Windows 2003 DNS issue

Posted on 2009-04-16
Last Modified: 2012-05-06

Just had an odd problem on our network with regard to DNS.
Issue: could not resolve IP addresses for a few websites, including experts-exchange and a few others.

On the DNS server: no forwarders are being used, only root hints.
Ran nslookup but it just timed out; other websites worked fine.
Cleared cache.
Set up a forwarder using our ISP address and all sites began resolving again.

I have now removed the forwarder, cleared the cache again and everything is resolving fine... really weird.

I also checked our firewall, and our rules specify: DNS server -> outgoing -> allow port 53 -> any.

I also checked that all root hints are up to date and the server log errors (all fine).

Any help would be appreciated.

Question by: pancho15
    LVL 59

    Expert Comment

    by: Darius Ghassem
    Usually root hints are the problem. Setting up forwarders is the most secure and gives you a performance boost.

    Author Comment

    Thanks Dariusg.

    Anyone else have any comments? I did read somewhere it's best to use root hints.
    LVL 70

    Assisted Solution

    by: Chris Dent

    Root hints should work perfectly; it is, after all, how every DNS system that doesn't use forwarders resolves queries recursively. Someone has to do it at the end of the day.

    It's difficult to find the cause of an error unless you can reproduce it now. It may have been a problem with the data in your cache. Do you happen to know if the DNS server was returning SERVFAIL? Or NXDOMAIN? Or something else?

    Turning on View / Advanced in these situations will show you the Cached Lookups folder. It's well worth seeing what's held in there for the domains you're attempting to query during a failure.

    Finally, it's also worth noting that both positive and negative results are cached. Negative results are only cached for 5 minutes by default, but that can often lead to confusing results.

    LVL 25

    Accepted Solution

    More about root hints vs. forwarders:

    Root hints are basically pointers to the 13 root servers at the top of the DNS hierarchy.  Those servers store records referencing the authoritative servers for the various top-level DNS domains (.com, .net, .org, etc.).  If your DNS server is configured to use root hints instead of forwarders, when it receives a query for a zone for which it is not authoritative, it sends an iterative query to one of the root-hint servers, which returns a referral directing your DNS server to the appropriate top-level-domain DNS server.  Your server then sends the same iterative query to that server, which will return a referral for a DNS server authoritative for the domain.  Your server then queries that server, and so on until it receives a non-referral response.

    For example, say you queried your server for the address of  Assuming your server did not already have that address cached, your server would send an iterative query to one of the root servers asking for that address.  An iterative query says, in essence, "Give me this address or tell me where I might be able to find it."  The root server is not authoritative for the zone, so it doesn't know the address of, but it does know which servers are authoritative for the .com zone, so it sends back a referral that tells your server to ask one of them.  Your server sends another iterative query to the .com server.  Again, it's not authoritative for, but it knows who is, so it responds with another referral, this one directing your server to the DNS server.  Your server sends an iterative query to that server, and since it is authoritative for, it checks its database and finds a host record with an address for www.  It then sends that address back to your server, which caches it and sends it to the client.

    If your DNS server is configured to use forwarders, when it receives your query it sends a recursive query to one of the servers listed as forwarders.  Unlike an iterative query, a recursive query tells the server on the other end, "Give me this address.  I don't want to know where to find it; I want you to do that for me."  So the other server (typically an ISP server) is the one that queries the root server and walks the tree.  Once it has a response, it sends that response back to your server, which then sends it to the client.

    An advantage of using forwarders over root hints is that the other server does most of the dirty work of resolving queries for external domains.  Your server can be doing other things while waiting for a response.  Of course, getting a response typically doesn't take very long, so the performance increase is pretty trivial for the most part.

    A disadvantage of using forwarders is that you're pointing your server at other servers which are out of your control - you never know when one or more of them might go down, have its address changed, etc.  It's pretty safe to assume that the root servers will always be there.  (Of course, they were DoS'ed a few years back...)
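As an added illustration (not code from any answer in this thread), here is a constructed Python model of the two resolution paths the accepted solution describes, root-hints referral walking versus a single recursive query to a forwarder, together with the positive/negative caching Chris Dent mentions. The server names, zone data, test address and positive TTL are made up; only the 5-minute negative TTL comes from the thread, and no network traffic is sent.

```python
import time

# Constructed referral tree, not real DNS data: each server either delegates a zone to
# another server (a referral) or answers for names inside its own zone.
SERVERS = {
    "root": {"delegate": {"com.": "tld-com"}},
    "tld-com": {"delegate": {"example.com.": "ns.example.com"}},
    "ns.example.com": {"answer": {"www.example.com.": "192.0.2.10"}},  # RFC 5737 test address
}
NEGATIVE_TTL = 300   # negative answers cached 5 minutes by default (per the thread)
POSITIVE_TTL = 3600  # constructed TTL for positive answers

def iterative_query(server, name):
    """One iterative query: 'answer', a 'referral' to the next server, or 'nxdomain'."""
    data = SERVERS[server]
    if name in data.get("answer", {}):
        return "answer", data["answer"][name]
    for zone, ns in data.get("delegate", {}).items():
        if name.endswith("." + zone):
            return "referral", ns
    return "nxdomain", None

def resolve_with_root_hints(name, root_hint="root"):
    """Root-hints mode: our server walks the referral chain itself until a non-referral reply."""
    server, hops = root_hint, []
    while True:
        kind, value = iterative_query(server, name)
        hops.append((server, kind))
        if kind != "referral":
            return value, hops
        server = value

def resolve_with_forwarder(name, forwarder=resolve_with_root_hints):
    """Forwarder mode: one recursive query; the forwarder (e.g. the ISP) walks the tree for us."""
    ip, _ = forwarder(name)
    return ip, [("forwarder", "answer" if ip else "nxdomain")]

class Cache:
    """Holds both positive and negative results, like the 'Cached Lookups' folder."""
    def __init__(self, clock=time.time):
        self.clock, self.entries = clock, {}

    def lookup(self, name, resolver=resolve_with_root_hints):
        hit = self.entries.get(name)
        if hit and hit[1] > self.clock():      # unexpired entry, positive or negative
            return hit[0], "cache"
        ip, _ = resolver(name)
        self.entries[name] = (ip, self.clock() + (POSITIVE_TTL if ip else NEGATIVE_TTL))
        return ip, "network"
```

The cached negative entry is what makes a name keep failing for up to five minutes after the upstream problem is gone, which is why clearing the cache (or changing resolution path) appears to "fix" it.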

    Author Closing Comment

    Thanks for your help
