DNS and nslookup question

Hello,

I think I am having a DNS issue…

I am running Windows Server 2003.  It is a web server and it is also running DNS.

I was having problems sending smtp email through various applications so I decided to use nslookup.  Here is the behavior I am getting:

If I:
Nslookup [the fqdn of the smtp server]
It returns:
Server: localhost
Address: 127.0.0.1
*** localhost can't find [the fqdn of the smtp server] : Non-existent domain

If I:
Nslookup [the fqdn of the smtp server] [the fqdn of the company's primary name server]
It returns:
Exactly what it should return

Now, if I go to the DNS console on my server and look at the properties of my server's forward lookup zone, and go to the Name Servers tab, the fqdn and IP of [the company's primary name server] is there.  By default it listed the server's own fqdn and IP and I added the company's name server.  Also, if you look at the local network connection properties of my server and go to the DNS tab, I only list 127.0.0.1 as the DNS server.

The way I thought this worked was that if my server cannot resolve a fqdn it would use the name servers listed on the Name Servers tab of your forward lookup zone.  But based on those nslookup results above it seems that the company name server can resolve [the fqdn of the smtp server], but my server is failing to resolve it and is not then going out to the company's name server for the resolution.

Not sure what I am doing wrong here…
santaspores1Asked:
Chris DentPowerShell DeveloperCommented:
> It is Myserver.MyDomain.CompanyDomain.com.  It is running DNS.  It has a forward lookup
> zone named MyDomain.CompanyDomain.com

That's fine. Does not conflict with CompanyDomain.com at all so we can ignore anything to do with the internal Forward Lookup Zones.

> is not currently on the name server's tab

Good. It does not need to be, nor is there any benefit in it being there.

> at the top and the IP address for nameserver.CompanyDomain.com at the bottom / But it should be able to resolve everything.

Questionable configuration, implied security issue, but not on your side. Like you say, it's not under your control, so...

> and this shouldn't concern me?

It should. Where are you running that command from? Your server? Or your workstation? Suggests a problem with network-access, that is, it suggests you cannot send to UDP port 53 from the system running nslookup in this instance.

> and I do have a reverse lookup zone as well.

Good, but won't have any impact here.

Chris
0
 
DrDave242Commented:
Is there a forwarder on your DNS server pointing to the company's name server?
0
 
santaspores1Author Commented:
Here is what it looks like:

If I open the dns management console I see
[the name of my server]
     -- Forward Lookup Zones
          ----a folder for _msdcs.[the fqdn of my server]
          ---- a folder named [the fqdn of my server]

If you go to the properties of the folder named  [the fqdn of my server] under Forward lookup zones, and you look at the name server tab - you will see an entry for the company name server. Also, if you just click on the Forward lookup zone named my fqdn you will see a NS record for the company name server.  

Am I supposed to have a separate forward lookup zone for the company's name server?  I thought it should just be listed in the Name Servers tab of the forward lookup zone named [my server's fqdn]
0
 
DrDave242Commented:
I'm assuming the SMTP server does not reside in your domain, since your own DNS server does not have a host record for it.  (If this assumption is incorrect, let me know.)  Since your DNS server does not host the forward lookup zone for the SMTP server's domain, it must go elsewhere to resolve that query.  This process of going elsewhere is accomplished either through forwarders (not the same as forward lookup zones) or root hints, either of which will tell the server where to send your query in the hope of getting an authoritative answer.  Without getting into a discussion about the advantages and disadvantages of each method (which are thoroughly discussed here at EE and elsewhere), I'll say that creating a forwarder on your server will likely provide quick resolution to this issue.

In order to create the forwarder, open the DNS console on your server, right-click the server's name, and select Properties.  In the Forwarders tab, make sure "All other DNS domains" is selected in the upper field and type the IP address of the company's name server in the address field, then click Add.  Click OK to close the properties window, then check to see if nslookup is able to resolve the SMTP server's FQDN on your server.  (Note: you can also create conditional forwarders in the same location, which tell your server to forward queries for specific domains to specific servers.)

Regarding the name server records on your DNS server, you should only add an NS record for the company's name server if that server is authoritative for the zone - if it also hosts that same forward lookup zone, in other words.
0
 
santaspores1Author Commented:
DrDave242:

Thanks - that is useful information.  The mail server is not in my server's domain.  Unfortunately, if I look at the forwarders tab I already have an entry for "All other DNS domains" and the IP showing below is that of my company's name server.

I manually added the company's name server to the name servers tab of my forward lookup zone - maybe I should remove that?
0
 
DrDave242Commented:
I recommend removing it, yes.
0
 
santaspores1Author Commented:
Note that my server is actually the only server in its domain.  
0
 
Chris DentPowerShell DeveloperCommented:
Hmm.. I might have mis-read, but:

Your mail server name is mail.YourDomain.com, and your internal DNS server has a Forward Lookup Zone called YourDomain.com?

If so, DNS will *not* head off anywhere else to find the address. Why would it? It owns the zone, it knows everything about it. This applies regardless of how you change the Name Server entries or what you do with the forwarders.

And if that's all true, you need to manually add a Host (A) record to the private version of your zone for your mail server.

Chris
0
 
santaspores1Author Commented:
I went to the forward lookup zone named [my server's domain].  I went to the Name Servers tab.  I deleted the company's name server - now it only shows itself (my server's fqdn).

I right-clicked my server name in dns and selected "clearcache" and then "update server data files"

Here is what nslookup now does:
If I type:
nslookup [the fqdn of my mail server]
I get
server: localhost
Address: 127.0.0.1
Non-authoritative answer:
Name: [shows the fqdn of my mail server]
Address: [shows the ip address of my mail server]

If I type:
nslookup [the fqdn of my mail server] [the fqdn of my company's name server]
I get
server: [the fqdn of my company's name server]
Address: [the IP of my company's name server]
DNS request timed out

I don't understand these results.  The first nslookup (no server specified) should not say non-authoritative I think.  And the second nslookup (using the company name server) should work perfectly and isn't.  
0
 
santaspores1Author Commented:
my mail server is at:
smtpserver.x.com

my web server running dns services is at:
myserver.y.x.com
0
 
santaspores1Author Commented:
oh, and the company name server is
nameserver.x.com
0
 
DrDave242Commented:
The first result is correct: your server is not authoritative for the SMTP server's domain, so it had to go elsewhere to find the answer, which is thus presented as "non-authoritative."  You'll get that for any query for a domain that your server doesn't host.

Now, the second result is odd.  Do you consistently get timeouts when querying that server?  Maybe that one was just a fluke.
0
 
Chris DentPowerShell DeveloperCommented:

> should not say non-authoritative I think

"It depends".

If you use a Forwarder then all responses you get will be Non-Authoritative. Otherwise if the answer is cached it will show non-authoritative.

Can you change how you're obscuring these names please? I understand the need to hide identity, but [ ... ] doesn't really do much to illustrate differences. By all means use mail.public.example, and something.private.example, or something equally obscure, but make it consistent and make it look sort of like real names please? I ask because there's no way for us to know how these relate:

[my server's domain]
[the fqdn of my mail server]
[the fqdn of my company's name server]

And without knowing that, we can't form reasonable hypotheses about the behaviour you're seeing here.

Cheers,

Chris
0
 
santaspores1Author Commented:
The only forward lookup zones I have are:
_msdcs.y.x.com
myserver.y.x.com
There is no forward lookup zone named x.com
0
 
Chris DentPowerShell DeveloperCommented:
hah cross posted a bit.

x.com is also "my server's domain" and therefore the name of the existing Forward Lookup Zone?

When you deleted the NS record for nameserver.x.com it will have (probably) removed the A record for that host. If that's gone you'll get a timeout in nslookup because it has no means of finding the IP for the host you want to throw the query at.

Chris
0
 
Chris DentPowerShell DeveloperCommented:
Okay, and again :)

So to make sure it's clear. You have:

1. Internal DNS server which has a Forward lookup zone for y.x.com
2. External DNS server which has a Forward lookup zone for x.com
3. You need smtpserver.x.com to resolve (which it does now?)
4. You need ns1.x.com to resolve and respond to queries?

As long as your Internal DNS server doesn't host x.com, and only has a child of x.com, it should use whatever public name resolution mechanism you tell it (whether that's the default, Root Hints, or Forwarders).

Do you have Forwarders configured at the moment?

Chris
0
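To make Chris's point concrete (a server that hosts a zone answers from that zone and never forwards for names under it, while a server that only hosts a child zone hands everything else to its forwarder), here is a small model of that decision. This is an added example written for this thread, not code from either participant or from the Windows DNS service; the zone contents, the forwarder data and the addresses are constructed placeholders, and root hints are not modelled.

```python
# Constructed zone data using the thread's placeholder names; nothing here is a real host.
HOSTED_ZONES = {
    "mydomain.companydomain.com": {
        "myserver.mydomain.companydomain.com": "192.0.2.10",
    },
}

FORWARDER_DATA = {  # what nameserver.CompanyDomain.com would answer (constructed)
    "smtpserver.companydomain.com": "198.51.100.25",
}


def matching_zone(name, zones):
    """Return the longest hosted zone the name falls under, or None if the server
    hosts no zone covering it. 'a.b.example' is covered by 'b.example' but not by
    'x.b.example', so a server hosting only a child zone does not claim the parent."""
    name = name.rstrip(".").lower()
    best = None
    for zone in zones:
        zone = zone.lower()
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def resolve(name, zones=HOSTED_ZONES, forwarder=None):
    """Model the decision Chris describes.

    If the server hosts a zone that covers the name, it answers from that zone
    and that is final: a missing record is an authoritative NXDOMAIN, and neither
    the Name Servers tab nor the Forwarders tab changes that. Only a name outside
    every hosted zone is handed to the forwarder (root hints are not modelled).
    """
    key = name.rstrip(".").lower()
    zone = matching_zone(key, zones)
    if zone is not None:
        address = zones[zone].get(key)
        return {"source": "zone", "zone": zone, "authoritative": True,
                "rcode": "NOERROR" if address else "NXDOMAIN", "address": address}
    if forwarder is None:
        return {"source": "none", "zone": None, "authoritative": False,
                "rcode": "SERVFAIL", "address": None}
    address = forwarder(key)
    return {"source": "forwarder", "zone": None, "authoritative": False,
            "rcode": "NOERROR" if address else "NXDOMAIN", "address": address}


def constructed_forwarder(name):
    """Stand-in for the company name server; returns an address or None."""
    return FORWARDER_DATA.get(name)
```

Run `resolve("smtpserver.CompanyDomain.com", HOSTED_ZONES, constructed_forwarder)` to see the forwarded, non-authoritative answer the poster gets once the forwarder is reachable; swap in `{"companydomain.com": {}}` as the zone set to see the authoritative NXDOMAIN Chris warned about, with the forwarder never consulted.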
 
santaspores1Author Commented:
Sorry:

The web server that is running DNS and on which I am running nslookup commands:
Myserver.MyDomain.CompanyDomain.com

The smtp mail server I am trying to reach is:
smtpserver.CompanyDomain.com

The company's name server is:
nameserver.CompanyDomain.com

I have a forward lookup zone named MyDomain.CompanyDomain.com but I don't have one for CompanyDomain.com

I have nameserver.CompanyDomain.com as a forwarder.

The forward lookup zone named MyDomain.CompanyDomain.com used to have nameserver.CompanyDomain listed on the Name Servers tab, but I have just removed it based on comments above.

Note that my server is the only server on MyDomain.CompanyDomain.com
0
 
Chris DentPowerShell DeveloperCommented:
Cool, that's fine, makes sense.

Can you run:

nslookup smtpserver.companydomain.com <IP Of nameserver.companydomain.com>

That removes the additional complication of resolving nameserver back to an IP before nslookup can do stuff. If that times-out then it suggests your Forwarder won't work either.

Regarding the Forwarder (nameserver.CompanyDomain.com). Your public name server responds to recursive requests? That is, it will happily tell you an IP for www.google.com and so on? It's unusual, and inadvisable configuration, hence the question.

Chris
0
 
santaspores1Author Commented:
Chris:

I have a server that I control.  It is Myserver.MyDomain.CompanyDomain.com.  It is running DNS.  It has a forward lookup zone named MyDomain.CompanyDomain.com.  The company's name server (nameserver.CompanyDomain.com) is not currently on the Name Servers tab of the forward lookup zone.  If I click on the top of my DNS tree and click properties, and go to the Forwarders tab I see "All other DNS domains" at the top and the IP address for nameserver.CompanyDomain.com at the bottom

nameserver.CompanyDomain.com is not under my control.  But it should be able to resolve everything.

I need to resolve smtpserver.CompanyDomain.com.  I would like my server (Myserver.MyDomain.CompanyDomain.com) to forward requests to nameserver.CompanyDomain.com which should be able to resolve everything

So... after removing nameserver.CompanyDomain.com from the name server tab of my forward lookup zone,

If I type nslookup smtpserver.CompanyDomain.com
it resolves properly (and should show non-authoritative)

But If I type  nslookup smtpserver.CompanyDomain.com nameserver.CompanyDomain.com it does not work (and this shouldn't concern me?)

0
 
santaspores1Author Commented:
If I run:
nslookup smtpserver.CompanyDomain.com <IP Of nameserver.companydomain.com>
I get
DNS request timed out
*** can't find server name for address....

and I do have a reverse lookup zone as well.
0
 
santaspores1Author Commented:
Chris,

Thank you for the several clarifications there.  This is great.  I am running the nslookup commands from the server.  They work just fine when I run the same commands from my workstation.  Note that my workstation does not use Myserver.MyDomain.CompanyDomain.com as its name server - it uses nameserver.CompanyDomain.com.

This server in question (Myserver.MyDomain.CompanyDomain.com) is in a DMZ. The firewall allows it to send on port 25 (for the smtp email)... but I guess it needs to be able to send UDP port 53 as well for nslookup to work correctly?

I still seem to be having trouble communicating with the smtp server...
0
 
Chris DentPowerShell DeveloperCommented:
> but I guess it needs to be able to send UDP port 53 as well for nslookup to work correctly?

Correct. Just outbound though, not inbound (just in case :)).

> Note that my workstation does not use Myserver.MyDomain.CompanyDomain.com as its name server -
> it uses nameserver.CompanyDomain.com.

That's fine, as long as you issue the command with the servername on the end it will be directed. That is, it doesn't matter what you have in IPConfig, the request will be sent to the specified server.

You get a non-authoritative answer for your mail server name with an IP, right? Are you able to telnet to port 25 on that server now?

Chris
0
 
santaspores1Author Commented:
From the server if I
nslookup smtpserver.CompanyDomain.com <ip address of the company's name server>
It says
Server: <shows the fqdn of the company's name server>
Address: repeats the address
But then it says
DNS request timed out

Which is expected... because it seems that I do not have port 53 outbound open.

Actually I could send an email msg through telnet before.  I will try again in a moment.  I have other apps on the server that should be generating smtp emails and are not...
0
 
santaspores1Author Commented:
hmmm from the server I

Telnet
set localecho
o <the domain that the smtp server is on> 25

I got a connection to... could not open connection to the host.
0
 
Chris DentPowerShell DeveloperCommented:
I suspect if you open up 53 it'll spring to life. Let's see, for that to be the case, I'd expect this command to return "doesn't exist" or similar:

nslookup smtpserver.CompanyDomain.com

Omitting the IP from the end sends that request to the DNS server configured in TCP/IP settings.

It's also worth checking out:

ping smtpserver.CompanyDomain.com

NsLookup is great, but it completely bypasses the DNS Client (resolver), that means it ignores the Hosts file, it ignores WINS, and so on. In some cases that difference is critical. Imagine someone put an entry for smtpserver.CompanyDomain.com into Hosts, and the IP is now wrong. NsLookup would tell you one thing, ping another.

Chris
0
 
santaspores1Author Commented:
telnet
setlocalecho
open <fqdn of the smtp server>
connection failed.

which is odd - this was actually working before.  This absolutely sucks.
0
 
santaspores1Author Commented:
and now typing nslookup smtpserver.CompanyDomain.com
(without specifying a server) is timing out... and it was working an hour ago!
0
 
santaspores1Author Commented:
oh it actually said
DNS request timed out
but then gave a Non-authoritative answer which was correct.
0
 
santaspores1Author Commented:
and I re-issued the command and it did NOT time out... it just gave the correct non-authoritative answer.
0
 
santaspores1Author Commented:
Note that the local connection tcp/ip properties on the server do not specify any WINS servers and LMHOSTS is not enabled.
0
 
santaspores1Author Commented:
ping -a smtpserver.CompanyDomain.com
shows:
pinging smtpserver.CompanyDomain.com [and it shows the correct ip address for that] Request timed out.
0
 
santaspores1Author Commented:
telnet should be allowing me to connect... that is again signs of a problem.
0
 
Chris DentPowerShell DeveloperCommented:
It's having trouble resolving it, it suggests that you're getting a timeout talking to the Forwarder, that it's falling back to Root Hints.

That is, you start NsLookup and it sends the request, the request times out, but shortly afterwards the response arrives at the server. The response gets cached and next time you run nslookup you get that back, with the non-authoritative flag.

It's quite easy to see how that can happen, DNS uses UDP, UDP is blissfully unaware of whether or not a remote system has received a particular request (let alone whether or not it has responded). It waits a bit, then if nothing is found it times out. But again, because it's blissfully unaware, if the response turns up it'll go "okay, sure, I'll pop it in the cache".

If you manage to fix the network access you should find that delay goes away, and your first request (after the cache has been cleared) will be without "non-authoritative".

Chris
0
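Both of Chris's explanations, that a forwarded or cached answer comes back without the AA bit and is therefore shown as "Non-authoritative", and that a UDP query which gets no reply in time is reported as "DNS request timed out" even if the reply shows up later, can be seen directly on the wire. The following is an added example, not code from the thread's participants or from nslookup itself: it builds the same kind of query `nslookup name server` sends, parses the reply header and A records, and renders them the way nslookup does. The two sample replies are constructed byte strings with placeholder names and addresses; `query_server` is the only function that touches the network and is there so the reader can point it at a server of their own.

```python
import socket
import struct

# Constructed placeholder, not a real host.
SAMPLE_NAME = "smtpserver.companydomain.example"


def build_query(name, txid=0x1234):
    """Build a plain A query for `name` with Recursion Desired set, which is what
    nslookup sends when you type `nslookup name server`."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN


def _skip_name(data, offset):
    """Step over a domain name that may end in a compression pointer."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Pull out the header bits nslookup turns into its messages, plus any A records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4     # skip QTYPE and QCLASS
    addresses = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return {
        "txid": txid,
        "authoritative": bool(flags & 0x0400),   # AA bit: clear on forwarded/cached answers
        "rcode": flags & 0x000F,                 # 0 NOERROR, 3 NXDOMAIN
        "addresses": addresses,
    }


def describe(reply):
    """Render a parsed reply (or None for no reply) the way nslookup reports it."""
    if reply is None:
        return "DNS request timed out"
    if reply["rcode"] == 3:
        return "Non-existent domain"
    prefix = "" if reply["authoritative"] else "Non-authoritative answer: "
    return prefix + ", ".join(reply["addresses"])


def query_server(server_ip, name, timeout=2.0):
    """Send one query straight to server_ip on UDP/53 and wait up to `timeout` seconds.

    None means nothing came back in time. With UDP there is no way to tell whether
    the datagram was dropped by an egress firewall or the reply is merely late, which
    is exactly why a late reply can still land in the server's cache and be served
    to the next, seemingly successful, query.
    """
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server_ip, 53))
        try:
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return None
    reply = parse_response(data)
    return reply if reply["txid"] == txid else None  # ignore replies to other queries


def _sample_reply(flags, answer_rr):
    question = build_query(SAMPLE_NAME)[12:]
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, 1 if answer_rr else 0, 0, 0)
    return header + question + answer_rr


def sample_forwarded_reply():
    """Constructed reply as a forwarder returns it: QR|RD|RA set, AA clear, one A record."""
    rr = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.25")
    return _sample_reply(0x8180, rr)


def sample_nxdomain_reply():
    """Constructed reply from a server that owns the zone but has no record: AA set, RCODE 3."""
    return _sample_reply(0x8583, b"")
```

`describe(parse_response(sample_forwarded_reply()))` gives the "Non-authoritative answer" line the poster sees through the forwarder, `describe(parse_response(sample_nxdomain_reply()))` the "Non-existent domain" an authoritative server returns, and `describe(query_server("<IP of your forwarder>", "<name>"))` reproduces the `nslookup name server` test from the thread, returning "DNS request timed out" when UDP/53 egress is blocked.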
 
santaspores1Author Commented:
and telnet should not care about port 53.
0
 
Chris DentPowerShell DeveloperCommented:
Don't forget that this one:
telnet
setlocalecho
open <fqdn of the smtp server>
connection failed.

Is a connection to TCP/23, the Telnet Port, not a connection to 25. You must explicitly tell it to connect to 25.

Chris
0
 
santaspores1Author Commented:
But shouldn't I be able to telnet and open smtpserver.CompanyDomain.com - I don't need port 53 open to do that do I?
0
 
Chris DentPowerShell DeveloperCommented:
> and telnet should not care about port 53.

Only if you use the IP, not the name.

Hmm one more for you.

The server itself will cache DNS responses (in addition to the DNS server doing it). In the case of a negative response it will cache that for 5 minutes. If in doubt, run "ipconfig /flushdns" and try again.

You can always see the content of the local cache with "ipconfig /displaydns".

Chris
0
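The negative-cache behaviour Chris describes is easy to trip over during exactly this kind of troubleshooting: a lookup fails while UDP/53 is blocked, the host remembers the failure, and the same lookup keeps failing after the firewall is fixed until the entry expires or is flushed. The model below is an added example, not code from the thread or from the Windows DNS Client; the 300-second negative TTL is taken from Chris's "5 minutes", the upstream lookup and its address are constructed, and `flush` and `display` stand in for `ipconfig /flushdns` and `ipconfig /displaydns`.

```python
import time

NEGATIVE_TTL = 300  # seconds: the 5-minute negative-cache window Chris mentions (assumed value)


class ManualClock:
    """Deterministic clock so the cache behaviour can be replayed without waiting."""

    def __init__(self):
        self.now = 0.0

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class ResolverCache:
    """Toy model of the DNS Client cache on the host (not the DNS Server's cache).

    lookup(name) stands in for the real resolver's network query and returns
    (address, ttl) on success or (None, 0) when the query failed or timed out.
    """

    def __init__(self, lookup, clock=time.monotonic):
        self._lookup = lookup
        self._clock = clock
        self._entries = {}   # name -> (address or None, expires_at)
        self.lookups = 0     # how many times we actually went to the network

    def resolve(self, name):
        key = name.rstrip(".").lower()
        entry = self._entries.get(key)
        if entry is not None and entry[1] > self._clock():
            return entry[0]  # served from cache, a cached failure included
        self.lookups += 1
        address, ttl = self._lookup(key)
        # A failed answer is remembered for NEGATIVE_TTL; a good one for its own TTL.
        lifetime = NEGATIVE_TTL if address is None else ttl
        self._entries[key] = (address, self._clock() + lifetime)
        return address

    def flush(self):
        """Equivalent of `ipconfig /flushdns`."""
        self._entries.clear()

    def display(self):
        """Rough equivalent of `ipconfig /displaydns`: unexpired entries and seconds left."""
        now = self._clock()
        return {name: (addr, int(exp - now))
                for name, (addr, exp) in self._entries.items() if exp > now}


def scenario():
    """Replay the thread: the lookup fails while UDP/53 is blocked, the block is
    lifted, yet the host keeps answering from its negative cache until flushed."""
    clock = ManualClock()
    upstream = {"reachable": False}

    def lookup(name):  # constructed upstream, not a real query
        return ("198.51.100.25", 3600) if upstream["reachable"] else (None, 0)

    cache = ResolverCache(lookup, clock)
    results = [cache.resolve("smtpserver.CompanyDomain.com")]        # None: blocked
    upstream["reachable"] = True                                     # firewall fixed
    results.append(cache.resolve("smtpserver.CompanyDomain.com"))    # still None: negative cache
    cache.flush()
    results.append(cache.resolve("smtpserver.CompanyDomain.com"))    # now resolves
    return results
```

`scenario()` returns `[None, None, "198.51.100.25"]`: the middle result is the one that makes people think a fix "didn't work", and it is why flushing the client cache belongs in the checklist before retesting.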
 
santaspores1Author Commented:
telnet
set setlocalecho
open <ip address of the smtp server> 25
tells me it "could not open connection to the host on port 25... connection failed."
0
 
Chris DentPowerShell DeveloperCommented:
Hmm that can't be DNS, I'm afraid that would need both the remote server and your local firewall testing.

Ping (ICMP) is closed, right?

Chris
0
 
santaspores1Author Commented:
ipconfig /flushdns

I did that and re-tried everything.  No change.  Still couldn't get a connection with the following:
telnet
set localecho
open smtp1.usouthal.edu 25
0
 
santaspores1Author Commented:
yes - ping is closed I believe.

And thanks again for all of this help.  Though I am still stuck I DO appreciate this.
0
 
Chris DentPowerShell DeveloperCommented:
Anything you can check on the Firewall at all? DNS won't be messing around with access to the service if you can actually get the IP back, or when you use the IP along with the telnet command.

Chris
0
 
santaspores1Author Commented:
Chris,

Not personally.  But I can make a request.  I have already put in a request to open outbound udp 53... but it will probably take a day or two just to get a reply.  Other than opening everything is there a short-list of what ports you think might be relevant here?
0
 
Chris DentPowerShell DeveloperCommented:
Only what's necessary. I'd have:

SMTP (TCP/25) Outbound
DNS (TCP/53) Outbound
DNS (UDP/53) Outbound

The TCP version for DNS is only used if UDP overflows (when the response is too big for UDP), I tend to allow it, even if it's rare to see it used.

Chris
0
 
santaspores1Author Commented:
This has been more help than I am entitled to expect.  I am going to go ahead and close this dialogue now and award the points.  I will still come back and post the results of freeing up udp/53 however.  Thank you guys so much for taking the time and explaining all of this to me.  It is incredibly valuable!
0
 
santaspores1Author Commented:
For some reason, it isn't allowing me to award points to multiple comments.  I clicked Accept multiple solutions, but only the comment I select has an "enter point amount" box present.  Didn't seem to work in IE either... and I have done this before.
0
 
santaspores1Author Commented:
Duh.  I got it.  Thanks for all of the help!!!
0
 
Chris DentPowerShell DeveloperCommented:

You're welcome :)

Chris
0
 
santaspores1Author Commented:
Just an update

As per Chris' suggestions I opened outbound UDP/53.  Now (again just as he figured) both nslookup commands (with and without a server specified) work and work the first time (no cache required).

Thanks man, you rock.

My connection to the mail server is still having problems however.
telnet
set localecho
open smtpserver.CompanyDomain.com 25
still gives me "could not open connection to the host"
The same thing happens if I use the ip of the mail server
0
 
Chris DentPowerShell DeveloperCommented:
Either they failed to open up 25, or the mail server really isn't listening. Are you able to check the mail server?

Chris
0