• Status: Solved
DNS request steps and problem resolving only one external DNS hostname

I'm really struggling to find out why this happens.

DNS servers: two local Windows 2003 SP2 DNS servers (FS1 and FS2).
Each workstation is configured to use FS1 as its primary DNS server and FS2 as its secondary DNS server.

I have a problem using nslookup to resolve one specific hostname, 'service101-us.mimecast.com'.

When I nslookup the hostname from the two DNS server consoles, it resolves with no problem.

But when I run nslookup from any workstation, it fails. If I bypass the primary DNS server by typing 'nslookup - FS2' and then look up the name, it resolves successfully.

So the problem seems to be FS1; somehow it can't resolve this specific hostname. It happens daily, so I have to restart the DNS service on FS1, and then the problem goes away.

Does anyone know why FS1 can't resolve only this one specific external DNS hostname until the DNS service is restarted?
Asked by crcsupport
crcsupport (Author) Commented:
> service101-us.mimecast.com
Server:  FS1.mydomain.local
Address:  192.xxx.xxx.xxx

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to FS1.mydomain.local timed-out
>
Mike Roe Commented:
Do you have any forwarders set up on FS1?
crcsupport (Author) Commented:
No forwarders, only root hints.
gt2847c (Sr. Security Consultant) Commented:
When the problem occurs on FS1, try this:

nslookup
> server fs1.mydomain.local
> set debug
> service101-us.mimecast.com

Capture the data, then switch to fs2:

> server fs2.mydomain.local
> service101-us.mimecast.com

Compare the two outputs and see if they are both attempting to resolve in the same way.  One other thing you can try is to see if the cache on fs1 is getting corrupted.  In the DNS tool you can have it flush the cache.  When the problem crops up, confirm it with the nslookup against fs1, flush the cache, then test it again and see if it resolves.
Mike Roe Commented:
Put in a forwarder and see if the issue is resolved.
crcsupport (Author) Commented:
Thanks. Since I restarted DNS, it works again. I'll wait a day or two, and when the problem occurs I'll try the options you guys suggested. It usually happens again in less than two days.
I'll keep this thread open till then.
gt2847c (Sr. Security Consultant) Commented:
One thing to try...  Go ahead and capture the nslookup debug details from FS1 while it works, then run it again when it fails and see if anything jumps out at you.
crcsupport (Author) Commented:
That's a good idea, gt2847c. I'll do that.
crcsupport (Author) Commented:
Following is the nslookup debug output while it works.

> set debug
> service101-us.mimecast.com
Server:  fs1.mydomain.local
Address:  192.xxx.xxx.xxx

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 6, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        service101-us.mimecast.com.MYDOMAIN.LOCAL, type = A, class = IN
    AUTHORITY RECORDS:
    ->  mydomain.local
        ttl = 3600 (1 hour)
        primary name server = fs1.mydomain.local
        responsible mail addr = hostmaster
        serial  = 11665
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 900 (15 mins)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 7, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        service101-us.mimecast.com.MYDOMAIN.LOCAL, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  mydomain.local
        ttl = 3600 (1 hour)
        primary name server = fs1.mydomain.local
        responsible mail addr = hostmaster
        serial  = 11665
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 900 (15 mins)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 8, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        service101-us.mimecast.com, type = A, class = IN
    ANSWERS:
    ->  service101-us.mimecast.com
        internet address = 207.211.31.80
        ttl = 288 (4 mins 48 secs)

------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 9, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        service101-us.mimecast.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  mimecast.com
        ttl = 86388 (23 hours 59 mins 48 secs)
        primary name server = dns01.mimecast.com
        responsible mail addr = root.mimecast.com
        serial  = 111540
        refresh = 10800 (3 hours)
        retry   = 900 (15 mins)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

------------
Name:    service101-us.mimecast.com
Address:  207.211.31.80

>
gt2847c (Sr. Security Consultant) Commented:
As you got a non-authoritative answer, this was pulled from cache.
crcsupport (Author) Commented:
Isn't it normal to have a non-authoritative answer? Our AD-integrated DNS server keeps DNS records for our internal domain only. Any other request needs to go out to the root hints, which will return a non-authoritative answer.
gt2847c (Sr. Security Consultant) Commented:
That's correct, I was just pointing out that your FS1 had already cached the entry when you ran your debug test.  If there is no cached entry, a query will force FS1 to recursively resolve the address and (the first time) you'll get an authoritative answer.  Thereafter until the TTL expires for the cached entry, you'll get the non-authoritative cached response.
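
The comparison gt2847c suggests (capture nslookup debug output on FS1 and FS2, or while it works and again when it fails) is easier to read if the capture is parsed. The Python helper below is an added example, not code from this thread: it reads Windows nslookup "set debug" output, separates the search-suffix probes (the NXDOMAIN answers for service101-us.mimecast.com.MYDOMAIN.LOCAL from the local zone) from the real query, counts "DNS request timed out." lines (the failing case above), and reports whether the returned address lacked the "auth. answer" flag, i.e. came from cache as explained in the reply above. The sample capture is constructed and uses a placeholder address.

```python
import re
# Constructed sample in Windows nslookup "set debug" format, modelled on the thread's capture; 203.0.113.80 is a placeholder.
SAMPLE = """\
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 6, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
    QUESTIONS:
        service101-us.mimecast.com.MYDOMAIN.LOCAL, type = A, class = IN
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 8, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
    QUESTIONS:
        service101-us.mimecast.com, type = A, class = IN
    ANSWERS:
    ->  service101-us.mimecast.com
        internet address = 203.0.113.80
        ttl = 288 (4 mins 48 secs)
------------
"""

def parse_debug(text):
    """One record per 'Got answer:' block of a debug capture."""
    records = []
    for block in text.split("Got answer:")[1:]:
        hdr = re.search(r"id = (\d+), rcode = (\w+)", block)
        flags = re.search(r"header flags:\s*(.*)", block).group(1)
        q = re.search(r"QUESTIONS:\s*\n\s*([^,\s]+), type = (\w+)", block)
        records.append({
            "id": int(hdr.group(1)), "rcode": hdr.group(2),
            # no "auth. answer" flag means the server answered from its cache
            "authoritative": "auth. answer" in flags,
            "question": q.group(1), "qtype": q.group(2),
            "answers": re.findall(r"internet address = (\S+)", block),
        })
    return records

def classify(text, name):
    """Timeouts (the failing case), search-suffix probes, addresses, cache flag."""
    recs = parse_debug(text)
    hits = [r for r in recs if r["question"].lower() == name.lower() and r["answers"]]
    return {
        "timeouts": text.count("DNS request timed out."),
        "suffix_probes": sum(1 for r in recs if r["question"].lower() != name.lower()),
        "addresses": [a for r in hits for a in r["answers"]],
        "from_cache": any(not r["authoritative"] for r in hits),
    }
```

Run classify() over the FS1 and FS2 captures with the same name and compare the two dictionaries; a capture with timeouts and no addresses on FS1 but addresses on FS2 reproduces the symptom described in the question.
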
crcsupport (Author) Commented:
Umm... That may explain the problem, because it happens daily at some point. After I restart the DNS server, I manually resolve the hostname using nslookup. The Exchange server I'm having the DNS resolution problem with never contacts the DNS server, or the outgoing email doesn't kick in to resolve the recipient mail server hostname (service101-us.mimecast.com).

The initial problem was that the recipient mail server locks out our outgoing mail to it. I found it's because they run greylisting on their spam filter. With further research, there's some glitch between Exchange servers older than 2010 and greylisting.

I thought I had fixed the problem by modifying the registry key 'GlitchRetry' on the Exchange server, but it seems like it still has a problem on the DNS side.

I'd like to test quickly by flushing the DNS cache, but to be safe, I'll let you know tomorrow. :)
crcsupport (Author) Commented:
Again, 3 emails were stuck in our Exchange server. nslookup of the recipient mail server was timing out. This time, I cleared the cache on DNS server FS1, then forced the connection in the Exchange server, and the emails went through.

I read an online article about email being stuck in the cache preventing proper DNS service.

Tomorrow, I'll see if clearing the cache helped in the long run.
gt2847c (Sr. Security Consultant) Commented:
One other item to try before clearing the DNS server cache...  The local machine also caches DNS entries...  On the exchange server, try (at cmd prompt) "ipconfig /flushdns" and see if that makes any difference...
crcsupport (Author) Commented:
I did ipconfig /flushdns on the Exchange server; it didn't help.
I checked again this morning and the problem still exists. So a stale record in the DNS server's cache doesn't seem to be the culprit.
I added Google DNS 8.8.8.8 as a forwarder and will see what happens tomorrow.
crcsupport (Author) Commented:
If this doesn't work, the last option I have may be to add a manual record for mimecast in the hosts file. I spoke to Mimecast support; it seems they haven't noticed this problem. I don't think I'm the only one having such a problem.
crcsupport (Author) Commented:
Maybe others using Exchange 2003 to send emails to Mimecast, and others expecting to receive emails from an Exchange 2003 sender, don't really care about when the emails go through. But our client who uses the Mimecast email service calls us if they don't receive emails within 10 minutes after we send them. The emails stuck in the queue usually go through after 40 minutes.
gt2847c (Sr. Security Consultant) Commented:
Did you run an NSLOOKUP with debug when it was failing?  If so, did anything show an error or a failed lookup?
gt2847c (Sr. Security Consultant) Commented:
Another item, have you checked the exchange logs to see if there were any errors listed?
crcsupport (Author) Commented:
I don't see any error in the Exchange log; it just shows the normal process for the stuck email in the queue:
1019, 1020, 1031, 1033, 1034.

It doesn't show why it got stuck in the queue and stays active.

I forgot about running the DNS debug when I saw the problem.
I added the forwarder, so I will wait until Monday morning to see if email gets stuck again, and this time I should not forget to run it.
crcsupport (Author) Commented:
It looks like it was resolved. I didn't see any email stuck for 3 days. I found a news item that Mimecast had a DNS server problem around mid-May, but it was in the UK. I don't know if it somehow affected our DNS server's resolution without a forwarder.

Thank you all!!!
Question has a verified solution.