DNS stops resolving external addresses

Andy

I have a W2K DC, with DHCP Server Service and DNS Server Service. My network
contains only one domain and it's the only DC.
The problem I see is that my DNS Server stops resolving external names, but
if I restart the DNS service, it works again.
Example:
From the DNS Server
- Running "nslookup www.msn.com", it works well, obtaining IP addresses.
- Later (maybe the next day), running the same command doesn't work. All I
obtain is a request timeout.
- I restart the DNS Server service and run my "nslookup www.msn.com"
command, and it works well again.

In the Event Log I don't see any error message or anything suspect.
Any idea about the problem?
Note: Running a netdiag command does not present any error. All tests
are passed.

Thank you

Andy

Thank you for answering:
I have the default Root hints list, and Enabled Forwarders.
In the forwarders list, I have the IPs from my ISP. Is that correct?

"Lanwench [MVP - Exchange]"

Ace Fekay [MVP]

Andy posted their thoughts and said:
> Thank you for answering:
> I have the default Root hints list, and Enabled Forwarders.
> In the forwarders list, I have the IPs from my ISP. Is that correct?
>
> "Lanwench [MVP - Exchange]"
>> Are you using forwarders, or root hints?

That's the correct configuration.
Also enable Secure Cache Against Pollution. Seems there's quite a bit of
stir lately in "DNSLand" out there. Massive UDP 53 scans and redirected
lookups are happening, causing cache poisoning, which is what you're experiencing.

Hope you installed the updates on your machines as per the articles below:

Security Experts On Alert for Large-Scale Hacker Assault:
http://www.esecurityplanet.com/trends/article.php/2242891

What You Should Know About Microsoft Security Bulletin MS03-026:
http://www.microsoft.com/security/security_bulletins/ms03-026.asp


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

Jonathan de Boyne Pollard

A> I have [...] Enabled Forwarders.

When next the problem manifests itself, issue the relevant queries against
your forwardees and see whether they respond correctly. Rule out the
possibility that this is their problem and not yours.

Jonathan de Boyne Pollard

AF> Also enable Secure Cache Against Pollution.

Whilst this is good advice in general (as you know, my advice is to _always_
enable this option, there being no good reason for ever disabling it), it
won't prevent problems in the situation that he describes.

He's using forwarders. One of the disadvantages of forwarding is that it
leaves one as vulnerable to cache poisoning as one's forwardees are.
Preventing cache poisoning locally won't help.

AF> Massive UDP 53 scans [...]

The article doesn't mention port 53. It talks about scans for vulnerabilities
in Windows' RPC services. That's a wholly different set of ports.
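As an added example that is not part of this thread: a small Python 3 script (standard library only) that does what the two replies above suggest, sending the same A query straight to each forwarder and reporting which ones answer, and applying the kind of same-domain ("bailiwick") filter that Secure Cache Against Pollution performs, discarding records whose owner name lies outside the queried domain. The forwarder addresses are constructed placeholders (replace them with the IPs on the Forwarders tab), the bailiwick rule is a simplified approximation of the Windows behaviour (it treats the parent of the queried name as the zone, so it would also drop the address of a CNAME target in another domain), and the embedded sample response is constructed to show one in-domain answer beside one out-of-domain additional record.

```python
import random
import socket
import struct

# Assumption: replace with the IPs from the DNS console's Forwarders tab.
# These are documentation (TEST-NET) addresses, not real resolvers.
FORWARDERS = ["192.0.2.53", "192.0.2.54"]
TEST_NAME = "www.msn.com"   # the name used in the original post


def encode_name(name):
    """Encode a dotted name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qid):
    """Build a recursion-desired A/IN query with the given 16-bit ID."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(data, offset):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:               # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (end if jumped else offset)


def in_bailiwick(owner, qname):
    """Simplified same-domain test: the zone is qname minus its first label."""
    zone = qname.lower().split(".", 1)[-1]
    owner = owner.lower()
    return owner == zone or owner.endswith("." + zone)


def parse_response(data, qname, expected_id):
    """Parse a response; keep in-domain A records, report everything else."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    result = {"id_ok": qid == expected_id, "rcode": flags & 0xF,
              "answers": [], "discarded": []}
    offset = 12
    for _ in range(qd):                          # skip the question section
        _, offset = read_name(data, offset)
        offset += 4                              # QTYPE + QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, offset = read_name(data, offset)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10
            rdata = data[offset:offset + rdlen]
            offset += rdlen
            if not in_bailiwick(owner, qname):   # what a secure cache would drop
                result["discarded"].append((section, owner, rtype, ttl))
            elif rtype == 1 and rdlen == 4:      # A record
                result["answers"].append((owner, socket.inet_ntoa(rdata), ttl))
    return result


def check_forwarder(ip, name=TEST_NAME, timeout=3.0):
    """Query one forwarder directly; returns the parse result, or None on timeout."""
    qid = random.randrange(0, 0x10000)           # random ID: a mismatch means a spoofed reply
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (ip, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data, name, qid)


def build_sample_response(qid=0x1234):
    """Constructed response: one genuine answer plus one out-of-domain extra record."""
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 1)
    question = encode_name("www.example.com") + struct.pack("!HH", 1, 1)
    answer = (b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)      # pointer to the question name
              + socket.inet_aton("192.0.2.10"))
    extra = (encode_name("www.unrelated.test") + struct.pack("!HHIH", 1, 1, 86400, 4)
             + socket.inet_aton("198.51.100.66"))
    return header + question + answer + extra


if __name__ == "__main__":
    print("sample parse:", parse_response(build_sample_response(), "www.example.com", 0x1234))
    for fwd in FORWARDERS:
        r = check_forwarder(fwd)
        print(fwd, "timed out" if r is None else r)
```

Run it on the DC while the failure is present: a forwarder that times out or returns a non-zero rcode points at the forwardee rather than the local server, while an `id_ok` of False or a non-empty `discarded` list shows the kind of reply a poisoned or spoofing upstream produces, which a local Secure Cache Against Pollution setting cannot prevent when the forwardee itself has cached it.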

Ace Fekay [MVP]

Jonathan de Boyne Pollard said:
> AF> Massive UDP 53 scans [...]
>
> The article doesn't mention port 53. It talks about scans for vulnerabilities
> in Windows' RPC services. That's a wholly different set of ports.

I meant UDP scans, don't know why I threw in 53.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory