santaspores1 asked:
DNS and nslookup question

Hello,

I think I am having a DNS issue…

I am running windows server 2003.  It is a web server and it is also running DNS.

I was having problems sending smtp email through various applications so I decided to use nslookup.  Here is the behavior I am getting:

If I:
Nslookup [the fqdn of the smtp server]
It returns:
Server: localhost
Address: 127.0.0.1
*** localhost can't find [the fqdn of the smtp server] : Non-existent domain

If I:
Nslookup [the fqdn of the smtp server] [the fqdn of the company's primary name server]
It returns:
Exactly what it should return

Now, If I go to the DNS console on my server and look at the properties of my server's forward lookup zone – and go to the name server's tab – the fqdn and ip of [the company's primary name server] is there.  By default it listed the server's own fqdn and IP and I added the company's name server.  Also, if you look at the local network connection properties of my server and go to the dns tab I only list 127.0.0.1 as the dns server.

The way I thought this worked was that if my server cannot resolve a fqdn it would use the name servers listed on the name server tab of your forward lookup zone.  But based on those nslookup results above it seems that the company name server can resolve  [the fqdn of the smtp server], but my server is failing to resolve it and is not then going out to the company's name server for the resolution.

Not sure what I am doing wrong here…
DrDave242:
Is there a forwarder on your DNS server pointing to the company's name server?
santaspores1 (asker):
Here is what it looks like:

If I open the dns management console I see
[the name of my server]
     -- Forward Lookup Zones
          ----a folder for _msdcs.[the fqdn of my server]
          ---- a folder named [the fqdn of my server]

If you go to the properties of the folder named  [the fqdn of my server] under Forward lookup zones, and you look at the name server tab - you will see an entry for the company name server. Also, if you just click on the Forward lookup zone named my fqdn you will see a NS record for the company name server.  

Am I supposed to have a separate forward lookup zone for the company's name server?  I thought it should just be listed in the name server tab of the forward lookup zone named [my server's fqdn]
SOLUTION (DrDave242)
DrDave242:

Thanks - that is useful information.  The mail server is not in my server's domain.  Unfortunately, if I look at the forwarders tab I already have an entry for "All other DNS domains" and the IP showing below is that of my company's name server.

I manually added the company's name server to the name servers tab of my forward lookup zone - maybe I should remove that?
I recommend removing it, yes.
Note that my server is actually the only server in its domain.  
Hmm.. I might have mis-read, but:

Your mail server name is mail.YourDomain.com, and your internal DNS server has a Forward Lookup Zone called YourDomain.com?

If so, DNS will *not* head off anywhere else to find the address. Why would it? It owns the zone, it knows everything about it. This applies regardless of how you change the Name Server entries or what you do with the forwarders.

And if that's all true, you need to manually add a Host (A) record to the private version of your zone for your mail server.

Chris
I went to the forward lookup zone named [my server's domain].  I went to the name servers tab.  I deleted the company's name server - now it only shows itself (my server's fqdn).

I right-clicked my server name in dns and selected "clearcache" and then "update server data files"

Here is what nslookup now does:
If I type:
nslookup [the fqdn of my mail server]
I get
server: localhost
Address: 127.0.0.1
Non-authoritative answer:
Name: [shows the fqdn of my mail server]
Address: [shows the ip address of my mail server]

If I type:
nslookup [the fqdn of my mail server] [the fqdn of my company's name server]
I get
server: [the fqdn of my company's name server]
Address: [the IP of my company's name server]
DNS request timed out

I don't understand these results.  The first nslookup (no server specified) should not say non-authoritative I think.  And the second nslookup (using the company name server) should work perfectly and isn't.  
my mail server is at:
smtpserver.x.com

my web server running dns services is at:
myserver.y.x.com
oh, and the company name server is
nameserver.x.com
The first result is correct: your server is not authoritative for the SMTP server's domain, so it had to go elsewhere to find the answer, which is thus presented as "non-authoritative."  You'll get that for any query for a domain that your server doesn't host.

Now, the second result is odd.  Do you consistently get timeouts when querying that server?  Maybe that one was just a fluke.

> should not say non-authoritative I think

"It depends".

If you use a Forwarder then all responses you get will be Non-Authoritative. Otherwise, if the answer is cached, it will show non-authoritative.

Can you change how you're obscuring these names please? I understand the need to hide identity, but [ ... ] doesn't really do much to illustrate differences. By all means use mail.public.example, and something.private.example, or something equally obscure, but make it consistent and make it look sort of like real names please? I ask because there's no way for us to know how these relate:

[my server's domain]
[the fqdn of my mail server]
[the fqdn of my company's name server]

And without knowing that, we can't form reasonable hypotheses about the behaviour you're seeing here.

Cheers,

Chris
The only forward lookup zones I have are:
_msdcs.y.x.com
myserver.y.x.com
There is no forward lookup zone named x.com
Hah, cross-posted a bit.

x.com is also "my server's domain" and therefore the name of the existing Forward Lookup Zone?

When you deleted the NS record for nameserver.x.com it will have (probably) removed the A record for that host. If that's gone you'll get a timeout in nslookup because it has no means of finding the IP for the host you want to throw the query at.

Chris
Okay, and again :)

So to make sure it's clear. You have:

1. Internal DNS server which has a Forward lookup zone for y.x.com
2. External DNS server which has a Forward lookup zone for x.com
3. You need smtpserver.x.com to resolve (which it does now?)
4. You need ns1.x.com to resolve and respond to queries?

As long as your Internal DNS server doesn't host x.com, and only has a child of x.com, it should use whatever public name resolution mechanism you tell it (whether that's the default, Root Hints, or Forwarders).

Do you have Forwarders configured at the moment?

Chris
Sorry:

The web server that is running DNS and on which I am running nslookup commands:
Myserver.MyDomain.CompanyDomain.com

The smtp mail server I am trying to reach is:
smtpserver.CompanyDomain.com

The company's name server is:
nameserver.CompanyDomain.com

I have a forward lookup zone named MyDomain.CompanyDomain.com but I don't have one for CompanyDomain.com

I have nameserver.CompanyDomain.com as a forwarder.

The forward lookup zone named MyDomain.CompanyDomain.com used to have nameserver.CompanyDomain.com listed on the name server's tab, but I have just removed it based on comments above.

Note that my server is the only server on MyDomain.CompanyDomain.com
Cool, that's fine, makes sense.

Can you run:

nslookup smtpserver.companydomain.com <IP Of nameserver.companydomain.com>

That removes the additional complication of resolving nameserver back to an IP before nslookup can do stuff. If that times-out then it suggests your Forwarder won't work either.

Regarding the Forwarder (nameserver.CompanyDomain.com). Your public name server responds to recursive requests? That is, it will happily tell you an IP for www.google.com and so on? It's an unusual, and inadvisable, configuration, hence the question.

Chris
Chris:

I have a server that I control.  It is Myserver.MyDomain.CompanyDomain.com.  It is running DNS.  It has a forward lookup zone named MyDomain.CompanyDomain.com.  The company's name server (nameserver.CompanyDomain.com) is not currently on the name server's tab of the forward lookup zone.  If I click on the top of my dns tree and click properties, and go to the forwarders tab I see "All other DNS domains" at the top and the IP address for nameserver.CompanyDomain.com at the bottom

nameserver.CompanyDomain.com is not under my control.  But it should be able to resolve everything.

I need to resolve smtpserver.CompanyDomain.com.  I would like my server (Myserver.MyDomain.CompanyDomain.com) to forward requests to nameserver.CompanyDomain.com which should be able to resolve everything

So... after removing nameserver.CompanyDomain.com from the name server tab of my forward lookup zone,

If I type nslookup smtpserver.CompanyDomain.com
it resolves properly (and should show non-authoritative)

But If I type  nslookup smtpserver.CompanyDomain.com nameserver.CompanyDomain.com it does not work (and this shouldn't concern me?)

If I run:
nslookup smtpserver.CompanyDomain.com <IP Of nameserver.companydomain.com>
I get
DNS request timed out
*** can't find server name for address....

and I do have a reverse lookup zone as well.
ASKER CERTIFIED SOLUTION (Chris)
Chris,

Thank you for the several clarifications there.  This is great.  I am running the nslookup commands from the server.  They work just fine when I run the same commands from my workstation.  Note that my workstation does not use Myserver.MyDomain.CompanyDomain.com as its name server - it uses nameserver.CompanyDomain.com.

This server in question (Myserver.MyDomain.CompanyDomain.com) is in a DMZ. The firewall allows it to send on port 25 (for the smtp email)... but I guess it needs to be able to send UDP port 53 as well for nslookup to work correctly?

I still seem to be having trouble communicating with the smtp server...
> but I guess it needs to be able to send UDP port 53 as well for nslookup to work correctly?

Correct. Just outbound though, not inbound (just in case :)).

> Note that my workstation does not use Myserver.MyDomain.CompanyDomain.com as its name server -
> it uses nameserver.CompanyDomain.com.

That's fine, as long as you issue the command with the servername on the end it will be directed. That is, it doesn't matter what you have in IPConfig, the request will be sent to the specified server.

You get a non-authoritative answer for your mail server name with an IP, right? Are you able to telnet to port 25 on that server now?

Chris
From the server if I
nslookup smtpserver.CompanyDomain.com <ip address of the company's name server>
It says
Server: <shows the fqdn of the company's name server>
Address: repeats the address
But then it says
DNS request timed out

Which is expected... because it seems that I do not have port 53 outbound open.

Actually I could send an email msg through telnet before.  I will try again in a moment.  I have other apps on the server that should be generating smtp emails and are not...
hmmm from the server I

Telnet
set localecho
o <the domain that the smtp server is on> 25

I got a connection to... could not open connection to the host.
I suspect if you open up 53 it'll spring to life. Lets see, for that to be the case, I'd expect this command to return "doesn't exist" or similar:

nslookup smtpserver.CompanyDomain.com

Omitting the IP from the end sends that request to the DNS server configured in TCP/IP settings.

It's also worth checking out:

ping smtpserver.CompanyDomain.com

NsLookup is great, but it completely bypasses the DNS Client (resolver), that means it ignores the Hosts file, it ignores WINS, and so on. In some cases that difference is critical. Imagine someone put an entry for smtpserver.CompanyDomain.com into Hosts, and the IP is now wrong. NsLookup would tell you one thing, ping another.

Chris
telnet
set localecho
open <fqdn of the smtp server>
connection failed.

which is odd - this was actually working before.  This absolutely sucks.
and now typing nslookup smtpserver.CompanyDomain.com
(without specifying a server) is timing out... and it was working an hour ago!
oh, it actually said
DNS request timed out
but then gave a Non-authoritative answer which was correct.
and I re-issued the command and it did NOT time out... it just gave the correct non-authoritative answer.
Note that the local connection tcp/ip properties on the server do not specify any WINS servers and LMHOSTS is not enabled.
ping -a smtpserver.CompanyDomain.com
shows:
pinging smtpserver.CompanyDomain.com [and it shows the correct ip address for that] Request timed out.
telnet should be allowing me to connect... that is again signs of a problem.
It's having trouble resolving it; that suggests you're getting a timeout talking to the Forwarder, and that it's falling back to Root Hints.

That is, you start NsLookup and it sends the request, the request times out, but shortly afterwards the response arrives at the server. The response gets cached and next time you run nslookup you get that back, with the non-authoritative flag.

It's quite easy to see how that can happen, DNS uses UDP, UDP is blissfully unaware of whether or not a remote system has received a particular request (let alone whether or not it has responded). It waits a bit, then if nothing is found it times out. But again, because it's blissfully unaware, if the response turns up it'll go "okay, sure, I'll pop it in the cache".

If you manage to fix the network access you should find that delay goes away, and your first request (after the cache has been cleared) will be without "non-authoritative".

Chris
and telnet should not care about port 53.
Don't forget that this one:
telnet
set localecho
open <fqdn of the smtp server>
connection failed.


Is a connection to TCP/23, the Telnet Port, not a connection to 25. You must explicitly tell it to connect to 25.

Chris
But shouldn't I be able to telnet and open smtpserver.CompanyDomain.com - I don't need port 53 open to do that do I?
> and telnet should not care about port 53.

Only if you use the IP, not the name.

Hmm one more for you.

The server itself will cache DNS responses (in addition to the DNS server doing it). In the case of a negative response it will cache that for 5 minutes. If in doubt, run "ipconfig /flushdns" and try again.

You can always see the content of the local cache with "ipconfig /displaydns".

Chris
telnet
set localecho
open <ip address of the smtp server> 25
tells me it "could not open connection to the host on port 25... connection failed."
Hmm that can't be DNS, I'm afraid that would need both the remote server and your local firewall testing.

Ping (ICMP) is closed, right?

Chris
ipconfig /flushdns

I did that and re-tried everything.  No change.  Still couldn't get a connection with the following:
telnet
set localecho
open smtp1.usouthal.edu 25
yes - ping is closed I believe.

And thanks again for all of this help.  Though I am still stuck I DO appreciate this.
Anything you can check on the Firewall at all? DNS won't be messing around with access to the service if you can actually get the IP back, or when you use the IP along with the telnet command.

Chris
Chris,

Not personally.  But I can make a request.  I have already put in a request to open outbound udp 53... but it will probably take a day or two just to get a reply.  Other than opening everything is there a short-list of what ports you think might be relevant here?
Only what's necessary. I'd have:

SMTP (TCP/25) Outbound
DNS (TCP/53) Outbound
DNS (UDP/53) Outbound

The TCP version for DNS is only used if UDP overflows (when the response is too big for UDP), I tend to allow it, even if it's rare to see it used.

Chris
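The following is an added Python example, not code from the thread or from either participant. It illustrates two things discussed above: the response header flags behind nslookup's "Non-authoritative answer" versus "Non-existent domain" verdicts (a forwarder or cached reply never carries the AA bit), and the UDP-first, TCP/53-only-on-truncation behaviour behind the port list. The hostname smtpserver.CompanyDomain.com, the 192.0.2.x addresses and the responses produced by build_response() are placeholders constructed for the example; only query() touches the network, and it returns None on the "DNS request timed out" case the thread hit when outbound UDP/53 was blocked.

```python
# Minimal DNS wire-format helpers (RFC 1035). Added example, not thread code.
import socket
import struct

# Header flag bits, RFC 1035 section 4.1.1
FLAG_QR = 0x8000   # 1 = response
FLAG_AA = 0x0400   # authoritative answer: the server hosts the zone itself
FLAG_TC = 0x0200   # truncated: client should retry over TCP
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available (a usable forwarder sets this)
RCODE_NXDOMAIN = 3
QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name):
    """'a.example.' -> b'\\x01a\\x07example\\x00' (labels, no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)

def parse_header(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "authoritative": bool(flags & FLAG_AA),
            "truncated": bool(flags & FLAG_TC),
            "recursion_available": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "questions": qd, "answers": an}

def _skip_name(msg, off):
    """Advance past a (possibly compressed) name starting at offset off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer
            return off + 2
        off += 1 + length

def first_ipv4(msg):
    """Address from the first A record in the answer section, or None."""
    h = parse_header(msg)
    off = 12
    for _ in range(h["questions"]):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(h["answers"]):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            return socket.inet_ntoa(msg[off:off + 4])
        off += rdlen
    return None

def describe(msg):
    """The verdict nslookup would print for this response."""
    h = parse_header(msg)
    if h["rcode"] == RCODE_NXDOMAIN:
        return "Non-existent domain"
    if h["answers"] == 0:
        return "No answer records"
    return "Authoritative answer" if h["authoritative"] else "Non-authoritative answer"

def build_response(query, ip=None, authoritative=False, rcode=0):
    """Constructed reply to a build_query() message (test fixture, not captured traffic)."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | rcode | (FLAG_AA if authoritative else 0)
    question = query[12:]
    if ip is None:
        return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) + socket.inet_aton(ip)
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + rr

def query(name, server, timeout=2.0):
    """Live lookup: UDP/53 first, TCP/53 only if the reply is truncated.
    Returns None on timeout; UDP cannot tell whether the query or the reply
    was dropped, which is the 'DNS request timed out' symptom from the thread."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    if parse_header(data)["truncated"]:
        with socket.create_connection((server, 53), timeout=timeout) as t:
            t.sendall(struct.pack("!H", len(q)) + q)      # TCP framing: 2-byte length prefix
            length = struct.unpack("!H", t.recv(2))[0]
            data = b""
            while len(data) < length:
                chunk = t.recv(length - len(data))
                if not chunk:
                    break
                data += chunk
    return data
```

Running `describe(query("smtpserver.CompanyDomain.com", "<IP of nameserver.CompanyDomain.com>"))` from the DMZ host reproduces the nslookup experiment: None means port 53 outbound is blocked, "Non-authoritative answer" is what a forwarder or cache legitimately returns, and only a server that hosts the zone itself sets AA.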
This has been more help than I am entitled to expect.  I am going to go ahead and close this dialogue now and award the points.  I will still come back and post the results of freeing up udp/53 however.  Thank you guys so much for taking the time and explaining all of this to me.  It is incredibly valuable!
For some reason, it isn't allowing me to award points to multiple comments.  I clicked Accept multiple solutions, but only the comment I select has an "enter point amount" box present.  Didn't seem to work in IE either... and I have done this before.
Duh.  I got it.  Thanks for all of the help!!!

You're welcome :)

Chris
Just an update

As per Chris' suggestions I opened outbound UDP/53.  Now (again just as he figured) both nslookup commands (with and without a server specified) work and work the first time (no cache required).

Thanks man, you rock.

My connection to the mail server is still having problems however.
telnet
set localecho
open smtpserver.CompanyDomain.com 25
still gives me "could not open connection to the host"
The same thing happens if I use the ip of the mail server
Either they failed to open up 25, or the mail server really isn't listening. Are you able to check the mail server?

Chris