DNS Request Timed Out

I am running a small network with 1 AD Controller running DNS. I randomly and intermittently get the following:

DNS request timed out.
timeout was 2 seconds.

It has been working for 2-3 years perfectly well, and all of a sudden this problem pops up throughout the day. The DNS server is configured with 2 forwarders (my ISP's DNS), and it also has a reverse zone for the local subnet. I also added the connection suffix to the individual PCs. I've tried a number of things, but the problem just won't go away. Anyone have any ideas or troubleshooting steps I can do? There is nothing unusual in the event viewer, either.

Thanks for any input
TheBigDogAsked:

giltjrCommented:
That looks like a message from nslookup, which has a default timeout of 2 seconds. This is NOT necessarily a problem. nslookup is a problem determination tool and works differently than the dns resolver client.

nslookup goes to the 1st dns server in your list and sends one query. If that dns server does not respond, you get the message. It could be that your dns server did not know the answer, went to its forwarder, which did not know the answer, the forwarder (most likely one provided by your ISP) went through the root lookup chain and this all took longer than two seconds. A timeout on your side does not indicate a problem on your side, it could be that the authoritative server for that zone had a problem.

Your dns resolver client will typically have a longer timeout and send out requests to multiple dns servers. Even then a "host not found" error could be a problem outside of your control. You are waiting for somebody else to give you an answer; just because you don't get it does not mean it's your problem.

Think of it this way, if you call me on the phone and I don't answer, is there a problem with your phone?
0
TheBigDogAuthor Commented:
The problem is that it actually doesn't resolve and we get "page cannot be displayed" errors in the browsers.

At times we get the non-authoritative answers, which the dns does get resolved, but other times the message above with no rhyme or reason.
0
giltjrCommented:
The list of things that can cause this problem on your side is fairly short.

1) Your internet connection is busy and it is taking a long time to get the DNS request out and/or the response in.
2) Your internet connection is having problems and dropping packets.
3) Your DNS server is so busy it can't handle the request right now.

Other than that, the problem is outside of your network and control.

The "non-authoritative" means that another dns server that is not the authoritative dns server for that zone has already done a lookup and cached the response. This could be your dns server, or whatever you use for a forwarder.

One thing you could try, instead of using forwarders, is to load the root hints file and bypass the forwarders. The problem with this is that you are going down the chain of dns servers yourself and not taking advantage of the possibility that your ISP DNS servers have already cached what you are looking for.
0
Jason WatkinsIT Project LeaderCommented:
Hello,

I would try removing the DNS suffix setting from an adapter and seeing if that fixes it. A.D. clients get their primary DNS suffix from their domain membership.

Also, try a new forwarder? OpenDNS 208.67.222.222, 208.67.220.220
0
TheBigDogAuthor Commented:
Firebar- Originally I didn't have those typed in, but the clients weren't registering themselves in the reverse zone. The problem did occur without them as well. I'll try your OpenDNS suggestion. Thanks!
0
Jason WatkinsIT Project LeaderCommented:
Also, perhaps clearing the local DNS cache on the client.

ipconfig /flushdns

(This should happen each time Windows restarts).

To force client registration in DNS, use: ipconfig /registerdns

To clear the server's DNS service cache, use: dnscmd /clearcache
(That command is available from the WS03 ResKit tools)

Restarting the DNS service on the server also flushes the resolver cache.
0
TheBigDogAuthor Commented:
Firebar- All done, thanks!
0
giltjrCommented:
Are you having an AD issue? Are the host names you are trying to resolve within your AD domain or are they all external?

If they are all external, then do NOT remove the DNS suffix on the adapter.  Doing this could cause other problems.

Also, clearing the local cache (ipconfig /flushdns) will only help if a host's IP address has changed and the local computer has cached a prior lookup. But the dns cache is for the local machine only and the dns server does not use this cache to resolve names as part of its DNS server function.
0
TheBigDogAuthor Commented:
A little confused. There is some name resolution going on for internal names, like the exchange server, but most requests get forwarded on. In the past I have never entered the DNS suffix and everything was good. I went ahead and removed all those from the clients. Doesn't seem to impact resolving, so I guess it's not needed with my setup.

So I have done that and changed forwarders from Charter's ISP DNS to OpenDNS. Will update on Monday when I have some more users on to see if that has cured the issue.
0
giltjrCommented:
O.K.  If internal names are resolving fine, then you having or not having your domain name as a DNS suffix does not really matter.

If it is only external names, then everything I posted earlier comes into play. Changing to different forwarders may help, but only if the forwarders you were using were too busy. However, it is perfectly normal to have issues resolving names every now and then.

It is normally a good practice to have your IP domain name coded as a DNS suffix.  
0
The--CaptainCommented:
"However, it is perfectly normal to have issues resolving names every now and then"

Really?  This doesn't happen to me unless someone broke something somewhere.  I run a local DNS server (bind) with root hints, not forwarders, which brings me to my suggestion:

Have you tried using root hints (asking the root servers directly) rather than forwarders? Might use slightly more bandwidth, but not much, and you get 13 (maybe more, it's been a long time since I updated my root servers file ;-) servers improving your reliability (actually many more - wikipedia search "anycast").

If you still get intermittent failures, then I'd break out the sniffers (and then likely yell at your ISP), which reminds me - have you verified (as giltjr mentions) that this is a DNS outage and not a more general loss of internet connectivity?  If so, how?

Cheers,
-Jon
0
TheBigDogAuthor Commented:
The--Captain- I have contacted my ISP, Charter. They say they have no problems. Of course, they always say that. Incidentally, I have the exact same DNS server on my home computers via Charter, and haven't had a problem once. Way different config.. but no resolution problems. (no servers, etc)

The idea that maybe I'm having connectivity issues is worth exploring. I have tried pinging the local dns server while it doesn't respond to my queries, and that was successful.

The root hints.. It appears my DNS server is populated with some... are those the servers you are referring to? Do I simply delete the forwarders and hope for the best?

I think I'll wait until work tomorrow, to see if anything we have done this far has helped. If not, plan c,d,e or f, whatever I'm on, will be root hints.
0
TheBigDogAuthor Commented:
Bad news.. Problem still exists. Deleted forwarders, problem actually became worse if you can believe it just using root hints. Does resolve names periodically, but fails more often. I'm updating my drivers and NIC firmware just to make sure everything is up to date.

I don't think I'm having connectivity issues because I've been debugging remotely, and the connection has never dropped or lagged, so it appears to me the connection has been "live" the whole time.

Any more ideas?
0
TheBigDogAuthor Commented:
Turned on DNS file logging. See a lot of these DR SERVFAIL, for example:

[8281   DR SERVFAIL] A     (5)armmf(5)adobe(3)com(0)
0
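An added example (not from any poster in this thread) of what to do with a log like the one quoted above: parse each record, decode the length-prefixed name into dotted form, and count responses per RCODE and SERVFAILs per name, so that "a lot of SERVFAIL" becomes a ratio and a list of the names affected. The sample lines are constructed to match the shape of the single line in the post; a real Windows DNS debug log carries more fields, and this parser relies only on the bracketed "[id DR RCODE]" token and the "(n)label...(0)" name that follows the query type.

```python
import re
from collections import Counter

# Constructed sample lines. They copy the shape of the single line quoted in the
# post ("[id DR RCODE] QTYPE (len)label...(0)"); they are not real server output.
SAMPLE_LOG = """\
[8281   DR SERVFAIL] A     (5)armmf(5)adobe(3)com(0)
[8282   DR NOERROR ] A     (3)www(7)example(3)com(0)
[8283   DR SERVFAIL] A     (5)armmf(5)adobe(3)com(0)
[8284   DR SERVFAIL] AAAA  (4)mail(7)example(3)com(0)
[8285   DR NOERROR ] MX    (7)example(3)com(0)
some unrelated line that the parser must skip
"""

# Only the bracketed token and the length-prefixed name are relied on.
LINE_RE = re.compile(
    r"^\[(?P<id>\d+)\s+(?P<flags>\w+)\s+(?P<rcode>\w+)\s*\]\s+"
    r"(?P<qtype>\w+)\s+(?P<name>(?:\(\d+\)[^()\s]*)+)"
)
LABEL_RE = re.compile(r"\((\d+)\)([^()\s]*)")


def decode_name(wire_style: str) -> str:
    """Turn '(5)armmf(5)adobe(3)com(0)' into 'armmf.adobe.com'.

    Each (n) is the length of the label that follows it and (0) ends the name,
    mirroring DNS wire-format labels. A length that does not match the label
    text is treated as a corrupt record."""
    labels = []
    for length, label in LABEL_RE.findall(wire_style):
        n = int(length)
        if n == 0:
            break
        if len(label) != n:
            raise ValueError(f"label {label!r} does not have declared length {n}")
        labels.append(label)
    return ".".join(labels)


def parse_line(line: str):
    """Return a dict for a query/response record, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "id": int(m["id"]),
        "rcode": m["rcode"],
        "qtype": m["qtype"],
        "name": decode_name(m["name"]),
    }


def summarize(log_text: str):
    """Count responses per RCODE and SERVFAILs per queried name."""
    by_rcode = Counter()
    servfail_by_name = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        by_rcode[rec["rcode"]] += 1
        if rec["rcode"] == "SERVFAIL":
            servfail_by_name[rec["name"]] += 1
    return by_rcode, servfail_by_name


def servfail_ratio(by_rcode) -> float:
    """Fraction of parsed responses that were SERVFAIL (0.0 when nothing parsed)."""
    total = sum(by_rcode.values())
    return by_rcode["SERVFAIL"] / total if total else 0.0


if __name__ == "__main__":
    rcodes, failing = summarize(SAMPLE_LOG)
    print("responses by RCODE:", dict(rcodes))
    print("SERVFAIL ratio: {:.0%}".format(servfail_ratio(rcodes)))
    for name, count in failing.most_common():
        print(f"  {count:3d}  {name}")
```

Running it over a real log is a matter of replacing SAMPLE_LOG with the file contents. If the SERVFAIL ratio is high across many unrelated names, the upstream path (forwarders, link, or something filtering port 53) is the suspect; if it is concentrated on a few names, the problem is more likely at those zones' authoritative servers.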
giltjrCommented:
Do you know what your link utilization is?

0
TheBigDogAuthor Commented:
Frankly, I'm not sure what that is.. where can I find?
0
giltjrCommented:
You would need to have something in place to monitor and measure it.

What is your link speed?
0
TheBigDogAuthor Commented:
Gigabit
0
The--CaptainCommented:
Can you try using hping2 ( http://sourceforge.net/projects/sectools ) to trace the connection to the remote DNS forwarders with UDP packets on port 53 during a DNS outage?  It should look similar to a traceroute...

I used this command line (although it's an older unix version of hping2):

hping2 -n -2 -p 53 -T <your DNS forwarder IP>

You might also want to temporarily change your config to use only a single forwarder, so you can rule out intermittent failure of only one (but not both) forwarders.

Also, if the outages last long enough you might be able to gain some useful information by issuing similar DNS requests manually against the forwarders, and then against a root server and on down the chain of authority via dig or nslookup (assuming windows nslookup isn't broken/limited as windows traceroute...  I'm a unix guy, and wouldn't really know).

Finally, try changing one of your workstations to use the forwarders directly (rather than resolving against the AD server), and perhaps also try setting another workstation to resolve against 4.2.2.2 and 4.2.2.3 in order to rule out any problems with the AD server and Charter's forwarders.

I didn't realize you were using Charter - ouch.  I'm guessing it's their problem, just from what I've heard of Charter.

Cheers,
-Jon
0
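An added example (not code from any poster in this thread) that does in one script what giltjr's nslookup explanation and The--Captain's last two suggestions describe: send a single recursive query with a 2-second timeout, nslookup's default, to each resolver in turn, and record per server whether the reply was NOERROR, SERVFAIL, something else, or never arrived. Building the query and reading the reply header follow RFC 1035 and need no third-party library. The server addresses in the usage comment are the ones mentioned in the thread; the script assumes plain UDP on port 53 is reachable from where it runs.

```python
import random
import socket
import struct
import sys
import time

# Standard RCODE values from the DNS header (RFC 1035 section 4.1.1).
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode 'armmf.adobe.com' as DNS wire-format length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    """One question with RD=1 (flags 0x0100), the same shape nslookup sends."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, QCLASS_IN)


def parse_response(data: bytes, expected_txid: int) -> dict:
    """Pull the status bits out of the 12-byte header of a reply."""
    if len(data) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return {
        "rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
        "authoritative": bool(flags & 0x0400),
        "truncated": bool(flags & 0x0200),
        "recursion_available": bool(flags & 0x0080),
        "answers": ancount,
    }


def probe(server: str, name: str, timeout: float = 2.0, port: int = 53) -> dict:
    """Send one query to one server and classify the outcome.

    TIMEOUT (no reply within the window) is kept separate from an answered
    lookup that failed (SERVFAIL, NXDOMAIN, ...), which is the distinction
    the thread turns on."""
    txid = random.randrange(0, 0x10000)
    started = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (server, port))
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return {"server": server, "outcome": "TIMEOUT",
                    "ms": round((time.monotonic() - started) * 1000)}
        except OSError as exc:
            return {"server": server, "outcome": f"ERROR:{type(exc).__name__}",
                    "ms": round((time.monotonic() - started) * 1000)}
    elapsed = round((time.monotonic() - started) * 1000)
    try:
        info = parse_response(data, txid)
    except ValueError:
        return {"server": server, "outcome": "BADREPLY", "ms": elapsed}
    info.update(server=server, outcome=info["rcode"], ms=elapsed)
    return info


if __name__ == "__main__":
    # Usage: python3 dnsprobe.py <name> <server> [<server> ...]
    # e.g.   python3 dnsprobe.py armmf.adobe.com 4.2.2.2 208.67.222.222
    if len(sys.argv) < 3:
        sys.exit("usage: dnsprobe.py <name> <server> [<server> ...]")
    qname, servers = sys.argv[1], sys.argv[2:]
    for srv in servers:
        for _ in range(5):  # a few attempts so an intermittent failure can show
            r = probe(srv, qname)
            print(f"{srv:>16} {r['outcome']:<10} {r['ms']:>5} ms")
```

Run it from a workstation during an outage against the AD server, then against each forwarder directly. If the forwarders answer NOERROR while the AD server times out or returns SERVFAIL, the fault is on the local server or on its path out (which is where a host firewall policy, as the asker eventually found, would sit); if the forwarders themselves time out, the problem is upstream of the LAN.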
TheBigDogAuthor Commented:
This enabled me to track down the real problem: Symantec Endpoint Protection. Not sure if the firewall policy was corrupt, but I deleted the policy and created a new one. It appears I no longer have the DNS failures. Thanks for everybody's considerable time and effort here.
0
giltjrCommented:
See, The--Captain has taken care of you. One thing though: I doubt very much your Internet connection is gigabit. More than likely your LAN is, but not your Internet.
0
TheBigDogAuthor Commented:
Yes I obviously do not have gigabit WAN! Dare to dream. Thanks for your help!
0
The--CaptainCommented:
Wow!  A Charter user had a problem that was not related to Charter - I'm making a note for posterity ;-)

Glad to help,
-Jon
0