Hi All:

Our Windows 2000 sp4 DNS servers keep sending queries to our UNIX DNS server
continuously looking for names that the UNIX DNS server says that they IP
addresses are invalid. I would expect the W2k DNS server to stop quering for
these names once its been told that a particular IP address is invalid. Our
UNIX DNS machine is getting bombarded with these continuous queries.

Today between 12:40 and 12:45 EDT, the two MS DNS servers each asked takoma
about 3000 times for the address of www.ombek.com. Each time they were told
that the DNS servers for www.ombek.com were failing.

Is this a bug in Windows 2000 dns that is fixed in Windows 2003 DNS?

Thanks,
Charles

Charles wrote:
> Hi All:
>
> Our Windows 2000 sp4 DNS servers keep sending queries to our UNIX DNS
> server continuously looking for names that the UNIX DNS server says
> that they IP addresses are invalid. I would expect the W2k DNS
> server to stop quering for these names once its been told that a
> particular IP address is invalid. Our UNIX DNS machine is getting
> bombarded with these continuous queries.
>
> Today between 12:40 and 12:45 EDT, the two MS DNS servers each asked
> takoma about 3000 times for the address of www.ombek.com. Each time
> they were told that the DNS servers for www.ombek.com were failing.
>
> Is this a bug in Windows 2000 dns that is fixed in Windows 2003 DNS?

I don't know of any bugs that cause DNS to resolve names that it was not
asked to resolve. I would more than likely think it is trying to resolve the
name for a client. If the MS DNS servers are forwarding to the BIND DNS
nothing would be cached to tell the MS DNS not to query again. There is no
default TTL on the domain, it can get NS records from the com gTLD servers.
But those DNS servers are lame and can't return the SOA record which have
the default TTL for the domain.
The default TTL is used for negative caching, so if the is no SOA, there is
also no negative cache. So the DNS client would continue to try to resolve
the name and so would the DNS server.


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

Thanks for responding Kevin. Our setup is that we have our internal dns
machines handling all of the internal domain queries. When our internal dns
servers cannot resolve a query, it passes it on to our UNIX DNS server. The
problem is when some application on our internal network causes our internal
DNS machine to query for a name that does not exist either internally or
outside, our internal DNS server sends the query out to our UNIX DNS server.
Our UNIX DNS server figures out that the name in the query does not exist so
it returns a message to our internal DNS server that it does not exist or its
invalid. I would think that our internal DNS server wouuld no longer
continue to send queries to our UNIX Dns serve but it doesn't. It continues
3000 more times although the UNIX DNS server told our internal DNS server
that the name/ip is invalid.

I would think that this is probably a bug?

Thanks in advance!

Charles

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Charles wrote:
> > Hi All:
> >
> > Our Windows 2000 sp4 DNS servers keep sending queries to our UNIX DNS
> > server continuously looking for names that the UNIX DNS server says
> > that they IP addresses are invalid. I would expect the W2k DNS
> > server to stop quering for these names once its been told that a
> > particular IP address is invalid. Our UNIX DNS machine is getting
> > bombarded with these continuous queries.
> >
> > Today between 12:40 and 12:45 EDT, the two MS DNS servers each asked
> > takoma about 3000 times for the address of www.ombek.com. Each time
> > they were told that the DNS servers for www.ombek.com were failing.
> >
> > Is this a bug in Windows 2000 dns that is fixed in Windows 2003 DNS?
>
> I don't know of any bugs that cause DNS to resolve names that it was not
> asked to resolve. I would more than likely think it is trying to resolve the
> name for a client. If the MS DNS servers are forwarding to the BIND DNS
> nothing would be cached to tell the MS DNS not to query again. There is no
> default TTL on the domain, it can get NS records from the com gTLD servers.
> But those DNS servers are lame and can't return the SOA record which have
> the default TTL for the domain.
> The default TTL is used for negative caching, so if the is no SOA, there is
> also no negative cache. So the DNS client would continue to try to resolve
> the name and so would the DNS server.
>
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> https://secure.lsaol.com/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
>
>
>

Charles wrote:
> Thanks for responding Kevin. Our setup is that we have our internal
> dns machines handling all of the internal domain queries. When our
> internal dns servers cannot resolve a query, it passes it on to our
> UNIX DNS server. The problem is when some application on our
> internal network causes our internal DNS machine to query for a name
> that does not exist either internally or outside, our internal DNS
> server sends the query out to our UNIX DNS server. Our UNIX DNS
> server figures out that the name in the query does not exist so it
> returns a message to our internal DNS server that it does not exist
> or its invalid. I would think that our internal DNS server wouuld no
> longer continue to send queries to our UNIX Dns serve but it doesn't.
> It continues 3000 more times although the UNIX DNS server told our
> internal DNS server that the name/ip is invalid.
>
> I would think that this is probably a bug?

It's not a bug (I don't think) this is just one of the drawbacks to
forwarding, the internal DNS that you are forwarding from cannot get an
authoritative answer, it caches no NS records and no SOA records since BIND
does not return those records. BIND cannot return the SOA record because the
SOA record does not exist. Since there is no SOA, there is no negative
caching, if there is no negative caching, it means DNS will continue to ask
for the A records.
One way to test my theory, nslookup -qtype=NS ombeck.com. <IPofMSDNS>
(Don't forget the trailing "." after ombeck.com.
After the MS DNS caches the NS records, it will stop forwarding to BIND for
that domain. (Unless you have "Do not use recursion" checked.)

This is why I never recommend a forwarder, unless it is a conditional
forwarder. I always say, "you can enable a forwarder" but I cannot recommend
a forwarder.

If I recommend anything, it is to install a fully delegated root zone. By
using a fully delegated root, your DNS will always get an authoritative
answer because it goes directly to the authoritative DNS for whatever domain
it resolves. If it forwards, all answers it gets from the forwarder is
non-authoritative, unless its forwarder is authoritative for the domain
queried for.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

Hi Kevin:

Thanks again for this great information. Fully understand it except for the
part of how conditional forwarding will help me. Since I don't know of all
of the domains to add to my forwarder, wouldn't this be impossible to do? I
wish there was a way to put in the forwarder the domain names that I don't
want forwarded off to my UNIX dns machine. This way when I see that there
are huge numbers of requests forwarded from the MS DNS machine to the UNIX, I
can get the name of the domain from the query and place it in the conditional
forwarder configured for the UNIX dns system so queries for that domain would
not be sent or forwarded to the UNIX dns system.

Also, is there a way to put rejected names in the MS DNS cache manually or
using some tool to work around this issue? Or is there a way to tell our our
internal DNS server that responses from our external UNIX dns server are
authoritative (so our internal MS DNS will stop sending repeated queries
after UNIX dns rejected it)? I understand there can only be one SOA in a
zone? It would be nice if I could let my internal ms dns know that the
external UNIX dns is authoritative.

Please advise.

Thanks Much,
Charles

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Charles wrote:
> > Thanks for responding Kevin. Our setup is that we have our internal
> > dns machines handling all of the internal domain queries. When our
> > internal dns servers cannot resolve a query, it passes it on to our
> > UNIX DNS server. The problem is when some application on our
> > internal network causes our internal DNS machine to query for a name
> > that does not exist either internally or outside, our internal DNS
> > server sends the query out to our UNIX DNS server. Our UNIX DNS
> > server figures out that the name in the query does not exist so it
> > returns a message to our internal DNS server that it does not exist
> > or its invalid. I would think that our internal DNS server wouuld no
> > longer continue to send queries to our UNIX Dns serve but it doesn't.
> > It continues 3000 more times although the UNIX DNS server told our
> > internal DNS server that the name/ip is invalid.
> >
> > I would think that this is probably a bug?
>
> It's not a bug (I don't think) this is just one of the drawbacks to
> forwarding, the internal DNS that you are forwarding from cannot get an
> authoritative answer, it caches no NS records and no SOA records since BIND
> does not return those records. BIND cannot return the SOA record because the
> SOA record does not exist. Since there is no SOA, there is no negative
> caching, if there is no negative caching, it means DNS will continue to ask
> for the A records.
> One way to test my theory, nslookup -qtype=NS ombeck.com. <IPofMSDNS>
> (Don't forget the trailing "." after ombeck.com.
> After the MS DNS caches the NS records, it will stop forwarding to BIND for
> that domain. (Unless you have "Do not use recursion" checked.)
>
> This is why I never recommend a forwarder, unless it is a conditional
> forwarder. I always say, "you can enable a forwarder" but I cannot recommend
> a forwarder.
>
> If I recommend anything, it is to install a fully delegated root zone. By
> using a fully delegated root, your DNS will always get an authoritative
> answer because it goes directly to the authoritative DNS for whatever domain
> it resolves. If it forwards, all answers it gets from the forwarder is
> non-authoritative, unless its forwarder is authoritative for the domain
> queried for.
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> https://secure.lsaol.com/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
>
>
>

