DNS Resolution Failing on Certain Domains
Posted on 2011-05-05
Unable to resolve some rather well-known web sites (e.g. tigerdirect.com), and this is rather amusing given the facts below. Those that aren’t resolving are very limited thus far (only a handful).
We use Microsoft’s DNS service on a Windows Server 2008 R2 machine with Active Directory. So, to try and fix this, I first checked the DNS event log and didn’t see anything out of the ordinary. I then tried simply restarting the DNS service, without any improvement. I then fired up nslookup on the AD/DNS machine and couldn’t resolve TigerDirect (TD) (request timed out). I did this with a trace running on my Cisco PIX firewall, and it showed a response coming back from a name server with a Format Error. What’s interesting is that the query displayed by nslookup has no “additional record” part. However, the PIX trace shows an additional record: an OPT (EDNS0) record. It appears that the PIX is inserting this?! And is this the reason the query is failing? If I bypass my internal name server in nslookup and point to some external server, I can get TD to resolve, and there’s no added record in the query in the PIX trace.
I then turned on DNS tracing, and the event log said pretty much what nslookup said (no added record in the query). However, it showed the query response as ServFail, and it also had event code 5504 in the event log (an invalid domain name in the DNS packet was returned).
What I also noticed is that the name servers being consulted were not the ones in the root list. And what’s “amusing” (actually frustrating and bewildering) is that the name servers being consulted belong to an IP range owned by TigerDirect. So why aren’t my root servers being consulted, or has my DNS been hijacked or polluted? (Or is my understanding of DNS skewed?)
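The two packet shapes the post contrasts (a plain A query with an empty additional section, and the same query carrying an OPT record, which is how EDNS0 per RFC 6891 is signalled on the wire) and the Format Error reply can be reproduced offline. The script below is an added example written for this page, not code from the original poster; it builds both query forms, decodes the RCODE of a reply (FORMERR = 1, SERVFAIL = 2), and performs the retry-without-OPT fallback that a resolver is expected to do when an authoritative server answers FORMERR to an EDNS0 query. The reply is constructed by `make_reply` rather than captured from a real server, and names such as `strip_edns` are the example’s own.

```python
"""DNS A queries with and without an EDNS0 OPT record, RCODE decoding,
and the EDNS fallback.  Standard library only; nothing touches the network."""
import struct

QTYPE_A, QCLASS_IN, TYPE_OPT = 1, 1, 41
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Dotted host name -> uncompressed DNS label sequence."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid=0x1234, edns=False, udp_size=4096):
    """Recursive A query.  With edns=True an OPT pseudo-RR is appended,
    so ARCOUNT becomes 1: the 'additional record' seen in a packet trace."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    msg = header + question
    if edns:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size,
        # TTL = extended RCODE / version / flags (all zero here), RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, udp_size, 0, 0)
    return msg


def decode_name(data, off, max_hops=16):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:            # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_message(data):
    """Header fields, question list and whether an OPT record is present."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, has_opt = 12, [], False
    for _ in range(qd):
        qname, off = decode_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an + ns + ar):             # walk RRs only to spot OPT
        _, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        has_opt = has_opt or rtype == TYPE_OPT
    rcode = flags & 0x000F
    return {"id": qid, "is_response": bool(flags & 0x8000), "rcode": rcode,
            "rcode_name": RCODES.get(rcode, "RCODE%d" % rcode),
            "qdcount": qd, "arcount": ar, "questions": questions,
            "has_opt": has_opt}


def _question_end(msg):
    qd = struct.unpack("!H", msg[4:6])[0]
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4
    return off


def make_reply(query, rcode):
    """Constructed reply (not a captured packet): echo ID and question with QR
    set and the given RCODE, no answers and no OPT, as a server that rejects
    EDNS0 with FORMERR typically does."""
    qid, flags, qd = struct.unpack("!HHH", query[:6])
    header = struct.pack("!HHHHHH", qid, 0x8000 | (flags & 0x0100) | rcode, qd, 0, 0, 0)
    return header + query[12:_question_end(query)]


def strip_edns(query):
    """EDNS fallback: same query with ARCOUNT 0 and the OPT record removed.
    Assumes the OPT RR is the only record after the question."""
    qid, flags, qd = struct.unpack("!HHH", query[:6])
    return struct.pack("!HHHHHH", qid, flags, qd, 0, 0, 0) + query[12:_question_end(query)]


if __name__ == "__main__":
    q = build_query("tigerdirect.com", edns=True)
    print("EDNS0 query: %d bytes, ARCOUNT=%d" % (len(q), parse_message(q)["arcount"]))
    reply = parse_message(make_reply(q, 1))
    print("reply RCODE:", reply["rcode_name"])
    if reply["rcode_name"] == "FORMERR":
        retry = strip_edns(q)
        print("retry without OPT: %d bytes, ARCOUNT=%d" % (len(retry), parse_message(retry)["arcount"]))
```

The useful check when reading a trace like the one in the post is `arcount`/`has_opt` on the outbound query and `rcode_name` on the reply: an EDNS0 query answered with FORMERR is the classic signature of an authoritative server that does not handle OPT records, and the resolver is expected to retry the stripped form rather than give up.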