 2004

In

Charles Blair said:
Yes ... I have a PIX firewall, which with this
information, I did a search on google and found the
resolution to the problem.

Also, the dnscmd command is /Config /EnableEDnsProbes 0
which is what threw me off on the previous post.

Everything is working great now.

You should have fixed the Pix to allow UDP packets up to the MTU of the
link, that was the proper fix. Disabling EDNS is only a workaround to the
real fix. Your DNS server is more efficient if it can use EDNS because when
it has to use UDP packets of 512 bytes some packets will be truncated and
data lost. It will then have to make the query again using TCP which
requires more overhead to set up the connection.

Deji Akomolafe · Dec 1, 2004

What you said is mostly correct, Kevin. However, there are still a lot of
routers out there that do not understand EDNS, so letting your DNS talk EDNS
is a sure way to ensure that it will not be able to talk to many other
devices out there. I just find it easier to slow down and let the rest catch
up a little

--

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

Deji Akomolafe · Dec 1, 2004

My bad, Charles. I typed that in a hurry. I should learn not to do that
"often"

--

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

Windows 2003 DNS forwarder

Charles Blair

Deji Akomolafe

Charles Blair

Kevin D. Goodknecht Sr. [MVP]

Charles Blair

Kevin D. Goodknecht Sr. [MVP]

Deji Akomolafe

Deji Akomolafe