Windows 2003 DNS: Recursive query fails when looking up its own domain

Discussion in 'DNS Server' started by Lito Kusnadi, Dec 28, 2005.

  1. Lito Kusnadi

    Lito Kusnadi Guest


    I recently set up a Windows 2003 server for a client. I use an internet FQDN
    for the AD domain.

    When I tested the DNS service using NSlookup, I got a timeout issue in
    forward lookup on the DC itself.

    The server name is: dcserver1
    The FQDN server name is:
    I can get reply when I nslookup: dcserver1
    I also got the reverse lookup working for dcserver1
    But when I type:, it gives me a timeout and then gives
    the correct result.

    The DC is not connected to the internet. When I add the "." zone, it doesn't
    create the issue anymore.

    The problem is: why does nslookup still want to go out to another DNS server
    to look for name resolution for the DC? I can't understand why it's
    happening. I'm a bit worried that there's an underlying problem, as I need to
    register several servers to the AD.

    Anyone could help me?
    Thank you.
    Lito Kusnadi, Dec 28, 2005

  2. Ace Fekay [MVP]
    Is the zone configured properly in DNS? Is the SOA (this DNS server)
    correctly configured in the nameservers tab under the zone properties?

    Can you give us an example using:
    nslookup -d2
    nslookup -d2 dcserver1

    Please don't edit the results to hide or obfuscate the domain name, or it
    will make it difficult to diagnose.



    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    If you are having difficulty in reading or finding responses to your post,
    instead of the website you are using, if I may suggest to use OEx (Outlook
    Express or any other newsreader of your choosing), and configure a newsgroup
    account, pointing to This is a direct link into the
    Microsoft Public Newsgroups, and it is FREE and DOES NOT require a Usenet
    account with your ISP. With OEx, you can easily find your post, track
    threads, cross-post, and sort by date, poster's name, watched threads or

    Not sure how? It's easy:
    How to Configure OEx for Internet News

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Windows Server Directory Services
    Microsoft Certified Trainer
    Assimilation Imminent. Resistance is Futile.
    Infinite Diversities in Infinite Combinations.
    Ace Fekay [MVP], Dec 28, 2005

  3. Transam388

    Transam388 Guest

    One thing to be aware of is the lookups for an internal system versus an
    external system. If you just do an nslookup servername, does it resolve?
    Then when you do an nslookup it states the timeout
    and then resolves? This is generally a normal thing depending on different
    DNS setups. Essentially, if all is working, this is one I would not get too
    worried about.
    Transam388, Dec 28, 2005

  4. OK, there isn't a simple answer but here we go.

    I'm sure it has something to do with the DNS suffix search list and the way
    nslookup and the DNS client service append the Primary DNS suffix.
    When you do nslookup on just the server name, the first query that goes to
    DNS is, so it resolves locally right away.

    However, when you do nslookup it does several
    queries before it resolves.
    1st query is:
    Your local server replies with the SOA record from but
    nslookup doesn't stop until it appends all DNS suffixes or resolves.

    2nd query is:
    This query is the stopper because "" is so your DNS
    forwards this query because "" is an unknown domain and it has
    to wait until the "" parent server returns its SOA record, nslookup
    doesn't stop because it is still using an appended suffix so it goes on
    again this time by sending the name without an appended suffix, (both
    nslookup and the DNS client only append down to the last two levels before
    the root, (the root is the ".") in the search list, which is

    3rd query is: which resolves.

    so if you look at only what it appends it looks like this:

    Which when added to the domain name , it searches these domains:
    Notice that neither nslookup nor the DNS client will append the TLD "au"; it
    stops appending at "".
    It's the that times out.

    Do this, in TCP/IP properties, select the DNS tab, then clear the check box
    for "append parent suffixes of the primary DNS suffix".
    Doing this stops nslookup and the DNS client from appending "" (the
    parent suffix), so that only "" is appended, which your DNS
    server can handle without forwarding.

    If you will add a trailing "." to your query, neither nslookup nor the DNS
    client service will append DNS suffixes and will send only names before the
    "." to DNS.

    The reason why this doesn't happen with the root zone is because, since it
    has the root zone, DNS "assumes" that it knows every TLD name below the root
    and does not have to forward to find that doesn't

    This is further complicated if you also have a Connection-specific DNS
    suffix (the one labeled "DNS suffix for this connection") because it is
    added to the DNS suffix search list, too. Although, it does not append parent
    suffixes of the connection suffix.

    As you see, it is not a simple answer, it is just the way nslookup (and the
    DNS client service) appends suffixes from TCP/IP properties. And this does
    not include nslookup's "stupid" behavior of doing a reverse lookup on the IP
    of every DNS server it queries.

    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    Keep a back up of your OE settings and folders
    with OEBackup:
    Kevin D. Goodknecht Sr. [MVP], Dec 29, 2005
  5. Lito Kusnadi

    Lito Kusnadi Guest

    Thank you for everyone's reply. It has been mind-nourishing.

    It is true that the "" is the reason for the
    timeout. If I do nslookup (with the dot after the
    "au"), it gives me the answer without forwarding the query.
    Thank you for the nslookup -d2 clue. It's very helpful.
    As mentioned, in the DNS tab, I tried to uncheck the appending parent DNS
    suffix, but still, it does not want to stop appending the bit.

    I'm thinking:
    Does the query: require an answer
    from an authoritative DNS server? No matter if it's a positive answer (i.e.
    "yes, the domain exists") or a negative answer (i.e. "no, the domain not
    I believe this is what I don't have at the moment. The DNS for the AD is
    totally separated and isolated from the Internet. It does not forward to
    the ISP DNS for any unresolved query.

    Adding the "." zone would make the DNS authoritative, which I believe stops
    the forwarding. Is this statement correct?

    Thank you.

    Result of nslookup -d2:

    Got answer (121 bytes):
    opcode = QUERY, id = 2, rcode = NXDOMAIN
    header flags: response, auth. answer, want recursion, recursion avail.
    questions = 1, answers = 0, authority records = 1, additional = 0

    QUESTIONS:, type = A, class = IN
    type = SOA, class = IN, dlen = 44
    ttl = 3600 (1 hour)
    primary name server =
    responsible mail addr = hostmaster
    serial = 25
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 3600 (1 hour)

    SendRequest(), len 47
    opcode = QUERY, id = 3, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:, type = A, class = IN

    DNS request timed out.
    timeout was 2 seconds.
    timeout (2 secs)

    Lito Kusnadi
    Technical Consultant
    React Solutions AU
    Lito Kusnadi, Dec 29, 2005
  6. Ace Fekay [MVP]
    A reply can be negative or positive, either way, it's a reply. But unlike
    the local machine's resolver service, which will stop looking if a negative
    response is returned, nslookup will continue to devolve each suffix. As
    Kevin said, go ahead and uncheck "append parent suffixes of the primary DNS
    suffix" to stop it from appending

    Ace Fekay [MVP], Dec 29, 2005
  7. Yes, it does stop the forwarding, but it also stops DNS from being able to
    resolve internet names, unless the root zone is delegated with all TLDs. You
    can install a delegated root zone, but I think this puts you right back in
    the same position. Your DNS server will still have to contact the
    servers to verify that does not exist.

    Clearing the check box noted does stop the DNS client from appending parent
    suffixes; nslookup, being its own animal, appears to ignore this setting, or
    at least it does on my system.
    However, if you assign a custom DNS suffix, nslookup will use it instead.
    Use "Append these suffixes (in order)", then enter "" (without
    the quotes) only.
    You can assign either of these in a GPO to XP and 2k3 machines here:
    Computer Configuration
    -Administrative templates
    -DNS client

    Keep in mind, in an Active Directory environment, internet resolution is not
    necessary; internal resolution is REQUIRED. No member of an AD domain should
    ever have a DNS server in its list of DNS servers, in any position, on any
    interface, that cannot resolve the AD domain. This means that if you need
    internet resolution, you must get that resolution from a DNS server that
    resolves the AD domain. So you cannot use your ISP's DNS, especially if the
    internal DNS has the un-delegated root zone. If the internal DNS has an
    un-delegated root zone, it cannot resolve internet names and will time out;
    this will move the ISP's DNS to the preferred DNS server and will leave it
    there until TCP/IP is reset.

    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Kevin D. Goodknecht Sr. [MVP], Dec 29, 2005
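The suffix-appending behaviour Kevin describes in replies 4 and 7 (devolution of the primary suffix down to two labels, the trailing-dot escape, the "append parent suffixes" check box, the custom "Append these suffixes (in order)" list, and the root-zone effect) can be modelled to show which of nslookup's queries the isolated DC's DNS server answers itself and which it would forward. This is an added illustration, not code from the thread; the domain "corp.example.au" and the zone set are constructed, and the model assumes nslookup honours the check box (Kevin notes it may not).

```python
# Added model of the nslookup / DNS client suffix handling described in the
# thread. All names are constructed for illustration.

LOCAL_ZONES = {"corp.example.au"}   # zones the isolated DC's DNS server hosts


def devolve(primary_suffix, min_labels=2):
    """Primary suffix plus its parents, never shorter than min_labels labels:
    'corp.example.au' -> ['corp.example.au', 'example.au'] (the TLD 'au' is
    never appended, as reply 4 explains)."""
    labels = primary_suffix.strip(".").split(".")
    out = []
    while len(labels) >= min_labels:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def search_list(primary, append_parents=True, connection_suffix=None, custom=None):
    """Suffix search list as built from TCP/IP properties (reply 4 and 7)."""
    if custom:                      # "Append these suffixes (in order)" replaces the rest
        return list(custom)
    lst = devolve(primary) if append_parents else [primary]
    if connection_suffix and connection_suffix not in lst:
        lst.append(connection_suffix)   # connection suffix is not devolved
    return lst


def nslookup_queries(name, suffixes):
    """Names sent, in order: a trailing '.' disables suffixing entirely;
    otherwise every suffix is appended and the bare name is tried last."""
    if name.endswith("."):
        return [name.rstrip(".")]
    return ["%s.%s" % (name, s) for s in suffixes] + [name]


def handled_locally(qname, zones=LOCAL_ZONES):
    """True if the server is authoritative for qname (or hosts the root zone
    '.'), so it answers itself instead of forwarding the query."""
    if "." in zones:
        return True
    return any(qname == z or qname.endswith("." + z) for z in zones)


def trace(name, suffixes, zones=LOCAL_ZONES):
    """(query name, 'local' | 'forwarded') for each query nslookup would send."""
    return [(q, "local" if handled_locally(q, zones) else "forwarded")
            for q in nslookup_queries(name, suffixes)]
```

Running `trace("dcserver1.corp.example.au", search_list("corp.example.au"))` reproduces the pattern in the posted -d2 output: a local NXDOMAIN for the first (double-suffixed) name, a forwarded second query that times out on an isolated server, then the bare name answered locally.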