Charles wrote:
> Hi Kevin:
>
> Thanks again for this great information. Fully understand it except
> for the part of how conditional forwarding will help me. Since I
> don't know of all of the domains to add to my forwarder, wouldn't
> this be impossible to do? I wish there was a way to put in the
> forwarder the domain names that I don't want forwarded off to my UNIX
> dns machine. This way when I see that there are huge numbers of
> requests forwarded from the MS DNS machine to the UNIX, I can get the
> name of the domain from the query and place it in the conditional
> forwarder configured for the UNIX dns system so queries for that
> domain would not be sent or forwarded to the UNIX dns system.
>
> Also, is there a way to put rejected names in the MS DNS cache
> manually or using some tool to work around this issue? Or is there a
> way to tell our our internal DNS server that responses from our
> external UNIX dns server are authoritative (so our internal MS DNS
> will stop sending repeated queries after UNIX dns rejected it)? I
> understand there can only be one SOA in a zone? It would be nice if
> I could let my internal ms dns know that the external UNIX dns is
> authoritative.

Your options are limited since you have Windows 2000, which has no support
for stub zones or conditional forwarders.
You would have to use secondary zones for zones on the UNIX/BIND.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

We will be upgrading our DNS servers to Windows 2003 (this is w2k3 domain).
Once we do, how can we configure conditional forwarders so it will accomplish
what I'm trying to do. It appears with the conditional fwdrs you can only
put names that you want forwarded but not names you don't want forwarded.
Maybe I'm missing something but how can I used conditional fwdrs to prevent
bad names from being forwarded to our UNIX dns server?

Thanks,
Charles

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Charles wrote:
> > Hi Kevin:
> >
> > Thanks again for this great information. Fully understand it except
> > for the part of how conditional forwarding will help me. Since I
> > don't know of all of the domains to add to my forwarder, wouldn't
> > this be impossible to do? I wish there was a way to put in the
> > forwarder the domain names that I don't want forwarded off to my UNIX
> > dns machine. This way when I see that there are huge numbers of
> > requests forwarded from the MS DNS machine to the UNIX, I can get the
> > name of the domain from the query and place it in the conditional
> > forwarder configured for the UNIX dns system so queries for that
> > domain would not be sent or forwarded to the UNIX dns system.
> >
> > Also, is there a way to put rejected names in the MS DNS cache
> > manually or using some tool to work around this issue? Or is there a
> > way to tell our our internal DNS server that responses from our
> > external UNIX dns server are authoritative (so our internal MS DNS
> > will stop sending repeated queries after UNIX dns rejected it)? I
> > understand there can only be one SOA in a zone? It would be nice if
> > I could let my internal ms dns know that the external UNIX dns is
> > authoritative.
>
> Your options are limited since you have Windows 2000, which has no support
> for stub zones or conditional forwarders.
> You would have to use secondary zones for zones on the UNIX/BIND.
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> https://secure.lsaol.com/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
>
>
>

Charles wrote:
> We will be upgrading our DNS servers to Windows 2003 (this is w2k3
> domain). Once we do, how can we configure conditional forwarders so
> it will accomplish what I'm trying to do. It appears with the
> conditional fwdrs you can only put names that you want forwarded but
> not names you don't want forwarded. Maybe I'm missing something but
> how can I used conditional fwdrs to prevent bad names from being
> forwarded to our UNIX dns server?

