Server 2003 MX Look-Up Problem

Discussion in 'DNS Server' started by Phil, Nov 29, 2005.

  1. Phil

    Phil Guest

    We have an Active Directory domain with two DNS servers, one running Windows
    2003 Server and the other running Windows 2000 Server. Both are behind
    firewalls and use root hints and no forwarders for external look-ups.

    The Windows 2003 DNS server will not return an MX record for dsl.pipex.com;
    the Windows 2000 DNS server is OK. Both servers appear to have no problems
    with all other addresses. We have tried disabling EDNS0 support, but it makes
    no difference.

    Any ideas would be gratefully received,

    Thanks,

    Phil.
     
    Phil, Nov 29, 2005
    #1

  2. I usually recommend fixing the firewall so that it does not block large UDP
    packets. Did you try that?



    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    https://secure.lsaol.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Nov 29, 2005
    #2

  3. Phil

    Phil Guest

    Thanks for the reply. We are using Smoothwall Corporate Firewall V4, a Linux
    based product. Is there still an issue with large UDP packets when EDNS0
    support is disabled?

    Thanks,
    Phil.
     
    Phil, Nov 29, 2005
    #3
  4. It shouldn't be, but UDP connections require less overhead to set up, and the
    MX records for this domain won't fit into a single UDP packet, so the query
    has to be retried with TCP. This slows resolution quite a bit, and is why I
    recommend keeping EDNS and allowing large UDP packets.

    Another problem you have is that the .net TLD servers don't have glue (an A
    record) for your DNS servers' names. This is causing a slowdown because DNS
    servers are having to resolve the NS records. Take a look at this:
    http://www.dnsstuff.com/tools/dnstime.ch?name=dsl.pipex.com&type=MX




     
    Kevin D. Goodknecht Sr. [MVP], Nov 29, 2005
    #4
  5. Phil

    Phil Guest

    Many thanks for the information. I'll ask the firewall people if they have a
    solution for large UDP packets.

    Regards,
    Phil.
     
    Phil, Nov 30, 2005
    #5
  6. Based on your comments, I don't think this is a problem with large UDP.

    Once cached, I can get the entire MX expansion for this domain in one UDP
    packet:

    D:\local\wc5\tools> nslookup -query=mx dsl.pipex.com 208.247.131.10

    Server: ns.santronics.com
    Address: 208.247.131.10

    Non-authoritative answer:
    dsl.pipex.com MX preference = 10, mail exchanger =
    smtp.he1.systems.pipex.net
    dsl.pipex.com MX preference = 10, mail exchanger =
    smtp.gs1.systems.pipex.net

    smtp.he1.systems.pipex.net internet address = 62.241.163.97
    smtp.he1.systems.pipex.net internet address = 62.241.163.104
    smtp.he1.systems.pipex.net internet address = 62.241.163.105
    smtp.he1.systems.pipex.net internet address = 62.241.163.108
    smtp.he1.systems.pipex.net internet address = 62.241.163.109
    smtp.he1.systems.pipex.net internet address = 62.241.163.96
    smtp.gs1.systems.pipex.net internet address = 62.241.162.96
    smtp.gs1.systems.pipex.net internet address = 62.241.162.97
    smtp.gs1.systems.pipex.net internet address = 62.241.162.100
    smtp.gs1.systems.pipex.net internet address = 62.241.162.101
    smtp.gs1.systems.pipex.net internet address = 62.241.162.106
    smtp.gs1.systems.pipex.net internet address = 62.241.162.107

    The issue you are having is the difference in whether the DNS server or
    resolver expands the MX records.

    The one thing for sure is that the authoritative zone has two MX host
    records with no A records. So the DNS server might return them or not.

    Against my primary server, which has caching-only forwarders, it has cached
    these A records and remembers them.

    Here is the same NSLOOKUP "BEFORE" it was cached, when it still had the
    smtp.he1.systems.pipex.net A records only:

    D:\local\wc5\tools>nslookup -query=mx dsl.pipex.com 208.247.131.10
    Server: ns.santronics.com
    Address: 208.247.131.10

    Non-authoritative answer:
    dsl.pipex.com MX preference = 10, mail exchanger =
    smtp.he1.systems.pipex.ne
    dsl.pipex.com MX preference = 10, mail exchanger =
    smtp.gs1.systems.pipex.ne

    smtp.he1.systems.pipex.net internet address = 62.241.163.96
    smtp.he1.systems.pipex.net internet address = 62.241.163.97
    smtp.he1.systems.pipex.net internet address = 62.241.163.104
    smtp.he1.systems.pipex.net internet address = 62.241.163.105
    smtp.he1.systems.pipex.net internet address = 62.241.163.108
    smtp.he1.systems.pipex.net internet address = 62.241.163.109

    then I expanded the smtp.gs1 group and:

    D:\local\wc5\tools>nslookup -query=a smtp.gs1.systems.pipex.net
    208.247.131.10
    Server: ns.santronics.com
    Address: 208.247.131.10

    Non-authoritative answer:
    Name: smtp.gs1.systems.pipex.net
    Addresses: 62.241.162.96, 62.241.162.97, 62.241.162.100, 62.241.162.101
    62.241.162.106, 62.241.162.107

    and then I ran the first NSLOOKUP you saw above to show it can definitely
    handle 1 single UDP packet.

    Here is the same NSLOOKUP against another server:

    D:\local\wc5\tools> nslookup -query=mx dsl.pipex.com

    Server: dns.msy.bellsouth.net
    Address: 205.152.132.23

    Non-authoritative answer:
    dsl.pipex.com MX preference = 10, mail exchanger =
    smtp.he1.systems.pipex.net
    dsl.pipex.com MX preference = 10, mail exchanger =
    smtp.gs1.systems.pipex.net

    As you can see there is NO MX expansion.

    The point is this.

    To the outside world, mainly the SMTP software that cares about this stuff,
    unless the SMTP client is hitting some cached DNS server, you can expect
    that it will most likely need to do at least 3 DNS calls:

    1) Get the MX with 2 host records
    2) Expand and sort the 2 host A records.

    At a minimum, per RFC, at least 2 IPs are suggested as a strategy. Our SMTP
    software allows the ADMIN to define the total MX expanded amount to
    include as part of an outbound process.

    Take a look at AOL.COM, same thing with them:

    When queried against our server with its cached forwarder, we get the total
    expansion simply because AOL.COM is a more common request.

    D:\local\wc5\tools>nslookup -query=mx aol.com 208.247.131.10
    Server: ns.santronics.com
    Address: 208.247.131.10

    Non-authoritative answer:
    aol.com MX preference = 15, mail exchanger = mailin-04.mx.aol.com
    aol.com MX preference = 15, mail exchanger = mailin-01.mx.aol.com
    aol.com MX preference = 15, mail exchanger = mailin-02.mx.aol.com
    aol.com MX preference = 15, mail exchanger = mailin-03.mx.aol.com

    mailin-01.mx.aol.com internet address = 205.188.158.121
    mailin-01.mx.aol.com internet address = 64.12.137.249
    mailin-01.mx.aol.com internet address = 205.188.156.185
    mailin-02.mx.aol.com internet address = 64.12.138.185
    mailin-02.mx.aol.com internet address = 205.188.155.89
    mailin-02.mx.aol.com internet address = 205.188.157.25
    mailin-03.mx.aol.com internet address = 64.12.138.120
    mailin-03.mx.aol.com internet address = 205.188.157.217
    mailin-03.mx.aol.com internet address = 205.188.159.57
    mailin-03.mx.aol.com internet address = 64.12.138.57
    mailin-04.mx.aol.com internet address = 64.12.138.152
    mailin-04.mx.aol.com internet address = 205.188.156.249
    mailin-04.mx.aol.com internet address = 205.188.159.217
    mailin-04.mx.aol.com internet address = 64.12.138.89

    But when done against another ISP server without a cached forwarder:

    D:\local\wc5\tools>nslookup -query=mx aol.com
    Server: dns.msy.bellsouth.net
    Address: 205.152.132.23

    Non-authoritative answer:
    aol.com MX preference = 15, mail exchanger = mailin-03.mx.aol.com
    aol.com MX preference = 15, mail exchanger = mailin-04.mx.aol.com
    aol.com MX preference = 15, mail exchanger = mailin-01.mx.aol.com
    aol.com MX preference = 15, mail exchanger = mailin-02.mx.aol.com

    You get only the 4 MX records, which a typical SMTP client now has to
    expand. It can choose to expand just one, two or all of them, whatever
    strategy it chooses to use as part of its outbound logic. The RFC minimum
    is to try at least 2.

    Please note that this is considered an OK setup because it allows for cyclic
    and/or round robin, load balanced resolution of the MX host names as well as
    the A records. For large systems, it helps to be more dynamic here and
    optimize host availability.
     
    Hector Santos, Nov 30, 2005
    #6
  7. Phil

    Phil Guest

    Thanks for your reply and explanation. I think I understand the problem but
    am not sure of a solution. I'm also puzzled as to why the Windows 2000 DNS
    server always finds the MX record and the 2003 DNS server never finds it.

    Regards,
    Phil
     
    Phil, Dec 1, 2005
    #7
  8. Test it by forcing nslookup to use TCP only. How? Set this switch to only
    use TCP:
    set vc

    If it works, then you know it's an EDNS0 (UDP) issue and you now have a
    basis to argue it with your 'firewall people'.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    If this post is viewed at a non-Microsoft community website, and you were to
    respond to it through that community's website, I may not see your reply
    unless that website posts replies back to the original Microsoft forum.
    Therefore, please direct all replies ONLY to the Microsoft public newsgroup
    this thread originated in so all can benefit or ensure the web community
    posts it back to the original forum.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Windows Server Directory Services
    Microsoft Certified Trainer
    Infinite Diversities in Infinite Combinations.
    =================================
     
    Ace Fekay [MVP], Dec 1, 2005
    #8
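    The mechanics that Kevin (#4), Hector (#6) and Ace (#8) are arguing about,
    as an added Python example that is not code from any of the posters or from
    Microsoft: it builds an MX query with or without the EDNS0 OPT record,
    parses the reply header for the TC (truncated) bit and the rcode, lists
    which MX targets came back with A glue and which would need a separate
    lookup (Hector's "MX expansion"), and repeats the query over TCP when the
    UDP reply was truncated, which is what nslookup's "set vc" forces for
    every query. The reply bytes used by build_response are constructed sample
    data, not traffic captured from the pipex.com servers; query_mx only talks
    to a real server if you call it with one, and the 4096-byte EDNS size and
    3-second timeout are assumptions.

```python
import socket, struct

QTYPE_A, QTYPE_MX, QTYPE_OPT = 1, 15, 41
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name at msg[off]; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier part of the message
            end = end if jumped else off + 2
            jumped = True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end if jumped else off


def build_query(qname, qtype=QTYPE_MX, edns_udp_size=4096, txid=0x1234):
    """Recursive query; edns_udp_size=None omits the OPT record (classic 512-byte UDP limit)."""
    msg = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:  # OPT RR: root name, type 41, "class" field = advertised UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_udp_size, 0, 0)
    return msg


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def parse_response(msg):
    """Return header status plus MX targets and any A glue carried in the reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, mx, glue = 12, [], {}
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4  # qtype + qclass
    for _ in range(an + ns + ar):  # walk answer, authority and additional sections
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_MX:
            pref = struct.unpack("!H", msg[off:off + 2])[0]
            mx.append((pref, decode_name(msg, off + 2)[0]))
        elif rtype == QTYPE_A:
            glue.setdefault(name, []).append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "tc": bool(flags & 0x0200), "mx": sorted(mx), "glue": glue}


def next_step(reply):
    """What an SMTP client has to do next after receiving one MX reply."""
    if reply["tc"]:
        return "retry over TCP"
    if reply["rcode"] != "NOERROR":
        return "fail: " + reply["rcode"]
    missing = [host for _, host in reply["mx"] if host not in reply["glue"]]
    return "resolve A for " + ", ".join(missing) if missing else "connect"


def build_response(qname, mx, glue, tc=False, rcode=0, txid=0x1234):
    """Constructed sample reply (not captured traffic) so the parser can be exercised offline."""
    extra = [(h, ip) for h, ips in glue.items() for ip in ips]
    msg = struct.pack("!HHHHHH", txid, 0x8180 | (0x0200 if tc else 0) | rcode, 1, len(mx), 0, len(extra))
    msg += encode_name(qname) + struct.pack("!HH", QTYPE_MX, 1)
    for pref, host in mx:
        rdata = struct.pack("!H", pref) + encode_name(host)
        msg += encode_name(qname) + struct.pack("!HHIH", QTYPE_MX, 1, 300, len(rdata)) + rdata
    for host, ip in extra:
        msg += encode_name(host) + struct.pack("!HHIH", QTYPE_A, 1, 300, 4) + socket.inet_aton(ip)
    return msg


def query_mx(server, qname, edns_udp_size=4096, timeout=3.0):
    """Live lookup: UDP first, then the same query over TCP if the UDP reply was truncated."""
    q = build_query(qname, edns_udp_size=edns_udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply = parse_response(s.recv(65535))
    if reply["tc"]:  # what "set vc" in nslookup does unconditionally
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(tcp_frame(q))
            buf = b""
            while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                chunk = s.recv(4096)
                if not chunk:
                    break
                buf += chunk
            reply = parse_response(buf[2:])
    return reply
```

    Run query_mx("192.168.1.23", "dsl.pipex.com") against the server that fails
    and again with edns_udp_size=None; if the UDP reply comes back with tc set
    and the TCP retry succeeds, the firewall is dropping large UDP, and if the
    UDP reply is a clean NOERROR whose MX targets have no glue, the problem is
    in the A expansion step rather than in packet size.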
  9. By "never finds it", do you mean it returns NXDOMAIN? Does it return a
    SOA?

    Anyway, from my quick review, it isn't a UDP packet size issue. For this
    domain, the entire MX expansion can be stuffed into 1 UDP packet.

    Why not use the "-debug" option and see what you get:

    nslookup -query=mx -debug dsl.pipex.com > foo
     
    Hector Santos, Dec 1, 2005
    #9
  10. Phil,
    I see why you are puzzled. I've done some testing on a Win2k3 server I
    manage, and I found that it won't resolve the MX records either. But another
    one I manage does, and neither is behind a firewall that blocks EDNS, so it
    appears to be something in the configuration or possibly differences in the
    TCP/IP stack.
    One (the one that fails) does have the TCP/IP hotfix in KB 898060
    http://support.microsoft.com/?kbid=898060 applied, the other does not. That
    is pretty much the only difference between the two servers other than
    location; both even connect via the same ISP but are 140 miles apart.
    However, one is Standard while the other is Enterprise; both are SP1 and
    have Exchange 2003 with SP2.

    There seem to be some problems with the authoritative DNS but I'm not sure
    if it is outside the RFCs. It may take some time, but I will be doing more
    testing to see if this is a bug in Windows server 2003 with some setups and
    it may take a call to MS PSS, should I resolve that there is a bug here.

    If you can provide as much information on your server I will do some
    comparative results.
    Does this server have recursion disabled on the Advanced tab?
    Are you connected in any way to the network that hosts the DNS servers?


     
    Kevin D. Goodknecht Sr. [MVP], Dec 1, 2005
    #10
  11. Kevin,

    Just winging it here...

    Check to see if the failing server is returning a SERVFAIL response.

    The reason I started hanging out on the DNS forums was to research a
    problem with my DNS server (NT 4.0/SP6e, upgrade planned for this year)
    returning a SERVFAIL, while other servers did not (they returned SOA), on
    an MX lookup for an email domain with only an A RR.

    During my research of the problem, I found many servers (including BIND,
    MS DNS) historically had SERVFAIL errors. But I had the final NT 4.0
    SP6e server pack so I didn't know why I was seeing this problem against
    my server.

    It was only when I finally decided to google "Microsoft DNS.EXE date
    size", to see if I could find MSDN info on the current file info, that I
    found this HOTFIX article explaining exactly what was happening:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;295933

    I called for the hotfix, got the file, applied it and voila - fixed!

    So it is quite possible that your DNS server is performing recursion and
    not handling a packet correctly, or its uplink isn't handling a packet
    correctly. Either one may be returning a SERVFAIL response.

    If this is the issue, you would be able to see it with NSLOOKUP -DEBUG.

    In short, I learned that most of the cooperation between DNS servers,
    forwarders, caching-only, etc., depends very much on legacy server
    operations, and from what I found, the common issue seems to be erroneous
    SERVFAIL results due to incorrect response handling by some older servers
    still running. And that includes BIND servers as well, not just
    Windows.

    --
    Hector Santos, Santronics Software, Inc.
    http://www.santronics.com





     
    Hector Santos, Dec 1, 2005
    #11
  12. Phil

    Phil Guest

    Thanks for your reply and interest in this problem. Recursion is not
    disabled, and we are not connected via Pipex's network. We use a different
    ISP. The server has Exchange 2003 and doesn't have KB898060 installed. SP1 is
    not installed on the Server or Exchange. Below is the debug result of
    NSLookup

    ------------
    Got answer:
    HEADER:
    opcode = QUERY, id = 1, rcode = NOERROR
    header flags: response, auth. answer, want recursion, recursion avail.
    questions = 1, answers = 1, authority records = 0, additional = 0

    QUESTIONS:
    23.1.168.192.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    -> 23.1.168.192.in-addr.arpa
    name = joel.covlec.org
    ttl = 1200 (20 mins)

    ------------
    Server: joel.covlec.org
    Address: 192.168.1.23

    ------------
    Got answer:
    HEADER:
    opcode = QUERY, id = 2, rcode = NXDOMAIN
    header flags: response, auth. answer, want recursion, recursion avail.
    questions = 1, answers = 0, authority records = 1, additional = 0

    QUESTIONS:
    dsl.pipex.com.CovLec.org, type = MX, class = IN
    AUTHORITY RECORDS:
    -> covlec.org
    ttl = 3600 (1 hour)
    primary name server = joel.covlec.org
    responsible mail addr = admin
    serial = 6977
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)

    ------------
    DNS request timed out.
    timeout was 2 seconds.
    timeout (2 secs)

    Regards,
    Phil
     
    Phil, Dec 2, 2005
    #12
  13. Phil

    Beth Guest

    Can you explain in "easy" terms what needs to be done to the DNS servers? My
    issue is similar, I think.

    Our mail server's primary DNS is our DNS server and DC. The lookup (nslookup)
    for MX records wasn't coming back with any records. If I cleared the cache on
    the primary DNS server and ran nslookup for the MX record on the domain in
    question, it worked, but a few minutes later it wouldn't work. This issue is
    only happening on one domain (i.e. abc.com). Using nslookup for MX records on
    similar domains (i.e. 123.abc.com) gives correct records. This issue just
    started 2 days ago, but was working fine for months before. Our backup DNS
    isn't having this issue, so we changed our mail server to it. The mail server
    is working fine again.
    DNS isn't something I know too well, so this explanation isn't very good. But
    I just need some things to try to correct the problem so the mail server can
    point back to the primary DNS server....

    -B
     
    Beth, Jan 6, 2006
    #13
  14. What is the domain?



     
    Kevin D. Goodknecht Sr. [MVP], Jan 7, 2006
    #14
  15. Phil

    Beth Guest

    It has something to do with the cache...

    The domain is bursar.psu.edu. When I use nslookup on that server (also the
    DNS server) to look up PSU.edu, it should respond with 6 servers. Sometimes
    it does. But most of the time it just returns psu.edu. If I clear the cache,
    it will then show the 6 IP addresses. This is causing a problem for our mail
    server. When it tries to do the MX record thing when it sends the messages,
    the DNS server isn't responding with the right answer. But if the cache is
    cleared, it sometimes works.

    I changed the mail server's dns to point to the backup dns server, and it
    worked great this weekend.

    All the servers re-booted this weekend, so I am hoping it could have fixed
    itself since this just started late last week.
     
    Beth, Jan 9, 2006
    #15
  16. Can you post the nslookup results using the -d2 switch against the server
    that gives the bad results?



     
    Kevin D. Goodknecht Sr. [MVP], Jan 9, 2006
    #16
