Forwarders cannot be validated and recursive query fails

Discussion in 'DNS Server' started by Bennett, Feb 23, 2009.

  1. Bennett

    Bennett Guest

    I'm migrating one of my clients from Windows Server 2003 to 2008. However,
    DNS recursive query and nslookup are failing on the new 2008 DC. Yes,
    recursion is enabled (or rather not disabled on Advanced tab). I have the
    same forwarders and root hints as my working 2003 DC and I can telnet to the
    forwarders' port 53 from the 2008 DC. Event logs show no errors.

    Odd thing is, when adding the forwarders, their FQDN resolved, but the
    Validated column said "An unknown error occurred while validating the
    server." Can't find anything about this message online and can't find any
    event, log entry, or other explanation of what this error is. Guess that's
    why it says "unknown error". ;)

    Seems obvious problem is recursion/forwarding, but I can't figure out how to
    diagnose the problem since recursion is already enabled. Help!
     
    Bennett, Feb 23, 2009
    #1

  2. In
    I see you tested with telnet, but that only indicates if TCP is responding.
    Telnet is TCP based, not UDP. Keep in mind, by default, DNS on Windows 2003
    and newer, uses EDNS0, which uses UDP to query (if the response packet is
    under 1280 bytes, not like the old 500 bytes using non-EDNS0). It will
    switch to TCP if the response packet is greater than 1280 bytes.

    Use nslookup to test it. If it doesn't work with a simple nslookup test,
    use the 'set vc' option in nslookup to force TCP and see if it works. If it
    does, it says UDP is blocked.

    Example:

    nslookup
    testmachine.yourdomain.com
    www.OnSomeOtherOutsideDomain.com
    www.yahoo.com

    if it doesn't work, try:

    nslookup
    set vc
    (and retry the queries)

    Also try nslookup diagnostic mode:
    nslookup
    set d2

    and post your results, please



    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
    Microsoft Certified Trainer


    For urgent issues, you may want to contact Microsoft PSS directly. Please
    check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [Microsoft Certified Trainer], Feb 23, 2009
    #2
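The probe Ace describes above, written out as an added example in Python (this is not code from the thread, from nslookup or from Windows DNS): it sends the same one-question query over UDP and then over TCP, which is what nslookup's "set vc" does, and decodes the response header into the fields that "set d2" prints. The resolver address you pass to probe() is whatever server you are testing; the sample responses at the bottom are constructed, not captured from any real server.

```python
import socket
import struct

# Added example, not code from the thread: a minimal DNS probe that does what
# the nslookup tests above do (plain UDP query, then TCP like "set vc") and
# decodes the response header into the fields "set d2" prints.

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "AAAA": 28}


def build_query(name, qtype="A", qid=0x1234, want_recursion=True):
    """Wire-format DNS query with one question (class IN)."""
    flags = 0x0100 if want_recursion else 0x0000          # RD bit
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 0)
    question = b""
    for label in name.strip(".").split("."):
        question += bytes([len(label)]) + label.encode("ascii")
    question += b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)
    return header + question


def parse_header(msg):
    """Decode the 12-byte header into the fields nslookup's d2 mode shows."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "auth_answer": bool(flags & 0x0400),
        "truncated": bool(flags & 0x0200),
        "want_recursion": bool(flags & 0x0100),
        "recursion_avail": bool(flags & 0x0080),
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "questions": qd, "answers": an, "authority": ns, "additional": ar,
    }


def explain(hdr):
    """Turn the header into the diagnosis the thread arrives at by hand."""
    if not hdr["response"]:
        return "not a response"
    if hdr["rcode"] == "REFUSED" or not hdr["recursion_avail"]:
        return "server refuses recursion for this client"
    if hdr["rcode"] == "SERVFAIL":
        return "server accepted the query but its own upstream lookup failed"
    if hdr["rcode"] == "NXDOMAIN":
        return "name does not exist" + (" (authoritative)" if hdr["auth_answer"] else "")
    if hdr["truncated"]:
        return "answer truncated over UDP; retry over TCP"
    return "lookup succeeded"


def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("TCP stream closed early")
        data += chunk
    return data


def send_query(server, query, use_tcp=False, timeout=3.0):
    """Send a query over UDP (default) or TCP (the equivalent of 'set vc')."""
    if use_tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)   # TCP length prefix
            length = struct.unpack("!H", _recv_exact(s, 2))[0]
            return _recv_exact(s, length)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        return s.recv(4096)


def probe(server, name):
    """UDP first, then TCP; returns one verdict per transport."""
    results = {}
    for transport in ("udp", "tcp"):
        try:
            hdr = parse_header(send_query(server, build_query(name), transport == "tcp"))
            results[transport] = f'{hdr["rcode"]}: {explain(hdr)}'
        except (OSError, ValueError) as exc:
            results[transport] = f"no usable reply ({exc})"
    return results


# Constructed responses (not captured from any real server), shaped like the
# trace later in this thread: a forwarder-failure SERVFAIL, a resolver that
# declines recursion for this client, and an authoritative NXDOMAIN.
_QUESTION = build_query("microsoft.com")[12:]
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 80, 0x8182, 1, 0, 0, 0) + _QUESTION
SAMPLE_REFUSED = struct.pack("!HHHHHH", 82, 0x8105, 1, 0, 0, 0) + _QUESTION
SAMPLE_NXDOMAIN_AUTH = struct.pack("!HHHHHH", 78, 0x8583, 1, 0, 1, 0) + _QUESTION

if __name__ == "__main__":
    # Replace RESOLVER_IP with the forwarder you are testing.
    for transport, verdict in probe("RESOLVER_IP", "www.example.com").items():
        print(transport, verdict)
```

Read the two verdicts together: a UDP timeout next to a TCP answer is the UDP/53-blocked case Ace describes; the same REFUSED, or a cleared "recursion avail." bit, on both transports means the resolver itself is declining to recurse for your source address, which no firewall rule on your side will change. Run it from the server whose forwarders you are validating, since a resolver's access policy sees that server's source address, not your workstation's.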

  3. Bennett

    Bennett Guest

    Never considered the TCP/UDP aspect of telnet. Have to remember that. :)

    Already used nslookup d2 to test & failed (hadn't tried set vc, but that
    failed, too). I had even compared d2 output to my 2003 server and didn't see
    anything significant. Only real difference was a nondescript "rcode =
    SERVFAIL" instead of NOERROR. Pretty worthless, but maybe you can glean
    something from the results that I missed:

    ==================================================
    Server: xxx.xxxxxx.com
    Address: xxx.xxx.xxx.xxx

    ------------
    Got answer:
    HEADER:
    opcode = QUERY, id = 78, rcode = NXDOMAIN
    header flags: response, auth. answer, want recursion, recursion avail.
    questions = 1, answers = 0, authority records = 1, additional = 0

    QUESTIONS:
    microsoft.com.xxxxxx.com, type = A, class = IN
    AUTHORITY RECORDS:
    -> xxxxxx.com
    ttl = 3600 (1 hour)
    primary name server = xxx.xxxxxx.com
    responsible mail addr = hostmaster
    serial = 10377
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)

    ------------
    ------------
    Got answer:
    HEADER:
    opcode = QUERY, id = 79, rcode = NXDOMAIN
    header flags: response, auth. answer, want recursion, recursion avail.
    questions = 1, answers = 0, authority records = 1, additional = 0

    QUESTIONS:
    microsoft.com.xxxxxx.com, type = AAAA, class = IN
    AUTHORITY RECORDS:
    -> xxxxxx.com
    ttl = 3600 (1 hour)
    primary name server = xxx.xxxxxx.com
    responsible mail addr = hostmaster
    serial = 10377
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)

    ------------
    ------------
    Got answer:
    HEADER:
    opcode = QUERY, id = 80, rcode = SERVFAIL
    header flags: response, want recursion, recursion avail.
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    microsoft.com, type = A, class = IN

    ------------
    ------------
    Got answer:
    HEADER:
    opcode = QUERY, id = 81, rcode = SERVFAIL
    header flags: response, want recursion, recursion avail.
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    microsoft.com, type = AAAA, class = IN
     
    Bennett, Feb 23, 2009
    #3
  4. In

    The SERVFAIL is saying that it could not get the response from the server it
    was using, and NXDOMAIN is saying the domain doesn't exist. It sounds like
    the query is not passing through or returning through a firewall. What type
    of firewall are you using? Is UDP 53 permitted through it? But you said set
    vc did not work either? Can you describe your setup a little, please?

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Feb 24, 2009
    #4
  5. Bennett

    Bennett Guest

    My suspicions were port 53 blocked, too, because if I add the old 2003
    server to the 2008's forwarders, it works. However, I can't find where (or
    even if) it's blocked. Firewall is pfSense (FreeBSD-based packet filter).
    All outbound LAN traffic is allowed except port 25 from non-mail servers.
    Even so, I added a rule to explicitly allow TCP/UDP port 53 from this server.
    I disabled the Windows Server 2008 firewall to eliminate it from the picture,
    even though it has multiple built-in rules on all profiles to explicitly
    allow port 53 and even allow all traffic from the DNS Service.

    However, as I said before, I added firewall rules and disabled firewalls, and I
    can telnet to port 53 from this server to the external DNS, but nslookup with
    set vc still fails. So the port works, but the DNS service doesn't.

    Something interesting I didn't notice earlier. When I first open nslookup,
    it doesn't find this DNS server it's running on and I have manually set the
    server. The startup looks like this:

    C:\>nslookup
    Default Server: UnKnown
    Address: ::1

    Colons made me suspicious of IP6, so I disabled it, and now nslookup finds
    server localhost 127.0.0.1, but still no worky. Still same nondescript
    SERVFAIL error, but nothing else. Aaaarrrggghh!
     
    Bennett, Feb 24, 2009
    #5
  6. In
    Is there an 'established' rule to allow any outbound requests (other than
    http and https) to the 2008 server? Can you mimic the 2003 server's rules in
    the firewall for the 2008's server's IP?

    As a test, unplug the 2003 server, then change the 2008 server's IP to the
    one the 2003 server is using, then test it. Does it work? (of course do this
    after hours, especially if the 2003 server is a prod server).

    Remove the loopback and change the DNS address to the actual server's IP.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Feb 25, 2009
    #6
  7. Bennett

    Bennett Guest

    Found problem/solution! Just for giggles, I tried OpenDNS and voilà,
    they're validated and everything works! If I set nslookup server to Time
    Warner DNS servers on both 2003/2008 boxes, I get "rcode = REFUSED" on
    lookups. Frankly, now I'm not sure how 2003 server was working at all since
    these are the only external DNS listed anywhere in it. I'll try to figure
    that out after the 2008 switch is complete but before I decommission the 2003
    box. In the meantime, I'm using OpenDNS & some Time Warner DNS snagged from
    another local Time Warner client because all the other DNS servers I could
    find on the worthless Time Warner business-class "support" website fail, too.
    :p

    Thanks for assistance, Ace. Problem was all Time Warner's DNS servers.
     
    Bennett, Feb 25, 2009
    #7
  8. In
    Ahh, interesting. I bet if you ran nslookup with the d2 switch (set d2),
    that you will find at the recursion request portion, it would say recursion
    is not available. Apparently they have it turned off for customers outside
    of their network, or turned off period. I would have suggested to try
    4.2.2.2, but it didn't occur to me it would be an external DNS issue.

    Good to see you have it working. Good luck. Post back if you have any other
    questions.

    Ace
     
    Ace Fekay [Microsoft Certified Trainer], Feb 26, 2009
    #8
  9. I don't know if you managed to solve this but we ran into the same issue when Comcast changed their DNS servers.

    The solution was we had to contact Comcast and ask them to change their ACL list since all of our traffic comes from non-Comcast IPs. If you have non-Comcast IPs you will have to do the same. They didn't want everyone to validate against their servers and take up their traffic.

    Hope this helps!
     
    Peter de Kanter, Feb 8, 2011
    #9
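The resolver-side behaviour that the last three posts (#7, #8 and #9) converge on, and the trace in #3, modelled as an added Python example (not code from the thread, from Windows DNS or from any ISP): a toy DNS server with one authoritative zone and a list of forwarders, where each forwarder enforces an allow-recursion ACL on the querying server's source address. It reproduces the three header outcomes seen in the thread: an authoritative NXDOMAIN for the suffix-appended name, REFUSED with "recursion avail." clear when the forwarder is queried directly from an address outside its ACL, and a bare SERVFAIL back to the client when every forwarder refuses or times out. Zone names, prefixes and addresses are all constructed (RFC 5737 documentation ranges).

```python
import ipaddress

# Added example, not code from the thread, from Windows DNS or from any ISP:
# a toy resolver model that reproduces the three header outcomes seen in this
# thread. Zone names, prefixes and addresses are constructed (RFC 5737 ranges).

LOCAL_ZONES = {"corp.example": {"dc1.corp.example": "192.0.2.10"}}


class Forwarder:
    """Upstream resolver with an allow-recursion ACL and a reachability flag."""

    def __init__(self, name, allow_recursion, reachable=True, answers=None):
        self.name = name
        self.acl = [ipaddress.ip_network(p) for p in allow_recursion]
        self.reachable = reachable
        self.answers = answers or {}

    def permits(self, source_ip):
        addr = ipaddress.ip_address(source_ip)
        return any(addr in net for net in self.acl)

    def query(self, source_ip, qname):
        """None models a timeout (no packet back, e.g. UDP/53 filtered)."""
        if not self.reachable:
            return None
        if not self.permits(source_ip):
            # Out-of-network client: refuse and clear RA, as the ISP servers did.
            return {"rcode": "REFUSED", "aa": False, "ra": False}
        if qname in self.answers:
            return {"rcode": "NOERROR", "aa": False, "ra": True,
                    "answer": self.answers[qname]}
        return {"rcode": "NXDOMAIN", "aa": False, "ra": True}


def in_zone(qname, zone):
    return qname == zone or qname.endswith("." + zone)


def resolve(qname, our_ip, forwarders, zones=LOCAL_ZONES):
    """Reply a DNS server with these zones and forwarders gives its own clients."""
    for zone, records in zones.items():
        if in_zone(qname, zone):
            # Authoritative zone: answer locally, never forward.
            if qname in records:
                return {"rcode": "NOERROR", "aa": True, "ra": True,
                        "answer": records[qname]}
            return {"rcode": "NXDOMAIN", "aa": True, "ra": True}
    for fwd in forwarders:
        reply = fwd.query(our_ip, qname)
        if reply is None or reply["rcode"] == "REFUSED":
            continue  # timeout or refusal: try the next forwarder
        return {**reply, "ra": True}  # our server does recurse for its clients
    # Every forwarder timed out or refused: the client sees only SERVFAIL.
    return {"rcode": "SERVFAIL", "aa": False, "ra": True}


def search_candidates(name, suffixes):
    """Order in which a suffix-appending client tries names; this is why the
    thread's trace queried microsoft.com.<suffix> before microsoft.com."""
    return [f"{name}.{s}" for s in suffixes] + [name]


def walk_trace(name, suffixes, our_ip, forwarders):
    """Resolve each candidate in turn, like the d2 trace, returning the rcodes."""
    return [(cand, resolve(cand, our_ip, forwarders)["rcode"])
            for cand in search_candidates(name, suffixes)]


if __name__ == "__main__":
    isp = Forwarder("isp", ["198.51.100.0/24"])          # constructed ACL
    for cand, rcode in walk_trace("microsoft.com", ["corp.example"],
                                  "203.0.113.5", [isp]):
        print(cand, rcode)
```

The point the model makes explicit is why the symptom was so hard to read from the server: the REFUSED that a forwarder sends is swallowed by the recursing server, which can only report SERVFAIL to its client, so the refusal is only visible when you query the forwarder directly from the same source address (as Bennett did with nslookup's server command). From the resolver operator's side, restricting recursion to known client prefixes is the correct policy, since an open recursive resolver is abusable for reflection; the fixes available to the client are the ones the thread ended with, namely getting the source range added to the ACL or forwarding to a resolver whose policy covers you.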