Different answers from internal and external DNS servers

Bert Roos

Hi,

I'm having a problem sending mail to people at nl.ibm.com that boils down to
a DNS problem. We're internally running a DNS server on Windows Server 2003.
That server forwards all unknown addresses to the DNS servers of our ISP.
When I use nslookup to retrieve the MX record for nl.ibm.com through our
internal server, I get the following output:

Server: [10.31.1.1]
Address: 10.31.1.1

nl.ibm.com
primary name server = ns1.emea.ibm.com
responsible mail addr = attibmuk.emea.att.com
serial = 2003102900
refresh = 3600 (1 hour)
retry = 1800 (30 mins)
expire = 604800 (7 days)
default TTL = 10800 (3 hours)

Performing the same request on the external DNS server returns the
following:

Server: ns2.xs4all.nl
Address: 194.109.9.99

Non-authoritative answer:
nl.ibm.com MX preference = 10, mail exchanger = mtagate5.uk.ibm.com
nl.ibm.com MX preference = 10, mail exchanger = mtagate6.uk.ibm.com
nl.ibm.com MX preference = 10, mail exchanger = mtagate7.uk.ibm.com
nl.ibm.com MX preference = 20, mail exchanger = mtagate1.de.ibm.com
nl.ibm.com MX preference = 20, mail exchanger = mtagate2.de.ibm.com
nl.ibm.com MX preference = 20, mail exchanger = mtagate3.de.ibm.com
nl.ibm.com MX preference = 20, mail exchanger = mtagate4.de.ibm.com
nl.ibm.com MX preference = 20, mail exchanger = mtagate5.de.ibm.com
nl.ibm.com MX preference = 20, mail exchanger = mtagate6.de.ibm.com
nl.ibm.com MX preference = 20, mail exchanger = mtagate7.de.ibm.com
nl.ibm.com MX preference = 10, mail exchanger = mtagate1.uk.ibm.com
nl.ibm.com MX preference = 10, mail exchanger = mtagate2.uk.ibm.com
nl.ibm.com MX preference = 10, mail exchanger = mtagate3.uk.ibm.com
nl.ibm.com MX preference = 10, mail exchanger = mtagate4.uk.ibm.com

nl.ibm.com nameserver = ns1.emea.ibm.com
nl.ibm.com nameserver = ns2.emea.ibm.com
mtagate5.uk.ibm.com internet address = 195.212.29.138
mtagate6.uk.ibm.com internet address = 195.212.29.139
mtagate7.uk.ibm.com internet address = 195.212.29.140
mtagate1.de.ibm.com internet address = 195.212.29.150
mtagate2.de.ibm.com internet address = 195.212.29.151

The latter output is correct; the former is wrong. It also frequently occurs
that our own DNS server gives timeouts on nl.ibm.com (not on other
addresses, even not on ibm.com).
Can anybody explain why our own server returns different information? Why is
this specific to nl.ibm.com? Is there a way that I can trace how the DNS
server gets its data?
 
Ace Fekay [MVP]

Bert Roos said:
Hi,

I'm having a problem sending mail to people at nl.ibm.com that boils
down to a DNS problem. We're internally running a DNS server on
Windows Server 2003. That server forwards all unknown addresses to
the DNS servers of our ISP. When I use nslookup to retrieve the MX
record for nl.ibm.com through our internal server, I get the
following output:

Server: [10.31.1.1]
Address: 10.31.1.1

nl.ibm.com
primary name server = ns1.emea.ibm.com
responsible mail addr = attibmuk.emea.att.com
serial = 2003102900
refresh = 3600 (1 hour)
retry = 1800 (30 mins)
expire = 604800 (7 days)
default TTL = 10800 (3 hours)

Performing the same request on the external DNS server returns the
following:

Server: ns2.xs4all.nl
Address: 194.109.9.99

Non-authoritative answer:
nl.ibm.com MX preference = 10, mail exchanger = mtagate5.uk.ibm.com
nl.ibm.com MX preference = 10, mail exchanger = mtagate6.uk.ibm.com
nl.ibm.com MX preference = 10, mail exchanger = mtagate7.uk.ibm.com
nl.ibm.com MX preference = 20, mail exchanger = mtagate1.de.ibm.com
nl.ibm.com MX preference = 20, mail exchanger = mtagate2.de.ibm.com
nl.ibm.com MX preference = 20, mail exchanger = mtagate3.de.ibm.com
nl.ibm.com MX preference = 20, mail exchanger = mtagate4.de.ibm.com
nl.ibm.com MX preference = 20, mail exchanger = mtagate5.de.ibm.com
nl.ibm.com MX preference = 20, mail exchanger = mtagate6.de.ibm.com
nl.ibm.com MX preference = 20, mail exchanger = mtagate7.de.ibm.com
nl.ibm.com MX preference = 10, mail exchanger = mtagate1.uk.ibm.com
nl.ibm.com MX preference = 10, mail exchanger = mtagate2.uk.ibm.com
nl.ibm.com MX preference = 10, mail exchanger = mtagate3.uk.ibm.com
nl.ibm.com MX preference = 10, mail exchanger = mtagate4.uk.ibm.com

nl.ibm.com nameserver = ns1.emea.ibm.com
nl.ibm.com nameserver = ns2.emea.ibm.com
mtagate5.uk.ibm.com internet address = 195.212.29.138
mtagate6.uk.ibm.com internet address = 195.212.29.139
mtagate7.uk.ibm.com internet address = 195.212.29.140
mtagate1.de.ibm.com internet address = 195.212.29.150
mtagate2.de.ibm.com internet address = 195.212.29.151

The latter output is correct; the former is wrong. It also frequently
occurs that our own DNS server gives timeouts on nl.ibm.com (not on
other addresses, even not on ibm.com).
Can anybody explain why our own server returns different information?
Why is this specific to nl.ibm.com? Is there a way that I can trace
how the DNS server gets its data?

With Windows 2003, there is a new feature called EDNS0, which could be your
culprit. It allows UDP packets greater than 512 bytes. Some other DNS
servers out there don't quite yet use this feature, but many are coming up
to speed. As long as your firewall is allowing TCP and UDP 53, then let's
disable EDNS0 and give it a shot:

EDNS0:
http://www.microsoft.com/technet/tr...roddocs/entserver/sag_DNS_imp_EDNSsupport.asp

828731 - An External DNS Query May Cause an Error Message in Windows Server
2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828731&Product=winsvr2003

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
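The symptom Ace points at (an EDNS0 client advertising a large UDP buffer, and a large MX answer that then never makes it through the firewall) can be checked directly rather than by toggling the server setting. The script below is an added example, not code from the thread or from Microsoft: it builds a raw MX query with and without an EDNS0 OPT record, sends both to a resolver you name, and classifies each reply; `probe`, `build_query`, `classify_response` and the 4096-byte advertised buffer are the example's own choices.

```python
import socket
import struct

MX = 15           # QTYPE for mail exchanger records
OPT = 41          # pseudo-RR type that carries EDNS0 (RFC 2671)
TC_FLAG = 0x0200  # truncation bit in the DNS header flags word


def build_query(name, qtype=MX, edns_bufsize=None, txid=0x1234):
    """Raw DNS query; with edns_bufsize set, an OPT RR advertises that UDP size."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    pkt = header + qname + struct.pack("!HH", qtype, 1)  # class IN
    if edns_bufsize:
        # OPT RR: root owner name, TYPE 41, CLASS field = UDP payload size,
        # TTL field = extended RCODE/version/flags (all zero), empty RDATA.
        pkt += b"\x00" + struct.pack("!HHIH", OPT, edns_bufsize, 0, 0)
    return pkt


def classify_response(pkt):
    """'truncated' (TC set, caller must retry over TCP), 'large-udp' (>512 B), or 'small'."""
    _txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & TC_FLAG:
        return "truncated"
    return "large-udp" if len(pkt) > 512 else "small"


def probe(server, name, timeout=3.0):
    """Send a classic (512-byte) and an EDNS0 query; a timeout only on the EDNS0
    path is the pattern described in this thread (large UDP answer dropped in transit)."""
    results = {}
    for label, bufsize in (("classic", None), ("edns0", 4096)):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, edns_bufsize=bufsize), (server, 53))
            data, _ = sock.recvfrom(65535)
            results[label] = classify_response(data)
        except socket.timeout:
            results[label] = "timeout"
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    # Resolver address is a placeholder; substitute your own internal server.
    print(probe("10.31.1.1", "nl.ibm.com"))
```

If the classic query answers "truncated" while the EDNS0 query times out, the resolver is fine and something between it and the authoritative server is dropping UDP datagrams over 512 bytes.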
 
Bert Roos

Thanks Ace, that resolves the issue. We still have to figure out whether
it's the firewall or the external DNS server, but we now know what to look
for.

Regards, Bert Roos

 
Ace Fekay [MVP]

Bert Roos said:
Thanks Ace, that resolves the issue. We still have to figure out whether
it's the firewall or the external DNS server, but we now know what to look
for.

Regards, Bert Roos
Glad to be of help.

Your firewall may just not be able to handle it. Have to check the docs on
it.

--
Regards,
Ace
 
Bert Roos

Hi Ace,

It's indeed the firewall. We've a Cisco PIX firewall. Our current version of
the software blocks UDP packets larger than 512 bytes. That's why the large
MX record of nl.ibm.com is blocked. Once we've upgraded the firewall, I'll
switch on EDNS0 again.

Thanks for the support!
Bert Roos

 
Ace Fekay [MVP]

Bert Roos said:
Hi Ace,

It's indeed the firewall. We've a Cisco PIX firewall. Our current
version of the software blocks UDP packets larger than 512 bytes.
That's why the large MX record of nl.ibm.com is blocked. Once we've
upgraded the firewall, I'll switch on EDNS0 again.

Thanks for the support!
Bert Roos

Glad to hear there's an upgrade for the PIX for this.
:)

--
Regards,
Ace
 