MS Update Breaks External DNS again

Discussion in 'DNS Server' started by Allen Harkleroad, Mar 11, 2009.

  1. The Fixup DNS doesn't apply as this is a 2600 router and not a firewall,
    both tests you posted work.

    The only two patches that aren't installed on DNS are the last two supplied
    via WU, all others are there.

    In the interim I am using OpenDNS for forwarding. I may build a BIND box and
    see how complicated importing our MSFT DNS records into it is; if it goes
    smoothly I am going to switch to BIND and dispense with MS DNS (tired of the
    random breakage of DNS).

    Allen Harkleroad, Mar 17, 2009

  2. Are there multiple NICs or IPs on these boxes? If so, what IP is DNS set to
    listen on? How about RRAS?

    I have run Microsoft DNS for web hosting in the past, in the fashion you
    have described, but never seen any of these issues. Of course, I don't have
    DNS on a web server. I keep the services separate due to security. Also,
    other services and configurations can cause issues with DNS if running on
    the same box, such as RRAS and multihoming, PPPoE services, ICF, among

    It is rather easy to go from Microsoft DNS to BIND by setting up a simple
    Secondary, allowing the transfer, then making it a Primary. But this could be
    cumbersome if you have 100s of zones.

    Here are a couple of suggestions if you really want to migrate to BIND:

    Ace Fekay [Microsoft Certified Trainer], Mar 18, 2009
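The secondary-then-primary migration Ace describes, worked through as an added PowerShell example (this is not code from the thread or from either participant). It assumes the Microsoft DNS server is 192.0.2.10 and the new BIND host is 192.0.2.20 (hypothetical documentation addresses), and it uses the DnsServer module cmdlets of Windows Server 2012 and later rather than the dnscmd.exe the Server 2003 machines in the thread would have; the dnscmd equivalents are given in comments. Generating the named.conf stanzas from the zone list is what keeps the approach workable for the "100s of zones" case.

```powershell
# Added example (not from the thread): Microsoft DNS -> BIND via secondary, then primary.
# Hypothetical addresses: MS DNS server 192.0.2.10, new BIND host 192.0.2.20.
# Uses the DnsServer PowerShell module (Windows Server 2012 and later); the
# Server 2003 boxes in the thread would use the dnscmd.exe commands in comments.
$MsDnsIp = '192.0.2.10'
$BindIp  = '192.0.2.20'

# 1. Zones worth migrating: hand-maintained primaries only. Skip auto-created
#    zones (0.in-addr.arpa, 127.in-addr.arpa, ...) and AD-integrated zones.
function Get-MigratableZone {
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsDsIntegrated }
}

# 2. Permit AXFR to the BIND host only, and NOTIFY it on changes. Never use
#    "transfer to any server": that hands the whole zone to anyone who asks.
#    dnscmd: dnscmd /ZoneResetSecondaries <zone> /SecureList 192.0.2.20 /NotifyList 192.0.2.20
function Grant-TransferToBind {
    param([Parameter(Mandatory)][string]$ZoneName)
    Set-DnsServerPrimaryZone -Name $ZoneName `
        -SecureSecondaries TransferToSecureServers -SecondaryServers $BindIp `
        -Notify NotifyServers -NotifyServers $BindIp
}

# 3. Emit one named.conf zone stanza. Phase 1 ('slave') pulls from MS DNS;
#    phase 2 ('master') serves the transferred file and locks transfers down.
#    'slave'/'masters' is the BIND 9 spelling of 2009; current BIND also
#    accepts 'secondary'/'primaries'.
function New-BindZoneStanza {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][ValidateSet('slave', 'master')][string]$Type,
        [string]$MasterIp
    )
    $file = "/var/named/$ZoneName.db"
    $body = if ($Type -eq 'slave') {
        @("    type slave;", "    masters { $MasterIp; };", "    file `"$file`";")
    } else {
        @("    type master;", "    file `"$file`";", "    allow-transfer { none; };")
    }
    (@("zone `"$ZoneName`" {") + $body + @("};", "")) -join "`n"
}

# 4. Serial check: when BIND's SOA serial matches MS DNS for a zone, the
#    transfer has worked and the zone file on the BIND host is complete.
function Test-ZoneInSync {
    param([Parameter(Mandatory)][string]$ZoneName)
    $ms = (Resolve-DnsName -Name $ZoneName -Type SOA -Server $MsDnsIp -DnsOnly |
        Where-Object Type -eq 'SOA' | Select-Object -First 1).SerialNumber
    $bind = (Resolve-DnsName -Name $ZoneName -Type SOA -Server $BindIp -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SOA' | Select-Object -First 1).SerialNumber
    [pscustomobject]@{ Zone = $ZoneName; MsSerial = $ms; BindSerial = $bind; InSync = ($ms -eq $bind) }
}

# Phase 1: run on the MS DNS server, then copy named.conf.zones to the BIND
# host, include it from named.conf and 'rndc reload'.
$zones = Get-MigratableZone
$zones | ForEach-Object { Grant-TransferToBind -ZoneName $_.ZoneName }
$zones | ForEach-Object { New-BindZoneStanza -ZoneName $_.ZoneName -Type slave -MasterIp $MsDnsIp } |
    Set-Content -Path .\named.conf.zones -Encoding Ascii

# Phase 2: once every zone reports InSync, regenerate with -Type master, reload
# BIND, then move the NS and glue records at the registrar to the BIND host.
$zones | ForEach-Object { Test-ZoneInSync -ZoneName $_.ZoneName } | Format-Table -AutoSize
```

The transfer ACL is the security-relevant step: restricting AXFR to the one secondary address means the migration does not leave the zones enumerable by anyone on the internet, and the phase 2 stanza keeps `allow-transfer { none; }` on the BIND side once MS DNS is retired.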

  3. Sorry for the delay, I was out of town on business.

    Two NICs in each machine, however the 2nd NIC in each machine is disabled
    (only using 1 NIC) and no RRAS or similar services installed.
    Allen Harkleroad, Mar 31, 2009
  4. Thanks for the BIND links. I am most likely going to go to BIND. I bought
    the O'Reilly DNS and BIND 5th edition book to help me as well. If it weren't
    for Microsoft DNS problems I generally would have zero issues with our

    Allen Harkleroad, Mar 31, 2009
  5.

    Hi Allen,

    Earlier you mentioned you were using OpenDNS. Was that used as a forwarder
    from your Windows machines? If you forwarded to them, or directly to the ISP
    (bypassing your Root hints), does the problem go away? The reason I am
    asking, there is a current known issue regarding resolving certain outside
    names and the work around is to simply use a Forwarder until it gets
    addressed. Forwarding is recommended anyway as a best practice.

    Ace Fekay [Microsoft Certified Trainer], Mar 31, 2009
  6. I had to switch back from OpenDNS, yesterday it stopped responding to
    queries for us, so I am back to stand-alone mode and not using any
    forwarders. It worked for about a week. I went back to root hints (still have
    to manually update and restart to make DNS work).

    As simple as DNS is, you would think there would be zero issues with a
    simple stand-alone DNS implementation (no AD, etc.). I have less than 300
    public DNS records and using the resolver for our mail server and internal

    I hope there is a fix for DNS so I can fully patch it. In the meantime I am
    putting up a test server, installing BIND on it and learning BIND, just in
    case I have to resort to using BIND. If BIND had a decent GUI it would be
    better; unfortunately the few that I have found are expensive, and the one
    free BIND GUI I found on CodePlex only seems to have 2 features and neither
    of them help with adding/deleting DNS records, etc.

    I may end up writing my own BIND GUI (.NET 2.0 VB app) when I have time
    and if I decide to replace Microsoft DNS with BIND.

    Thanks for responding, I will try to keep an eye on this thread.

    Allen Harkleroad, Apr 1, 2009
  7. So far there is no word of an update, other than using a Forwarder. Curious,
    why not use a Forwarder? It is considered a best practice anyway to offload
    query processing, and reduces internet exposure to your internal DNS.

    And good luck with your efforts creating a GUI with .NET 2.0. I remember a
    prior MVP, William Stacey, created a .NET 2.0 GUI for DIG called NetDIG
    2.5RC1 (his latest that I remember). It is a nice tool. I knew what he
    went through prior to completing it, and creating a GUI for BIND is a
    larger feat. I have an older version of it, but not his latest, and the
    domain he used to own is no longer available, so I don't have a later copy
    to share. I will try to get a hold of him.

    Ace Fekay [Microsoft Certified Trainer], Apr 1, 2009
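To separate the two failure modes the thread is circling (root-hint recursion that breaks after patching versus a forwarder that stops answering), and to show what the forward-only configuration Ace recommends actually looks like, here is an added PowerShell example. It is not code from the thread or from either participant. It assumes a candidate forwarder at 203.0.113.53 and a known-good DNS server to copy root hints from at 192.0.2.53 (both hypothetical documentation addresses), and it uses the DnsServer module of Windows Server 2012 and later; the dnscmd equivalents for the Server 2003 machines in the thread are in comments.

```powershell
# Added example (not from the thread): is the failure in root-hint recursion or
# in the forwarder path, and how to run the server forward-only.
# Hypothetical addresses: candidate forwarder 203.0.113.53; a known-good DNS
# server to copy root hints from, 192.0.2.53. DnsServer module (Server 2012+);
# dnscmd equivalents for the Server 2003 machines in the thread are in comments.
$Forwarder = '203.0.113.53'
$KnownGood = '192.0.2.53'
$Probe     = 'www.example.com'    # an external name that currently fails to resolve

# 1. Current state. No forwarders with UseRootHint = True means the server
#    recurses from the roots itself, so stale or unreachable root hints break
#    every external name while the local zones keep working.
#    dnscmd: dnscmd /Info /Forwarders
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout
Get-DnsServerRootHint  | Format-Table -AutoSize

# 2. Test the two paths independently. -Context RootHints makes the local
#    server walk down from the roots; -Context Forwarder exercises the
#    candidate forwarder as a recursive resolver.
function Test-ResolutionPaths {
    [pscustomobject]@{
        RootHintsResult   = (Test-DnsServer -IPAddress '127.0.0.1' -Context RootHints).Result
        ForwarderResult   = (Test-DnsServer -IPAddress $Forwarder -Context Forwarder).Result
        ProbeViaLocal     = [bool](Resolve-DnsName $Probe -Server '127.0.0.1' -DnsOnly -ErrorAction SilentlyContinue)
        ProbeViaForwarder = [bool](Resolve-DnsName $Probe -Server $Forwarder -DnsOnly -ErrorAction SilentlyContinue)
    }
}
# ProbeViaForwarder = True with ProbeViaLocal = False points at the local
# server's own recursion (e.g. root hints), not at the upstream network.
Test-ResolutionPaths

# 3. Stale root hints: copy them from a working server instead of editing
#    cache.dns by hand (the "manually pull root hints" step in the thread).
Import-DnsServerRootHint -NameServer $KnownGood

# 4. Forward-only. All off-zone queries go to the forwarder and the server does
#    not fall back to the roots, so it never recurses to the internet itself:
#    one upstream relationship instead of an open recursion path to everyone.
#    dnscmd: dnscmd /ResetForwarders 203.0.113.53 /Slave
function Set-ForwardOnly {
    Set-DnsServerForwarder -IPAddress $Forwarder -UseRootHint $false -Timeout 3
    Get-DnsServerForwarder
}
Set-ForwardOnly
```

Two caveats a practitioner would want. Forwarding means trusting the forwarder's answers (no DNSSEC validation is available on the 2003-era servers discussed here), so the operator matters, which is exactly why Allen's OpenDNS outage hurt. And on a box that only needs to be authoritative for its public zones, the cleaner fix is to disable recursion outright (`Set-DnsServerRecursion -Enable $false`, or `dnscmd /Config /NoRecursion 1`), which removes the dependency on both root hints and forwarders; that is not available to Allen as long as the same server also resolves for the mail server, which is the argument for splitting the roles as Ace does.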
  8. Thanks Ace. If forwarders were reliable I would use them, but every time
    I do it seems that they work for a while then something breaks. I prefer
    stand-alone to relying on another DNS server to do the work.

    Allen Harkleroad, Apr 1, 2009
  9. As I pointed out, it's a best practice, as well as part of a security
    design, but I can quite understand your viewpoint. I guess it would depend
    on whose DNS you used as a forwarder. The one I gave earlier is reliable. It
    is one of the ones I use for all of my customers.

    If I hear of any hotfixes for this issue, I will post back. I'll keep this
    thread marked.

    Ace Fekay [Microsoft Certified Trainer], Apr 2, 2009
  10. Thank you.

    Allen Harkleroad, Apr 8, 2009
  11. Hi Michael,
    We do not have a firewall in front. These are internet web/mail/DNS servers;
    only a Cisco modular router is in front of them and the TCP/UDP ports for DNS
    are open. We do block non-service ports, however packets originating behind
    the router are allowed back in from the outside, so no firewall blocking
    at all.

    Allen Harkleroad, Apr 8, 2009
  12.
    You are welcome, Allen!

    Ace Fekay [Microsoft Certified Trainer], Apr 8, 2009
  13. Allen Harkleroad
    Do you have any more information on which updates you removed in order to
    fix your problem? I think I'm running into the same issue and I'd like to
    remove the updates to see if it fixes the problem for me as well. The KB
    numbers would be ideal.

    Yogi, Apr 14, 2009
  14. I removed the last 3-4 DNS patches/updates to get the DNS back to where it
    would resolve external sites. I still have to manually pull Root Hints
    though from another server.
    Allen Harkleroad, Apr 15, 2009
