DNS server chain breakdown

Posted on 2011-05-05
Medium Priority
Last Modified: 2012-05-11
Hi, I'd like to connect with someone who understands DNS better than I do!

I'm administering an SBS 2011 server. It has some websites on it, and it serves a small domain. SBS controls a wireless router, and I have made some DNS entries so that I can browse locally hosted sites. Currently everything is working fine, except for a little DNS problem. I can browse intranet and internet sites fine, but when I try to get to one particular site, it can't display the page. The page is for the ISP in this case, so it is wrecking a user's access to their webmail.

So this is odd, no? General internet browsing is ok, but not for the main page of the Internet Service Provider. In this case the ISP is shaw.ca.

Once I tried to reset the modem and router, by power cycle, and this restored access to shaw.ca - but recently I reset it and it still can't access that site. I'm thinking that something I've done has altered DNS lookup such that it can't find shaw.ca.

It would be great if I could work with an expert to learn about DNS in this applied way: using tests to see that DNS queries are being properly answered. I'd like to review the sequence of DNS servers, that are used to get to a page.

About a decade ago, I learned to use tracert, so here's my initial info:

tracert to locally hosted site: shows one hop to local NIC's IP address.
tracert to shaw.ca: replies "unable to resolve target system name shaw.ca".
tracert to cnn.com first resolves to a specific IP address, and then returns a series of hops, starting with the domain router, then the ISP default gateway, then a series of 5 IP addresses, and then it goes to Request timed out.

I see a similar sequence with other well known sites which I can also browse to.

So, anyone willing to work with me in a troubleshooting format, to learn the cause of the failure to resolve the address for shaw.ca?

Question by:JeReLo

Accepted Solution

kdgoodknecht earned 2000 total points
ID: 35703204
This is likely an EDNS or DNSSEC issue.
First try this command on the DNS server to disable EDNS. DNSSEC requires EDNS, so by turning off EDNS, it effectively turns off DNSSEC.
dnscmd server /Config /EnableEDnsProbes 0

EDNS is a mechanism that allows UDP packets over 512 bytes for DNS responses; some firewalls block UDP packets that exceed 512 bytes.

Author Comment

ID: 35711000
Your knowledge was very helpful in this case. I am now able to browse the site. Thanks.

It's a matter of interest however, that the 512 byte limit is within the firewall. By running this command, I have made DNS work within that limit, and "no longer advertise EDNS0 capabilities" according to Microsoft.

So, would the other option be possible or preferable? I mean, could one configure the firewall to accommodate the extended DNS capabilities? In this case the firewall is Windows Firewall.

Are there any impacts of losing extended DNS capabilities, as was done in that command?

Author Closing Comment

ID: 35716128
More context for the change was requested. No engagement after 3 days, so closed question.
