Windows 2003 DNS issue


Just had an odd problem on our network with regard to DNS.
Issue: could not resolve IP address for a few websites including experts-exchange and a few others.

On the DNS server: no forwarders are being used - only root hints.
Ran nslookup but it just timed out - other websites worked fine.
Cleared cache.
Set up a forwarder using our ISP address and all sites began resolving again.

I have now removed the forwarder, cleared cache again, and everything is resolving fine..... really weird.

I also checked our firewall and our rules specify: DNS server -> outgoing -> allow port 53 to -> any

I also checked all root hints are up to date and server log errors (all fine)

Any help would be appreciated

DrDave242 Commented:
More about root hints vs. forwarders:

Root hints are basically pointers to the 13 root servers at the top of the DNS hierarchy.  Those servers store records referencing the authoritative servers for the various top-level DNS domains (.com, .net, .org, etc.).  If your DNS server is configured to use root hints instead of forwarders, when it receives a query for a zone for which it is not authoritative, it sends an iterative query to one of the root-hint servers, which returns a referral directing your DNS server to the appropriate top-level-domain DNS server.  Your server then sends the same iterative query to that server, which will return a referral for a DNS server authoritative for the domain.  Your server then queries that server, and so on until it receives a non-referral response.

For example, say you queried your server for the address of  Assuming your server did not already have that address cached, your server would send an iterative query to one of the root servers asking for that address.  An iterative query says, in essence, "Give me this address or tell me where I might be able to find it."  The root server is not authoritative for the zone, so it doesn't know the address of, but it does know which servers are authoritative for the .com zone, so it sends back a referral that tells your server to ask one of them.  Your server sends another iterative query to the .com server.  Again, it's not authoritative for, but it knows who is, so it responds with another referral, this one directing your server to the DNS server.  Your server sends an iterative query to that server, and since it is authoritative for, it checks its database and finds a host record with an address for www.  It then sends that address back to your server, which caches it and sends it to the client.

If your DNS server is configured to use forwarders, when it receives your query it sends a recursive query to one of the servers listed as forwarders.  Unlike an iterative query, a recursive query tells the server on the other end, "Give me this address.  I don't want to know where to find it; I want you to do that for me."  So the other server (typically an ISP server) is the one that queries the root server and walks the tree.  Once it has a response, it sends that response back to your server, which then sends it to the client.

An advantage of using forwarders over root hints is that the other server does most of the dirty work of resolving queries for external domains.  Your server can be doing other things while waiting for a response.  Of course, getting a response typically doesn't take very long, so the performance increase is pretty trivial for the most part.

A disadvantage of using forwarders is that you're pointing your server at other servers which are out of your control - you never know when one or more of them might go down, have its address changed, etc.  It's pretty safe to assume that the root servers will always be there.  (Of course, they were DoS'ed a few years back...)
Darius Ghassem Commented:
Usually Root Hints are the problem. Setting up Forwarders is the most secure and gives you a performance boost.
pancho15 (Author) Commented:
Thanks Dariusg

Anyone else have any comments - I did read somewhere it's best to use root-hints??
Chris Dent, PowerShell Developer, Commented:

Root Hints should work perfectly, it is after all, how every DNS system that doesn't use Forwarders resolves queries recursively. Someone has to do it at the end of the day.

It's difficult to find the cause of an error unless you can reproduce it now. It may have been a problem with the data in your cache. Do you happen to know if the DNS server was returning SERVFAIL? Or NXDOMAIN? Or something else?

Turning on View / Advanced in these situations will show you the Cached Lookups folder. It's well worth seeing what's held in there for the domains you're attempting to query during a failure.

Finally, it's also worth noting that both Positive and Negative results are cached. Negative Results are only cached for 5 minutes by default, but that can often lead to confusing results.
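The root-hint walk DrDave242 describes, plus the caching behaviour Chris Dent raises (positive and negative answers cached, a timed-out server producing an uncached SERVFAIL), as an added simulation that is not part of any answer on this page. The server names, the 203.0.113.10 address, the 3600-second positive TTL and the "ns.broken" delegation are all constructed for the example; only the 5-minute negative TTL comes from the thread.

```python
import time

# Constructed toy hierarchy (not real servers): each entry knows delegations
# ("referral") for child zones and/or host records it is authoritative for.
ROOT_HINTS = ["a.root"]
SERVERS = {
    "a.root": {"referral": {"com": "a.gtld"}, "records": {}},
    "a.gtld": {"referral": {"example.com": "ns1.example", "broken.com": "ns.broken"},
               "records": {}},
    "ns1.example": {"referral": {}, "records": {"www.example.com": "203.0.113.10"}},
    # "ns.broken" is deliberately absent: the delegated server never answers
}
POS_TTL = 3600   # assumed TTL for the constructed host record
NEG_TTL = 300    # Windows DNS caches negative answers for 5 minutes by default

cache = {}  # name -> (status, answer, expires_at)

def iterative_query(server, name):
    """One iterative query: an answer, a referral to a closer server, or NXDOMAIN."""
    s = SERVERS[server]
    if name in s["records"]:
        return "ANSWER", s["records"][name]
    labels = name.split(".")
    for i in range(1, len(labels)):          # longest matching delegation first
        zone = ".".join(labels[i:])
        if zone in s["referral"]:
            return "REFERRAL", s["referral"][zone]
    return "NXDOMAIN", None

def resolve(name, now=None):
    """Resolve via root hints; returns (status, answer, servers_asked)."""
    now = time.time() if now is None else now
    hit = cache.get(name)
    if hit and hit[2] > now:                 # positive and negative entries both hit
        return hit[0], hit[1], ["cache"]
    trace, server = [], ROOT_HINTS[0]
    for _ in range(10):                      # bound the referral chain
        trace.append(server)
        if server not in SERVERS:            # timeout: SERVFAIL, and nothing is cached
            return "SERVFAIL", None, trace
        status, payload = iterative_query(server, name)
        if status == "REFERRAL":
            server = payload
            continue
        ttl = POS_TTL if status == "ANSWER" else NEG_TTL
        cache[name] = (status, payload, now + ttl)
        return status, payload, trace
    return "SERVFAIL", None, trace
```

A forwarder would simply hand the whole `resolve` walk to the ISP's server; a query that timed out mid-walk (the "ns.broken" case) is exactly the kind that leaves nothing useful in Cached Lookups.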

pancho15 (Author) Commented:
Thanks for your help