DNS Event ID 7063 - Forwarder non recursive

Discussion in 'DNS Server' started by Chris Herbert, Apr 14, 2004.

  1. Hello,

    I have 3 DNS servers in a domain, and each one is set up to use forwarding
    to 2 DNS servers in the parent (root) domain. Everything is working fine,
    but I am getting a repeated error message in Event Log on each of the 3 DNS
    servers. The Event ID is 7063 and says:

    "The DNS server is configured to forward to a non-recursive DNS
    server at [ip address]

    DNS servers in forwarders list MUST be configured to process
    recursive queries"

    Then it lists a couple of fixes. One being uncheck "disable recursion" which
    is already done, and the other being use a different forwarder, which doesnt
    really help at all.

    If anybody else has had this problem I'd be interested to know how they
    fixed it. A web search has gotten me nowhere.

    Thanks
     
    Chris Herbert, Apr 14, 2004
    #1
    1. Advertisements

  2. Chris,

    This can be a result of several items. DNS Cache pollution can sometime cause this type of behavior. If you are running a Windows 2000 Server then
    simply clear the cache and then in the advanced tab of the DNS Server in the MMC, select to "Secure cache against pollution". This is a default
    configuration in Server 2003.

    The best course of action will be to actually collect some data about this condition. If you enable Advanced Debug Logging for the DNS Server (on the
    Debug logging tab). This way you will be able to collect more detailed information regarding the actual query that is causing this event to be thrown.
    Search the log for "non-recursive" as the 7063 event will not be logged in this log.

    We can see if this event is the response to a query is malformed in some way. Try to find the query that is causing this event to be thrown.

    T.J. Campana [MSFT]
    Microsoft EPS Networking
     
    TJ Campana [MSFT], Apr 14, 2004
    #2
    1. Advertisements

  3. Thanks for the reply. Both machines are 2003 - upgraded from 2000. I had the
    problem when they were 2000 machines and I foolishly hoped that the upgrade
    would see the end of the problem. If anything it is worse.
    I will enable Advanced Debug Logging and let you know what I find.
    Thanks again,
    Chris

    --

     
    Chris Herbert, Apr 14, 2004
    #3
  4. CH> "The DNS server is configured to forward to a non-recursive
    CH> DNS server at [ip address]

    So ...

    Is the DNS server in fact configured to do this ?
    Is the DNS server listening on that IP address in fact configured to provide
    such proxy DNS service ?
    What did your test queries to that server show ?
     
    Jonathan de Boyne Pollard, Apr 15, 2004
    #4
  5. Ok, after a day or so of running the DNS server in Debugging mode, I can see
    that the problem is occuring when our Tumbleweed mail gateway (10.10.10.23)
    recieves a packet from the domain micronet.fr - a line like this appears
    before every error in the logs of the forwarding server:

    05:48:08 73C PACKET UDP Rcv 10.10.10.30 2980 R Q [0080 NOERROR]
    (8)micronet(2)fr(0)

    Follwed by:

    05:48:08 73C EVENT The DNS server is configured to forward to a
    non-recursive DNS server at 10.10.10.30.
    ......along with the rest of the text from the Event ID.

    There is no error in the DNS event logs of 10.10.10.30 at this specific
    time, although I am seeing a series of Event ID 5504 (The DNS server
    encountered an invalid domain name in a packet from (root-hints ip address,
    the packet has been rejected) Looking at the event data it seems that this
    is just related to invalid characters in a domain name, and I dont think
    this is related. Maybe I am wrong.

    What I dont really understand is how my mail gateway receiving mail from a
    domain micronet.fr is causing a DNS server to think the servers in its
    forwarders list are non-recursive, or what I can do about it.

    Any advice would be most welcome.
    --

    ----------------------------------------------------
    This mailbox protected from junk email by Matador
    from MailFrontier, Inc. http://info.mailfrontier.com

     
    Chris Herbert, Apr 16, 2004
    #5
  6. The DNS servers are all set up correctly. That is the weird thing. Also DNS
    name resolution is working fine on all servers (tested with nslookup). It is
    just this occasional error that is causing a problem.
     
    Chris Herbert, Apr 16, 2004
    #6
  7. Here is the entire error from the log

    05:48:08 73C PACKET UDP Rcv 10.10.10.30 2980 R Q [0080 NOERROR]
    (8)micronet(2)fr(0)
    05:48:08 73C EVENT The DNS server is configured to forward to a
    non-recursive DNS server at 10.10.10.30.

    DNS servers in forwarders list MUST be configured to process recursive
    queries.
    Either
    1) fix the forwarder (10.10.10.30) to allow recursion
    - connect to it with DNS Manager
    - bring up server properties
    - open "Advanced" tab
    - uncheck "Disable Recursion"
    - click OK
    OR
    2) remove this forwarder from this servers forwarders list
    - DNS Manager
    - bring up server properties
    - open "Forwarders" tab
    - remove (10.10.10.30) from list of forwarders
    - click OK
    05:48:08 73C PACKET UDP Snd 10.10.10.23 abd8 R Q [0080 NOERROR]
    (8)micronet(2)fr(0)
    05:48:08 73C PACKET UDP Rcv 10.10.10.23 abd8 Q [0001 D NOERROR]
    (8)micronet(2)fr(0)
    05:48:08 73C PACKET UDP Snd 10.10.10.30 018a Q [0001 D NOERROR]
    (8)micronet(2)fr(0)


    --

    ----------------------------------------------------
    This mailbox protected from junk email by Matador
    from MailFrontier, Inc. http://info.mailfrontier.com

     
    Chris Herbert, Apr 16, 2004
    #7
  8. In
    You have verified that Disable Recursion is not checked on the 10.10.10.30?
    Does 10.10.10.30 have a forwarder?
    What is its forwarder?

    The 5504 may be caused by a machine that has either an invalid character in
    its name or there may be a machine that has a name in the Domain suffix
    search list or connection specific suffix that has a single-label name. It
    could also be a congested link.




    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ============================
    --
    When responding to posts, please "Reply to Group" via your
    newsreader so that others may learn and benefit from your issue.
    To respond directly to me remove the nospam. from my email.
    ==========================================
    http://www.lonestaramerica.com/
    ==========================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ==========================================
    Keep a back up of your OE settings and folders with
    OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ==========================================
     
    Kevin D. Goodknecht [MVP], Apr 16, 2004
    #8
  9. Disable recursion is not checked on 10.10.10.30, and it does not have a
    forwarder.

    I also have the same problem on the other root machine 10.10.10.31, which is
    configured the exact same way.
    --

    ----------------------------------------------------
    This mailbox protected from junk email by Matador
    from MailFrontier, Inc. http://info.mailfrontier.com

     
    Chris Herbert, Apr 16, 2004
    #9
  10. In
    Can you run a query (any query) against this server using Netdig or dig?
    You can also use nslookup if you have the set d2 option i.e.
    nslookup
    set d2


    post the results

    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ============================
    --
    When responding to posts, please "Reply to Group" via your
    newsreader so that others may learn and benefit from your issue.
    To respond directly to me remove the nospam. from my email.
    ==========================================
    http://www.lonestaramerica.com/
    ==========================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ==========================================
    Keep a back up of your OE settings and folders with
    OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ==========================================
     
    Kevin D. Goodknecht [MVP], Apr 16, 2004
    #10
  11. Ok - here is the result from the nslookup. Thanks for the help....

