DNS server does not resolve external queries.

I have 2 DNS servers for my internal network.  One is the main domain controller, running win2K.  It works fine.  The second is a 2003 server and is also a domain controller...  When I try to resolve internal addresses it works fine... external addresses always fail though... I've looked through the settings and can't see anything wrong...

Any ideas?
what is the DNS on the 2003 server pointing to?
cymrich (Author) Commented:
by "pointing" do you mean "what is it set to under the forwarding tab"?  

If so, it is set to "all other DNS domains"... same as the one that is working.
Make sure your DNS forwarder is set correctly. Also, make sure there is no rule on your firewall blocking ping from going out.
Were you able to ping by IP externally?
cymrich (Author) Commented:
just turned on some logging... tried going to google.. this is what I came up with...

11:51:49 404 PACKET  UDP Snd    0ab2   Q [0000       NOERROR] (3)www(6)google(3)com(0)
11:51:50 404 PACKET  UDP Rcv    22d5   Q [0001   D   NOERROR] (3)www(6)google(3)com(0)
11:51:51 370 PACKET  UDP Rcv    22d5   Q [0001   D   NOERROR] (3)www(6)google(3)com(0)
11:51:52 7DC PACKET  UDP Snd     0ab2   Q [0000       NOERROR] (3)www(6)google(3)com(0)
11:51:53 404 PACKET  UDP Rcv    22d5   Q [0001   D   NOERROR] (3)www(6)google(3)com(0)
11:51:56 7DC PACKET  UDP Snd      0ab2   Q [0000       NOERROR] (3)www(6)google(3)com(0)
11:51:56 7DC PACKET  UDP Snd  0ab2   Q [0000       NOERROR] (3)www(6)google(3)com(0)
11:51:57 404 PACKET  UDP Rcv    22d5   Q [0001   D   NOERROR] (3)www(6)google(3)com(0)
11:52:00 7DC PACKET  UDP Snd  0ab2   Q [0000       NOERROR] (3)www(6)google(3)com(0)
11:52:00 7DC PACKET  UDP Snd     0ab2   Q [0000       NOERROR] (3)www(6)google(3)com(0)
11:52:04 7DC PACKET  UDP Snd    22d5 R Q [8281   DR SERVFAIL] (3)www(6)google(3)com(0)
cymrich (Author) Commented:
all ICMP is blocked at the firewall, incoming and outgoing, but DNS does not need that to work.  It did work fine for a long time, and I don't see anything in event viewer that tells me when it stopped working... the primary DNS server has worked fine the whole time so it was not noticeable when the second one stopped working, and the only reason I found it was because I configured a WAP that would only allow 1 DNS server entry, and I put in both... it overwrote the first one entered with the 2nd.

Valentin Nikolov (System and Network Administrator) Commented:
It looks like that: if you put a forwarder (the IP of the main domain controller, running win2K) on the win 2003 domain controller, it will work.

cymrich (Author) Commented:
but wouldn't that just make it so it sends all the queries to the main domain controller and doesn't actually work itself?    I can see how that would indeed work, but I need it to work independently (it's supposed to be a backup DNS in case the primary dies).
cymrich (Author) Commented:
I googled the error from the log and found a post about disabling EDNS... after installing the support tools so I could use the dnscmd command line utility, I ran "dnscmd /config /enableednsprobes 0".

This has fixed the issue...

Thanks for all the suggestions though everyone.
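
The debug log posted earlier in the thread already shows the failure pattern: the server's outbound query (XID 0ab2) is sent repeatedly with no reply logged, and the client query (XID 22d5) finally gets SERVFAIL. As an added example (not part of the original thread), this Python script parses lines in that format and reports the pattern; the function names are illustrative, and the optional remote-IP column is an assumption, since the paste does not include one.

```python
import re
from collections import Counter

# Debug-log lines as posted in the thread (column spacing normalised).
SAMPLE = """\
11:51:49 404 PACKET UDP Snd 0ab2   Q [0000      NOERROR] (3)www(6)google(3)com(0)
11:51:50 404 PACKET UDP Rcv 22d5   Q [0001   D  NOERROR] (3)www(6)google(3)com(0)
11:51:51 370 PACKET UDP Rcv 22d5   Q [0001   D  NOERROR] (3)www(6)google(3)com(0)
11:51:52 7DC PACKET UDP Snd 0ab2   Q [0000      NOERROR] (3)www(6)google(3)com(0)
11:51:53 404 PACKET UDP Rcv 22d5   Q [0001   D  NOERROR] (3)www(6)google(3)com(0)
11:51:56 7DC PACKET UDP Snd 0ab2   Q [0000      NOERROR] (3)www(6)google(3)com(0)
11:51:56 7DC PACKET UDP Snd 0ab2   Q [0000      NOERROR] (3)www(6)google(3)com(0)
11:51:57 404 PACKET UDP Rcv 22d5   Q [0001   D  NOERROR] (3)www(6)google(3)com(0)
11:52:00 7DC PACKET UDP Snd 0ab2   Q [0000      NOERROR] (3)www(6)google(3)com(0)
11:52:00 7DC PACKET UDP Snd 0ab2   Q [0000      NOERROR] (3)www(6)google(3)com(0)
11:52:04 7DC PACKET UDP Snd 22d5 R Q [8281   DR SERVFAIL] (3)www(6)google(3)com(0)
"""

LINE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+"
    r"(?:(?P<peer>[0-9A-Fa-f.:]+)\s+)?"  # remote IP (assumed optional; absent in the paste)
    r"(?P<xid>[0-9a-f]{4})\s+(?P<resp>R\s+)?(?P<opcode>\w)\s+"
    r"\[(?P<flags>[0-9a-f]{4})\s+(?P<chars>[A-Z ]*?)\s*(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qname>\S+)\s*$")

def decode_qname(raw):
    """Turn the log's '(3)www(6)google(3)com(0)' form into 'www.google.com'."""
    return ".".join(lbl for lbl in re.findall(r"\(\d+\)([^()]*)", raw) if lbl)

def unanswered_forwards(log_text):
    """Return (outbound queries with no reply logged, error responses sent to clients)."""
    sent, answered, failures = Counter(), set(), []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a PACKET line in this format
        key = (m["xid"], decode_qname(m["qname"]))
        is_response = m["resp"] is not None
        if m["dir"] == "Snd" and not is_response:
            sent[key] += 1            # query this server sent out
        elif m["dir"] == "Rcv" and is_response:
            answered.add(key)         # a reply came back for it
        elif m["dir"] == "Snd" and is_response and m["rcode"] != "NOERROR":
            failures.append((*key, m["rcode"]))
    return {k: n for k, n in sent.items() if k not in answered}, failures

if __name__ == "__main__":
    print(unanswered_forwards(SAMPLE))
```
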
Valentin Nikolov (System and Network Administrator) Commented:
ok, it's better :)
PAQed with points refunded (500)

Community Support Moderator


Question has a verified solution.
