Microsoft DNS server not resolving external names

Discussion in 'DNS Server' started by ERES, Sep 2, 2005.

  1. ERES

    ERES Guest

    It seems that I cannot resolve external DNS Names,
    internal Names for which it is the primary Nameserver are no problem.

    If I configure a forwarder DNS Server, there are no problems resolving
    names,
    but it seems my DNS server does not ask the root servers itself. Why?

    I have no more clues,
    thanks in advance,
    Jan Dorninger
     
    ERES, Sep 2, 2005
    #1

  2. Todd J Heron

    Todd J Heron Guest

    Do you have the "Disable recursion..." check box enabled on the Forwarders
    tab?

    --
    Todd J Heron, MCSE
    Windows Server 2003/2000/NT; CCA
    ----------------------------------------------------------------------------
    This posting is provided "as is" with no warranties and confers no rights

     
    Todd J Heron, Sep 2, 2005
    #2

  3. Is "Do not use recursion" checked? (Forwarders tab)



    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Sep 2, 2005
    #3
  4. ERES

    ERES Guest

    "Do not use recursion" is not checked,
    my DNS is resolving names, but only with forwarders configured,

    I want a stand-alone DNS server, which resolves names on its own :(

    Jan
     
    ERES, Sep 5, 2005
    #4
  5. It should be able to do this by default, it uses Root Hints for this.
    Are the root hints loaded and resolved?
    Try running this command using this exact syntax, this query is to your DNS
    asking for the NS records for the ICANN root, don't miss the ".", which is
    the root.
    nslookup -qtype=ns .

    You should expect it to return the root server addresses for the ICANN root.
    If it does not, use this command which is querying one of the root servers
    itself for the NS records for all the root servers:
    nslookup -qtype=ns . 198.41.0.4


     
    Kevin D. Goodknecht Sr. [MVP], Sep 5, 2005
    #5
  6. What kind of firewall is being used?

    --
    Regards,
    Ace

    Please direct all replies ONLY to the Microsoft public newsgroups
    so all can benefit.

    This posting is provided "AS-IS" with no warranties or guarantees
    and confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft Windows MVP - Windows Server - Directory Services
    Infinite Diversities in Infinite Combinations.
    =================================
     
    Ace Fekay [MVP], Sep 5, 2005
    #6
  7. ERES

    ERES Guest

    It should be able to this by default,
    Yeah, thought so too :)

    Your queries are working for the root-servers, but no other external domain.

    Now I am forwarding to my secondary DNS, which is able to query root-servers
    by default.

    Maybe I should reinstall? :(

    Jan
     
    ERES, Sep 5, 2005
    #7
  8. So it did return the gTLD server addresses?
    Post the results from an external query using nslookup -d2 www.yahoo.com

    Not likely to help.


     
    Kevin D. Goodknecht Sr. [MVP], Sep 5, 2005
    #8
  9. ERES

    ERES Guest

    So it did return the gTLD server addresses?
    both queries returned the root servers


    C:\>nslookup -d2 www.yahoo.com ns1.immobilien.net
    ------------
    SendRequest(), len 43
    HEADER:
    opcode = QUERY, id = 1, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    5.14.164.213.in-addr.arpa, type = PTR, class = IN

    ------------
    ------------
    Got answer (75 bytes):
    HEADER:
    opcode = QUERY, id = 1, rcode = NOERROR
    header flags: response, auth. answer, want recursion, recursion
    avail.
    questions = 1, answers = 1, authority records = 0, additional = 0

    QUESTIONS:
    5.14.164.213.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    -> 5.14.164.213.in-addr.arpa
    type = PTR, class = IN, dlen = 20
    name = ns1.immobilien.net
    ttl = 86400 (1 day)

    ------------
    Server: ns1.immobilien.net
    Address: 213.164.14.5

    ------------
    SendRequest(), len 46
    HEADER:
    opcode = QUERY, id = 2, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    www.yahoo.com.IMMOBILIEN.NET, type = A, class = IN

    ------------
    ------------
    Got answer (103 bytes):
    HEADER:
    opcode = QUERY, id = 2, rcode = NXDOMAIN
    header flags: response, auth. answer, want recursion, recursion
    avail.
    questions = 1, answers = 0, authority records = 1, additional = 0

    QUESTIONS:
    www.yahoo.com.IMMOBILIEN.NET, type = A, class = IN
    AUTHORITY RECORDS:
    -> immobilien.net
    type = SOA, class = IN, dlen = 31
    ttl = 86400 (1 day)
    primary name server = ns1.immobilien.net
    responsible mail addr = me.immobilien.net
    serial = 20050328
    refresh = 10800 (3 hours)
    retry = 1800 (30 mins)
    expire = 604800 (7 days)
    default TTL = 86400 (1 day)

    ------------
    ------------
    SendRequest(), len 31
    HEADER:
    opcode = QUERY, id = 3, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    www.yahoo.com, type = A, class = IN

    ------------
    DNS request timed out.
    timeout was 2 seconds.
    timeout (2 secs)
    SendRequest failed
    *** Request to ns1.immobilien.net timed-out
     
    ERES, Sep 6, 2005
    #9
  10. ERES

    ERES Guest

    My secondary DNS is making queries just fine,
    there can't be a firewall issue, can it?

    Why are you asking?

    Thanks for all your help,
    Jan


     
    ERES, Sep 6, 2005
    #10
  11. It works fine from here.
    W:\>nslookup -d2 www.yahoo.com. ns1.immobilien.net.
    ------------
    SendRequest(), len 43
    HEADER:
    opcode = QUERY, id = 1, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    5.14.164.213.in-addr.arpa, type = PTR, class = IN

    ------------
    ------------
    Got answer (75 bytes):
    HEADER:
    opcode = QUERY, id = 1, rcode = NOERROR
    header flags: response, auth. answer, want recursion, recursion
    avail.
    questions = 1, answers = 1, authority records = 0, additional = 0

    QUESTIONS:
    5.14.164.213.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    -> 5.14.164.213.in-addr.arpa
    type = PTR, class = IN, dlen = 20
    name = ns1.immobilien.net
    ttl = 86400 (1 day)

    ------------
    Server: ns1.immobilien.net
    Address: 213.164.14.5

    ------------
    SendRequest(), len 31
    HEADER:
    opcode = QUERY, id = 2, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    www.yahoo.com, type = A, class = IN

    ------------
    ------------
    Got answer (193 bytes):
    HEADER:
    opcode = QUERY, id = 2, rcode = NOERROR
    header flags: response, want recursion, recursion avail.
    questions = 1, answers = 9, authority records = 0, additional = 0

    QUESTIONS:
    www.yahoo.com, type = A, class = IN
    ANSWERS:
    -> www.yahoo.com
    type = CNAME, class = IN, dlen = 22
    canonical name = www.yahoo.akadns.net
    ttl = 54 (54 secs)
    -> www.yahoo.akadns.net
    type = A, class = IN, dlen = 4
    internet address = 216.109.117.205
    ttl = 19 (19 secs)
    -> www.yahoo.akadns.net
    type = A, class = IN, dlen = 4
    internet address = 216.109.117.110
    ttl = 19 (19 secs)
    -> www.yahoo.akadns.net
    type = A, class = IN, dlen = 4
    internet address = 216.109.117.207
    ttl = 19 (19 secs)
    -> www.yahoo.akadns.net
    type = A, class = IN, dlen = 4
    internet address = 216.109.117.107
    ttl = 19 (19 secs)
    -> www.yahoo.akadns.net
    type = A, class = IN, dlen = 4
    internet address = 216.109.118.68
    ttl = 19 (19 secs)
    -> www.yahoo.akadns.net
    type = A, class = IN, dlen = 4
    internet address = 216.109.118.72
    ttl = 19 (19 secs)
    -> www.yahoo.akadns.net
    type = A, class = IN, dlen = 4
    internet address = 216.109.118.76
    ttl = 19 (19 secs)
    -> www.yahoo.akadns.net
    type = A, class = IN, dlen = 4
    internet address = 216.109.118.75
    ttl = 19 (19 secs)

    ------------
    Non-authoritative answer:
    Name: www.yahoo.akadns.net
    Addresses: 216.109.117.205, 216.109.117.110, 216.109.117.207,
    216.109.117.107
    216.109.118.68, 216.109.118.72, 216.109.118.76, 216.109.118.75
    Aliases: www.yahoo.com

     
    Kevin D. Goodknecht Sr. [MVP], Sep 7, 2005
    #11
  12. ERES

    ERES Guest

    Yeah, I know,
    but only because ns1 is forwarding to the DNS of our ISP,
    a so-called workaround, which I don't want to become a solution ;)

    If I take out the forwarder, it gives me a timeout :(

    Best regards,
    Jan
     
    ERES, Sep 7, 2005
    #12
  13. Is there any way I can remote in to this server?

    This could also be a corruption of the Root Hints file.
    249868 - Replacing Root Hints with the Cache.dns File:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;249868

    You can also install a Secondary delegated root zone. I've used a secondary
    delegated root zone for two years because it is the easiest way to resolve
    the ORSC Root. But, you can also install a secondary ICANN Root, just as
    easily.

     
    Kevin D. Goodknecht Sr. [MVP], Sep 7, 2005
    #13
  14. ERES

    ERES Guest

    Yeahhhh, it's resolving without forwarders
    It's always the simple solution :)

    My DNS shouldn't use AD, but your link did the job,
    Thanks a lot,
    Jan
     
    ERES, Sep 7, 2005
    #14
  15. Good deal, I knew with enough patience it would eventually come to the
    surface.


     
    Kevin D. Goodknecht Sr. [MVP], Sep 7, 2005
    #15
  16. I was asking because Win2003 DNS uses a new industry feature called EDNS0.
    But it sounds like you got it working with Kevin's help.

    :)

    Ace
     
    Ace Fekay [MVP], Sep 7, 2005
    #16
  17. ERES

    ERES Guest

    yes, that's a point,
    never heard of EDNS0 before, and now I had to change my firewall config, ...
    Thanks

    What would be the recommended packet size?

    Why are there always more questions than answers?
    I am opening a door only to see a lot more doors, ... ?
    :)

    Jan



     
    ERES, Sep 8, 2005
    #17
  18. Because this is not a finite field of study. Networking is very flexible.
    Not everyone has the same exact setup, such as fingerprints.

    There is no "recommended packet size." It's a matter of Windows 2003 DNS
    using EDNS0 which allows UDP response packets larger than 512 bytes which
    increases efficiency. Older firewalls or firewalls not updated do not
    understand this new traffic.

    You can either disable EDNS0 and lose the benefits, or update your firewall
    to allow it.

    828263 - DNS query responses do not travel through a firewall in Windows
    Server 2003:
    http://support.microsoft.com/?id=828263

    828731 - An External DNS Query May Cause an Error Message in Windows Server
    2003:
    http://support.microsoft.com/?id=828731

    832223 - Some DNS Name Queries Are Unsuccessful After You Upgrade Your DNS
    Server to Windows Server 2003:
    http://support.microsoft.com/?id=832223

    Ace
     
    Ace Fekay [MVP], Sep 8, 2005
    #18
  19. ERES

    ERES Guest

    Sure, you are right,

    BTW, my firewall is up to date ;)

    Therefore I wanted to configure the inspection for DNS/UDP,
    but what would the packet size be?

    I scanned through the RFC 2671 but I didn't find a max-size of UDP packets

    Best Regards,
    Jan



     
    ERES, Sep 8, 2005
    #19
  20. 1500 bytes, which is also the internet MTU.
    If your network has a different MTU I'd recommend using that setting.

    To find your MTU use this command to ping the gateway for your firewall
    (usually assigned by your ISP). The point here is to use that same MTU from
    any machine to this gateway address, not just to the router itself.

    ping -f <internetgatewayip> -l 1472

    1472 is used because you have a 28 byte overhead for the ICMP packets, so
    1472+28=1500. If the ping times out reduce the 1472 incrementally until the
    ping is returned. I'd also recommend that if the ping does time out that you
    set the MTU on all network interfaces to the same MTU packet size.


     
    Kevin D. Goodknecht Sr. [MVP], Sep 8, 2005
    #20