What is wrong with my DNS Server?

Got a call from a customer today who reports exceptionally slow Internet and the inability to get to MOST sites. When they connect to the neighbor's open wireless they have no problems. The DNS server (10.0.2.10) is assigned by the DHCP server (also 10.0.2.10), and the default gateway is 10.0.2.1 (a Cisco ASA connected to the Internet with a PPPoE DSL connection). The server is Windows 2003 Std R2. Its IP address is 10.0.2.10 /255.255.255.0 with a DGW of 10.0.2.1.

When I connect to the server I can see the DNS server listed as 127.0.0.1. I tried adding opendns.com as forwarders, and that APPEARED to help intermittently, but there are still definite issues. I removed the forwarders at this time. When I do an nslookup it USUALLY times out, but sometimes returns correct information. Even just putting opendns numbers in for the DNS server doesn't seem to resolve the issue.

I can connect to the server without issues, but cannot do tracert or ping diagnostic tests because the Cisco is programmed to block them, inbound and outbound. I do not yet have access to change this.

This server is a DC that is clearly not set up right (it's on the 10.0.2.0 network, but AD Sites shows all 3 DCs in the domain as being in the same site, despite having different networks). Strangely, there aren't tons of errors in the event log like I would expect to see. While clearly wrong, I don't THINK that's the issue, as it's been working for quite a while (it stopped working Monday).

The users also report other DNS-related weirdness, including some users being able to access some sites but not others, and some users being able to access sites others can't access. There is no filtering solution in place, they are all on the same subnet, and there are no special rules in the firewall that could account for this.

When I run an nslookup on a site like microsoft.com, and set the debug mode on I get the output shown in the code section. SERVERDOMAIN is the customer's domain.

If I use microsoft.com. (with the period at the end) it seems to work perfectly. However, if I do a different domain (such as google.com) it fails, whether I append the . at the end or not.

Now, after using the . at the end it resolves correctly whether I put the . at the end or not.
Setting the timeout to 5 seconds didn't seem to resolve the issue. The network connection is business DSL, and shows plenty of available bandwidth.

HEADER:
opcode = QUERY, id = 9, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
 
QUESTIONS:
microsoft.com.SERVERDOMAIN.local, type = A, class = IN
AUTHORITY RECORDS:
SERVERDOMAIN.local
ttl = 3600 (1 hour)
primary name server
responsible mail addr
serial
refresh
retry
expire
default TTL
---------
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
*** Request to localhost timed out

Asked by: Eric_Price
 
Darius Ghassem commented:
For DNS in your TCP/IP settings you should have the IP address of the server, not the 127.0.0.1 address, which can cause slowness. Also, setting up updated DNS forwarders from your ISP is the correct way to set up external DNS resolution.

Eric_Price (author) commented:
I tried it both ways. I was only reporting the way it was when I found it. Making the DNS server equal to the server's own IP address (10.0.2.10) and setting up forwarders from opendns.com SEEMED to marginally improve the rate of returns from nslookup commands, but definitely not well enough for me to call it "fixed".

Darius Ghassem commented:
I would use your ISP DNS servers which can be retrieved by calling them to get the most updated which should fix your problem.

Eric_Price (author) commented:
I tried qwest's DNS servers as well. No improvement.

Darius Ghassem commented:
Go into DNS and Clear your DNS cache.

Eric_Price (author) commented:
Done. I also used ipconfig /flushdns. Neither helped.

Darius Ghassem commented:
Now I'm thinking it might be a hardware issue.

Eric_Price (author) commented:
I've never had this kind of DNS trouble in a site this size. It isn't like they have anything particularly complicated going on. I almost suspect something in the Cisco, but I can't explain why it would be intermittent. There's no indication of any hardware issues on the server or with the Internet connection. I maintained my connection to the network all last night, and the users report no issues with saving files on the server. I turned debug on, but didn't see anything obvious. That said, my only debug reading experience is from textbooks. I'd be happy to post the logs if someone can decipher them.

Darius Ghassem commented:
I'm thinking Cisco because all the settings are set up correctly.

DrDave242 commented:
The problem is that your local DNS suffix is being appended to the query.  In the nslookup output you posted, it's querying the server for "microsoft.com.SERVERDOMAIN.local," which obviously doesn't exist.  The server is authoritative for SERVERDOMAIN.local, so it returns a "non-existent domain" (NXDOMAIN) response to that query.  This is typical behavior.  What isn't typical is that after receiving the NXDOMAIN response, the resolver doesn't repeat the query without the suffix appended.

Flush the DNS cache on the client and the server, then open nslookup on the client again and type "set d2" instead of "set debug," which will give even more verbose information.  Run a query for an external domain again and post the full output here.  (You can blank out any addresses you don't want revealed.)

Eric_Price (author) commented:
OK - Current configuration
Network Connection DNS Server - 10.0.2.10 (server itself)
DNS Forwarders on DNS Server - Qwest (205.171.9.242 and 205.171.14.195)

"clear cache" command issued from dnsmgmt
ipconfig /flushdns issued from command prompt
nslookup
set d2
microsoft.com query returns

microsoft.com
Server:  pdc-b.pdclogic.local
Address:  10.0.2.10

------------
SendRequest(), len 46
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        microsoft.com.PDCLogic.local, type = A, class = IN

------------
------------
Got answer (112 bytes):
    HEADER:
        opcode = QUERY, id = 4, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        microsoft.com.PDCLogic.local, type = A, class = IN
    AUTHORITY RECORDS:
    ->  pdclogic.local
        type = SOA, class = IN, dlen = 40
        ttl = 3600 (1 hour)
        primary name server = pdc-b.pdclogic.local
        responsible mail addr = hostmaster
        serial  = 2062
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
SendRequest(), len 31
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        microsoft.com, type = A, class = IN

------------
DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)
SendRequest failed
*** Request to pdc-b.pdclogic.local timed-out
>

Darius Ghassem commented:
Do you have a * record in DNS?

Eric_Price (author) commented:
I'm not sure what that means. One thing I DID notice (after missing it yesterday) is that, unlike every other AD DNS server I've ever looked at, the _msdcs.PDCLogic.local folder (with all the information on the gc, pdc, dc, domains, etc.) is located directly underneath Forward Lookup Zones, instead of under the PDCLogic.local domain, like you would normally find it. Don't know how it was moved and don't see any way to move it back.

Darius Ghassem commented:
That is why I asked for a screenshot. What you can do is delete that msdcs folder and the domain.com. The issue is that your msdcs folder has been delegated. Once you have them deleted, then you recreate the domain.com.

Darius Ghassem commented:
Sorry, I didn't ask for a screenshot, which I thought I did, but that was another post that had the same title as yours.

DrDave242 commented:
The placement of the _msdcs folder is not the problem.  It's normal for it to show up as a delegation in Server 2003 and 2008.  (In 2000, it was shown as a folder under the domain forward lookup zone, but its functionality is the same in both cases.)  From the nslookup output you posted above, we can see that the resolver (the client) does in fact send the second request after the server returns the initial NXDOMAIN response, but the server fails to respond to it.  That's quite odd.  Does anything get logged in the server's event logs (primarily the System or DNS logs) around the time the request is sent?
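
An added example, not part of the original thread: a small Python parser that pairs each SendRequest() in nslookup "set d2" output with its "Got answer" by query id, separating the expected suffix-appended NXDOMAIN from the query that never received a reply. The sample transcript is condensed from the output posted above; the function name `triage` and the verdict strings are this example's own.

```python
import re
# Condensed from the "set d2" output posted earlier in this thread.
SAMPLE = """\
SendRequest(), len 46
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
    QUESTIONS:
        microsoft.com.PDCLogic.local, type = A, class = IN
Got answer (112 bytes):
    HEADER:
        opcode = QUERY, id = 4, rcode = NXDOMAIN
    QUESTIONS:
        microsoft.com.PDCLogic.local, type = A, class = IN
SendRequest(), len 31
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
    QUESTIONS:
        microsoft.com, type = A, class = IN
DNS request timed out.
"""

BLOCK = re.compile(r"^(?:SendRequest\(\)|Got answer)", re.M)
FIELDS = re.compile(r"id = (\d+), rcode = (\w+).*?QUESTIONS:\s*(\S+),", re.S)

def triage(transcript, suffix):
    """Pair each query with its reply; return [(name, verdict), ...]."""
    sent = {}  # query id -> [question name, reply rcode or None]
    starts = [m.start() for m in BLOCK.finditer(transcript)] + [len(transcript)]
    for begin, end in zip(starts, starts[1:]):
        block = transcript[begin:end]
        m = FIELDS.search(block)
        if not m:
            continue
        qid, rcode, name = m.groups()
        if block.startswith("SendRequest"):
            sent[qid] = [name, None]      # outgoing query, no reply seen yet
        elif qid in sent:
            sent[qid][1] = rcode          # reply matched to its query by id
    results = []
    for name, rcode in sent.values():
        appended = name.lower().endswith("." + suffix.lower())
        if rcode is None:
            verdict = "NO REPLY"
        elif rcode == "NXDOMAIN" and appended:
            verdict = "NXDOMAIN (suffix appended, expected)"
        else:
            verdict = rcode
        results.append((name, verdict))
    return results
```

Calling `triage(SAMPLE, "pdclogic.local")` marks the suffixed name as an expected NXDOMAIN and the bare `microsoft.com` query as unanswered, which is the query that depends on recursion through the forwarders.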

Eric_Price (author) commented:
No, nothing. Moreover, just adding an open DNS server in an XP laptop that's on the network also fails. I have just gotten access to the Cisco, and I'm hoping its configuration will shed some light. What's odd is that it SEEMS to SOMETIMES be working, and sometimes not. As we all know, those are the WORST kind of problem to solve. lol

I will follow up when I have some more information.

Darius Ghassem commented:
The delegated msdcs folder does cause issues in 2008. If you search the posts here you will see that once you delete the two zones and recreate them so the msdcs folder falls under the domain.com folder, you shouldn't see these errors anymore.

DrDave242 commented:
If queries sent directly to external DNS servers are intermittently failing as well, there may very well be a connectivity issue somewhere on the network.  Do you know if queries to the internal DNS server for internal addresses ever fail?  The router obviously doesn't come into play in that case, so if they're failing as well, maybe there's a bad switch somewhere or something of that sort.