DNS and nslookup question

Posted on 2011-05-04
Last Modified: 2012-05-11
Hello,

I think I am having a DNS issue…

I am running windows server 2003.  It is a web server and it is also running DNS.

I was having problems sending smtp email through various applications so I decided to use nslookup.  Here is the behavior I am getting:

If I:
Nslookup [the fqdn of the smtp server]
It returns:
Server: localhost
Address: 127.0.0.1
*** localhost can't find [the fqdn of the smtp server] : Non-existent domain

If I:
Nslookup [the fqdn of the smtp server] [the fqdn of the company's primary name server]
It returns:
Exactly what it should return

Now, If I go to the DNS console on my server and look at the properties of my server's forward lookup zone – and go to the name server's tab – the fqdn and ip of [the company's primary name server] is there.  By default it listed the server's own fqdn and IP and I added the company's name server.  Also, if you look at the local network connection properties of my server and go to the dns tab I only list 127.0.0.1 as the dns server.

The way I thought this worked was that if my server cannot resolve a fqdn it would use the name servers listed on the name server tab of your forward lookup zone.  But based on those nslookup results above it seems that the company name server can resolve  [the fqdn of the smtp server], but my server is failing to resolve it and is not then going out to the company's name server for the resolution.

Not sure what I am doing wrong here…
Question by: santaspores1

Expert Comment by DrDave242 (ID: 35691108)
Is there a forwarder on your DNS server pointing to the company's name server?

Author Comment by santaspores1 (ID: 35691211)
Here is what it looks like:

If I open the dns management console I see
[the name of my server]
     -- Forward Lookup Zones
          ----a folder for _msdcs.[the fqdn of my server]
          ---- a folder named [the fqdn of my server]

If you go to the properties of the folder named  [the fqdn of my server] under Forward lookup zones, and you look at the name server tab - you will see an entry for the company name server. Also, if you just click on the Forward lookup zone named my fqdn you will see a NS record for the company name server.  

Am I supposed to have a separate forward lookup zone for the company's name server?  I thought it should just be listed in the name server tab of the forward lookup zone named [my server's fqdn]

Assisted Solution by DrDave242 (earned 600 points, ID: 35691339)
I'm assuming the SMTP server does not reside in your domain, since your own DNS server does not have a host record for it.  (If this assumption is incorrect, let me know.)  Since your DNS server does not host the forward lookup zone for the SMTP server's domain, it must go elsewhere to resolve that query.  This process of going elsewhere is accomplished either through forwarders (not the same as forward lookup zones) or root hints, either of which will tell the server where to send your query in the hope of getting an authoritative answer.  Without getting into a discussion about the advantages and disadvantages of each method (which are thoroughly discussed here at EE and elsewhere), I'll say that creating a forwarder on your server will likely provide quick resolution to this issue.

In order to create the forwarder, open the DNS console on your server, right-click the server's name, and select Properties.  In the Forwarders tab, make sure "All other DNS domains" is selected in the upper field and type the IP address of the company's name server in the address field, then click Add.  Click OK to close the properties window, then check to see if nslookup is able to resolve the SMTP server's FQDN on your server.  (Note: you can also create conditional forwarders in the same location, which tell your server to forward queries for specific domains to specific servers.)

Regarding the name server records on your DNS server, you should only add an NS record for the company's name server if that server is authoritative for the zone - if it also hosts that same forward lookup zone, in other words.

Author Comment by santaspores1 (ID: 35691442)
DrDave242:

Thanks - that is useful information.  The mail server is not in my server's domain.  Unfortunately, if I look at the forwarders tab I already have an entry for "All other DNS domains" and the IP showing below is that of my company's name server.

I manually added the company's name server to the name servers tab of my forward lookup zone - maybe I should remove that?

Expert Comment by DrDave242 (ID: 35691469)
I recommend removing it, yes.

Author Comment by santaspores1 (ID: 35691470)
Note that my server is actually the only server in its domain.  

Expert Comment by Chris Dent (ID: 35691904)
Hmm.. I might have mis-read, but:

Your mail server name is mail.YourDomain.com, and your internal DNS server has a Forward Lookup Zone called YourDomain.com?

If so, DNS will *not* head off anywhere else to find the address. Why would it? It owns the zone, it knows everything about it. This applies regardless of how you change the Name Server entries or what you do with the forwarders.

And if that's all true, you need to manually add a Host (A) record to the private version of your zone for your mail server.

Chris

Author Comment by santaspores1 (ID: 35691966)
I went to the forward lookup zone named [my server's domain].  I went to the name servers tab.  I deleted the company's name server - now it only shows itself (my server's fqdn).

I right-clicked my server name in dns and selected "clearcache" and then "update server data files"

Here is what nslookup now does:
If I type:
nslookup [the fqdn of my mail server]
I get
server: localhost
Address: 127.0.0.1
Non-authoritative answer:
Name: [shows the fqdn of my mail server]
Address: [shows the ip address of my mail server]

If I type:
nslookup [the fqdn of my mail server] [the fqdn of my company's name server]
I get
server: [the fqdn of my company's name server]
Address: [the IP of my company's name server]
DNS request timed out

I don't understand these results.  The first nslookup (no server specified) should not say non-authoritative I think.  And the second nslookup (using the company name server) should work perfectly and isn't.  

Author Comment by santaspores1 (ID: 35692005)
my mail server is at:
smtpserver.x.com

my web server running dns services is at:
myserver.y.x.com

Author Comment by santaspores1 (ID: 35692015)
oh, and the company name server is
nameserver.x.com

Expert Comment by DrDave242 (ID: 35692026)
The first result is correct: your server is not authoritative for the SMTP server's domain, so it had to go elsewhere to find the answer, which is thus presented as "non-authoritative."  You'll get that for any query for a domain that your server doesn't host.

Now, the second result is odd.  Do you consistently get timeouts when querying that server?  Maybe that one was just a fluke.

Expert Comment by Chris Dent (ID: 35692031)

> should not say non-authoritative I think

"It depends".

If you use a Forwarder then all responses you get will be Non-Authoritative. Otherwise if the answer is cached it will show non-authoritative.

Can you change how you're obscuring these names please? I understand the need to hide identity, but [ ... ] doesn't really do much to illustrate differences. By all means use mail.public.example, and something.private.example, or something equally obscure, but make it consistent and make it look sort of like real names please? I ask because there's no way for us to know how these relate:

[my server's domain]
[the fqdn of my mail server]
[the fqdn of my company's name server]

And without knowing that, we can't form reasonable hypotheses about the behaviour you're seeing here.

Cheers,

Chris
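The two nslookup results this thread turns on, "Non-existent domain" and "Non-authoritative answer", are both read straight out of the DNS response header: the former is RCODE 3 (NXDOMAIN), the latter means the AA (authoritative answer) bit is clear, which is always the case for an answer obtained through a forwarder or served from cache, as Chris says. The following Python script is an added example written for this page, not code from the thread or from either expert. It builds the query nslookup sends and decodes three hand-constructed replies for the placeholder name smtpserver.companydomain.com; 192.0.2.25 is a documentation address standing in for the real mail server.

```python
"""Decode what nslookup is telling you (added example, not code from the thread).
"Non-existent domain" is RCODE 3 in the response header; "Non-authoritative
answer" means the AA bit is clear, which a forwarded or cached answer never sets.
The replies below are hand-constructed for the thread's placeholder name.
"""
import struct

# Header flag bits, RFC 1035 section 4.1.1
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def encode_name(name):
    """'a.b.c' -> length-prefixed labels ending in a zero byte (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid, qtype=1):
    """Recursive A query with one question, as nslookup sends it (RD set)."""
    return struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg, off):
    """Read a name, following compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def decode_response(msg):
    """Header fields and A answers: the inputs to nslookup's verdict."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & QR:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                                # skip the echoed question
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                  # render A records dotted-quad
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "authoritative": bool(flags & AA), "truncated": bool(flags & TC),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "answers": answers}

def nslookup_verdict(msg):
    """Summarise a response the way nslookup's output does."""
    r = decode_response(msg)
    if r["rcode"] == "NXDOMAIN":
        return "Non-existent domain"
    if r["truncated"]:
        return "Truncated: retry over TCP/53"          # the reason to allow TCP/53 too
    if not r["answers"]:
        return "No answer (rcode %s)" % r["rcode"]
    prefix = "" if r["authoritative"] else "Non-authoritative answer: "
    return prefix + ", ".join(a[3] for a in r["answers"] if a[1] == 1)

def make_response(query, rcode=0, authoritative=False, addr=None, ttl=300):
    """Constructed reply to `query` (test data, not captured traffic)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | RA | rcode | (AA if authoritative else 0)
    answer, an = b"", 0
    if addr is not None:
        an = 1
        answer = (b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4)   # name = pointer to offset 12
                  + bytes(int(x) for x in addr.split(".")))
    return struct.pack("!HHHHHH", txid, flags, 1, an, 0, 0) + query[12:] + answer

QUERY = build_query("smtpserver.companydomain.com", txid=0x1234)
NXDOMAIN_REPLY = make_response(QUERY, rcode=3)                            # first nslookup in the thread
FORWARDED_REPLY = make_response(QUERY, addr="192.0.2.25")                 # via forwarder/cache: AA clear
AUTH_REPLY = make_response(QUERY, addr="192.0.2.25", authoritative=True)  # from the zone's own server

if __name__ == "__main__":
    for label, pkt in (("nxdomain", NXDOMAIN_REPLY), ("forwarded", FORWARDED_REPLY), ("authoritative", AUTH_REPLY)):
        print("%-14s %s" % (label, nslookup_verdict(pkt)))
```

Run it and the three constructed replies print as the three verdicts nslookup would show. The TC (truncated) bit is decoded as well: a reply that does not fit in a UDP datagram is flagged TC and the client retries over TCP/53, which is the reason Chris gives later in the thread for allowing TCP/53 outbound alongside UDP/53.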
 

Author Comment by santaspores1 (ID: 35692047)
The only forward lookup zones I have are:
_msdcs.y.x.com
myserver.y.x.com
There is no forward lookup zone named x.com

Expert Comment by Chris Dent (ID: 35692054)
hah cross posted a bit.

x.com is also "my server's domain" and therefore the name of the existing Forward Lookup Zone?

When you deleted the NS record for nameserver.x.com it will have (probably) removed the A record for that host. If that's gone you'll get a timeout in nslookup because it has no means of finding the IP for the host you want to throw the query at.

Chris

Expert Comment by Chris Dent (ID: 35692089)
Okay, and again :)

So to make sure it's clear. You have:

1. Internal DNS server which has a Forward lookup zone for y.x.com
2. External DNS server which has a Forward lookup zone for x.com
3. You need smtpserver.x.com to resolve (which it does now?)
4. You need ns1.x.com to resolve and respond to queries?

As long as your Internal DNS server doesn't host x.com, and only has a child of x.com, it should use whatever public name resolution mechanism you tell it (whether that's the default, Root Hints, or Forwarders).

Do you have Forwarders configured at the moment?

Chris

Author Comment by santaspores1 (ID: 35692110)
Sorry:

The web server that is running DNS and on which I am running nslookup commands:
Myserver.MyDomain.CompanyDomain.com

The smtp mail server I am trying to reach is:
smtpserver.CompanyDomain.com

The company's name server is:
nameserver.CompanyDomain.com

I have a forward lookup zone named MyDomain.CompanyDomain.com but I don't have one for CompanyDomain.com

I have nameserver.CompanyDomain.com as a forwarder.

The forward lookup zone named MyDomain.CompanyDomain.com used to have nameserver.CompanyDomain listed on the name server's tab, but I have just removed it based on comments above.

Note that my server is the only server on MyDomain.CompanyDomain.com

Expert Comment by Chris Dent (ID: 35692145)
Cool, that's fine, makes sense.

Can you run:

nslookup smtpserver.companydomain.com <IP Of nameserver.companydomain.com>

That removes the additional complication of resolving nameserver back to an IP before nslookup can do stuff. If that times out then it suggests your Forwarder won't work either.

Regarding the Forwarder (nameserver.CompanyDomain.com). Your public name server responds to recursive requests? That is, it will happily tell you an IP for www.google.com and so on? It's unusual, and inadvisable configuration, hence the question.

Chris

Author Comment by santaspores1 (ID: 35692212)
Chris:

I have a server that I control.  It is Myserver.MyDomain.CompanyDomain.com.  It is running DNS.  It has a forward lookup zone named MyDomain.CompanyDomain.com.  The company's name server (nameserver.CompanyDomain.com) is not currently on the name server's tab of the forward lookup zone.  If I click on the top of my dns tree and click properties, and go to the forwarders tab I see "All other DNS domains" at the top and the IP address for nameserver.CompanyDomain.com at the bottom

nameserver.CompanyDomain.com is not under my control.  But it should be able to resolve everything.

I need to resolve smtpserver.CompanyDomain.com.  I would like my server (Myserver.MyDomain.CompanyDomain.com) to forward requests to nameserver.CompanyDomain.com which should be able to resolve everything

So... after removing nameserver.CompanyDomain.com from the name server tab of my forward lookup zone,

If I type nslookup smtpserver.CompanyDomain.com
it resolves properly (and should show non-authoritative)

But If I type  nslookup smtpserver.CompanyDomain.com nameserver.CompanyDomain.com it does not work (and this shouldn't concern me?)


Author Comment by santaspores1 (ID: 35692230)
If I run:
nslookup smtpserver.CompanyDomain.com <IP Of nameserver.companydomain.com>
I get
DNS request timed out
*** can't find server name for address....

and I do have a reverse lookup zone as well.

Accepted Solution by Chris Dent (earned 1400 points, ID: 35692289)
> It is Myserver.MyDomain.CompanyDomain.com.  It is running DNS.  It has a forward lookup
> zone named MyDomain.CompanyDomain.com

That's fine. Does not conflict with CompanyDomain.com at all so we can ignore anything to do with the internal Forward Lookup Zones.

> is not currently on the name server's tab

Good. It does not need to be, nor is there any benefit in it being there.

> at the top and the IP address for nameserver.CompanyDomain.com at the bottom / But it should be able to resolve everything.

Questionable configuration, implied security issue, but not on your side. Like you say, it's not under your control, so...

> and this shouldn't concern me?

It should. Where are you running that command from? Your server? Or your workstation? Suggests a problem with network-access, that is, it suggests you cannot send to UDP port 53 from the system running nslookup in this instance.

> and I do have a reverse lookup zone as well.

Good, but won't have any impact here.

Chris

Author Comment by santaspores1 (ID: 35693046)
Chris,

Thank you for the several clarifications there.  This is great.  I am running the nslookup commands from the server.  They work just fine when I run the same commands from my workstation.  Note that my workstation does not use Myserver.MyDomain.CompanyDomain.com as its name server - it uses nameserver.CompanyDomain.com.

This server in question (Myserver.MyDomain.CompanyDomain.com) is in a DMZ. The firewall allows it to send on port 25 (for the smtp email)... but I guess it needs to be able to send UDP port 53 as well for nslookup to work correctly?

I still seem to be having trouble communicating with the smtp server...

Expert Comment by Chris Dent (ID: 35693086)
> but I guess it needs to be able to send UDP port 53 as well for nslookup to work correctly?

Correct. Just outbound though, not inbound (just in case :)).

> Note that my workstation does not use Myserver.MyDomain.CompanyDomain.com as its name server -
> it uses nameserver.CompanyDomain.com.

That's fine, as long as you issue the command with the servername on the end it will be directed. That is, it doesn't matter what you have in IPConfig, the request will be sent to the specified server.

You get a non-authoritative answer for your mail server name with an IP, right? Are you able to telnet to port 25 on that server now?

Chris

Author Comment by santaspores1 (ID: 35693205)
From the server if I
nslookup smtpserver.CompanyDomain.com <ip address of the company's name server>
It says
Server: <shows the fqdn of the company's name server>
Address: repeats the address
But then it says
DNS request timed out

Which is expected... because it seems that I do not have port 53 outbound open.

Actually I could send an email msg through telnet before.  I will try again in a moment.  I have other apps on the server that should be generating smtp emails and are not...

Author Comment by santaspores1 (ID: 35693234)
hmmm from the server I

Telnet
set localecho
o <the domain that the smtp server is on> 25

I got a connection to... could not open connection to the host.

Expert Comment by Chris Dent (ID: 35693261)
I suspect if you open up 53 it'll spring to life. Let's see; for that to be the case, I'd expect this command to return "doesn't exist" or similar:

nslookup smtpserver.CompanyDomain.com

Omitting the IP from the end sends that request to the DNS server configured in TCP/IP settings.

It's also worth checking out:

ping smtpserver.CompanyDomain.com

NsLookup is great, but it completely bypasses the DNS Client (resolver), that means it ignores the Hosts file, it ignores WINS, and so on. In some cases that difference is critical. Imagine someone put an entry for smtpserver.CompanyDomain.com into Hosts, and the IP is now wrong. NsLookup would tell you one thing, ping another.

Chris
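A quick way to act on Chris's point that nslookup bypasses the resolver: compare what the Hosts file says for a name with what nslookup got from the DNS server. The script below is an added example written for this page, not code from the thread. It parses Hosts-file syntax (comments, aliases, IPv6), reports the first mapping listed for a name, and flags a mismatch; SAMPLE_HOSTS is constructed for the demonstration and deliberately contains a stale entry for the thread's placeholder mail server name, using 192.0.2.x documentation addresses.

```python
"""Does the local Hosts file override a name that nslookup resolves correctly?
Added example, not code from the thread. nslookup queries the DNS server
directly; ping, telnet and the SMTP client go through the resolver, which
consults Hosts before DNS. SAMPLE_HOSTS is constructed data.
"""
import ipaddress
import os
import sys

# Constructed sample, not a real file; note the stale mail server entry.
SAMPLE_HOSTS = """\
# constructed sample header comment
127.0.0.1       localhost
192.0.2.99      smtpserver.CompanyDomain.com    # left over from a migration
::1             localhost
not-an-ip       ignored.example
"""

def hosts_path():
    """Location the resolver reads on this OS (Windows or Unix-like)."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"

def parse_hosts(text):
    """Return [(hostname_lower, ip, lineno)] for every usable entry.
    Comments (after '#'), blank lines and lines whose first field is not an
    IP address are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((name.lower(), ip, lineno))
    return entries

def hosts_override(text, name):
    """First Hosts mapping for `name` (case-insensitive, trailing dot ignored), or None."""
    name = name.lower().rstrip(".")
    for host, ip, _ in parse_hosts(text):
        if host == name:
            return ip
    return None

def compare(text, name, dns_answer):
    """One-line verdict comparing Hosts with the address nslookup returned."""
    override = hosts_override(text, name)
    if override is None:
        return "no Hosts entry for %s; resolver will use DNS (%s)" % (name, dns_answer)
    if override == dns_answer:
        return "Hosts entry for %s matches DNS (%s)" % (name, dns_answer)
    return "STALE Hosts entry for %s: resolver uses %s, DNS says %s" % (name, override, dns_answer)

if __name__ == "__main__":
    # On a real machine: open(hosts_path()).read() instead of SAMPLE_HOSTS,
    # and pass the address nslookup printed as the third argument.
    print(compare(SAMPLE_HOSTS, "smtpserver.CompanyDomain.com", "192.0.2.25"))
```

On the server in the thread you would read hosts_path() instead of SAMPLE_HOSTS and pass the address nslookup printed; a STALE verdict is exactly the case Chris describes, where nslookup looks healthy while ping and the SMTP client connect to the wrong address.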
 

Author Comment by santaspores1 (ID: 35693264)
telnet
set localecho
open <fqdn of the smtp server>
connection failed.

which is odd - this was actually working before.  This absolutely sucks.

Author Comment by santaspores1 (ID: 35693282)
and now typing nslookup smtpserver.CompanyDomain.com
(without specifying a server) is timing out... and it was working an hour ago!

Author Comment by santaspores1 (ID: 35693292)
Oh, it actually said
DNS request timed out
but then gave a Non-authoritative answer which was correct.

Author Comment by santaspores1 (ID: 35693302)
and I re-issued the command and it did NOT time out... it just gave the correct non-authoritative answer.

Author Comment by santaspores1 (ID: 35693317)
Note that the local connection tcp/ip properties on the server do not specify any WINS servers and LMHOSTS is not enabled.

Author Comment by santaspores1 (ID: 35693338)
ping -a smtpserver.CompanyDomain.com
shows:
Pinging smtpserver.CompanyDomain.com [and it shows the correct ip address for that]
Request timed out.

Author Comment by santaspores1 (ID: 35693348)
telnet should be allowing me to connect... that is again signs of a problem.

Expert Comment by Chris Dent (ID: 35693353)
It's having trouble resolving it; that suggests you're getting a timeout talking to the Forwarder, and that it's falling back to Root Hints.

That is, you start NsLookup and it sends the request, the request times out, but shortly afterwards the response arrives at the server. The response gets cached and next time you run nslookup you get that back, with the non-authoritative flag.

It's quite easy to see how that can happen: DNS uses UDP, and UDP is blissfully unaware of whether or not a remote system has received a particular request (let alone whether or not it has responded). It waits a bit, then if nothing is found it times out. But again, because it's blissfully unaware, if the response turns up it'll go "okay, sure, I'll pop it in the cache".

If you manage to fix the network access you should find that delay goes away, and your first request (after the cache has been cleared) will be without "non-authoritative".

Chris
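Chris's description of the timeout above can be reproduced end to end without touching a real resolver. The script below is an added example written for this page, not code from the thread: a fake "forwarder" listening on loopback delays its reply past the client's timeout, and a minimal caching resolver gives up waiting but keeps its UDP socket open, so the reply that arrives late is still read, matched to the original query by transaction ID, and handed back from cache on the next query. The datagram format (a 2-byte ID followed by the name) is a stand-in for real DNS messages, and nothing here leaves 127.0.0.1.

```python
"""Why nslookup can print "DNS request timed out" and then, run again, return a
cached (non-authoritative) answer. Added example, not code from the thread.
A fake forwarder on loopback answers late; the resolver stops waiting after
its timeout but the UDP socket stays open, so the late datagram is still read
and cached. The 2-byte ID + name payload is a stand-in for real DNS messages.
"""
import socket
import struct
import threading
import time

def slow_forwarder(sock, delay):
    """Echo each request's transaction ID back after `delay` seconds."""
    while True:
        try:
            data, peer = sock.recvfrom(512)
        except OSError:                      # socket closed by demo()
            return
        time.sleep(delay)
        try:
            sock.sendto(data[:2] + b"late-answer", peer)
        except OSError:
            return

class Resolver:
    """Caching stub: UDP carries no delivery state, so a reply arriving after
    we stopped waiting is still a valid reply and is matched by transaction ID."""

    def __init__(self, upstream, timeout):
        self.upstream, self.timeout = upstream, timeout
        self.cache, self.pending, self.next_id = {}, {}, 1
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind(("127.0.0.1", 0))

    def _drain(self, wait):
        """Read replies for up to `wait` seconds and file them under their query name."""
        self.sock.settimeout(wait)           # 0 means non-blocking: just collect what is there
        try:
            while True:
                data, _ = self.sock.recvfrom(512)
                txid = struct.unpack("!H", data[:2])[0]
                name = self.pending.pop(txid, None)   # drop replies to IDs we never sent
                if name is not None:
                    self.cache[name] = data[2:]
        except (socket.timeout, BlockingIOError):
            pass

    def resolve(self, name):
        """Return (answer_or_None, served_from_cache)."""
        self._drain(0)                       # collect anything that arrived late
        if name in self.cache:
            return self.cache[name], True
        txid, self.next_id = self.next_id, self.next_id + 1
        self.pending[txid] = name
        self.sock.sendto(struct.pack("!H", txid) + name.encode("ascii"), self.upstream)
        self._drain(self.timeout)            # wait, but only this long
        return self.cache.get(name), False

    def close(self):
        self.sock.close()

def demo(forwarder_delay=0.3, client_timeout=0.1):
    """Reproduce the sequence in the thread: timeout first, cached answer second."""
    fsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    fsock.bind(("127.0.0.1", 0))
    threading.Thread(target=slow_forwarder, args=(fsock, forwarder_delay), daemon=True).start()
    resolver = Resolver(fsock.getsockname(), client_timeout)
    try:
        first = resolver.resolve("smtpserver.companydomain.com")   # (None, False)
        time.sleep(forwarder_delay + 0.3)                           # the reply lands meanwhile
        second = resolver.resolve("smtpserver.companydomain.com")  # (b'late-answer', True)
        return first, second
    finally:
        resolver.close()
        fsock.close()

if __name__ == "__main__":
    print(demo())
```

demo() returns (None, False) for the first lookup and (b'late-answer', True) for the second. The same ID matching is the security-relevant detail: a late reply is accepted on the strength of its transaction ID alone, so a resolver that uses predictable IDs and a fixed source port lets anyone who can guess the ID of an outstanding query plant an answer in the cache; production resolvers randomise both to make that guess expensive.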
 

Author Comment by santaspores1 (ID: 35693356)
and telnet should not care about port 53.

Expert Comment by Chris Dent (ID: 35693362)
Don't forget that this one:
telnet
set localecho
open <fqdn of the smtp server>
connection failed.

Is a connection to TCP/23, the Telnet Port, not a connection to 25. You must explicitly tell it to connect to 25.

Chris

Author Comment by santaspores1 (ID: 35693385)
But shouldn't I be able to telnet and open smtpserver.CompanyDomain.com - I don't need port 53 open to do that do I?

Expert Comment by Chris Dent (ID: 35693388)
> and telnet should not care about port 53.

Only if you use the IP, not the name.

Hmm one more for you.

The server itself will cache DNS responses (in addition to the DNS server doing it). In the case of a negative response it will cache that for 5 minutes. If in doubt, run "ipconfig /flushdns" and try again.

You can always see the content of the local cache with "ipconfig /displaydns".

Chris

Author Comment by santaspores1 (ID: 35693481)
telnet
set localecho
open <ip address of the smtp server> 25
tells me it "could not open connection to the host on port 25... connection failed."

Expert Comment by Chris Dent (ID: 35693490)
Hmm that can't be DNS, I'm afraid that would need both the remote server and your local firewall testing.

Ping (ICMP) is closed, right?

Chris

Author Comment by santaspores1 (ID: 35693508)
ipconfig /flushdns

I did that and re-tried everything.  No change.  Still couldn't get a connection with the following:
telnet
set localecho
open smtp1.usouthal.edu 25

Author Comment by santaspores1 (ID: 35693518)
yes - ping is closed I believe.

And thanks again for all of this help.  Though I am still stuck I DO appreciate this.

Expert Comment by Chris Dent (ID: 35694347)
Anything you can check on the Firewall at all? DNS won't be messing around with access to the service if you can actually get the IP back, or when you use the IP along with the telnet command.

Chris

Author Comment by santaspores1 (ID: 35697297)
Chris,

Not personally.  But I can make a request.  I have already put in a request to open outbound udp 53... but it will probably take a day or two just to get a reply.  Other than opening everything is there a short-list of what ports you think might be relevant here?

Expert Comment by Chris Dent (ID: 35697409)
Only what's necessary. I'd have:

SMTP (TCP/25) Outbound
DNS (TCP/53) Outbound
DNS (UDP/53) Outbound

The TCP version for DNS is only used if UDP overflows (when the response is too big for UDP), I tend to allow it, even if it's rare to see it used.

Chris

Author Comment by santaspores1 (ID: 35697976)
This has been more help than I am entitled to expect.  I am going to go ahead and close this dialogue now and award the points.  I will still come back and post the results of freeing up udp/53 however.  Thank you guys so much for taking the time and explaining all of this to me.  It is incredibly valuable!

Author Comment by santaspores1 (ID: 35698053)
For some reason, it isn't allowing me to award points to multiple comments.  I clicked Accept multiple solutions, but only the comment I select has an "enter point amount" box present.  Didn't seem to work in IE either... and I have done this before.

Author Comment by santaspores1 (ID: 35698072)
Duh.  I got it.  Thanks for all of the help!!!

Expert Comment by Chris Dent (ID: 35698140)

You're welcome :)

Chris

Author Comment by santaspores1 (ID: 35699218)
Just an update

As per Chris' suggestions I opened outbound UDP/53.  Now (again just as he figured) both nslookup commands (with and without a server specified) work and work the first time (no cache required).

Thanks man, you rock.

My connection to the mail server is still having problems however.
telnet
set localecho
open smtpserver.CompanyDomain.com 25
still gives me "could not open connection to the host"
The same thing happens if I use the ip of the mail server

Expert Comment by Chris Dent (ID: 35699376)
Either they failed to open up 25, or the mail server really isn't listening. Are you able to check the mail server?

Chris