DNS stops resolving...outbound email stuck until dns restarted

Discussion in 'DNS Server' started by Patty S, Sep 6, 2006.

  1. Patty S

    Patty S Guest

    I have two companies that we support that each have Windows 2003 with
    Exchange 2003. They each are current on all updates and service packs.
    But, on occasion, their DNS service stops resolving and the queues stack
    up. Email does not go out.

    If we restart the dns server service, email starts moving again.

    We have actually worked with Microsoft on this one without being able to
    resolve it. It is random and can go three weeks or stop every other day.

    I know this is a short description, but I wanted to see if anyone out there
    has experienced this same situation.

    Patty S.
     
    Patty S, Sep 6, 2006
    #1

  2. Try updating the root hints. The Win2k3 DNS console makes it real easy: first
    remove all root hints, then click the copy from server button and enter
    198.41.0.4 in the copy from dialog (A.ROOT-SERVERS.NET.). This will reload
    all the root hints from the master ICANN root server.


    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    http://message.wftx.us/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Sep 7, 2006
    #2

  3. Patty S

    Patty S Guest

    I just did that. I think they have tried that, but everything is worth a
    try now.

    The interesting thing is both sites have Barracuda spam devices, but we have
    set the Barracuda to use a different DNS server at one site. The second
    site is still set to the same DNS server.

    Both sites have a Cisco PIX, a 501 and a 506.

    Any ideas would greatly be appreciated!

    Patty Seaman (a MVP years ago)
     
    Patty S, Sep 7, 2006
    #3
  4. PIX Firewall?
    Did you try this one?
    828263 - DNS query responses do not travel through a firewall in Windows
    Server 2003:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;828263&sd=RMVP

    It mentions two methods: one is to fix the firewall to allow UDP packets
    larger than 512 bytes, the second is to disable EDNS.
    I usually recommend fixing the firewall, if possible, because UDP is a much
    more efficient protocol for DNS. If you disable EDNS and the DNS response
    will not fit into one UDP packet, the DNS server should retry the query
    using TCP.

     
    Kevin D. Goodknecht Sr. [MVP], Sep 7, 2006
    #4
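An added example, not from the thread or the KB article: a Python check of the failure mode Kevin describes, run from a client behind the firewall. It sends an EDNS0 query advertising a 4096-byte UDP buffer and reports whether the reply arrives, comes back truncated (TC bit set), or never comes at all, then retries over TCP exactly as a DNS server does when the answer will not fit in one UDP packet. The function names (build_query, parse_header, tcp_query, probe) are my own; the wire formats are standard DNS (RFC 1035 and RFC 6891).

```python
import socket
import struct


def build_query(name, qtype=1, udp_payload=4096, txid=0x1234):
    """DNS query in wire format; udp_payload > 512 appends an EDNS0 OPT pseudo-RR."""
    use_edns = udp_payload > 512
    # Header: ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 if OPT present
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if use_edns else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    question = qname + b"\x00" + struct.pack(">HH", qtype, 1)
    # OPT RR (RFC 6891): root name, TYPE 41, CLASS = advertised UDP size, TTL 0, RDLEN 0
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_payload, 0, 0) if use_edns else b""
    return header + question + opt


def parse_header(resp):
    """The response-header fields that matter here: TC bit, RCODE, answer count, size."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "truncated": bool(flags & 0x0200),
            "rcode": flags & 0x000F, "answers": an, "size": len(resp)}


def tcp_query(server, query, timeout=3.0):
    """Same query over TCP (2-byte length prefix): the fallback when UDP is truncated."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(query)) + query)
        length = struct.unpack(">H", s.recv(2))[0]
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return data


def probe(server, name, udp_payload=4096, timeout=3.0):
    """Verdict: 'ok', 'udp_blocked' (no reply at all) or 'tc_fallback_tcp' (TC was set)."""
    query = build_query(name, udp_payload=udp_payload)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            # A firewall that drops DNS/UDP over 512 bytes produces exactly this symptom
            return {"verdict": "udp_blocked", "size": 0}
    result = parse_header(data)
    if result["truncated"]:
        result = parse_header(tcp_query(server, query, timeout))
        result["verdict"] = "tc_fallback_tcp"
    else:
        result["verdict"] = "ok"
    return result
```

Run probe(resolver_ip, "some.large.zone.example") twice, once with udp_payload=4096 and once with udp_payload=512: if the first times out while the second answers, the firewall is dropping the large UDP replies rather than the resolver being down.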
  5. Patty S

    Patty S Guest

    We automatically do that when we install.

     
    Patty S, Sep 7, 2006
    #5
  6. Instead of restarting the DNS service, does clearing the DNS server cache
    work?

    Are you using a forwarder?
    Has it (the forwarder) been tested to allow recursion?

    Does your firewall allow your DNS access to any address on port 53 UDP and
    TCP?
    If your firewall only allows access to your ISP's DNS on those two ports,
    check the box "Do not use recursion for this domain" on the forwarders tab.

    On the subject of forwarders, my preference is to not use a forwarder and
    just let DNS do its own recursive lookups. It actually makes your DNS less
    susceptible to corruption because it will only use authoritative servers for
    resolution. I use a forwarder only if I have a caching DNS that I'm in
    control of.


     
    Kevin D. Goodknecht Sr. [MVP], Sep 7, 2006
    #6
  7. Patty S

    Patty S Guest

    I will try the clearing of the cache next time it fails. Now it is just a
    waiting game until it fails again.

    We do have forwarders in there. Both sites do actually go to the same ISP.

    I will check with the Cisco guys here in regards to the ports.

    Thanks for the assistance. There are 7 of us here and we are hitting a
    wall. I was hoping someone else out there had run into this problem. I
    can't believe that we are the only ones. We have been trying to come up
    with what is similar between the two clients. We have about 100 clients and
    it is just these two. We have quite a few that are with the same isp and
    not having problems.
     
    Patty S, Sep 7, 2006
    #7
  8. Patty S

    Patty S Guest

    Well, clearing the cache didn't work.

    When I do nslookup, I get a timeout for external sites.
     
    Patty S, Sep 8, 2006
    #8
  9. Can you post dnscmd <servername> /Info?

    Maybe something will jump out; this usually points to a problem with the
    root hints or the forwarders.

     
    Kevin D. Goodknecht Sr. [MVP], Sep 8, 2006
    #9
  10. Patty S

    Patty S Guest

    I replaced the domain names with xxxxxxxx

    Query result:

    Server info
    server name = sweepea.xxxxxxxx.com
    version = 0ECE0205 (5.2 build 3790)
    DS container = cn=MicrosoftDNS,cn=System,DC=xxxxxxxx,DC=com
    forest name = xxxxxxxx.com
    domain name = xxxxxxxx.com
    builtin domain partition = ForestDnsZones.xxxxxxxx.com
    builtin forest partition = DomainDnsZones.xxxxxxxx.com
    last scavenge cycle = not since restart (0)
    Configuration:
    dwLogLevel = 0000F331
    dwDebugLevel = 00000000
    dwRpcProtocol = FFFFFFFF
    dwNameCheckFlag = 00000002
    cAddressAnswerLimit = 0
    dwRecursionRetry = 3
    dwRecursionTimeout = 15
    dwDsPollingInterval = 180
    Configuration Flags:
    fBootMethod = 3
    fAdminConfigured = 1
    fAllowUpdate = 1
    fDsAvailable = 1
    fAutoReverseZones = 1
    fAutoCacheUpdate = 0
    fSlave = 0
    fNoRecursion = 0
    fRoundRobin = 1
    fStrictFileParsing = 0
    fLooseWildcarding = 0
    fBindSecondaries = 1
    fWriteAuthorityNs = 0
    fLocalNetPriority = 1
    Aging Configuration:
    ScavengingInterval = 0
    DefaultAgingState = 0
    DefaultRefreshInterval = 168
    DefaultNoRefreshInterval = 168
    ServerAddresses:
    Addr Count = 1
    Addr[0] => 10.0.1.6
    ListenAddresses:
    NULL IP Array.
    Forwarders:
    Addr Count = 2
    Addr[0] => 216.57.214.17
    Addr[1] => 216.57.207.18
    forward timeout = 5
    slave = 0
    Command completed successfully.
     
    Patty S, Sep 8, 2006
    #10
  11. I believe this could be your problem:
    on the Debug Logging tab, clear the "Log packets for debugging" check box.

    Under loaded situations, when DNS is answering a lot of queries, you can
    overload the service with debug logging enabled. DNS can handle hundreds of
    queries a second in normal read-only mode, until it has to write a log. If
    it has to log these queries, it can cause DNS to stop responding.

     
    Kevin D. Goodknecht Sr. [MVP], Sep 8, 2006
    #11
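An added example, not part of the thread: a small Python triage of a pasted dnscmd <servername> /Info dump that flags the settings this thread turned on, namely a non-zero dwLogLevel (packet debug logging, Kevin's diagnosis above), fNoRecursion, the forwarder list, and slave mode. The sample dump is constructed from the one Patty posted (domain masked as there); the rule wording and the function names parse_info and triage are my own.

```python
import re

# Constructed sample, modelled on the /Info dump posted above (domain masked as there).
SAMPLE_INFO = """\
Server info
server name = sweepea.xxxxxxxx.com
version = 0ECE0205 (5.2 build 3790)
Configuration:
dwLogLevel = 0000F331
dwDebugLevel = 00000000
Configuration Flags:
fNoRecursion = 0
fSlave = 0
ServerAddresses:
Addr Count = 1 Addr[0] => 10.0.1.6 ListenAddresses:
NULL IP Array. Forwarders:
Addr Count = 2 Addr[0] => 216.57.214.17 Addr[1] => 216.57.207.18 forward timeout = 5
slave = 0
Command completed successfully.
"""


def parse_info(text):
    """Collect 'key = value' settings and pull the forwarder IPs out of the Forwarders: block."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"([\w ]+?)\s*=\s*(.+?)\s*$", line.strip())
        if m:
            info[m.group(1)] = m.group(2)
    # The dump runs lines together, so take everything after the 'Forwarders:' marker
    fwd_block = text.split("Forwarders:", 1)[1] if "Forwarders:" in text else ""
    info["forwarders"] = re.findall(r"Addr\[\d+\] => (\d+(?:\.\d+){3})", fwd_block)
    return info


def triage(info):
    """Findings in the order this thread raised them; an empty list means nothing obvious."""
    findings = []
    if int(info.get("dwLogLevel", "0"), 16):
        findings.append("dwLogLevel is non-zero: packet debug logging is on and can stall a busy server")
    if info.get("fNoRecursion") == "1":
        findings.append("fNoRecursion=1: server will not resolve external names itself")
    if info["forwarders"]:
        findings.append("forwarders in use (%s): confirm the firewall allows 53/udp and 53/tcp to them"
                        % ", ".join(info["forwarders"]))
        if info.get("slave") == "1" or info.get("fSlave") == "1":
            findings.append("slave=1: no recursion fallback, resolution dies with the forwarders")
    return findings
```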
  12. Patty S

    Patty S Guest

    I just turned on debugging yesterday.
     
    Patty S, Sep 8, 2006
    #12
  13. markSD

    markSD Guest

    Hi Patty and Kevin,
    I came across your posts and am having the same exact problem! I cannot find
    any answers. Was this ever resolved?
     
    markSD, Sep 29, 2006
    #13
  14. Patty S

    Patty S. Guest

    The problem hasn't occurred again. But at times, we could go three weeks
    without it happening.

    So here are the steps we took...

    On 9/7/06, I updated the root hints.
    9/8/06 am - failed.
    9/8/06 pm - added a third forwarder that wasn't their ISP; it was our
    DNS server at a co-location. Ran dnscmd <Server Name> /Config
    /EnableEDnsProbes 0 on each server (it previously had been run on only one
    of the two servers). Increased the max length on the PIX to 1500.

    I hope this helps someone else.

    If it fails again, I will post an update.
     
    Patty S., Sep 29, 2006
    #14