W2k SP4 DNS Not Accepting No For an Answer

[Guest]

Hi All:

Our Windows 2000 sp4 DNS servers keep sending queries to our UNIX DNS server
continuously looking for names that the UNIX DNS server says that they IP
addresses are invalid. I would expect the W2k DNS server to stop quering for
these names once its been told that a particular IP address is invalid. Our
UNIX DNS machine is getting bombarded with these continuous queries.

Today between 12:40 and 12:45 EDT, the two MS DNS servers each asked takoma
about 3000 times for the address of www.ombek.com. Each time they were told
that the DNS servers for www.ombek.com were failing.

Is this a bug in Windows 2000 dns that is fixed in Windows 2003 DNS?

Thanks,
Charles

 

[Kevin D. Goodknecht Sr. [MVP]]

Hi All:

Our Windows 2000 sp4 DNS servers keep sending queries to our UNIX DNS
server continuously looking for names that the UNIX DNS server says
that they IP addresses are invalid. I would expect the W2k DNS
server to stop quering for these names once its been told that a
particular IP address is invalid. Our UNIX DNS machine is getting
bombarded with these continuous queries.

Today between 12:40 and 12:45 EDT, the two MS DNS servers each asked
takoma about 3000 times for the address of www.ombek.com. Each time
they were told that the DNS servers for www.ombek.com were failing.

Is this a bug in Windows 2000 dns that is fixed in Windows 2003 DNS?

I don't know of any bugs that cause DNS to resolve names that it was not
asked to resolve. I would more than likely think it is trying to resolve the
name for a client. If the MS DNS servers are forwarding to the BIND DNS
nothing would be cached to tell the MS DNS not to query again. There is no
default TTL on the domain, it can get NS records from the com gTLD servers.
But those DNS servers are lame and can't return the SOA record which have
the default TTL for the domain.
The default TTL is used for negative caching, so if the is no SOA, there is
also no negative cache. So the DNS client would continue to try to resolve
the name and so would the DNS server.

 

[Guest]

Thanks for responding Kevin. Our setup is that we have our internal dns
machines handling all of the internal domain queries. When our internal dns
servers cannot resolve a query, it passes it on to our UNIX DNS server. The
problem is when some application on our internal network causes our internal
DNS machine to query for a name that does not exist either internally or
outside, our internal DNS server sends the query out to our UNIX DNS server.
Our UNIX DNS server figures out that the name in the query does not exist so
it returns a message to our internal DNS server that it does not exist or its
invalid. I would think that our internal DNS server wouuld no longer
continue to send queries to our UNIX Dns serve but it doesn't. It continues
3000 more times although the UNIX DNS server told our internal DNS server
that the name/ip is invalid.

I would think that this is probably a bug?

Thanks in advance!

Charles

 

[Kevin D. Goodknecht Sr. [MVP]]

Thanks for responding Kevin. Our setup is that we have our internal
dns machines handling all of the internal domain queries. When our
internal dns servers cannot resolve a query, it passes it on to our
UNIX DNS server. The problem is when some application on our
internal network causes our internal DNS machine to query for a name
that does not exist either internally or outside, our internal DNS
server sends the query out to our UNIX DNS server. Our UNIX DNS
server figures out that the name in the query does not exist so it
returns a message to our internal DNS server that it does not exist
or its invalid. I would think that our internal DNS server wouuld no
longer continue to send queries to our UNIX Dns serve but it doesn't.
It continues 3000 more times although the UNIX DNS server told our
internal DNS server that the name/ip is invalid.

I would think that this is probably a bug?

It's not a bug (I don't think) this is just one of the drawbacks to
forwarding, the internal DNS that you are forwarding from cannot get an
authoritative answer, it caches no NS records and no SOA records since BIND
does not return those records. BIND cannot return the SOA record because the
SOA record does not exist. Since there is no SOA, there is no negative
caching, if there is no negative caching, it means DNS will continue to ask
for the A records.
One way to test my theory, nslookup -qtype=NS ombeck.com. <IPofMSDNS>
(Don't forget the trailing "." after ombeck.com.
After the MS DNS caches the NS records, it will stop forwarding to BIND for
that domain. (Unless you have "Do not use recursion" checked.)

This is why I never recommend a forwarder, unless it is a conditional
forwarder. I always say, "you can enable a forwarder" but I cannot recommend
a forwarder.

If I recommend anything, it is to install a fully delegated root zone. By
using a fully delegated root, your DNS will always get an authoritative
answer because it goes directly to the authoritative DNS for whatever domain
it resolves. If it forwards, all answers it gets from the forwarder is
non-authoritative, unless its forwarder is authoritative for the domain
queried for.

 

[Guest]

Hi Kevin:

Thanks again for this great information. Fully understand it except for the
part of how conditional forwarding will help me. Since I don't know of all
of the domains to add to my forwarder, wouldn't this be impossible to do? I
wish there was a way to put in the forwarder the domain names that I don't
want forwarded off to my UNIX dns machine. This way when I see that there
are huge numbers of requests forwarded from the MS DNS machine to the UNIX, I
can get the name of the domain from the query and place it in the conditional
forwarder configured for the UNIX dns system so queries for that domain would
not be sent or forwarded to the UNIX dns system.