    Default Server: nydc1.newyork.networkroot.com
    Address: 10.10.10.41
    Server: nydc1.newyork.networkroot.com
    Address: 10.10.10.41
    ------------
    SendRequest(), len 56
    HEADER:
    opcode = QUERY, id = 2, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0
    QUESTIONS:
    www.google.com.newyork.networkroot.com, type = A, class = IN
    ------------
    ------------
    Got answer (135 bytes):
    HEADER:
    opcode = QUERY, id = 2, rcode = NXDOMAIN
    header flags: response, auth. answer, want recursion, recursion
    avail.
    questions = 1, answers = 0, authority records = 1, additional = 0
    QUESTIONS:
    www.google.com.newyork.networkroot.com, type = A, class = IN
    AUTHORITY RECORDS:
    -> newyork.networkroot.com
    type = SOA, class = IN, dlen = 44
    ttl = 3600 (1 hour)
    primary name server = nydc1.newyork.networkroot.com
    responsible mail addr = administrator.newyork.networkroot.com
    serial = 880
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)
    ------------
    ------------
    SendRequest(), len 48
    HEADER:
    opcode = QUERY, id = 3, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0
    QUESTIONS:
    www.google.com.networkroot.com, type = A, class = IN
    ------------
    ------------
    Got answer (110 bytes):
    HEADER:
    opcode = QUERY, id = 3, rcode = NXDOMAIN
    header flags: response, auth. answer, want recursion, recursion
    avail.
    questions = 1, answers = 0, authority records = 1, additional = 0
    QUESTIONS:
    www.google.com.networkroot.com, type = A, class = IN
    AUTHORITY RECORDS:
    -> networkroot.com
    type = SOA, class = IN, dlen = 35
    ttl = 3600 (1 hour)
    primary name server = root1.networkroot.com
    responsible mail addr = admin
    serial = 255
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)
    ------------
    ------------
    SendRequest(), len 32
    HEADER:
    opcode = QUERY, id = 4, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0
    QUESTIONS:
    www.google.com, type = A, class = IN
    ------------
    ------------
    Got answer (115 bytes):
    HEADER:
    opcode = QUERY, id = 4, rcode = NOERROR
    header flags: response, want recursion, recursion avail.
    questions = 1, answers = 4, authority records = 0, additional = 0
    QUESTIONS:
    www.google.com, type = A, class = IN
    ANSWERS:
    -> www.google.com
    type = CNAME, class = IN, dlen = 23
    canonical name = www.google.akadns.net
    ttl = 1067 (17 mins 47 secs)
    -> www.google.akadns.net
    type = A, class = IN, dlen = 4
    internet address = 216.239.39.99
    ttl = 219 (3 mins 39 secs)
    -> www.google.akadns.net
    type = A, class = IN, dlen = 4
    internet address = 216.239.39.104
    ttl = 219 (3 mins 39 secs)
    -> www.google.akadns.net
    type = A, class = IN, dlen = 4
    internet address = 216.239.39.147
    ttl = 219 (3 mins 39 secs)
    ------------
    Non-authoritative answer:
    Name: www.google.akadns.net
    Addresses: 216.239.39.99, 216.239.39.104, 216.239.39.147
    Aliases: www.google.com
     
    Chris Herbert, Apr 16, 2004
    #11
  12. In
    Actually I need to see the output from 10.10.10.30, since it is the one that
    is showing non-recursive.



    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ============================
    --
    When responding to posts, please "Reply to Group" via your
    newsreader so that others may learn and benefit from your issue.
    To respond directly to me remove the nospam. from my email.
    ==========================================
    http://www.lonestaramerica.com/
    ==========================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ==========================================
    Keep a back up of your OE settings and folders with
    OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ==========================================
     
    Kevin D. Goodknecht [MVP], Apr 16, 2004
    #12
  13. OK, here goes.

