Forwarders cannot be validated and recursive query fails

I'm migrating one of my clients from Windows Server 2003 to 2008. However,
DNS recursive query and nslookup are failing on the new 2008 DC. Yes,
recursion is enabled (or rather not disabled on Advanced tab). I have the
same forwarders and root hints as my working 2003 DC and I can telnet to the
forwarders' port 53 from the 2008 DC. Event logs show no errors.

Odd thing is, when adding the forwarders, their FQDN resolved, but the
Validated column said "An unknown error occurred while validating the
server." Can't find anything about this message online and can't find any
event, log entry, or other explanation of what this error is. Guess that's
why it says "unknown error".

Seems obvious problem is recursion/forwarding, but I can't figure out how to
diagnose the problem since recursion is already enabled. Help!

 

In

I see you tested with telnet, but that only indicates if TCP is responding.
Telnet is TCP based, not UDP. Keep in mind, by default, DNS on Windows 2003
and newer, uses EDNS0, which uses UDP to query (if the response packet is
under 1280 bytes, not like the old 500 bytes using non-EDNS0). It will
switch to TCP if the response packet is greater than 1280 bytes.

Use nslookup to test it. If it doesn't work with a simple nslookup test,
use the 'set vc' option in nslookup to force TCP and see if it works. If it
does, it says UDP is blocked.

Example:

nslookup
testmachine.yourdomain.com
www.OnSomeOtherOutsideDomain.com
www.yahoo.com

if it doesn't work, try:

nslookup
set vc
(and retry the queries)

Also try nslookup diagnostic mode:
nslookup
set d2

and post your results, please



--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer


For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

 

Never considered the TCP/UDP aspect of telnet. Have to remember that.

Already used nslookup d2 to test & failed (hadn't tried set vc, but that
failed, too). I had even compared d2 output to my 2003 server and didn't see
anything significant. Only real difference was a nondescript "rcode =
SERVFAIL" instead of NOERROR. Pretty worthless, but maybe you can glean
something from the results that I missed:

==================================================

Server: xxx.xxxxxx.com
Address: xxx.xxx.xxx.xxx

------------
Got answer:
HEADER:
opcode = QUERY, id = 78, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion
avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
microsoft.com.xxxxxx.com, type = A, class = IN
AUTHORITY RECORDS:
-> xxxxxx.com
ttl = 3600 (1 hour)
primary name server = xxx.xxxxxx.com
responsible mail addr = hostmaster
serial = 10377
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

------------
------------
Got answer: HEADER:
opcode = QUERY, id = 79, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion
avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
microsoft.com.xxxxxx.com, type = AAAA, class = IN
AUTHORITY RECORDS:
-> xxxxxx.com
ttl = 3600 (1 hour)
primary name server = xxx.xxxxxx.com
responsible mail addr = hostmaster
serial = 10377
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 80, rcode = SERVFAIL
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
microsoft.com, type = A, class = IN

------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 81, rcode = SERVFAIL
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
microsoft.com, type = AAAA, class = IN

 

In

The Servfail is saying that it could not get the response from the server it
was using, and NXDDOMAIN is saying the domain doesn't exist. It sounds like
the query is not passing through or returning through a firewall. What type
of firewall are you using? Is UDP53 permitted through it? But you said set
vc did not work either? Canyou describe your setup a little, please?

Ace

 

My suspicions were port 53 blocked, too, because if I add the old 2003
server to the 2008's forwarders, it works. However, I can't find where (or
even if) its blocked. Firewall is pfSense (FreeBSD-based packet filter).
All outbound LAN traffic is allowed except port 25 from non-mail servers.
Even so, I added a rule to explicitly allow TCP/UDP port 53 from this server.
I disabled Windows Server 2008 firewall to eliminate it from the picture,
even though it has multiple built-in rules on all profiles to explicitly
allow port 53 and even allow all traffic from DNS Service.

However, as I said before I added firewall rules and disabled firewalls, I
can telnet port 53 from this server to the external DNS but nslookup with set
vc still fails. So the port works, but DNS service doesn't.

Something interesting I didn't notice earlier. When I first open nslookup,
it doesn't find this DNS server it's running on and I have manually set the
server. The startup looks like this:

C:\>nslookup
Default Server: UnKnown
Address: ::1

Colons made me suspicious of IP6, so I disabled it, and now nslookup finds
server localhost 127.0.0.1, but still no worky. Still same nondescript
SERVFAIL error, but nothing else. Aaaarrrggghh!

 

In

Is there an 'established' rule to allow any outbound requests (other than
http and https) to the 2008 server? Can you mimic the 2003 server's rules in
the firewall for the 2008's server's IP?

As a test, unplug the 2003 server, then change the 2008 server's IP to the
one the 2003 server is using, then test it. Does it work? (of course do this
after hours, especially if the 2003 server is a prod server).

Remove the loopback and change the DNS address to the actual server's IP.

Ace

 

Found problem/solution! Just for giggles, I tried OpenDNS and viola,
they're validated and everything works! If I set nslookup server to Time
Warner DNS servers on both 2003/2008 boxes, I get "rcode = REFUSED" on
lookups. Frankly, now I'm not sure how 2003 server was working at all since
these are the only external DNS listed anywhere in it. I'll try to figure
that out after the 2008 switch is complete but before I decommission the 2003
box. In the meantime, I'm using OpenDNS & some Time Warner DNS snagged from
another local Time Warner client because all the other DNS servers I could
find on the worthless Time Warner business-class "support" website fail, too.


Thanks for assistance, Ace. Problem was all Time Warner's DNS servers.

 

In

Ahh, interesting. I bet if you ran nslookup with the d2 switch (set d2),
that you will find at the recursion request portion, it would say recursion
is not available. Apparently they have it turned off for customers outside
of their network, or turned off period. I would have suggested to try
4.2.2.2, but it didn't occur to me it would be an external DNS issue.

Good to see you have it working. Good luck. Post back if you have any other
questions.

Ace

 

I dont know if you managed to solve this but we ran into the same issue when Comcast changed their DNS servers.

The solution was we had to contact Comcast and ask them to change their ACL list since all of our traffic comes from non Comcast IPs. If you have non Comcast IPs you will have to do the same. They didn't want everyone to validate against their servers and take up their traffic.

Hope this helps!