SBS Unable to resolve domain but Bind can?

Discussion in 'DNS Server' started by Andrew, Nov 17, 2007.

  1. Andrew

    Andrew Guest

    I have a SBS 2003 Server with the DNS server set to use root hints and no
    forwarders. The SBS server is unable to resolve some domains but if I install
    bind (on the same network and the rest) it can resolve those domains?

    I have tried adjusting a few settings like round robin, recursion and the
    odd regedit, but no luck.

    Is there any tool that will help diagnose why this is happening?

    Using bind or forwarders is out of the question as I would like to
    understand why this problem is happening rather than using a work around.
     
    Andrew, Nov 17, 2007
    #1

  2. Read inline please.

    Just guessing, there is a good chance that you are behind a firewall that is
    blocking EDNS (UDP Packets over 512 bytes), while newer BIND servers support
    EDNS, it is disabled by default.

    Configure your firewall to pass UDP packets up to 1500 bytes (Internet MTU),
    (the maximum is 65535 bytes) to the Win2k3 server, or disable EDNS. EDNS
    increases efficiency by allowing DNS to resolve larger DNS responses without
    using TCP. Large DNS responses are answers that have several CNAME or MX
    records in them, these responses exceed 512 bytes and will not fit in a
    single UDP packet without EDNS, in this case DNS has to retry the query
    using TCP, which is a lot slower to set up.

    828263 - DNS query responses do not travel through a firewall in Windows
    Server 2003:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;828263&sd=RMVP

    You can also install the Support tools with dnscmd.exe and run this from a
    command prompt.

    dnscmd /config /enableednsprobes 0

    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps

    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    http://message.wftx.us/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Nov 17, 2007
    #2

  3. In
    Kevin provided a possibility, which I agree with. To further test it just in
    case it is not passing port 53 UDP traffic greater than 512 bytes, you can
    use nslookup.

    nslookup
    hostname.domain.com

    If that does not respond, then enter this:

    set vc
    hostname.domain.com

    If this responds, then EDNS0 is being blocked. Normally nslookup uses UDP.
    The set vc command forces TCP.


    --
    Regards,
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
    MVP Microsoft MVP - Directory Services
    Microsoft Certified Trainer

    Infinite Diversities in Infinite Combinations
     
    Ace Fekay [MVP], Nov 18, 2007
    #3
  4. Andrew

    Andrew Guest

    Hi Kevin,

    The SBS server has a public IP and it is not behind or running any firewall.
    I tried your suggestions but I still have the same problem.
     
    Andrew, Nov 18, 2007
    #4
  5. Andrew

    Andrew Guest

    Hi Ace,

    The SBS server has a public IP and it is not behind or running any firewall.
    I tried running nslookup and using 'set vc' but I still have the same problem.
     
    Andrew, Nov 18, 2007
    #5
  6. Read inline please.

    What domains is it unable to resolve?
    Show the nslookup with a -d2 switch output.

    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps

     
    Kevin D. Goodknecht Sr. [MVP], Nov 18, 2007
    #6
  7. Andrew

    Andrew Guest

    The domain is 'southbank.blackboard.net'.
    The weird thing is, I can resolve 'southbank.blackboard.com'.
    Here is the debug output:

    ------------
    SendRequest(), len 52
    HEADER:
    opcode = QUERY, id = 2, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    southbank.blackboard.net.MRH.local, type = A, class = IN

    ------------
    ------------
    Got answer (115 bytes):
    HEADER:
    opcode = QUERY, id = 2, rcode = NXDOMAIN
    header flags: response, auth. answer, want recursion, recursion
    avail.
    questions = 1, answers = 0, authority records = 1, additional = 0

    QUESTIONS:
    southbank.blackboard.net.MRH.local, type = A, class = IN
    AUTHORITY RECORDS:
    -> mrh.local
    type = SOA, class = IN, dlen = 42
    ttl = 3600 (1 hour)
    primary name server = ###.mrh.local
    responsible mail addr = hostmaster
    serial = 1156
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)

    ------------
    ------------
    SendRequest(), len 42
    HEADER:
    opcode = QUERY, id = 3, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    southbank.blackboard.net, type = A, class = IN

    ------------
    ------------
    Got answer (42 bytes):
    HEADER:
    opcode = QUERY, id = 3, rcode = SERVFAIL
    header flags: response, want recursion, recursion avail.
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    southbank.blackboard.net, type = A, class = IN
     
    Andrew, Nov 18, 2007
    #7
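An added example, not part of any post in this thread: it rebuilds the wire messages behind the nslookup debug output above, adds the EDNS0 OPT record discussed in the earlier replies, and classifies the result of the UDP-then-TCP (`set vc`) test. The function names, the 1280-byte payload size and the sample replies are assumptions constructed for illustration.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    """Length-prefixed labels terminated by the zero-length root label."""
    labels = [p for p in name.split(".") if p]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"

def build_query(name, txid, qtype=1, edns_udp_size=None):
    """Recursive query for `name`; optionally advertise EDNS0 (RFC 6891)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if edns_udp_size:
        # OPT pseudo-record: root name, TYPE 41, CLASS = UDP payload size the
        # sender accepts, TTL = extended rcode/version/flags, RDLENGTH 0.
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt

def parse_header(msg):
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "answers": answers,
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F))}

def make_reply(query, flags):
    """Constructed sample reply: the query echoed back with new header flags."""
    return query[:2] + struct.pack("!H", flags) + query[4:]

def triage(udp_reply, tcp_reply):
    """Interpret the UDP-then-TCP test; None means no reply arrived."""
    if udp_reply is None:
        return "udp-blocked-tcp-works" if tcp_reply else "no-reply-at-all"
    udp = parse_header(udp_reply)
    if udp["tc"]:
        return "truncated-retry-over-tcp"
    if udp["rcode"] == "NOERROR":
        return "udp-ok"
    if tcp_reply and parse_header(tcp_reply)["rcode"] == udp["rcode"]:
        return "same-error-on-both-transports"  # not a packet-size problem
    return "udp-error-" + udp["rcode"]

if __name__ == "__main__":
    q = build_query("southbank.blackboard.net", txid=3)
    print(len(q), len(build_query("southbank.blackboard.net", 3, edns_udp_size=1280)))
    servfail = make_reply(q, 0x8182)  # QR, RD, RA, rcode 2
    print(parse_header(servfail), triage(servfail, servfail))
```

The two plain queries come out at 42 and 52 bytes, matching the SendRequest() lengths in the debug output; the OPT record adds 11 bytes. A SERVFAIL that repeats over TCP points away from packet-size filtering.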
  9. In
    Ok. Just wanted to eliminate that possibility.

    Ace
     
    Ace Fekay [MVP], Nov 19, 2007
    #9
  10. In
    It seems like the AUTHORITY for southbank.blackboard.net is mrh.local.
    That's telling me, if I am reading this right and trying to figure out if
    you hid or edited anything other than the IP addresses and the server name
    which you called "###.mrh.local", that the zone is configured locally on
    your DNS and 'southbank' does not exist as an A record. Is this true?

    Curious, does "###.mrh.local" host the public record and is it authoritative for
    blackboard.net?

    Can you let us know what zones are created on your DNS server?

    Also curious, why does the server have a public IP?

    When I ran an nslookup setting q=soa on southbank.blackboard.net, I received
    an interesting response of unknown type 39. It also looks like
    southbank.blackboard.com is a CNAME (alias) pointing to
    southbank.blackboard.net which probably explains why when I pinged
    southbank.blackboard.net and southbank.blackboard.com, they both came up
    with 209.133.75.134.

    ========================
    Server: london.nwtraders.msft
    Address: 192.168.10.200

    Non-authoritative answer:
    blackboard.net ??? unknown type 39 ???
    southbank.blackboard.net canonical name = southbank.blackboard.com

    blackboard.com
    primary name server = dnsmaster01.blackboard.com
    responsible mail addr = internic.blackboard.com
    serial = 2006034191
    refresh = 900 (15 mins)
    retry = 3600 (1 hour)
    expire = 2592000 (30 days)
    default TTL = 900 (15 mins)
    =======================


    Can you elaborate a bit on your SBS domain controller (assuming it's a DC
    because it's SBS) and how you have its DNS server's roles, what zones it is
    hosting and the records and their types please? This will better help to
    diagnose why this is not working for you.

    Thanks,
    Ace

     
    Ace Fekay [MVP], Nov 19, 2007
    #10
  11. Andrew

    Andrew Guest

    I did edit the debug, I removed the server name and replaced it with '###'.
    This is interesting, my server is not authoritative for 'blackboard.net'. Looks
    like the server is just appending .mrh.local to the end of the request? The
    only zone the server has is mrh.local, all other requests should be going to
    the root dns.

    Just 'mrh.local' for AD, no other zones or any special records.

    Frontline test server/crash test dummy.

    I wonder what an unknown type error 39 means? Might have to do some searching.

    The server is a DC hosting only the one zone 'mrh.local' for the AD DC
    stuff. The only records that should be in that zone are the ones created by
    the server (dynamic reg. etc). The only record I have added is an MX record
    that points to the SBS server.
     
    Andrew, Nov 19, 2007
    #11
  12. Andrew

    Andrew Guest

    Does anyone have any instructions or a link on how to force DNS with AD
    stored zones to reload root hints?
     
    Andrew, Nov 19, 2007
    #12
  13. Read inline please.

    Win2k3 is really easy, in the DNS console, root hints tab, delete all the
    existing root hint servers, then click the Copy from button, and enter one
    of the root server IPs 198.41.0.4 for the ICANN Root, or another DNS IP for
    an alternate root.

    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps

     
    Kevin D. Goodknecht Sr. [MVP], Nov 19, 2007
    #13
  14. Andrew

    Andrew Guest

    Most grateful for your help, this makes complete sense now. I didn't think
    to even check the TTL since who would set that to 0 anyway!
     
    Andrew, Nov 19, 2007
    #14
  15. In
    I missed that all together as well.
     
    Ace Fekay [MVP], Nov 20, 2007
    #15
  16. In
    Nice catch.

    It's been quite some time since I've seen you in the groups, Jonathan. Nice
    to see you again. I hope you've been well.

    Ace
     
    Ace Fekay [MVP], Nov 20, 2007
    #16
  17. In
    You are welcome. I hope you can overcome your dilemma with the crashed disc.
     
    Ace Fekay [MVP], Dec 6, 2007
    #17
  18. Read inline please.

    All this time, and I just thought Jonathan must have fallen off the face of
    the Earth. It is kinda nice to have his intellectual type of input, I really
    did miss it.

    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps

     
    Kevin D. Goodknecht Sr. [MVP], Dec 6, 2007
    #18
  20. In
    I must agree!

    ;-)
     
    Ace Fekay [MVP], Dec 7, 2007
    #20