    Default Server: root1.networkroot.com
    Address: 10.10.10.30
    Server: root1.networkroot.com
    Address: 10.10.10.30
    ------------
    SendRequest(), len 56
    HEADER:
    opcode = QUERY, id = 2, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0
    QUESTIONS:
    www.google.com.newyork.networkroot.com, type = A, class = IN
    ------------
    ------------
    Got answer (132 bytes):
    HEADER:
    opcode = QUERY, id = 2, rcode = NXDOMAIN
    header flags: response, auth. answer, recursion avail.
    questions = 1, answers = 0, authority records = 1, additional = 0
    QUESTIONS:
    www.google.com.newyork.networkroot.com, type = A, class = IN
    AUTHORITY RECORDS:
    -> newyork.networkroot.com
    type = SOA, class = IN, dlen = 41
    ttl = 3600 (1 hour)
    primary name server = dc.newyork.networkroot.com
    responsible mail addr = administrator.newyork.networkroot.com
    serial = 884
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)
    ------------
    ------------
    SendRequest(), len 48
    HEADER:
    opcode = QUERY, id = 3, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0
    QUESTIONS:
    www.google.com.networkroot.com, type = A, class = IN
    ------------
    ------------
    Got answer (110 bytes):
    HEADER:
    opcode = QUERY, id = 3, rcode = NXDOMAIN
    header flags: response, auth. answer, want recursion, recursion
    avail.
    questions = 1, answers = 0, authority records = 1, additional = 0
    QUESTIONS:
    www.google.com.networkroot.com, type = A, class = IN
    AUTHORITY RECORDS:
    -> networkroot.com
    type = SOA, class = IN, dlen = 35
    ttl = 3600 (1 hour)
    primary name server = root1.networkroot.com
    responsible mail addr = admin
    serial = 255
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)
    ------------
    ------------
    SendRequest(), len 32
    HEADER:
    opcode = QUERY, id = 4, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0
    QUESTIONS:
    www.google.com, type = A, class = IN
    ------------
    ------------
    Got answer (99 bytes):
    HEADER:
    opcode = QUERY, id = 4, rcode = NOERROR
    header flags: response, want recursion, recursion avail.
    questions = 1, answers = 3, authority records = 0, additional = 0
    QUESTIONS:
    www.google.com, type = A, class = IN
    ANSWERS:
    -> www.google.com
    type = CNAME, class = IN, dlen = 23
    canonical name = www.google.akadns.net
    ttl = 3210 (53 mins 30 secs)
    -> www.google.akadns.net
    type = A, class = IN, dlen = 4
    internet address = 216.239.51.104
    ttl = 300 (5 mins)
    -> www.google.akadns.net
    type = A, class = IN, dlen = 4
    internet address = 216.239.51.99
    ttl = 300 (5 mins)
    ------------
    Non-authoritative answer:
    Name: www.google.akadns.net
    Addresses: 216.239.51.104, 216.239.51.99
    Aliases: www.google.com
     
    Chris Herbert, Apr 16, 2004
    #13
  14. In
    That answers the question as to if this DNS is recursive or not. It
    definitely says recursion is available.
    Now, the DNS server that is giving this error, does it give the same error
    if you use a different forwarder?

    Just trying to figure which DNS is actually in error.

    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ============================
    --
    When responding to posts, please "Reply to Group" via your
    newsreader so that others may learn and benefit from your issue.
    To respond directly to me remove the nospam. from my email.
    ==========================================
    http://www.lonestaramerica.com/
    ==========================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ==========================================
    Keep a back up of your OE settings and folders with
    OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ==========================================
     
    Kevin D. Goodknecht [MVP], Apr 16, 2004
    #14
  15. JdeBP> Is the DNS server in fact configured to do this ?
    JdeBP> Is the DNS server listening on that IP address in fact
    JdeBP> configured to provide such proxy DNS service ?
    JdeBP> What did your test queries to that [latter] server show ?

    CH> The DNS servers are all set up correctly. [...] Also DNS
    CH> name resolution is working fine on all servers (tested with
    CH> nslookup).

    That doesn't actually answer _any_ of my questions. For example: "The DNS
    server is set up correctly." doesn't tell me whether the DNS server is in fact
    configured to forward queries to the IP address concerned. Please answer the
    questions.
     
    Jonathan de Boyne Pollard, Apr 16, 2004
    #15
  16. It seems to be affecting both forwarders (we only have two) on all three of
    our forwarding servers. I have tried switching the order in which the
    forwarding servers use the forwarders, but I just get messages complaining
    about 10.10.10.31 not being set to allow recursive queries.

    I am wondering whether it could be related to this micronet.fr domain? Every
    time I see this error in the DNS debugging logs this micronet.fr is the
    subject of the query.
     
    Chris Herbert, Apr 19, 2004
    #16
  17. Chris

    We are suffering from the same problem. We have a fairly large DNS environment in which a whole chain of forwarding DNS servers is used (DNS servers forward queries to forwarders that in turn forward them again...)

    The DNS server that is the top of our chain has no forwarders. So, it uses the root-servers to resolve queries. I have the feeling that our top DNS server is trying recursive queries against these root-servers, but the root-servers do not support recursive queries...

    I am not sure, but I think we can solve this problem by configuring our top DNS server with forwarders and disabling the use of recursion

    And hmmm - I was actually wondering whether you already found a solution...;-

    Sincerely

    Martijn Tigchelaar.
     
    Martijn Tigchelaar, Apr 20, 2004
    #17
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.