DNS Resolution Failing on Certain Domains

Posted on 2011-05-05
Last Modified: 2012-05-11
Unable to resolve some rather well known web sites (e.g. and this is rather amusing given the facts below. Those that aren’t resolving are very limited thus far (only a handful).

We use Microsoft’s DNS service on a Windows Server 2008 R2 machine with Active Directory.  So to try and fix this, I first checked the DNS event log and didn’t see anything out of the ordinary.  I then tried simply restarting the DNS service without any improvement.  I then fired up nslookup on the AD/DNS machine and couldn’t resolve TigerDirect (TD) (request timed out).   I did this with a trace running on my Cisco PIX firewall and it showed a response coming back from a name server with a Format Error.  What’s interesting is that the query displayed by nslookup has no “additional record” part of the query.  However, the PIX trace shows an additional OPT-EDNS0 option added record.  It appears that the PIX is inserting this?!?!  And is this the reason the query is failing?  If I bypass my internal name server on nslookup and point to some external server, I can get TD to resolve and there’s no added record to the query in the PIX trace.

I then turned on DNS tracing and the event log said pretty much what nslookup said (no added record to the query). However, it showed the query response as ServFail and it also had event code 5504 in the event log (invalid domain name in the DNS packet was returned).

What I also noticed is that the name servers being consulted were not the ones in the root list.  And what’s “amusing” (actually frustrating and bewildering) is that the name servers being consulted belong to an IP range owned by TigerDirect.  So why aren’t my root servers being consulted or has my DNS been hijacked or polluted? (or is my DNS understanding skewed?)
Question by: ejefferson213
    LVL 33

    Expert Comment

    Is there a proxy server involved somewhere?  Specifically: Is there domain name filtering going on somewhere?

    Author Comment

    Thanks for the rapid response.  

    No proxy is in use or has ever been used and no domain filtering.
    LVL 33

    Expert Comment

    There's no evidence of poisoning?  You don't have a (fake) zone configured for Tiger Direct?
    LVL 70

    Accepted Solution

    > However, the PIX trace shows an additional OPT-EDNS0 option added record

    Outbound query? If so, your server will be adding it (EDNS is enabled by default).

    > So why aren’t my root servers being consulted

    They are, to get information about .com, but the root servers know nothing about the content of .com, and nothing at all about As long as you use Root Hints you'll end up querying individual name servers for individual domains. If you don't want that behaviour, use Forwarders.

    The most likely problem is that the response packet is too large and your PIX is dropping it (DNS packet inspection). Two ways you can test / prove that:

    1. Disable EDNS:

    dnscmd /Config /EnableEDnsProbes 0

    2. Modify your PIX to allow larger packets:

    You can either do this using the FixUp command (PIX IOS version 6.3.2 and below):

    fixup protocol dns maximum-length 4096

    Or by modifying the inspection policy on later versions:

    policy-map type inspect dns preset_dns_map
      message-length maximum 4096

    The value I've used here, 4096, is a reasonable one in a post-DNSSEC time.
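
The accepted answer turns on two wire-level details: the OPT pseudo-record that an EDNS-enabled server adds to the additional section of its outbound query, and a firewall length check that drops any DNS message larger than the configured maximum. The following Python script is an example added to this thread (not the poster's, Microsoft's or Cisco's code) that builds and parses such messages entirely offline, so the effect can be seen without touching a real resolver or PIX. Everything in it is constructed: the query name www.example.com, the advertised payload size 4000, the 192.0.2.x addresses, and the assumption that a strict DNS inspection enforces the classic 512-byte UDP limit until it is raised (the thread raises it to 4096).

```python
"""Constructed DNS wire messages showing why an EDNS0 OPT record changes what a
firewall's DNS inspection sees. Added example, not the thread's own tooling; all
messages are built locally and never sent on the network."""
import struct

TYPE_A, TYPE_OPT, CLASS_IN = 1, 41, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN"}
LEGACY_MAX_UDP = 512   # assumption: the pre-EDNS limit a strict inspection enforces


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Read a (possibly compressed) name at offset; return (name, offset after it)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if end is not None else off)


def opt_record(udp_payload_size):
    """EDNS0 OPT pseudo-record (RFC 6891): root name, TYPE 41, and the CLASS
    field reused to advertise the UDP payload size the sender can accept."""
    return b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_payload_size, 0, 0)


def build_query(qname, qid=0x1234, edns_udp_size=None):
    """Recursion-desired A query. With edns_udp_size set, the OPT record lands in
    the additional section (ARCOUNT=1): the 'added record' seen in the PIX trace."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    return msg + (opt_record(edns_udp_size) if edns_udp_size else b"")


def build_response(query, addresses, rcode=0, edns_udp_size=None):
    """Answer a query with one A record per address (owner name compressed to the
    question at offset 12), optionally echoing an OPT record as EDNS servers do."""
    q = parse_message(query)
    qname, qtype = q["questions"][0]
    flags = 0x8180 | rcode                         # QR, RD, RA + response code
    msg = struct.pack("!HHHHHH", q["id"], flags, 1, len(addresses), 0,
                      1 if edns_udp_size else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    for ip in addresses:
        rdata = bytes(int(octet) for octet in ip.split("."))
        msg += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, len(rdata)) + rdata
    return msg + (opt_record(edns_udp_size) if edns_udp_size else b"")


def parse_message(msg):
    """Decode header, question and all resource records into a plain dict."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, rclass, msg[off:off + rdlen]))
        off += rdlen
    opt = [r for r in records if r[1] == TYPE_OPT]
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "questions": questions,
        "answers": [".".join(str(b) for b in r[3]) for r in records if r[1] == TYPE_A],
        "edns_udp_size": opt[0][2] if opt else None,  # advertised in the CLASS field
        "length": len(msg),
    }


def inspection_passes(msg, max_length=LEGACY_MAX_UDP):
    """Model a firewall DNS-inspection length check: messages over the configured
    maximum are dropped, which the client then sees as a timeout."""
    return len(msg) <= max_length


if __name__ == "__main__":
    plain = build_query("www.example.com")
    edns = build_query("www.example.com", edns_udp_size=4000)
    print("query without OPT:", len(plain), "bytes")
    print("query with OPT:", len(edns), "bytes, advertises", parse_message(edns)["edns_udp_size"])
    # Constructed, deliberately fat response: 40 A records plus an OPT record.
    fat = build_response(edns, ["192.0.2.%d" % i for i in range(1, 41)], edns_udp_size=4000)
    print("response:", len(fat), "bytes; passes 512:", inspection_passes(fat),
          "; passes 4096:", inspection_passes(fat, 4096))
    # A server that does not understand EDNS may answer FORMERR, as in the PIX trace.
    print("FORMERR reply rcode:", parse_message(build_response(edns, [], rcode=1))["rcode"])
```

Running it shows the query growing from 33 to 44 bytes when the OPT record is added, a response that a 512-byte inspection limit would drop but a 4096-byte one would pass, and a FORMERR reply decoded the way the PIX trace reported it. Disabling EDNS probes (dnscmd above) removes the OPT record so responses stay within the old limit; raising the inspection maximum keeps EDNS and lets the larger answers through instead.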


    Author Closing Comment

    That was it!!! As soon as I disabled edns as you suggested, the problem disappeared.  BTW, I had previously set my firewall to accept larger packets (actually at 4096 as you suggested).  

I'll look into and the forwarders vs root hints a bit more.

    Thanks so much for your help!!!!!
