Solved

Windows 2003 dns won't resolve external

Posted on 2010-03-30
Last Modified: 2012-08-13
Hello,
Our Windows 2003 DNS server intermittently stops resolving external DNS for a period of time. It can resolve internal IP addresses fine. I have no forwarders set up, just root hints. I'm using a Cisco ASA 5510 as my router. Here's the error message I get in the DNS log file; I do not receive any error messages in the Event Viewer.

20100330 14:32:22 858 PACKET  02A5E770 UDP Snd 10.0.0.2        0500 R Q [8281   DR SERVFAIL] MX    (7)factset(3)com(0)
20100330 14:32:17 858 PACKET  02A47BF0 UDP Snd 10.0.0.99       4397 R Q [8281   DR SERVFAIL] A     (5)tools(6)google(3)com(0)
20100330 14:32:11 858 PACKET  014FE810 UDP Snd 10.0.0.65       a171 R Q [8281   DR SERVFAIL] A     (3)csi(7)gstatic(3)com(0)

Any suggestions? Thanks in advance.
Question by:CMilne
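The three log lines in the question are responses the server sent back to clients (Snd ... R) carrying RCODE SERVFAIL, meaning the server's own upstream lookup failed; the line itself does not say why. Since the failures come in bunches, a useful first step is to pull the SERVFAIL responses out of the debug log and cluster them in time. The following Python is an added example, not code from this thread: it parses the Windows DNS packet-log line format shown above (the embedded sample is constructed from the three posted lines plus two made-up NOERROR responses) and reports bursts of SERVFAIL replies.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: the three SERVFAIL responses quoted in the question, plus two
# made-up NOERROR responses so the burst detector has ordinary traffic to contrast.
SAMPLE_LOG = """\
20100330 14:32:22 858 PACKET  02A5E770 UDP Snd 10.0.0.2        0500 R Q [8281   DR SERVFAIL] MX    (7)factset(3)com(0)
20100330 14:32:17 858 PACKET  02A47BF0 UDP Snd 10.0.0.99       4397 R Q [8281   DR SERVFAIL] A     (5)tools(6)google(3)com(0)
20100330 14:32:11 858 PACKET  014FE810 UDP Snd 10.0.0.65       a171 R Q [8281   DR SERVFAIL] A     (3)csi(7)gstatic(3)com(0)
20100330 14:20:05 858 PACKET  014FE810 UDP Snd 10.0.0.65       b2c3 R Q [8081   DR  NOERROR] A     (3)www(7)example(3)com(0)
20100330 14:20:09 858 PACKET  014FE810 UDP Snd 10.0.0.2        b2c4 R Q [8081   DR  NOERROR] MX    (7)example(3)com(0)
"""

# One PACKET line of the Windows DNS debug log ("Log packets for debugging"):
# date time thread PACKET ctx proto Snd|Rcv remote xid [R] Q [hexflags charflags RCODE] QTYPE qname
LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<tid>\S+) PACKET\s+(?P<ctx>[0-9A-Fa-f]+) "
    r"(?P<proto>UDP|TCP) (?P<dir>Snd|Rcv) (?P<remote>\S+)\s+(?P<xid>[0-9A-Fa-f]{4}) "
    r"(?P<resp>R| ) Q \[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s*$"
)


def decode_name(label_form):
    """'(5)tools(6)google(3)com(0)' -> 'tools.google.com'."""
    return re.sub(r"\(\d+\)", ".", label_form).strip(".")


def parse_line(line):
    """Return a dict for one PACKET line, or None for lines in any other format."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    flag_words = m.group("flags").split()          # e.g. ['8281', 'DR', 'SERVFAIL']
    return {
        "ts": datetime.strptime(m.group("date") + " " + m.group("time"), "%Y%m%d %H:%M:%S"),
        "dir": m.group("dir"),
        "remote": m.group("remote"),
        "is_response": m.group("resp") == "R",
        "rcode": flag_words[-1] if flag_words else "",
        "qtype": m.group("qtype"),
        "qname": decode_name(m.group("qname")),
    }


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def rcode_counts(records):
    """How many responses of each RCODE the server handed to its clients."""
    return Counter(r["rcode"] for r in records if r["is_response"] and r["dir"] == "Snd")


def servfail_bursts(records, window_seconds=60, min_count=3):
    """Group SERVFAIL responses sent to clients; a burst is a run in which each failure
    arrives within window_seconds of the previous one and that holds at least min_count."""
    fails = sorted((r for r in records
                    if r["is_response"] and r["dir"] == "Snd" and r["rcode"] == "SERVFAIL"),
                   key=lambda r: r["ts"])
    bursts, current = [], []
    for r in fails:
        if current and r["ts"] - current[-1]["ts"] > timedelta(seconds=window_seconds):
            bursts.append(current)
            current = []
        current.append(r)
    if current:
        bursts.append(current)
    return [{"start": b[0]["ts"], "end": b[-1]["ts"], "count": len(b),
             "names": sorted({r["qname"] for r in b})}
            for b in bursts if len(b) >= min_count]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("responses by RCODE:", dict(rcode_counts(recs)))
    for b in servfail_bursts(recs):
        print("%s-%s: %d SERVFAIL  %s" % (b["start"].strftime("%H:%M:%S"),
                                          b["end"].strftime("%H:%M:%S"), b["count"], ", ".join(b["names"])))
```

Point it at the real dns.log and compare the burst times with the router and ISP-side events; a burst that spans unrelated names (as above: factset.com, google.com, gstatic.com) points at the upstream path rather than at any one zone.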
19 Comments
 

Expert Comment

by:Mike Thomas
ID: 29123195
Configuring forwarders to your ISP's DNS server will solve your problem and is a MUST IMO.
 

Expert Comment

by:RPPreacher
ID: 29123733
Agree with Mojotech.  Give the man a cigar.
 

Author Comment

by:CMilne
ID: 29124157
Thanks for your replies. What if I forward them to OpenDNS, will that do the same thing?
 

Expert Comment

by:RPPreacher
ID: 29124835
Yes.
 

Expert Comment

by:Mike Thomas
ID: 29124914
They won't be as reliable or as exclusive, due to them being "open", and they would probably take longer to respond, but yes, they are an option, just not the best option.

Thanks for the cigar, preacher.
 

Expert Comment

by:rizla7
ID: 29125417
The problem with root hints is that they are very busy, sometimes under attack; in general, very unreliable. But there are enough of them online at any one time to guarantee that the root domains get propagated. That is the principle behind them.

1. Use the DNS server in your router as a forwarder (it is assigned its DNS server from your ISP via DHCP). This method is faster than OpenDNS because all the queries are local and don't incur 20+ hops in each direction; at most 2-4 hops to your ISP's DNS server.

2. Place a machine on the DMZ to resolve external queries. This is in fact the same as #1 above, except it will work if your router does not have a DNS server built in.

3. Set up your ISP's DNS servers as forwarders MANUALLY. This option is not recommended because, since your internal DNS server does not acquire the DNS servers of your ISP automatically via DHCP, you have to enter them manually. If one of them goes down or the IP addresses change, you will stop resolving external domains.
 

Expert Comment

by:ChiefIT
ID: 29127011
You can also configure your forwarding server to be your router's internal IP, in most cases. That way, if your ISP's DNS server's IP address changes, you don't have to.
 

Author Comment

by:CMilne
ID: 29127039
I called my ISP and inputted their DNS IPs into the Windows 2003 DNS forwarder. It still seems to have this problem. About 15 minutes after making the change, though, it started resolving again. I have another Windows 2008 DNS server, which this happens to also. It uses a Cisco 5505 as its router. I keep having to change the Exchange server's DNS lookup from one Windows DNS to the other, depending on which one is working at the time. Again, I can resolve internal DNS entries.
 

Expert Comment

by:Mike Thomas
ID: 29127472
You should have both your DNS servers forwarding to your ISP's, then have all clients look at your DNS servers, one as primary, the other as secondary. Once this is configured you're pretty much set; you may want to start looking at other causes if the problem persists.
 

Author Comment

by:CMilne
ID: 29129975
Thanks, I've been talking with Cisco to see if it's a DNS maximum length issue. Let me know if you have any other ideas, thanks.
 

Expert Comment

by:rizla7
ID: 29132733
You need to clarify what your setup is.

2 domain controllers also running DNS? Or otherwise?

If this is the case, then set up like so:

DC 1:
Primary DNS server: this server's IP (NOT 127.0.0.1).
Secondary DNS server: the other server's IP.
If you have more DNS servers, add them in the DNS server tab in Advanced.
Also, at the end of the server list add 127.0.0.1, so it is the last server, not the primary.
Allow zone transfers for your forward lookup, _msdcs, and reverse lookup zones to the other name servers in your domain. Make sure the other DNS servers in your local domain are showing up as NS records, etc.
Make sure there are no erroneous records in DNS pointing to an incorrect server.
Make sure 'Register this connection's addresses in DNS' and 'Use this connection's DNS suffix in DNS registration' are selected, and input your domain suffix in the DNS suffix box.
Set up a forwarder to be the internal IP address of your router. Your router obtains your ISP's DNS servers automatically. You SHOULD NEVER set them manually on your local DNS servers; this leads only to problems.

DC 2:
Same setup, except primary DNS server and secondary are opposite.
Make sure zone transfers are enabled on both servers and that the Name Servers tab is populated.
Make sure both of your domain controllers are now replicating in a timely fashion (within 5 minutes).
Make sure your forwarder is your router, set on both DNS servers.
Make sure your router is obtaining your ISP's DNS servers by using DHCP.
 

Author Comment

by:CMilne
ID: 29346132
Thanks rizla7. We do have 2 DCs running DNS. Currently I have DC1's forwarder going to 2 of our ISP's DNS servers. DC2's I have being forwarded to OpenDNS. Both are set up differently to see if one is causing the problem. After looking at the DNS debug logs, I'm getting SERVFAIL messages more than I thought. They come in bunches. I did make a couple of changes which you specified above, so I'll see if those have any effect. Cisco is now looking at the DNS and router logs to see if they can find any problems. I'll let you know what they find.
 

Expert Comment

by:ChiefIT
ID: 29873575
Guys, I think this is a networking issue:

To confirm, DCdiag will pick up any DNS discrepancies I can think of:

Please perform a 'DCdiag /test:dns' at the command prompt and post any errors. If no errors, that confirms it being a networking issue, or your DNS server's preferred DNS server goes to the inside and one to the outside. To determine this, an IPconfig /all will help us out tremendously.

_______________________________________________

Now, the networking issue I want to concentrate on is a problem with the duplex settings between Cisco devices. Cisco has a quirk in it that your duplex settings have to be the EXACT same as other Cisco devices. If not, you can receive intermittent connectivity.

Example: if your switch is set for 100Mb/full duplex and you have a router set to automatic, then you could experience intermittent comms for about 15 minutes.

OR, if you have two L2 connections to a Cisco device, you may lose one because of spanning tree.

OR, you may have a multihomed DC.

Please advise.
 

Author Comment

by:CMilne
ID: 30022745
Hi ChiefIT, thanks for your reply. I ran dcdiag /test:dns and this is what it came up with:

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: @@@@@@@@@@@@
      Starting test: Connectivity
         ......................... @@@@@@@@ passed test Connectivity

Doing primary tests

   Testing server: @@@@@@@@@@@@@@

DNS Tests are running and not hung. Please wait a few minutes...

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : corp

   Running enterprise tests on : @@@@@@@@@@@@@@@@
      Starting test: DNS
         Test results for domain controllers:

            DC: @@@@@@@@@@@@@@@@@@@@@@@@@@@
            Domain: @@@@@@@@@@@@@@@@@@@@@


               TEST: Forwarders/Root hints (Forw)
                  Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
                  Error: Root hints list has invalid root hint server: b.root-servers.net. (192.228.79.201)
                  Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
                  Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
                  Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
                  Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
                  Error: Root hints list has invalid root hint server: g.root-servers.net. (192.112.36.4)
                  Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
                  Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
                  Error: Root hints list has invalid root hint server: j.root-servers.net. (192.58.128.30)
                  Error: Root hints list has invalid root hint server: m.root-servers.net. (202.12.27.33)

               TEST: Dynamic update (Dyn)
                  Warning: Dynamic update is enabled on the zone but not secure @@@@@@@@@@@@@

         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53

            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90

            DNS server: 192.112.36.4 (g.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4

            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10

            DNS server: 192.228.79.201 (b.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201

            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12

            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17

            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241

            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30

            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4

            DNS server: 202.12.27.33 (m.root-servers.net.)
               1 test failure on this DNS server
               This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
               ________________________________________________________________
            Domain: @@@@@@@@@@@@@@@@@@@
               @@@@@@@@@@@@@@               PASS PASS FAIL PASS WARN PASS n/a

         ......................... @@@@@@@@@@@ failed test DNS



I've re-installed DNS on this server with no success.

Below is the ipconfig /all

O:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : @@@@@@@
   Primary Dns Suffix  . . . . . . . : @@@@@@@@@@@@@@@@
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : @@@@@@@@@@@@@@@@
                                       @@@@@@@@@@@@@

Ethernet adapter Local Area Connection 15:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TEAM : Team #1
   Physical Address. . . . . . . . . : 00-1B-21-4E-81-99
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.100.0.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 14:

   Connection-specific DNS Suffix  . : @@@@@@@@@@@@@@@@
   Description . . . . . . . . . . . : TEAM : Team #0
   Physical Address. . . . . . . . . : 00-13-72-4D-52-A0
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.202
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.202
                                       10.0.0.211
                                       127.0.0.1
   Primary WINS Server . . . . . . . : 10.0.0.211
   Secondary WINS Server . . . . . . : 127.0.0.1

Thanks for your help.
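The Forw failures above come from dcdiag sending a PTR query for 1.0.0.127.in-addr.arpa to each root hint. A root server does not recurse (it never sets the RA flag) and cannot answer that question itself; at best it returns a referral, not the answer dcdiag is looking for. The same distinction decides whether a forwarder candidate (the router's inside address, the ISP's servers, OpenDNS) will work at all: a forwarder must recurse for you and return answers, not referrals. The following Python is an added example, not code from this thread: a minimal DNS wire-format builder and parser that classifies a reply as a referral, an error or a usable recursive answer. The replies it runs on are constructed for the A tools.google.com query (ID 0x4397) that the debug log in the question shows failing; `probe()` sends the same check over UDP to a real server you name.

```python
import os
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "PTR": 12, "MX": 15}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """'tools.google.com' -> b'\\x05tools\\x06google\\x03com\\x00' (uncompressed wire form)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(xid, name, qtype, rd=True):
    """Header with RD set (so a resolver recurses for us) followed by one question."""
    header = struct.pack("!HHHHHH", xid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def decode_name(msg, off):
    """Read a name at msg[off], following compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # pointer: 14-bit offset into the message
            end = off + 2 if end is None else end  # the name occupies only 2 bytes here
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (off if end is None else end)

def parse_rrs(msg, off, count):
    """Parse `count` resource records at msg[off]; NS/PTR and A rdata are made readable."""
    rrs = []
    for _ in range(count):
        owner, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype in (2, 12):                       # NS, PTR: a (possibly compressed) name
            rdata = decode_name(msg, off)[0]
        elif rtype == 1 and rdlen == 4:            # A
            rdata = ".".join(str(b) for b in rdata)
        off += rdlen
        rrs.append({"owner": owner, "type": rtype, "ttl": ttl, "rdata": rdata})
    return rrs, off

def parse_response(msg):
    """Header flags plus the question, answer and authority sections of one reply."""
    xid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    answers, off = parse_rrs(msg, off + 4, an)      # +4 skips QTYPE and QCLASS
    authority, off = parse_rrs(msg, off, ns)
    return {"xid": xid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "rcode": RCODE.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
            "qname": qname, "qtype": qtype, "answers": answers, "authority": authority}

def classify(r):
    """Tell a referral (what a root server returns) from an error and from a real answer."""
    if not r["qr"]:
        return "not-a-response"
    if r["rcode"] != "NOERROR":
        return r["rcode"].lower()
    if r["answers"]:
        return "answer"
    return "referral" if r["authority"] and not r["aa"] else "nodata"

def usable_as_forwarder(r):
    """A forwarder must recurse on our behalf: RA set and an actual answer, not a referral."""
    return r["ra"] and classify(r) == "answer"

def probe(server, name="www.example.com", qtype="A", timeout=3.0):
    """Network call: send one UDP query to `server`; return the parsed reply, or None on timeout."""
    xid = struct.unpack("!H", os.urandom(2))[0]    # random ID so a stray reply cannot be matched
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(xid, name, qtype), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    r = parse_response(data)
    return r if r["xid"] == xid else None

# Constructed replies for the query the debug log above shows failing: A tools.google.com, xid 0x4397.
SAMPLE_QUERY = build_query(0x4397, "tools.google.com", "A")

def _reply(query, flags, answers=b"", authority=b"", ancount=0, nscount=0):
    """Constructed reply: same ID and question as `query`, with the given flags, counts and RRs."""
    xid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", xid, flags, 1, ancount, nscount, 0) + query[12:] + answers + authority

# Root-server style referral: QR and RD, no RA, no AA, NOERROR, one NS record in the authority
# section whose owner "com" is a pointer (0xC019) to offset 25 inside the question name.
NS_RR = b"\xc0\x19" + struct.pack("!HHIH", 2, 1, 172800, 20) + encode_name("a.root-servers.net")
SAMPLE_REFERRAL = _reply(SAMPLE_QUERY, 0x8100, authority=NS_RR, nscount=1)
# SERVFAIL from a recursive resolver, the RCODE the server relayed to 10.0.0.99 in the log above.
SAMPLE_SERVFAIL = _reply(SAMPLE_QUERY, 0x8182)
# Real answer from a recursive resolver: RA set, one A record (documentation address) for the name.
A_RR = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([198, 51, 100, 7])
SAMPLE_ANSWER = _reply(SAMPLE_QUERY, 0x8180, answers=A_RR, ancount=1)
```

Before committing a forwarder address in the DNS console, run `usable_as_forwarder(probe("10.0.0.1"))` (the router's inside address here) from the DNS server itself: a referral or None means that address will not serve as a forwarder, and a SERVFAIL from a working recursive resolver is exactly what the server was relaying to its clients in the log.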
 

Expert Comment

by:ChiefIT
ID: 30024275
Remove 127.0.0.1 as a DNS server and use the real IP address.

Go to the command prompt and type:

DCdiag /fix:DNS

Now, for external queries: it appears you are having a problem with root hints servers. I suggest you use DNS forwarders. Enable recursive lookups, and you can put your router IP as a DNS forwarder, (((IF))) your ISP provides you with a dynamic IP address to the outside NIC of your router. If so, they will also dynamically assign you DNS servers to forward queries to.
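To turn the client-side advice in this thread (no 127.0.0.1 in the DNS server list, the server's own address first as rizla7 described, and watch for a multihomed DC) into a repeatable check, here is an added Python example that is not code from the thread: it parses `ipconfig /all` output into per-adapter fields and reports those conditions. The embedded sample is constructed from the redacted output posted above, with made-up host name and DNS suffixes; the `IPv4 Address` fallback is for the newer ipconfig wording on Vista and later.

```python
import re

# Constructed sample: the ipconfig /all output posted above, with the redacted
# host name and DNS suffixes replaced by made-up values.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC1
   Primary Dns Suffix  . . . . . . . : corp.example
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : corp.example
                                       example

Ethernet adapter Local Area Connection 15:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TEAM : Team #1
   Physical Address. . . . . . . . . : 00-1B-21-4E-81-99
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.100.0.100
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :

Ethernet adapter Local Area Connection 14:

   Connection-specific DNS Suffix  . : corp.example
   Description . . . . . . . . . . . : TEAM : Team #0
   Physical Address. . . . . . . . . : 00-13-72-4D-52-A0
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.202
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.202
                                       10.0.0.211
                                       127.0.0.1
   Primary WINS Server . . . . . . . : 10.0.0.211
   Secondary WINS Server . . . . . . : 127.0.0.1
"""

ADAPTER_RE = re.compile(r"^\S.* adapter (?P<name>.+):$")          # "Ethernet adapter X:" at column 0
KV_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z0-9 \-]*?)[ .]*: ?(?P<val>.*)$")


def parse_ipconfig(text):
    """Return {"_global": {...}, "<adapter name>": {...}}; every value is a list of lines,
    so multi-line fields such as DNS Servers keep their order."""
    sections = {"_global": {}}
    cur, last = sections["_global"], None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ADAPTER_RE.match(line)
        if m:
            cur, last = sections.setdefault(m.group("name"), {}), None
            continue
        m = KV_RE.match(line)
        if m:
            last = m.group("key").strip()
            val = m.group("val").strip()
            cur[last] = [val] if val else []
        elif line[0].isspace() and last is not None:     # continuation of a multi-valued field
            cur[last].append(line.strip())
    return sections


def _ips(adapter):
    return adapter.get("IP Address") or adapter.get("IPv4 Address") or []


def lint_dns_client(sections, expect_own_ip_first=True):
    """Findings for the conditions discussed in the thread; an empty list means none apply."""
    findings = []
    adapters = [(n, a) for n, a in sections.items() if n != "_global" and _ips(a)]
    if len(adapters) > 1:
        findings.append("multihomed: %d adapters carry an IP address (%s)"
                        % (len(adapters), ", ".join(n for n, _ in adapters)))
    for name, a in adapters:
        dns = a.get("DNS Servers", [])
        if "127.0.0.1" in dns:
            findings.append("%s: 127.0.0.1 is DNS server #%d; list the server's real address instead"
                            % (name, dns.index("127.0.0.1") + 1))
        if expect_own_ip_first and dns and dns[0] not in _ips(a):
            findings.append("%s: first DNS server is %s, not this server's own address %s"
                            % (name, dns[0], _ips(a)[0]))
    return findings


if __name__ == "__main__":
    for finding in lint_dns_client(parse_ipconfig(SAMPLE_IPCONFIG)):
        print(finding)
```

Feed it the saved output (`ipconfig /all > ipconfig.txt` on the DC, then `parse_ipconfig(open("ipconfig.txt").read())`); on the sample above it reports the two teamed adapters as a multihomed host and the 127.0.0.1 entry in third position, which is the configuration ChiefIT asked to be changed.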
 

Expert Comment

by:rizla7
ID: 30193008
I think you are missing the point of DNS.

The idea of the DNS tree is so that you can cache DNS queries as close to the client as possible.

Using OpenDNS = fail in that regard.

Use your router to forward, or set up a DNS server on your DMZ/perimeter/front end as one.
 

Author Comment

by:CMilne
ID: 32336292
Hello,
Still have no solution to this problem
 

Expert Comment

by:ChiefIT
ID: 32692151
I think you have your teaming configured incorrectly. I do believe they should be the same IP address before you team them up.

Recommendation is, if you have fewer than 250 clients, USE ONE NIC and forget the teaming.

 

Accepted Solution

by:CMilne
ID: 32993077
Thanks for all your help, but this problem hasn't been resolved. I've just created another DNS box to rectify the problem.
