windows 2003 DNS issue

Hi,

Just had an odd problem on our network with regard to DNS.
Issue: could not resolve IP addresses for a few websites, including experts-exchange, messagelabs.com and a few others.

On the DNS server: no forwarders are being used, only root hints.
Ran nslookup but it just timed out; other websites worked fine.
Cleared cache.
Set up a forwarder using our ISP address and all sites began resolving again.

I have now removed the forwarder, cleared the cache again and everything is resolving fine... really weird.

I also checked our firewall and our rules specify: DNS server -> outgoing -> allow port 53 to any.

I also checked all root hints are up to date and the server log errors (all fine).

Any help would be appreciated.


Asked by pancho15
Darius Ghassem commented:
Usually Roots Hints are the problem. Setting up Forwarders is the most secure and gives you performance boost.
pancho15 (Author) commented:
Thanks Dariusg

Anyone else have any comments - I did read somewhere it's best to use root-hints??
Chris Dent (PowerShell Developer) commented:

Root Hints should work perfectly, it is after all, how every DNS system that doesn't use Forwarders resolves queries recursively. Someone has to do it at the end of the day.

It's difficult to find the cause of an error unless you can reproduce it now. It may have been a problem with the data in your cache. Do you happen to know if the DNS server was returning SERVFAIL? Or NXDOMAIN? Or something else?

Turning on View / Advanced in these situations will show you the Cached Lookups folder. It's well worth seeing what's held in there for the domains you're attempting to query during a failure.

Finally, it's also worth noting that both Positive and Negative results are cached. Negative Results are only cached for 5 minutes by default, but that can often lead to confusing results.

Chris
DrDave242 commented:
More about root hints vs. forwarders:

Root hints are basically pointers to the 13 root servers at the top of the DNS hierarchy.  Those servers store records referencing the authoritative servers for the various top-level DNS domains (.com, .net, .org, etc.).  If your DNS server is configured to use root hints instead of forwarders, when it receives a query for a zone for which it is not authoritative, it sends an iterative query to one of the root-hint servers, which returns a referral directing your DNS server to the appropriate top-level-domain DNS server.  Your server then sends the same iterative query to that server, which will return a referral for a DNS server authoritative for the domain.  Your server then queries that server, and so on until it receives a non-referral response.

For example, say you queried your server for the address of www.google.com.  Assuming your server did not already have that address cached, your server would send an iterative query to one of the root servers asking for that address.  An iterative query says, in essence, "Give me this address or tell me where I might be able to find it."  The root server is not authoritative for the google.com zone, so it doesn't know the address of www.google.com, but it does know which servers are authoritative for the .com zone, so it sends back a referral that tells your server to ask one of them.  Your server sends another iterative query to the .com server.  Again, it's not authoritative for google.com, but it knows who is, so it responds with another referral, this one directing your server to the google.com DNS server.  Your server sends an iterative query to that server, and since it is authoritative for google.com, it checks its database and finds a host record with an address for www.  It then sends that address back to your server, which caches it and sends it to the client.

If your DNS server is configured to use forwarders, when it receives your query it sends a recursive query to one of the servers listed as forwarders.  Unlike an iterative query, a recursive query tells the server on the other end, "Give me this address.  I don't want to know where to find it; I want you to do that for me."  So the other server (typically an ISP server) is the one that queries the root server and walks the tree.  Once it has a response, it sends that response back to your server, which then sends it to the client.

An advantage of using forwarders over root hints is that the other server does most of the dirty work of resolving queries for external domains.  Your server can be doing other things while waiting for a response.  Of course, getting a response typically doesn't take very long, so the performance increase is pretty trivial for the most part.

A disadvantage of using forwarders is that you're pointing your server at other servers which are out of your control - you never know when one or more of them might go down, have its address changed, etc.  It's pretty safe to assume that the root servers will always be there.  (Of course, they were DoS'ed a few years back...)
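The two resolution paths described in the answers above (iterative queries that follow referrals from the root hints, versus one recursive query handed to a forwarder), plus the caching of both positive and negative answers that Chris Dent mentions, as an added example that is not part of this thread: a toy Python resolver over a constructed DNS hierarchy. Every server name, zone and 192.0.2.x address below is made up for illustration, and the 5-minute negative TTL is taken from the thread.

```python
import time
# Constructed toy DNS hierarchy; every name and address here is made up for this example.
# Each server is authoritative for one zone: it answers names in "rr" and returns a
# referral (the delegated child zone's name server) for anything below a delegation.
SERVERS = {
    "a.root.example.":  {"deleg": {"com.": "a.gtld.example."}, "rr": {}},
    "a.gtld.example.":  {"deleg": {"example.com.": "ns1.example.com."}, "rr": {}},
    "ns1.example.com.": {"deleg": {}, "rr": {"www.example.com.": ("192.0.2.10", 3600)}},
}
ROOT_HINTS = ["a.root.example."]
NEGATIVE_TTL = 300  # Windows DNS caches NXDOMAIN answers for 5 minutes by default

def iterative_query(server, qname):
    """One iterative query to one server: ANSWER, REFERRAL or NXDOMAIN."""
    zone = SERVERS[server]
    if qname in zone["rr"]:
        addr, ttl = zone["rr"][qname]
        return "ANSWER", addr, ttl
    for child, ns in zone["deleg"].items():
        if qname == child or qname.endswith("." + child):
            return "REFERRAL", ns, 0           # "I don't know, ask that server"
    return "NXDOMAIN", None, NEGATIVE_TTL

class Resolver:
    """Caching resolver that either walks the tree from root hints or forwards."""
    def __init__(self, forwarder=None, clock=time.time):
        self.forwarder, self.clock = forwarder, clock
        self.cache, self.trace = {}, []   # qname -> (addr or None, expiry time)

    def lookup(self, qname):
        hit = self.cache.get(qname)
        if hit and hit[1] > self.clock():
            self.trace.append(("CACHE", qname))
            return hit[0], hit[1] - self.clock()
        if self.forwarder:                # recursive query: the forwarder walks the tree
            self.trace.append(("RECURSIVE", "forwarder"))
            addr, ttl = self.forwarder.lookup(qname)
        else:                             # iterative queries, following each referral
            server, kind = ROOT_HINTS[0], "REFERRAL"
            while kind == "REFERRAL":
                kind, data, ttl = iterative_query(server, qname)
                self.trace.append((kind, server))
                server = data if kind == "REFERRAL" else server
            addr = data
        self.cache[qname] = (addr, self.clock() + ttl)  # positive AND negative cached
        return addr, ttl

    def clear_cache(self):
        self.cache.clear()
```

Querying a name, adding its record afterwards and querying again shows the stale NXDOMAIN being served until the negative TTL expires or `clear_cache()` is called, which is the "confusing results" case from the thread.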
pancho15 (Author) commented:
Thanks for your help