DNS not doing recursive lookups

Discussion in 'DNS Server' started by Rob Boylan, Aug 16, 2005.

  1. Rob Boylan

    Rob Boylan Guest

    I originally posted my question to microsoft.public.windows.server.migration.
    Someone suggested that this group would be more appropriate.

    To recap:

    I took an NT PDC that was hosting a primary DNS for the top-level country
    code domain FM and migrated it to a Windows 2003 DC with the single-level AD
    domain "FM". DCPROMO installed the DNS and migrated over all the forward and
    reverse zones from the NT installation. I manually added the SRV records from
    NetLogon.dns to support AD.

    The DNS will correctly resolve names for all records hosted in the server's
    zone files. However, when asked to resolve a name outside its scope (such as
    www.yahoo.com), it fails.

    Prior to the migration, DNS on the server was working correctly. In the
    network, I have a NT BDC that is the secondary DNS for all the zones hosted
    on the primary server. It continues to function normally.

    I copied the root hints from the operational secondary DNS server, so I'm
    reasonably sure they are valid.

    I do not have a root (.) zone defined.

    I am not running Windows Firewall, but my Cisco router is doing some
    filtering for traffic coming into this server. It is allowing TCP and UDP
traffic on port 53. The same criteria are being applied to my secondary server
    as well.

    NSLookup tests to remote DNS servers fail when performed on either Windows
    2003 primary DNS machine or the NT secondary DNS machine. If I run the same
    tests from a machine that does not have any filtering defined at the router,
then the nslookup tests will succeed.

    Anyone have any ideas?
     
    Rob Boylan, Aug 16, 2005
    #1

  2. In
    I actually see three issues here.

    One is your AD domain name is possibly a single label domain name? It should
    be in the form of the TLD plus the first level name, such as example.com. I
    hope you were just trying to mask the names and you do not have a single
    label name.

    Second, there is NO need for manually creating any records in the
    netlogon.dns file for AD. This is an automatic process. The netlogon
    services updates the netlogon.dns file from what it reads in AD, then it
    sends that data to the zone name configured in the Primary DNS Suffix using
the DNS address listed in its IP properties. If this is not working
    automatically, then there is a major configuration problem. A single label
    domain name will cause this not to function.

    Third, the inability for Win2003 to resolve external names without a
    forwarder is possibly due to your Cisco router. Windows 2003 is now using a
    new industry standard feature called EDNS0 that allows UDP DNS queries to go
    beyond the previously capped limit of 512 bytes to the max 1500 MTU. To fix
    it, either update the Cisco firmware (which is the recommendation), or
    disable it in Win2003.

    828731 - An External DNS Query May Cause an Error Message in Windows Server
    2003:
    http://support.microsoft.com/?id=828731

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services
    Infinite Diversities in Infinite Combinations.
    =================================
     
    Ace Fekay [MVP], Aug 16, 2005
    #2

  3. Rob Boylan

    Rob Boylan Guest

    Thanks for your help Ace.

    Actually, I do have a single-label domain name. This place really is a TLD.
If I understand the knowledge base article
(http://support.microsoft.com/?kbid=300684)
    correctly, there are two things that do not work automatically in a single
    label domain: 1) dynamic updates do not work and 2) member computers cannot
    use DNS to locate DCs in a single-label domain that is in another forest. I'm
    not planning on allowing dynamic updates in this domain and I'm not dealing
    with multiple forests. So is there another gotcha that I'm overlooking?
    Netlogon is not doing this automatically. I had assumed that this was
    because dynamic DNS was disabled.
The Cisco link on this page goes to a "Page Not Found". Searching the Cisco
site I could not find anything that seemed to mention increasing the
    allowable UDP packet size. Does this require a firmware upgrade or just an
    upgrade to the IOS? Which versions have the required modification? I'll need
    to find firm documentation before I'll be allowed to make changes to the
    routers.

    In the meantime, I will try disabling the EDNS0 on the Windows 2003 server,
although I will have to wait for a non-peak usage time to perform the test.

    Thanks,
    --Rob
     
    Rob Boylan, Aug 16, 2005
    #3
  4. In
    That article states a client cannot locate DCs because the DNS resolver will
    not treat the name as prefix to suffix the search string. If the name has an
    identical NetBIOS name, then it will resolve, whether in the local domain or
in other domains: But if there is no corresponding NetBIOS name, then it
    will not resolve.

    Keep in mind, GPOs will not apply. This is because it looks for this share:
    \\domain.com\sysvol\domain.com\Policies\[GUIDNumberOfPolicy-etc]

    Notice it needs to resolve "domain.com" above? That is the LdapIpAddress
record in DNS. If it is a single label name, there is no corresponding
    record and it cannot resolve it.

    The problem is especially apparent in Win2000 SP4 and newer OSes such as XP
    and 2003
    826743 - Clients cannot dynamically register DNS records in a single-label
    forward lookup zone:
    http://web.archive.org/web/20040518224908/support.microsoft.com/?kbid=826743

    Do you know why Microsoft stopped single label name dynamic updates
    behavior? Look below this post for a passage from a Microsoft engineer that
    was posted when Win2000 SP4 came out.

    Is it disabled on the zone properties? It won't update in a single label
    name anyway if you have W2000 SP4 or newer.

    Here's some info on dynamic updates:

    816592 - How it works and HOW TO Configure DNS Dynamic Update in Windows
    2003:
    http://support.microsoft.com/default.aspx?kbid=816592

    Rules of engagement for dynamic updates to automatically work (which is
    default): are below. But before that, I just want to let you know, as an
FYI, AD requires DNS. AD stores its resource and service locations in the
    form of SRV records in DNS. When any communication function occurs in AD
(logons, Kerberos authentication, replication initiation, GPOs getting
    applied, and numerous other functions), DNS is queried for the location of
    that respective service. If DNS doesn't have those records, then that
    function will fail. The records get registered into DNS by the netlogon
    service on the DCs. The main thing is required for registration are these
    simple rules:

    1. AD's DNS name can't be a single label name
    2. The AD DNS name MUST match the name of the zone in DNS
    3. Dynamic Updates are allowed in the zone properties
    4. The Primary DNS Suffix MUST match the zone name and the AD DNS name
    5. You must only use the DNS servers that host a copy of the AD zone name or
    have a reference to get to them. Do not use your ISP's or some other DNS
    that does not have a copy of the AD zone. Internet resolution for your
    machines will be accomplished by the Root servers (Root Hints). It is
    recommended to configure a forwarder for efficient Internet resolution. When
you attempt to configure a forwarder and the forwarding option is grayed out,
    you need to delete the Root zone (looks like a period), refresh the console
    and try again. Forwarders and how to are all explained in:
    http://support.microsoft.com/?id=300202

    If none of the above is correct, we've got a problem or you can apply the
    reg fix based on article #300684 on all your machines (DC and clients).


IOS upgrade actually. Here's a couple more links on it. I'm surprised Cisco
    pulled their webpage regarding this:

    828263 - DNS query responses do not travel through a firewall in Windows
    Server 2003:
    http://support.microsoft.com/?id=828263

    832223 - Some DNS Name Queries Are Unsuccessful After You Upgrade Your DNS
    Server to Windows Server 2003:
    http://support.microsoft.com/?id=832223
    Single label names repost:
    ++++++++++++++++++++++++++++++
    ================================
    Single label name from Alan Woods, MS:
"We really would prefer to use FQDN over Single labeled. There are
a lot of other issues that you can run into when using a Single labeled
    domain name with other AD integrated products. Exchange would be a great
    example. Also note that the DNR (DNS RESOLVER) was and is designed to
    Devolve DNS requests to the LAST 2 names.

    Example: Single Labeled domain .domainA
    then, you add additional domains on the forest.
    child1.domainA
    Child2.child1.domainA

    If a client in the domain Child2 wants to resolve a name in domainA
    Example. Host.DomainA and uses the following to connect to a share
    \\host then it is not going to resolve. WHY, because the resolver is
first going to query for Host.Child2.child1.domainA, then it
    next try HOST.Child1.domainA at that point the Devolution process is
    DONE. We only go to the LAST 2 Domain Names.

    Also note that if you have a single labeled domain name it causes excess
    DNS traffic on the ROOT HINTS servers and being all Good Internet Community
    users we definitely do not want to do that. NOTE that in Windows 2003,
    you get a big Pop UP Error Message when trying to create a single labeled
    name telling you DON'T DO IT. It will still allow you to do it, but you
    will still be required to make the registry changes, which is really not
    fun.

    Microsoft is seriously asking you to NOT do this. We will support you but
the end result could be limiting depending on the
    services you are using.

    Thank you,

    Alan Wood[MSFT]"
    =====================================


    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services
    Infinite Diversities in Infinite Combinations.
    =================================
     
    Ace Fekay [MVP], Aug 16, 2005
    #4
  5. In Ace Fekay [MVP] <PleaseSubstituteMyActualFirstName&>
    made this post, which I then commented about below:
    A correction.

    I stated:
    "Keep in mind, GPOs will not apply. This is because it looks for this share:
    \\domain.com\sysvol\domain.com\Policies\[GUIDNumberOfPolicy-etc]

    Notice it needs to resolve "domain.com" above? That is the LdapIpAddress
record in DNS. If it is a single label name, there is no corresponding
    record and it cannot resolve it."

    I meant to also add, that it will treat it as a NetBIOS name as well and the
    GetGPOList function the client performs may have difficulty resolving to the
    LdapIpAddress to grab any GPOs that apply to it.

    Ace
     
    Ace Fekay [MVP], Aug 17, 2005
    #5
  6. Rob Boylan

    Rob Boylan Guest

I concede that using a single-level domain is a bad idea. I have even asked
    the migration group how I can undo it. (The answer was basically start over
    from scratch) So I will tackle that little project soon. In the meantime, I
    still have this little DNS problem.

    To eliminate all issues with the domain, I configured a brand new server
    with Windows 2003 Enterprise Edition. I installed DNS and WINS on it, but did
    not make it a domain controller (it's sitting in a workgroup by itself). I
    gave it an IP address that passes through our router's access-lists
    unfiltered and set the computer's network interface to point to itself for
    DNS.

    This worked. I was able to perform recursive lookups. I tried it first with
    EnableEDnsProbes set to 0, and then with the parameter set to 1. Both ways
    worked, so the router apparently supports EDNS.

    I then applied the following in the access-list on our main router to the IP
    on the test machine, which is similar to the filters on the regular DNS
    servers (where xxx.xxx.xxx.xxx is the IP address of the machine):

    permit udp any host xxx.xxx.xxx.xxx eq domain
    permit tcp any host xxx.xxx.xxx.xxx eq domain
    deny ip any host xxx.xxx.xxx.xxx

    Immediately, recursive lookups failed.

    Some research on the router and on Cisco's site revealed that I needed the
    following:

    permit udp any host xxx.xxx.xxx.xxx eq domain
    permit udp any eq domain host xxx.xxx.xxx.xxx
    permit tcp any host xxx.xxx.xxx.xxx eq domain
    permit tcp any eq domain host xxx.xxx.xxx.xxx
    deny ip any host xxx.xxx.xxx.xxx

    Apparently, the NT DNS servers must source their lookups from port 53.
Otherwise they would not be working. But Windows 2003 seems to use a random
    source port. This was causing the responses back from the root-servers to
    reach the deny statement and be dropped.
     
    Rob Boylan, Aug 18, 2005
    #6
  7. In
That's right. That's called the ephemeral response port, which is UDP
    security. I would suggest to change the list to:

    permit udp any host xxx.xxx.xxx.xxx eq domain
    permit tcp any host xxx.xxx.xxx.xxx eq domain
    permit udp any x.x.x.0 0.0.0.255 gt 1023
    deny ip any host xxx.xxx.xxx.xxx

The "x.x.x.0 0.0.0.255" is a blanket subnet wide allowance. You can also
    choose just the specific IP by stating:
    permit udp any x.x.x.x gt 1023

    There are also reg entries to control the traffic on the DNS server to use
specifically TCP and UDP 53, and not use the ephemeral ports, although I've
    never tested it. If you are going to implement this, I would suggest to test
    it during off-production hours. Look for the "SendPort" info:

    813965 - Description of DNS registry entries in Windows 2000 Server, part 3
    of 3:
    http://support.microsoft.com/default.aspx?kbid=813965

    Ace
     
    Ace Fekay [MVP], Aug 19, 2005
    #7
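To make the access-list behaviour in posts #6 and #7 concrete, here is an added example that is not part of the thread: a small Python evaluator for the stateless Cisco-style lists quoted above, run against a root server's UDP reply to a query the resolver sent from an ephemeral source port. The addresses 192.0.2.10 and 198.41.0.4 and the 192.0.2.0 subnet are constructed stand-ins for the thread's x.x.x.x placeholders, and the parser understands only the syntax the thread uses.

```python
SERVER = "192.0.2.10"   # constructed stand-in for xxx.xxx.xxx.xxx (the DNS server)
ROOT = "198.41.0.4"     # constructed stand-in for a root-hints server

def _ip(dotted):
    return int.from_bytes(bytes(int(o) for o in dotted.split(".")), "big")

def _addr(toks, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (matcher, next index)."""
    if toks[i] == "any":
        return (lambda a: True), i + 1
    if toks[i] == "host":
        return (lambda a, h=toks[i + 1]: a == h), i + 2
    net, wild = _ip(toks[i]), _ip(toks[i + 1])  # Cisco wildcard: set bits = don't care
    return (lambda a: (_ip(a) ^ net) & ~wild & 0xFFFFFFFF == 0), i + 2

def _port(toks, i):
    """Consume an optional 'eq domain|N', 'gt N' or 'lt N' port qualifier."""
    if i < len(toks) and toks[i] in ("eq", "gt", "lt"):
        op, val = toks[i], (53 if toks[i + 1] == "domain" else int(toks[i + 1]))
        return (lambda p: {"eq": p == val, "gt": p > val, "lt": p < val}[op]), i + 2
    return (lambda p: True), i

def parse_acl(text):
    """Parse 'permit|deny proto src [port] dst [port]' lines into rule tuples."""
    rules = []
    for toks in (line.split() for line in text.splitlines() if line.strip()):
        src, i = _addr(toks, 2)
        sport, i = _port(toks, i)
        dst, i = _addr(toks, i)
        dport, _ = _port(toks, i)
        rules.append((toks[0], toks[1], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src, sport, dst, dport):
    """First matching rule decides; a Cisco ACL ends with an implicit deny."""
    for action, rproto, fs, fsp, fd, fdp in rules:
        if rproto in ("ip", proto) and fs(src) and fsp(sport) and fd(dst) and fdp(dport):
            return action
    return "deny"

# The three access lists quoted in the thread, with the placeholder address filled in.
ORIGINAL = f"permit udp any host {SERVER} eq domain\npermit tcp any host {SERVER} eq domain\ndeny ip any host {SERVER}"
ROB_FIX = (f"permit udp any host {SERVER} eq domain\npermit udp any eq domain host {SERVER}\n"
           f"permit tcp any host {SERVER} eq domain\npermit tcp any eq domain host {SERVER}\ndeny ip any host {SERVER}")
ACE_FIX = (f"permit udp any host {SERVER} eq domain\npermit tcp any host {SERVER} eq domain\n"
           f"permit udp any 192.0.2.0 0.0.0.255 gt 1023\ndeny ip any host {SERVER}")

def reply_fate(acl, resolver_port):
    """Fate of a root server's UDP reply to a query the resolver sent from resolver_port."""
    return evaluate(parse_acl(acl), "udp", ROOT, 53, SERVER, resolver_port)
```

With the original list, a reply to a query sourced from port 53 (the NT behaviour) is permitted while a reply to an ephemeral port falls through to the final deny; both corrected lists permit the ephemeral-port reply, and Ace's "gt 1023" variant still drops a reply to any port at or below 1023.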
