cargex


What is preventing my DNS Server from contacting the Google DNS Server as a forwarder intermittently?

Hi Guys,
I have a Windows domain, and my 2 domain controllers are Windows Server 2012 R2, with DNS running on both servers to resolve for the local domain and with my ISP DNS server as forwarder.

This has been working fine for at least 3 years, and yesterday I found out that the ISP forwarders are not answering my DNS calls. I can ping the IP of the ISP DNS Server, but they just don’t resolve DNS calls.

Last night I added Google and OpenDNS to the forwarders of my DNS Server, restarted the server and it was working fine, back to normal again. But today the issue came back.

That last bit of information tells me that it is not a firewall configuration issue as this happens intermittently. Last night it was working fine, and today it is happening again. I have control over the firewall and nothing changed in the firewall.

Also, intermittently in the Forwarders tab the "Server FQDN" comes up as "unable to resolve". This is unable to resolve the forwarder IP? Very weird.

If I run the following command on the server, I get the errors below:

C:\>nslookup
Default Server:  mydcserver.mydomain.local
Address:  THIS.IP.IS.CORRECT

www.google.com
Server:  mydcserver.mydomain.local
Address:  THIS.IP.IS.CORRECT

Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    www.google.com
Address:  172.217.9.4

www.bing.com
Server:  mydcserver.mydomain.local
Address:  THIS.IP.IS.CORRECT

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to mydcserver.mydomain.local timed-out

My question:
Any ideas as to what might be causing this?
Wayne88

How did you determine that your DNS Server was prevented from contacting the Google DNS Server as a forwarder?  Were you able to PING 8.8.8.8 or 8.8.4.4 when it failed?
cargex

ASKER

Yes, I can ping 8.8.8.8 from my DNS Server.

C:\>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=1ms TTL=56
Reply from 8.8.8.8: bytes=32 time=1ms TTL=56
Reply from 8.8.8.8: bytes=32 time=1ms TTL=56
Reply from 8.8.8.8: bytes=32 time=1ms TTL=56

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms

C:\>

Question:
Can changes in Active Directory Sites and Services cause an issue like this with DNS?
"Can changes in Active Directory Sites and Services cause an issue like this with DNS?"

I am not aware of that.  DNS is separate.  Were you having problems with DNS forwarding while you were pinging the Google DNS?
cargex

ASKER

Hi Wayne88,
Yes, pretty much the issue is there now.

I just found something that could shed some light on the issue.

Please take a look at the nslookup below.
This is taken directly from my DNS Server.

But if I do the same from any other client connected to the network it just works fine.

C:\>nslookup - 8.8.8.8
DNS request timed out.
    timeout was 2 seconds.
Default Server:  UnKnown
Address:  8.8.8.8

www.google.com
Server:  UnKnown
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Name:    www.google.com
Address:  2607:f8b0:4000:812::2004

>
You mentioned that you have two DNS servers.  Let's check this directly on each DNS server.  Can you ping the Google DNS server from each server?  I am almost willing to bet one is fine and the other is not, and it's the workstations that are connecting to the one that's not that are the ones having issues.  Just a hunch.  Let's test.

How are the two DNS servers used, and how do they interact with one another?
cargex

ASKER

The 2 DNS Servers are also DCs and they are in the same LAN.

Second DNS Server showing the same issues, but it is 100% clear to me now that it happens intermittently. If I ask for the same domain enough times eventually the server comes up with the correct answer.


C:\>nslookup
Default Server:  mydc.domain.local
Address:  THIS.IS.THE.CORRECT.IP

www.bing.com
Server:  mydc.domain.local
Address:  THIS.IS.THE.CORRECT.IP

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to mydc.domain.local timed-out
www.bing.com
Server:  mydc.domain.local
Address:  THIS.IS.THE.CORRECT.IP

Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    a-0001.a-msedge.net
Addresses:  204.79.197.200
          13.107.21.200
Aliases:  www.bing.com
          www-bing-com.a-0001.a-msedge.net

www.bing.com
Server:  mydc.domain.local
Address:  THIS.IS.THE.CORRECT.IP

Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    a-0001.a-msedge.net
Addresses:  13.107.21.200
          204.79.197.200
Aliases:  www.bing.com
          www-bing-com.a-0001.a-msedge.net

>
I see. Just to confirm: ping is fine but nslookup would fail when this happens, correct?

If this is the case let's start fresh.   Can you try flushing the DNS with "ipconfig /flushdns" from the command line first?  Then test again.

Failing that, stop the DNS caching with "net stop dnscache", also from a cmd window.  Now try the nslookup again.
cargex

ASKER

Hi Wayne88,
Yes, all this is happening while the ping to the DNS Forwarder Server is working fine all the time.

I'm leaving the office now, but I will come back tomorrow and we will continue.

Thanks for all your help.
Anytime Cargex, please try the suggestions above tomorrow and have a good evening.
Why use forwarders at all?  I have always just let my Windows DNS servers do recursive lookups and resolve everything themselves. All they need to be able to see is at least one root server somewhere. That way, you get results "straight from the horse's mouth", and are not reliant on how other people saw fit to configure DNS.
cargex

ASKER

Hi Guys,
This is interesting. As per Mal's comment I just removed the forwarders and the DNS Configuration is now using the root hints (or so it says) and the results are the same, namely:

C:\>nslookup
Default Server:  mydcserver.mydomain.local
Address:  THIS.IP.IS.CORRECT

www.bing.com
Server:  mydcserver.mydomain.local
Address:  THIS.IP.IS.CORRECT

DNS request timed out.
    timeout was 2 seconds.
*** Request to mydcserver.mydomain.local timed-out

www.yahoo.com
Server:  mydcserver.mydomain.local
Address:  THIS.IP.IS.CORRECT

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to mydcserver.mydomain.local timed-out
>
Hello, can you try flushing the DNS with "ipconfig /flushdns" from the command line first?  Then test again.

Failing that, stop the DNS caching with "net stop dnscache", also from a cmd window.  Now try the nslookup again.
cargex

ASKER

Hi Wayne88,
I just ran the commands you requested and the same results, please see below:

C:\>ipconfig /flushdns

Windows IP Configuration
Successfully flushed the DNS Resolver Cache.

C:\>net stop dnscache
The DNS Client service is stopping.
The DNS Client service was stopped successfully.

C:\>net start dnscache
The requested service has already been started.
More help is available by typing NET HELPMSG 2182.

C:\>nslookup
Default Server:  mydcserver.mydomain.local
Address:  THIS.IP.IS.CORRECT

www.bing.com
Server:  mydcserver.mydomain.local
Address:  THIS.IP.IS.CORRECT

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to mydcserver.mydomain.local timed-out

www.yahoo.com
Server:  mydcserver.mydomain.local
Address:  THIS.IP.IS.CORRECT

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to mydcserver.mydomain.local timed-out
>
ASKER CERTIFIED SOLUTION
Wayne88

This solution is only available to members.
cargex

ASKER

Hey Wayne88,
I disabled the DNS Client service an hour ago, and it seems like you are correct.
All of the queries are working now.

So the questions now are:
Can I just leave the DNS Client service disabled?
Is this just a symptom of a greater issue?
Can the DNS Client service be fixed?
Hi Cargex, I wouldn't disable the DNSCACHE service permanently as it can cause issues in your domain system.  When you manually flush the DNS it should have cleared the cache, but for one reason or another the cache was refilled with problematic info when you restarted the service.  At least now you know exactly where the problem is.  I would look into the way your DNS server is configured.  Sorry I can't be more specific because it can be anything in the configuration.

"The DNS Client service (dnscache) caches Domain Name System (DNS) names and registers the full computer name for this computer. If the service is stopped, DNS names will continue to be resolved. However, the results of DNS name queries will not be cached and the computer's name will not be registered. If the service is disabled, any services that explicitly depend on it will fail to start."

Here is a good article on DNS questions.  You may find your answers here:  https://support.microsoft.com/en-us/help/291382/frequently-asked-questions-about-windows-2000-dns-and-windows-server-2003-dns
cargex

ASKER

I just turned the DNS Client service back on and set it to Automatic, and the DNS Service is still working just fine.
What do you make of this?
It's too early to say.  I would leave it and try again tomorrow or the next work day, then see if the problem persists, but I am not a big fan of turning off DNS services that are supposed to be on by default.  The problem is with your DNS related configuration.

Having said that, I did find an argument in regard to the DNS Client service, provided you use an alternative.  Have a look:

http://support.simpledns.com/kb/a61/disabling-the-windows-dns-client-service.aspx

Do you use your ISP DNS as your 1st external forwarder by the way?
cargex

ASKER

I was, but since this happened I changed it to Google (8.8.8.8), but at the time I made that change nothing happened.
cargex

ASKER

Thank you Wayne88 for all your help, it is greatly appreciated.
You're welcome Cargex.  Glad to help.  Have a good weekend!
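
One way to put numbers on the intermittent timeouts described in this thread, as an added example that is not part of any participant's post: ping only exercises ICMP, so this loop queries each server over UDP and then TCP port 53 and records every failure with a timestamp that can be matched against firewall or DNS debug logs. The server list, test names and round count are assumptions to adjust; run it on the DNS server itself.

```powershell
# Added example. Server list, names and round count are assumptions.
$Servers = @('127.0.0.1', '8.8.8.8')   # local DNS Server service, then the forwarder
$Names   = @('www.google.com', 'www.bing.com', 'www.yahoo.com')
$Rounds  = 20

$results = foreach ($round in 1..$Rounds) {
    $name = $Names[($round - 1) % $Names.Count]
    foreach ($server in $Servers) {
        foreach ($tcp in $false, $true) {
            $transport = if ($tcp) { 'TCP' } else { 'UDP' }
            $ok = $true
            $err = ''
            $sw = [System.Diagnostics.Stopwatch]::StartNew()
            try {
                # -DnsOnly keeps LLMNR and NetBIOS out of the result
                $null = Resolve-DnsName -Name $name -Type A -Server $server `
                    -DnsOnly -TcpOnly:$tcp -ErrorAction Stop
            } catch {
                # Timeouts land here; so do NXDOMAIN and SERVFAIL (see Error text)
                $ok = $false
                $err = $_.Exception.Message
            }
            $sw.Stop()
            [pscustomobject]@{
                Time      = (Get-Date).ToString('HH:mm:ss')
                Server    = $server
                Transport = $transport
                Name      = $name
                Ok        = $ok
                Ms        = $sw.ElapsedMilliseconds
                Error     = $err
            }
        }
    }
    Start-Sleep -Seconds 1
}

# Failure rate per server and transport
$results | Group-Object Server, Transport | ForEach-Object {
    $failed = @($_.Group | Where-Object { -not $_.Ok }).Count
    [pscustomobject]@{
        Server    = $_.Group[0].Server
        Transport = $_.Group[0].Transport
        Queries   = $_.Count
        Failed    = $failed
        FailPct   = [math]::Round(100 * $failed / $_.Count, 1)
        MaxMs     = ($_.Group | Measure-Object Ms -Maximum).Maximum
    }
} | Format-Table -AutoSize

# Timestamped failures for correlation with other logs
$results | Where-Object { -not $_.Ok } | Format-Table Time, Server, Transport, Name, Error -AutoSize
```

The local server answers repeat queries from its own cache once a name has resolved, so the rows for the forwarder are the better measure of the upstream path.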