• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 419
  • Last Modified:

Urgent TCPIP knowledge required please

Sorry for the title of this topic but I'm under a lot of pressure to sort this quickly.

Could anyone explain how the DNS works in a small domain environment please? I have a situation where the presence of a Windows based DNS server is causing a slow ping to the internet. Even though a workstation might rely on the server for the DNS, removing the network connection from the server makes everything normal. I'm guessing the workstation doesn't require the server once it's resolved the IP address but I'm puzzled as to why the presence of the server makes things slow.

There is no apparent unusual network traffic which you might otherwise associate with these symptoms.

Is it feasible to suggest that a faulty DNS server service might cause this to happen?
  • 4
  • 2
  • 2
  • +3
1 Solution
Chris DentPowerShell DeveloperCommented:
Good morning,

DNS requirements for an Active Directory domain are fairly simple:

1. All clients must be able to reliably resolve names for the AD domain name in DNS
2. The DNS server must support service records (MS DNS does)

The first is perhaps the most critical, and it means that you should not, under any circumstances, feed clients DNS servers that know nothing about your AD domain (for example, your ISPs DNS servers).

Your Internal DNS server will be able to resolve public names on its own by default (using Root Hints), although using Forwarders (typically to ISPs DNS servers) is a popular choice.

On to Ping. What do you mean by slow ping? Because DNS cannot directly impact Ping, although it can cause a delay before Ping really gets going if you ping a name rather than IP.

what is the status of Antivirus on the DNS server ? updating to latest definition ?

Also see

* Check the events for any hint
* http://technet.microsoft.com/en-us/library/cc787724%28WS.10%29.aspx
* Check your DNS forwarder for unwanted entries ..
* Observe the nslookup timing

Improved Protection from Phishing Attacks

WatchGuard DNSWatch reduces malware infections by detecting and blocking malicious DNS requests, improving your ability to protect employees from phishing attacks. Learn more about our newest service included in Total Security Suite today!

Flush the DNS on the server
ipconfig /flushdns

It is probablt a fowarder.
Make sure that they are the same as your ISP.
Can also chuck in which is googles public dns
edz_pgtAuthor Commented:
Many thanks for all of your replies.

It seems that the notification emails have gone astray so I was unaware of your comments until a couple of minutes ago. Hence my delayed reply - sorry guys.

It now seems that DNS may have been a red herring. After a lot of investigation I've managed to narrow this down a lot. I've found that stopping the SMTP service brings the ping results back to normal.

To answer a previous question, I had been pinging www.google.com and getting replies at around 300ms - 600ms. Stop the SMTP service and these replies take around 50ms - 60ms.

So, my question I suppose is now related to email.

I've checked the queue, bad mail & pickup directories and they are empty. The UCEarchive folder has about 10 emails in it which appear quite normal.

Any ideas?

edz_pgtAuthor Commented:
A bit more information:

1. Stopping the default SMTP in Exchange stops the ping problem.
2. Disabling all inbound NAT ports at the router has no effect.
3. Disabling outbound mail in Exchange has no effect.

So, it appears to be smtp related but I can't see anything to explain it in the Exchange queues.

Not sure if this is relevant, but there's a lot of port 445 netbios activity on the network. Never really looked into this before so I'm not sure what levels of 445 traffic to expect.
>Could anyone explain how the DNS works in a small domain environment please?

1. The client contacts AD DNs server (ADDNS01) with a recursive query for www.google.com. The server must now return
either the answer or an error message.

2. ADDNS01 checks its cache and zones for the answer, but does not find it, so it contacts a server authoritative
for the Internet (that is, a root server ) with an iterative query for www.google.com.

3. The DNS server at the root of the Internet does not know the answer, so it responds with a referral to a DNS server
authoritative for the .com domain.

600ms of RTT latency

4. ADDNS01 contacts a DNS server authoritative for the .com domain with an iterative query for www.google.com.

5. The DNS server authoritative for the .com domain does not know the exact answer, so it responds with a referral
to a server authoritative for the google.com. domain.

Additional 600ms of latency

6. ADDNS01 contacts the DNS server authoritative for the google.com. domain with an iterative query for www.google.com.

7. The DNS server authoritative for the google.com. domain does know the answer. It responds with the requested IP address.

Again, an additional 600ms of latency on the query time, with a total of 1.8 seconds for the entire query to complete from
a client prespective

8. ADDNS01 responds to the client query with the IP address for www.google.com.


Stopping SMTP does appear to be the culprit; however by disabling outbound email and the NAT policy indicates that possibly internal client are filling up the SMTP queue causing congestion on the Ethernet link. I find  it hard to believe that SMTP traffic internally could be causing congestion on your internal network. Do you have the capability to log into the Ethernet switch and check the statistics of the switchport that the Exchange server is connected to. You could also install wireshark
on the Exchange server to analyze the packets and parse through the data to give you a better understanding what is going on from a packet level.

edz_pgtAuthor Commented:
Thanks Billy.

While testing this afternoon the traffic suddenly stopped of it's own accord. The only thing I noticed was that the apparently empty outbound smtp queues had vanished.

All is still quiet but I suspect the issue may return on Monday when the office staff are back at work.

Is there a simple guide to running wireshark? I've read a lot of people suggesting it's good but it seems really complicated at first glance.
>Is there a simple guide to running wireshark? I've read a lot of people suggesting it's good but it seems really complicated at first glance.

There is a guide, but parsing through all the data will be a bit intimidating; If you are not very knowledge in TCP/IP, then your best bet is to run a packet capture and ask the Experts here at the exchange to assist.

Rob WilliamsCommented:
You can filter traffic with Wireshark after you make the capture. Based on your comments I would filter out all but SMTP. I would also check to make sure your server is not exposed to being an open relay.
Or use the Microsoft on-line test tool:
edz_pgtAuthor Commented:
Just for the record....

The problem was due to a 15MB email being continuously rejected by Yahoo.com and being continuously resent.

The message wasn't visible in the queue until I blocked port 25 outbound on the router. Once I could see it, I could then delete and problem solved.

Thanks everyone.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 4
  • 2
  • 2
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now