Also, is there a way to put rejected names in the MS DNS cache manually or
using some tool to work around this issue? Or is there a way to tell our our
internal DNS server that responses from our external UNIX dns server are
authoritative (so our internal MS DNS will stop sending repeated queries
after UNIX dns rejected it)? I understand there can only be one SOA in a
zone? It would be nice if I could let my internal ms dns know that the
external UNIX dns is authoritative.

Please advise.

Thanks Much,
Charles

 

[Kevin D. Goodknecht Sr. [MVP]]

Hi Kevin:

Thanks again for this great information. Fully understand it except
for the part of how conditional forwarding will help me. Since I
don't know of all of the domains to add to my forwarder, wouldn't
this be impossible to do? I wish there was a way to put in the
forwarder the domain names that I don't want forwarded off to my UNIX
dns machine. This way when I see that there are huge numbers of
requests forwarded from the MS DNS machine to the UNIX, I can get the
name of the domain from the query and place it in the conditional
forwarder configured for the UNIX dns system so queries for that
domain would not be sent or forwarded to the UNIX dns system.

Also, is there a way to put rejected names in the MS DNS cache
manually or using some tool to work around this issue? Or is there a
way to tell our our internal DNS server that responses from our
external UNIX dns server are authoritative (so our internal MS DNS
will stop sending repeated queries after UNIX dns rejected it)? I
understand there can only be one SOA in a zone? It would be nice if
I could let my internal ms dns know that the external UNIX dns is
authoritative.

Your options are limited since you have Windows 2000, which has no support
for stub zones or conditional forwarders.
You would have to use secondary zones for zones on the UNIX/BIND.

 

[Guest]

We will be upgrading our DNS servers to Windows 2003 (this is w2k3 domain).
Once we do, how can we configure conditional forwarders so it will accomplish
what I'm trying to do. It appears with the conditional fwdrs you can only
put names that you want forwarded but not names you don't want forwarded.
Maybe I'm missing something but how can I used conditional fwdrs to prevent
bad names from being forwarded to our UNIX dns server?

Thanks,
Charles

 

[Kevin D. Goodknecht Sr. [MVP]]

We will be upgrading our DNS servers to Windows 2003 (this is w2k3
domain). Once we do, how can we configure conditional forwarders so
it will accomplish what I'm trying to do. It appears with the
conditional fwdrs you can only put names that you want forwarded but
not names you don't want forwarded. Maybe I'm missing something but
how can I used conditional fwdrs to prevent bad names from being
forwarded to our UNIX dns server?

The only name you would use in the conditional forwarders are for the
domains that the UNIX DNS is authoritative for. I'm not a fan of blanket
forwarding, that is the "All other DNS domains" as used in Win2k3. I prefer
my DNS servers to get authoritative answers.

 

[Guest]

Thanks for these timely responses Kevin! That makes sense. There is another
guy managing our outside UNIX dns servers so I would just need to get a list
of the domains that the UNIX dns is authoritative and put them in as the
forwarders condition, correct?

You mentioned that you prefer your dns servers to get authoritative answers.
I do to. Not sure how to tell my internal MS DNS servers that the outside
UNIX dns is authoritative. Is there a way to put an SOA in the dns records
of my internal area so my computers know that the outside UNIX dns is
authoritative as th internal ms dns servers are?

Thanks!

 

[Guest]

Could the NT servers secondaries to the Unix master server for all of our
internal domains. They would then not have to query the Unix servers for
local stuff and could directly forward queries for external domains to the
internet.

Doing this UNIX DNS would never see these repeated queries but I think the
zone for our internal DNS would need to be Primary? Not sure if we could be
secondary to a UNIX master? Kinda remember it might be possible if UNIX is
running at a certain BIND level?

Please advise.

 

[Kevin D. Goodknecht Sr. [MVP]]

Could the NT servers secondaries to the Unix master server for all of
our internal domains. They would then not have to query the Unix
servers for local stuff and could directly forward queries for
external domains to the internet.
Doing this UNIX DNS would never see these repeated queries but I
think the zone for our internal DNS would need to be Primary? Not
sure if we could be secondary to a UNIX master?

Absolutely Windows DNS can be secondaries for any primary. MS DNS servers
that are RFC compliant, which controls all protocols used between different
servers. Just allow zone transfers from the zones on the UNIX to the IP
address of the Windows.
Unfortunately, Windows 2000 does not support conditional forwarding or stub
zones, you'll have to use secondary zones, or install a Windows Server 2003
Domain Controller to be used as the DNS server.
I wouldn't use forwarding at all if you don't have to. I've seen to many
situations just this week that prevents me from even mentioning forwarding
because of lame name servers. I've found that lame name servers give DNS
servers that use forwarding fits because lame name servers for registered
cannot return NXDOMAIN because they can't return an SOA and get stuck in a
DNS loop because they don't have the zone for the domain delegated to them.
It is hard to place blame on any particular DNS server software when the
people that operate them don't comply with RFCs themselves.