DNS: Forwarding server 8.8.8.8 should respond to DNS queries

Hi,

I have two DCs running WS2008 R2 with integrated DNS.  I have the Google DNS servers set up as forwarders on the DNS servers.

I have other servers getting DNS from these DCs.  On the servers, I can ping external addresses, and browse to web addresses without issue.

However, if I run the best practice analyser it gives the above issue.  Also if I run the tests on the DNS monitoring tab, I get a fail for recursive query.

The best practice analyser also gives errors about root hint servers not responding to NS queries.

It seems as though DNS is working, but presumably something is not right?

thanks
ITPOL asked:

ITPOL (Author) commented:
dns test failure
0
Patrick Bogers (Datacenter platform engineer, Lindows) commented:
Hi,

Not sure why you chose 8.8.8.8, but wouldn't it be better to use the DNS servers from your provider?
8.8.8.8 should be considered really more or less a kind of test DNS server.
0
ITPOL (Author) commented:
Also, DCDiag gives me this:

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = POLDC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: BridgeHouse\POLDC1
      Starting test: Connectivity
         ......................... POLDC1 passed test Connectivity

Doing primary tests

   Testing server: BridgeHouse\POLDC1
      Starting test: Advertising
         ......................... POLDC1 passed test Advertising
      Starting test: FrsEvent
         ......................... POLDC1 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... POLDC1 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... POLDC1 passed test SysVolCheck
      Starting test: KccEvent
         ......................... POLDC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... POLDC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... POLDC1 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... POLDC1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... POLDC1 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... POLDC1 passed test ObjectsReplicated
      Starting test: Replications
         ......................... POLDC1 passed test Replications
      Starting test: RidManager
         ......................... POLDC1 passed test RidManager
      Starting test: Services
         ......................... POLDC1 passed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x000003F6
            Time Generated: 09/12/2013   12:26:05
            Event String:
            Name resolution for the name 10.20.168.192.in-addr.arpa timed out af
ter none of the configured DNS servers responded.
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 09/12/2013   12:32:55
            Event String:
            Dynamic registration or deletion of one or more DNS records associat
ed with DNS domain 'xxx.xxx.com.' failed.  These records are use
d by other computers to locate this server as a domain controller (if the specif
ied domain is an Active Directory domain) or as an LDAP server (if the specified
 domain is an application partition).
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 09/12/2013   12:32:56
            Event String:
            Dynamic registration or deletion of one or more DNS records associat
ed with DNS domain 'DomainDnsZones.xxx.xxx.com.' failed.  These
records are used by other computers to locate this server as a domain controller
 (if the specified domain is an Active Directory domain) or as an LDAP server (i
f the specified domain is an application partition).
         A warning event occurred.  EventID: 0x00001695
            Time Generated: 09/12/2013   12:32:56
            Event String:
            Dynamic registration or deletion of one or more DNS records associat
ed with DNS domain 'ForestDnsZones.xxx.xxx.com.' failed.  These
records are used by other computers to locate this server as a domain controller
 (if the specified domain is an Active Directory domain) or as an LDAP server (i
f the specified domain is an application partition).
         ......................... POLDC1 passed test SystemLog
      Starting test: VerifyReferences
         ......................... POLDC1 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : internal
      Starting test: CheckSDRefDom
         ......................... internal passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... internal passed test CrossRefValidation

   Running enterprise tests on : xxx.xxx.com
      Starting test: LocatorCheck
         ......................... xxx.xxx.com passed test
         LocatorCheck
      Starting test: Intersite
         ......................... xxx.xxx.com passed test
         Intersite

C:\Users\Administrator>

0
ITPOL (Author) commented:

Hi,

Not sure why you chose 8.8.8.8, but wouldn't it be better to use the DNS servers from your provider?
8.8.8.8 should be considered really more or less a kind of test DNS server.

Hi,

Yeah, I actually put in the ISP's DNS servers too, but got the same error.
0
Patrick Bogers (Datacenter platform engineer, Lindows) commented:
Could you show us the (unedited) part of ipconfig /all where the primary and secondary DNS servers are mentioned?
0
ITPOL (Author) commented:
From DC1:

C:\Users\Administrator>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : POLDC1
   Primary Dns Suffix  . . . . . . . : xxx.xxx.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : xxx.xxx.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : HP NC107i PCIe Gigabit Server Adapter
   Physical Address. . . . . . . . . : D8-D3-85-D7-08-31
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e4b8:8389:a1c8:117b%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.20.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.20.1
   DHCPv6 IAID . . . . . . . . . . . : 249090949
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-19-C0-0E-AC-D8-D3-85-D7-08-31

   DNS Servers . . . . . . . . . . . : ::1
                                       192.168.20.11
                                       192.168.20.10
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{545D5C29-771E-4EFD-8AF6-6DA39A5BB385}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

C:\Users\Administrator>

0
Patrick Bogers (Datacenter platform engineer, Lindows) commented:
Best practice does not give me any errors regarding the issue you are having.
There are some errors shown, but I declare them as false negatives.

Could you show us the error or warning?
0
Daniel Helgenberger commented:
Can you put the output of:
nslookup -debug <random.public.fqdn>

here? I think if this comes up clean you can safely ignore the monitor warning. If you see errors, then I think it might not be Google's public DNS at all. I have these as forwarders in all my AD DNS servers and the monitoring runs with no errors.

8.8.8.8 should be considered really more or less a kind of test DNS server.
Patricksr1972, your reason for saying so would be quite interesting for me!
8.8.8.8 and 8.8.4.4 point to the load balancers of Google's public DNS. Since these are in truth not a SOA for any domain (and never will be, by design), I think of them as perfect forwarders since they will only forward themselves. They are also pingable and, as most of the things operated by Google, near perfectly reliable. The DNS servers from my ISPs are not nearly as fast and available.
https://developers.google.com/speed/public-dns/docs/intro
0
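The check the best practice analyser and the DNS monitoring tab perform on a forwarder, and that nslookup -debug exercises by hand, reproduced as an added example (this is not code from the thread or from Microsoft's tooling): send a recursive query to the forwarder and read the header fields nslookup prints, namely rcode, "recursion avail." and the answer count. The live function needs network access; the sample headers are constructed.

```python
import socket
import struct

# Added example, not code from the thread: sends the kind of query nslookup -debug
# sends (RD set) and reads the header fields it prints: rcode, RA, answer count.

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=1, qtype=1):
    """Encode a recursive DNS query (QTYPE A by default, QCLASS IN) for name."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Decode the 12-byte DNS header into the fields nslookup -debug shows."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": qid,
        "response": bool(flags & 0x8000),   # QR bit
        "ra": bool(flags & 0x0080),         # "recursion avail."
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "answers": an,
    }

def assess(hdr, qid):
    """Apply the forwarder test: it must answer, offer recursion, and resolve."""
    if hdr["id"] != qid or not hdr["response"]:
        return "no valid response"
    if not hdr["ra"]:
        return "responds but recursion not available"
    if hdr["rcode"] == "NOERROR" and hdr["answers"] > 0:
        return "ok"
    return "responds, rcode=" + hdr["rcode"]

def check_forwarder(server, name="twitter.com", timeout=2.0):
    """Live check over UDP/53, e.g. check_forwarder('8.8.8.8'); needs network."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (server, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout (no response)"   # what the 2-second nslookup timeout above shows
    return assess(parse_header(data), qid)

# Constructed sample headers (not captured traffic) so the logic runs offline:
# 0x8180 = response, RD, RA, NOERROR, 3 answers, like the twitter.com reply in the thread
SAMPLE_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)
# 0x8403 = response, AA, NXDOMAIN, no RA: a server that does not offer recursion
SAMPLE_NO_RA = struct.pack("!HHHHHH", 0x1234, 0x8403, 1, 0, 1, 0)
```

A forwarder that returns "responds but recursion not available" is exactly the case the analyser complains about; a timeout against every configured forwarder is what the Event ID 0x3F6 warning in the dcdiag output describes.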
Patrick Bogers (Datacenter platform engineer, Lindows) commented:
Hi Helge,

For me, being European, I have (for example) a small problem with NSA-sensitive related servers.
Should the USA be aware of all our DNS queries while located in Europe? (Yeah yeah, I know, we also use Google search engines.)

Near perfectly reliable doesn't count for me. DNS is important, so in case it is not 'perfectly reliable', where load balancers can die, who am I going to call for support?

Otherwise I do support your input by saying that if nslookup -debug shows up clean there is probably nothing much to worry about, because the poster's shown info seems correct.
0
ITPOL (Author) commented:
Here's the error screen.   Ignore the first one, I changed the config afterwards to include it (I think it specifically looks for 127.0.0.1)

Best Practice
0
ITPOL (Author) commented:
Here's the nslookup output:

C:\Users\Administrator>nslookup -debug <random.public.fqdn>
The syntax of the command is incorrect.

C:\Users\Administrator>nslookup -debug twitter.com
DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)
Server:  UnKnown
Address:  ::1

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        twitter.com.xxx.xxx.com, type = A, class = IN
    AUTHORITY RECORDS:
    ->  xxx.xxx.com
        ttl = 3600 (1 hour)
        primary name server = poldc1.xxx.xxx.com
        responsible mail addr = hostmaster.xxx.xxx.com
        serial  = 80
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        twitter.com.xxx.xxx.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  xxx.xxx.com
        ttl = 3600 (1 hour)
        primary name server = poldc1.xxx.xxx.com
        responsible mail addr = hostmaster.xxx.xxx.com
        serial  = 80
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        twitter.com.xxx.com, type = A, class = IN
    AUTHORITY RECORDS:
    ->  xxx.com
        ttl = 900 (15 mins)
        primary name server = ns67.1and1.co.uk
        responsible mail addr = hostmaster.1and1.co.uk
        serial  = 2011092701
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 5, rcode = NXDOMAIN
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        twitter.com.xxx.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  xxx.com
        ttl = 900 (15 mins)
        primary name server = ns67.1and1.co.uk
        responsible mail addr = hostmaster.1and1.co.uk
        serial  = 2011092701
        refresh = 28800 (8 hours)
        retry   = 7200 (2 hours)
        expire  = 604800 (7 days)
        default TTL = 86400 (1 day)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 6, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 3,  authority records = 0,  additional = 0

    QUESTIONS:
        twitter.com, type = A, class = IN
    ANSWERS:
    ->  twitter.com
        internet address = 199.16.156.198
        ttl = 2 (2 secs)
    ->  twitter.com
        internet address = 199.16.156.230
        ttl = 2 (2 secs)
    ->  twitter.com
        internet address = 199.16.156.102
        ttl = 2 (2 secs)

------------
Non-authoritative answer:
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 7, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        twitter.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  twitter.com
        ttl = 3 (3 secs)
        primary name server = ns1.p26.dynect.net
        responsible mail addr = zone-admin.dyndns.com
        serial  = 2007115729
        refresh = 3600 (1 hour)
        retry   = 600 (10 mins)
        expire  = 604800 (7 days)
        default TTL = 60 (1 min)

------------
Name:    twitter.com
Addresses:  199.16.156.198
          199.16.156.230
          199.16.156.102


C:\Users\Administrator>

0
Patrick Bogers (Datacenter platform engineer, Lindows) commented:
Thanks for the complete info. The top line error is in my config as well, even though the loopback address is specified (so false negative).

Did you try Helge's suggestion?   nslookup -debug www.google.com

Ah! You did, looking sweet, so I would say ignore the best practice analyser's output.
0
Daniel Helgenberger commented:
I second Patricksr1972. Ignore it for now, but keep an eye out for users reporting lookup problems.
0
ITPOL (Author) commented:
Will do, thanks for your help...
0
ITPOL (Author) commented:
Thanks again
0