The only name you would use in the conditional forwarders are for the
domains that the UNIX DNS is authoritative for. I'm not a fan of blanket
forwarding, that is the "All other DNS domains" as used in Win2k3. I prefer
my DNS servers to get authoritative answers.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================

Thanks for these timely responses Kevin! That makes sense. There is another
guy managing our outside UNIX dns servers so I would just need to get a list
of the domains that the UNIX dns is authoritative and put them in as the
forwarders condition, correct?

You mentioned that you prefer your dns servers to get authoritative answers.
I do to. Not sure how to tell my internal MS DNS servers that the outside
UNIX dns is authoritative. Is there a way to put an SOA in the dns records
of my internal area so my computers know that the outside UNIX dns is
authoritative as th internal ms dns servers are?

Thanks!

"Kevin D. Goodknecht Sr. [MVP]" wrote:

> Charles wrote:
> > We will be upgrading our DNS servers to Windows 2003 (this is w2k3
> > domain). Once we do, how can we configure conditional forwarders so
> > it will accomplish what I'm trying to do. It appears with the
> > conditional fwdrs you can only put names that you want forwarded but
> > not names you don't want forwarded. Maybe I'm missing something but
> > how can I used conditional fwdrs to prevent bad names from being
> > forwarded to our UNIX dns server?
>
> The only name you would use in the conditional forwarders are for the
> domains that the UNIX DNS is authoritative for. I'm not a fan of blanket
> forwarding, that is the "All other DNS domains" as used in Win2k3. I prefer
> my DNS servers to get authoritative answers.
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> https://secure.lsaol.com/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
>
>
>

Could the NT servers secondaries to the Unix master server for all of our
internal domains. They would then not have to query the Unix servers for
local stuff and could directly forward queries for external domains to the
internet.

Doing this UNIX DNS would never see these repeated queries but I think the
zone for our internal DNS would need to be Primary? Not sure if we could be
secondary to a UNIX master? Kinda remember it might be possible if UNIX is
running at a certain BIND level?

Please advise.

"Charles" wrote:

> Thanks for these timely responses Kevin! That makes sense. There is another
> guy managing our outside UNIX dns servers so I would just need to get a list
> of the domains that the UNIX dns is authoritative and put them in as the
> forwarders condition, correct?
>
> You mentioned that you prefer your dns servers to get authoritative answers.
> I do to. Not sure how to tell my internal MS DNS servers that the outside
> UNIX dns is authoritative. Is there a way to put an SOA in the dns records
> of my internal area so my computers know that the outside UNIX dns is
> authoritative as th internal ms dns servers are?
>
> Thanks!
>
> "Kevin D. Goodknecht Sr. [MVP]" wrote:
>
> > Charles wrote:
> > > We will be upgrading our DNS servers to Windows 2003 (this is w2k3
> > > domain). Once we do, how can we configure conditional forwarders so
> > > it will accomplish what I'm trying to do. It appears with the
> > > conditional fwdrs you can only put names that you want forwarded but
> > > not names you don't want forwarded. Maybe I'm missing something but
> > > how can I used conditional fwdrs to prevent bad names from being
> > > forwarded to our UNIX dns server?
> >
> > The only name you would use in the conditional forwarders are for the
> > domains that the UNIX DNS is authoritative for. I'm not a fan of blanket
> > forwarding, that is the "All other DNS domains" as used in Win2k3. I prefer
> > my DNS servers to get authoritative answers.
> >
> > --
> > Best regards,
> > Kevin D. Goodknecht Sr. [MVP]
> > Hope This Helps
> > ===================================
> > When responding to posts, please "Reply to Group"
> > via your newsreader so that others may learn and
> > benefit from your issue, to respond directly to
> > me remove the nospam. from my email address.
> > ===================================
> > http://www.lonestaramerica.com/
> > http://support.wftx.us/
> > https://secure.lsaol.com/
> > ===================================
> > Use Outlook Express?... Get OE_Quotefix:
> > It will strip signature out and more
> > http://home.in.tum.de/~jain/software/oe-quotefix/
> > ===================================
> > Keep a back up of your OE settings and folders
> > with OEBackup:
> > http://www.oehelp.com/OEBackup/Default.aspx
> > ===================================
> >
> >
> >