Solved

Windows Server 2008 + DNS Issue

Posted on 2009-05-14
Last Modified: 2012-05-07
I have a test 2008 box set up running Active Directory and DNS.  When I run a query against DNS from my workstation (not part of the 2008 domain) the request times out.

I've done my best to research the issue and I found that it might be related to IPv6, so I unchecked IPv6 on the server adapters and also made the registry entry to disable IPv6.  Furthermore I've gone into DNS and deleted out any IPv6 references...still when I query DNS I get a timeout.

When I query DNS from the server itself, it responds appropriately.  It seems like the query from my machine isn't authorized but the same thing happened when I joined a laptop to the domain to test.

Any insight is appreciated.
Question by: miswhoi

Expert Comment by: Chris Dent

Windows Firewall? You'll need some holes for DNS if there aren't already.

There's no filtering within (MS) DNS itself based on the client.

Chris

Author Comment by: miswhoi

Chris-Dent,

Thank you for the idea but unfortunately "Your computer is not protected: turn on Windows Firewall"
Windows Firewall is off.  Windows Firewall is not using the recommended settings to protect your computer.

No love.

Expert Comment by: Chris Dent

That's on the server? Can't remember if it warns you about it being off there, never turned it off :)

You should find that TCP Port 53 is listening as well, which means you should be able to do "telnet <server> 53" from the client and get a blank screen as a response (rather than a time-out message).

Chris
0
 
LVL 1

Author Comment

by:miswhoi
Comment Utility
Chris,

When I telnet <server> 53 I DO get a black screen without a logon prompt.  The firewall IS disabled on the server but it does not respond to queries via nslookup.  A little frustrating.

Expert Comment by: Chris Dent

Okay, cool, the blank screen at least indicates that you can talk to the server. Not the right protocol, but I'd be surprised to find blocks on UDP if TCP is allowed.

What query are you throwing at it? Just a random web site name? e.g. nslookup www.google.com.

Are you able to query it from a system that is a member of the domain? Or is it not that far on yet?

It'd be worth running:

netstat -anb | FindStr :53

Just to make sure it's got a UDP port bound to the interface you're talking to.

Chris

Expert Comment by: Chris Dent

Sorry missed this bit

> but the same thing happened when I joined a laptop to the domain to test.

So ignore the question about a member of the domain.

Chris

Author Comment by: miswhoi

name of the system is cahu07-00.  If I type:
c:\>nslookup
Default server: myprimary_server
address: xxx.xxx.xxx.xxx

>Server cahu07-00
Default Server: cahu07-00
address: <correct address>

>cahu07-00 (itself)

DNS request timed out.
Timeout was 2 seconds.

>www.google.com
DNS request timed out.
Timeout was 2 seconds

>Another server on "test" domain
same response.

I'm perplexed on this.

Expert Comment by: Chris Dent

Turn on debug see what it's asking the server.

nslookup
server cahu07-00
set debug
cahu07-00

I guess the client is configured with a DNS suffix for the AD domain since you managed to connect to the server by name alone?

nslookup for www.google.com works from the server itself?

Chris

Expert Comment by: Chris Dent

I have to pop out, I'll be back in a few hours if you're still having problem (not ignoring you :)).

Chris

Expert Comment by: Chris Dent

One last comment ;)

It's always fun to blame AV software for any odd behaviour. If you have any on the server I recommend ripping it off while this is being tested.

Chris

Author Comment by: miswhoi

from server itself:
C:\Users\administrator.TESTADMIN>nslookup
Default Server:  cahu07-00.testadmin.mydomain.biz
Address:  xxx.xxx.xxx.xxx

> www.google.com
Server:  cahu07-00.testadmin.mydomain.biz
Address:  xxx.xxx.xxx.xxx

Non-authoritative answer: (expected as I have conditional forwarders).
Name:    www.l.google.com
Addresses:  209.85.133.147
          209.85.133.99
          209.85.133.104
Aliases:  www.google.com
(note: server can resolve itself and other test machines on said test domain)

FROM MY PC
> set debug
> cahu07-00
Server:  cahu07-00
Address:  xxx.xxx.xxx.xxx

DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)
*** Request to cahu07-00  timed-out

And just for the record, there aren't any problems with my workstation so far as I can tell because queries to my primary and other DNS servers work fine.  This cahu07-00 is actually on the same network as I am on so latency shouldn't be any kind of issue whatsoever.  Pings to cahu07-00 respond with time <1ms consistently.

Take your time Chris.  Any ideas are appreciated.  I didn't want to make my original post too long but initially I set up a Windows 2008 core box and this was occurring with the core machine, so I promoted another machine and demoted the core box so I had a GUI to troubleshoot with.  Whatever the issue is it has continued on to another machine.  I've actually wiped out everything in group policy on the box to ensure it wasn't something stupid that MS added that is causing this...still not sure what the problem is.



Author Comment by: miswhoi

Unless I did something wrong with the debug command all it seemed to do was spit out one extra line:
*** Request to cahu07-00 timed out.

Also, no AV running on server in question.  


Expert Comment by: Chris Dent

How about on the client?

Otherwise I suspect it'll be time to crack out the packet sniffers to see what's happening to the requests / responses.

For example, it's entirely possible the server is receiving the request, but the client isn't getting the reply back even if the server is sending it out.

Chris

Author Comment by: miswhoi

Chris,
The client is running Windows XP, it does have AV installed but does NOT have any problems querying other DNS servers.  It may be worthwhile to note that I stood up DNS on the test domain on a Windows 2003 machine and can query that without problems, for some reason the 2008 boxes running DNS do not want to play ball...it really makes very little sense to me.

The humorous thing is, the test environment is primarily intended to test out the functionality of Exchange 2007 and I figured I'd stand up Server 2008 at the same time just to bang on it a little...and then this happens.  I'm almost at the point where I'm going to scrap everything and rebuild on 2003 to avoid this crap...because whatever the problem is, it exists on 2 different 2008 machines in pretty much default configurations.

Expert Comment by: Chris Dent

It's quite odd, I've never had that particular problem with DNS on 2008. Different hardware for the two 2008 servers?

I would definitely be popping out WireShark to have a look at what the client and server are talking about :)

Chris

Author Comment by: miswhoi

Chris,
I ran wireshark on both the client and the server.  I'm able to ping the server and see the requests on both sides, however name queries don't appear to hit the server at all...no record of them reaching cahu07-00...which is odd because I'm RDP'd into the machine, ping works...really strange to say the least.


Expert Comment by: Chris Dent

Yeah, it is. No Firewalls / Routers between client and server?

You see the request leaving the client I guess?

Chris

Author Comment by: miswhoi

Chris,

I just ran another test and while this still doesn't make total sense to me, I'm leaning toward it being a network infrastructure issue.  

WAN----->building switch----->test environment switch---->many servers

Being that I see the queries leaving the client but not arriving at the server, despite pings and RDP connections being successful, I decided to take a laptop down to the test environment and patch directly into the switch.  Queries work flawlessly.

The oddball thing about this is I could have sworn that when I first encountered this problem I stood up DNS on a 2003 server and queries worked fine, it was the 2008 boxes that have refused to play in this configuration.

I'm not sure if I should close this ticket out or continue to report back my findings.

Author Comment by: miswhoi

I lied.  If I had 2003 running DNS I don't now and if it was ever working, it's not now from outside the switch.  Switch configuration issue for sure...but what exactly?  who knows.

Expert Comment by: Chris Dent

Any monitoring or logging available on it?

Does the server have more than one NIC?

Chris

Accepted Solution by: miswhoi

Chris,

Problem identified and solved.  The network team enabled DNS spoofing filters on the main switch which prevents DNS queries from traversing the main switch UNLESS the DNS servers have been identified as legitimate by the networking team.

"Sorry I didn't get back to you yesterday. I got your message, started looking and then got redirected by some other interrupt.

I think the problem is indeed the spoofing filters I put on. Is the address of the DNS server you are testing with XXX.XXX.XXX.XXX. ? I will need to add this to the filters on your switch."
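Chris's two checks (telnet to TCP/53, nslookup with debug over UDP/53) and the eventual cause (a DNS filter on the switch dropping queries for servers the network team had not approved) come down to one comparison: does the same query get an answer over TCP/53 and over UDP/53? The script below is an added example and not code from this thread; it builds a raw DNS A query, sends it over both transports with nslookup's 2-second timeout and reports the outcome per transport. The server address 192.0.2.10 and the transaction id are placeholders.

```python
import socket
import struct

TXID = 0x1234  # constructed transaction id; real resolvers randomise this

def build_query(name, qtype=1):
    """Minimal DNS query: 12-byte header with RD set, one question (type A, class IN)."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(data):
    """Return (rcode, answer_count) if `data` is a reply to our query; raise otherwise."""
    if len(data) < 12:
        raise ValueError("short reply")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != TXID or not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("not a response to our query")
    return flags & 0x000F, an

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed early")
        buf += chunk
    return buf

def probe(server, name, timeout=2.0):
    query, out = build_query(name), {}
    try:  # UDP: the transport nslookup uses by default
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            rcode, _an = parse_header(s.recv(512))
            out["udp"] = "ok" if rcode == 0 else f"rcode {rcode}"
    except (OSError, ValueError) as e:
        out["udp"] = "timeout" if isinstance(e, socket.timeout) else f"error: {e}"
    try:  # TCP: what 'telnet <server> 53' reaches; DNS over TCP is 2-byte length-prefixed
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            length = struct.unpack("!H", _recv_exact(s, 2))[0]
            rcode, _an = parse_header(_recv_exact(s, length))
            out["tcp"] = "ok" if rcode == 0 else f"rcode {rcode}"
    except (OSError, ValueError) as e:
        out["tcp"] = "timeout" if isinstance(e, socket.timeout) else f"error: {e}"
    return out

if __name__ == "__main__":  # 192.0.2.10 is a placeholder server address
    print(probe("192.0.2.10", "www.google.com"))
```

A result of UDP "timeout" with TCP "ok", which is what the telnet and nslookup tests in this thread showed, means the DNS service is up and something in the path is dropping UDP/53 (a switch filter, ACL or firewall rule); Wireshark on both ends, as done above, then shows where the query disappears.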