
DNS everything looks ok but get: Query refused

MPimentel asked:
Ok guys, here is the story:
I have installed 6 networks so far, 6 different forests and therefore domains. In all cases DNS runs on the same machine as Active Directory: one server in 5 cases and three in the 6th case (two DCs and a member). When I query DNS prior to installing AD using ls -d mydomain.com I get results for the query; query by type? No problem. Then I run the AD installation and DCPROMO detects the DNS server (don't forget: on the same machine) and installs smoothly, no errors whatsoever. Clients log in, resolve using DNS, everything fine. BUT! I go to DNS Manager, try the lying Monitoring tab and the tests pass. When I type NSLOOKUP this is what I get:

> ls -d mydomain.org
[myserver.mydomain.org]
*** Can't list domain mydomain: Query refused
>

Asked everyone I know, teachers @ MCSE class, Microsoft white papers; never found pages and I cannot get it to work. However, I know clients are resolving using DNS. Other queries pass, forwarding to the ISP DNS is ok. This is in all of these networks, so it must be me. If you need the sequence of steps that I follow to install DNS and AD, let me know.
Thank you very much

CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Is the IP address of the machine you are running nslookup from listed as an IP address that zone transfer is allowed to? If not, you will be able to do individual record lookups but not ls, which is in effect a zone file transfer.

Under the properties of each zone file, on the Zone Transfers tab. You can even stop LS working on the server itself if you tick "only to the following servers" and don't enter your own IP address.
CERTIFIED EXPERT
Top Expert 2007

Commented:
Are there any events in the event log that may pertain to this ?

Post the errors / warnings here.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
If I'm right there ought to be warning event 6004: The DNS server received a zone transfer request from <ip address> for a non-existent or non-authoritative zone <domain name>.

This is as it should be, you shouldn't allow just anything to grab a full copy of the zone.

Author

Commented:
SysExpert:
Since day 1 the only DNS event viewer messages are information of zone version written.

AndYalder:
Comment 1: Allow Zone transfers is cleared because there is only one DNS server on this network.
Comment 2: Same answer as SysExpert.

When I check "All IP Addresses" for the server to listen for DNS requests on all interfaces I get the warning of your second comment, but there is no need to listen on all IP addresses because there is only one DNS server, the network is less than 50 and I use the other NIC for other purposes.

Thank you very much guys, please comment.

CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
If "allow zone transfers" is cleared then the LS command under NSLOOKUP will fail. All the other nslookup commands will work but LS will not. Thought I already said that.

How do you think nslookup performs the LS command? Does it request the A record for www.domain.com and then request www1.domain.com and then www2.domain.com and guess all the other possible hostnames that are on your network??? No, it requests a zone transfer, but you have the checkbox cleared.

Tick the checkbox to allow transfers, then "only to the following servers", and enter the server's IP address(es) as the only allowed host. Then LS will work from the server.

If the server is dual homed then I don't think there is any way to define which interface DNS thinks the query is coming in on so you probably would have to allow DNS requests on both interfaces.

Once you have done the experiment and got your list you can set it to deny zone transfers again.
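The procedure in the comment above (check who may pull the zone, allow transfers to the server's own addresses just long enough to run ls, then deny again), as an added PowerShell example that is not part of the original thread. It assumes the DnsServer module (Windows Server 2012 or later) and the zone name mydomain.org from the question; the event-log and record-listing steps are added checks a practitioner would want before touching the transfer setting at all.

```powershell
# Added example, not from the thread: audit zone-transfer settings on a Windows
# DNS server, allow transfers to the server's own addresses only long enough to
# run `nslookup ls -d`, then restore the original setting.
# Assumptions: DnsServer module present; zone name below is a placeholder.
Import-Module DnsServer

$zoneName = 'mydomain.org'

# 1. Audit: zone-transfer policy of every primary zone on this server.
#    SecureSecondaries is one of NoTransfer, TransferAnyServer,
#    TransferToZoneNameServer, TransferToSecureServers.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Select-Object ZoneName, IsDsIntegrated, SecureSecondaries, SecondaryServers |
    Format-Table -AutoSize

# TransferAnyServer hands a full copy of the zone to anyone who asks, so flag it.
Get-DnsServerZone |
    Where-Object { $_.SecureSecondaries -eq 'TransferAnyServer' } |
    ForEach-Object { Write-Warning "Zone $($_.ZoneName) allows zone transfer to any server" }

# 2. Refused transfer requests are logged as event 6004 in the DNS Server log.
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 6004 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message

# 3. If all you want is the zone contents, the management API lists them on the
#    server without any transfer permission; `ls -d` is not the only way.
Get-DnsServerResourceRecord -ZoneName $zoneName | Format-Table -AutoSize

# 4. To make `ls -d` work from the server itself, allow transfers to its own
#    addresses only. On a dual-homed server include every interface, because the
#    request may arrive on either one.
$before = Get-DnsServerZone -Name $zoneName
$selfAddrs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -ne '127.0.0.1' } |
    Select-Object -ExpandProperty IPAddress
Set-DnsServerPrimaryZone -Name $zoneName -SecureSecondaries TransferToSecureServers -SecondaryServers $selfAddrs

# nslookup reads its interactive commands from stdin when "-" is given as the
# host, so the listing can be scripted against one of the allowed addresses.
"ls -d $zoneName" | nslookup - @($selfAddrs)[0]

# 5. Put the previous transfer policy back once the listing is in hand.
if ($before.SecureSecondaries -eq 'TransferToSecureServers') {
    Set-DnsServerPrimaryZone -Name $zoneName -SecureSecondaries TransferToSecureServers -SecondaryServers $before.SecondaryServers
} else {
    Set-DnsServerPrimaryZone -Name $zoneName -SecureSecondaries $before.SecureSecondaries
}
```

On servers without the DnsServer module the same policy is reachable through dnscmd (`dnscmd /ZoneResetSecondaries <zone> /SecureList <ip>` to restrict, `/NoXfr` to deny), which is what the Zone Transfers tab writes behind the scenes.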

Commented:
I have the same problem; allow transfers to any server is checked. The ls -d domain.org works if you run it on the server, but if you run it on the workstation it does not work. Another strange thing: running the self test on the server gets "PASS", but when I run the self test from my remote workstation I get "FAIL".

Author

Commented:
This comment in fact solved the problem of NSLOOKUP displaying query refused, but I am sure that I do not need to set allow zone transfers just for nslookup to work, because I have only one DNS server on this network. Thanks for your comments and sorry for the delay.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
> This comment in fact solved the problem of NSLOOKUP displaying query refused, but I am sure that I do not need to set allow zone transfers just for nslookup to work, because I have only one DNS server on this network. Thanks for your comments and sorry for the delay.

I'll try to explain it one more time...

The nslookup.exe diagnostic tool that comes with the operating system is very clever. It has the ability to look up individual DNS records just like your browser can find a website; no permissions are required to locate an individual public webserver, or I couldn't get to devx.experts-exchange.com.

The same nslookup tool is also able to list out the full list of hosts in your domain, but it does not do it by requesting all the possible names from aaaa.domain.com up to zzzz.domain.com, since this brute-force querying could take hours; instead it asks for the full contents of the zone file for that domain from your server via a TCP connection. Your server has the checkbox set to refuse this transfer of the zone file.

It's only a diagnostic tool and the fact that it fails does not mean your server is set up wrong.
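What the explanation above describes, shown on the wire as an added example that is not part of the original thread: `ls -d` opens a TCP connection to port 53 and sends a single AXFR query (QTYPE 252) for the zone. The server either starts streaming the zone (first message carries the SOA) or answers with RCODE 5, REFUSED, which nslookup prints as "Query refused". The function below builds that query by hand with .NET sockets and decodes the RCODE, so the same probe can be run from the server and from a workstation to see the difference the transfer list makes. The server address and zone name at the bottom are assumed placeholders.

```powershell
# Added example, not from the thread: send one AXFR query over TCP and report the
# RCODE, which is exactly the exchange behind `nslookup` + `ls -d`.
# Assumptions: the server and zone passed in are placeholders for your own.
function Invoke-DnsAxfrProbe {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Zone
    )

    # 12-byte header: random ID, flags 0 (standard query), QDCOUNT 1, other counts 0
    $id = Get-Random -Minimum 1 -Maximum 65535
    [byte[]] $header = @(
        ($id -shr 8), ($id -band 0xFF),
        0x00, 0x00,
        0x00, 0x01,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00
    )
    # QNAME as length-prefixed labels, then QTYPE 252 (AXFR) and QCLASS 1 (IN)
    $qname = [System.Collections.Generic.List[byte]]::new()
    foreach ($label in $Zone.TrimEnd('.').Split('.')) {
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $qname.Add([byte]$bytes.Length)
        $qname.AddRange($bytes)
    }
    $qname.Add(0)
    [byte[]] $question = $qname.ToArray() + [byte[]]@(0x00, 0xFC, 0x00, 0x01)
    [byte[]] $msg = $header + $question

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($Server, 53)
        $stream = $client.GetStream()
        $stream.ReadTimeout = 5000
        # DNS over TCP prefixes every message with a 2-byte big-endian length (RFC 1035 4.2.2)
        $stream.Write([byte[]]@(($msg.Length -shr 8), ($msg.Length -band 0xFF)), 0, 2)
        $stream.Write($msg, 0, $msg.Length)

        $lenBuf = New-Object byte[] 2
        if ($stream.Read($lenBuf, 0, 2) -ne 2) { throw "connection closed before a reply arrived" }
        $len   = ($lenBuf[0] -shl 8) -bor $lenBuf[1]
        $reply = New-Object byte[] $len
        $read  = 0
        while ($read -lt $len) {
            $n = $stream.Read($reply, $read, $len - $read)
            if ($n -le 0) { throw "short read from server" }
            $read += $n
        }
    } finally {
        $client.Dispose()
    }

    # Only the first reply message is decoded: its RCODE tells us whether the
    # transfer was permitted, and a permitted AXFR carries the SOA as answer 1.
    $rcode   = $reply[3] -band 0x0F
    $ancount = ($reply[6] -shl 8) -bor $reply[7]
    $names   = @{ 0 = 'NOERROR'; 1 = 'FORMERR'; 2 = 'SERVFAIL'; 3 = 'NXDOMAIN'; 4 = 'NOTIMP'; 5 = 'REFUSED'; 9 = 'NOTAUTH' }
    [pscustomobject]@{
        Server                = $Server
        Zone                  = $Zone
        Rcode                 = $rcode
        Status                = $(if ($names.ContainsKey($rcode)) { $names[$rcode] } else { "RCODE $rcode" })
        AnswersInFirstMessage = $ancount
    }
}

# Run once from the DNS server and once from a workstation: with transfers limited
# to the server's own addresses, the workstation sees Rcode 5 (REFUSED), the server
# sees NOERROR with at least one answer. Values below are placeholders.
Invoke-DnsAxfrProbe -Server '192.0.2.10' -Zone 'mydomain.org'
```

A REFUSED here is the server doing its job; the result to worry about is NOERROR from an address that is not a secondary of yours, which means the whole host list is available to anyone who asks.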

Commented:
Ghouse:

I was having the same problem, but the actual issue was with the reverse lookup zone corresponding to my DNS server subnet. It was a secondary zone; I deleted it and recreated it as a primary, Active Directory-integrated zone. Everything started working fine.

Commented:
Please forward to me... joeg