DNS stops working and outbound email can no longer resolve domains.

Michael

Greetings,

I have a Windows2k domain controller running DNS and Exchange. DNS
works great for a couple of days and then simply stops resolving
external domains. To get around this problem I have used a script to
restart the DNS server every 2 hours, which has been working. But I
would really like to resolve the DNS issue.

For my DNS I do not have a root (.) zone. I have enabled forwarders
pointed to three external DNS servers and my ISA server. I am not
getting any errors in the DNS except for a NETLOGON error that I don't
believe is related:

EventID: 5774
Source: NETLOGON
Description: Registration of the DNS record
'eaf4b04c-a1ab-4833-9785-ec6b7e1db58f._msdcs.makai.com. 600 IN CNAME poweredge.makai.com.'
failed with the following error:
DNS RR set that ought to exist, does not exist.

I've checked technet, eventid.net, and other sources for a resolution
to no avail. To reiterate, DNS works great at resolving internal and
external addresses for about 14hrs and then simply stops resolving
external addresses. Can anyone offer suggestions?

Michael
 
Herb Martin

I have a Windows2k domain controller running DNS and Exchange. DNS
works great for a couple of days and then simply stops resolving
external domains.

For my DNS I do not have a root (.) zone. I have enabled forwarders
pointed to three external DNS servers and my ISA server.

Why so many forwarders? If one of them is sick then this may be
the reason for the intermittent problem. Nothing wrong with having
a backup, but generally a couple of reliable DNS servers is better than
a bunch of flaky ones.

What happens if you query EACH of these servers when your internal
server exhibits problems? (Use nslookup, or dig, and query explicitly):

nslookup www.Yahoo.com isa.yourdomain.com
nslookup www.Yahoo.com ns1.yourISP.com
etc.

Since it is an external error only, let's make sure these guys are working.

Preferably do these tests from the command line of the internal DNS
server so we don't get into issues of "other client machines" being
filtered at the ISA server.
 
art

I have the same exact problem...at some point every day
the DNS server stops receiving updates from our DNS server
in a different tree. If I perform an nslookup from the main
site to the other site, it times out...If I go into the
DNS manager and restart the service everything works fine
until it stops again.
I have one forest, 2 sites, with a dns server running in
both sites. Each server is a backup for the other. Only
one side of the configuration stops working, where I need
to restart the service, the other side never has a
problem...
If you get a fix for this please let me know...I've been
trying to figure out why this happens for quite awhile now.
I even posted in this newsgroup, but didn't get a result.
Everyone kept saying that the zone transfers were denied
for some reason, but that doesn't make sense considering it
works most of the time...
 
Michael

Aloha!

Thanks for your patience. I have disabled my DNS server restart script
and am waiting for the problem to return before I can provide
specific results.

When I say DNS stops resolving external domains I mean that my SMTP
outgoing queue fills up with email that can't be delivered due to the
fact that the domain names cannot be resolved. Yes, I know that the
majority of the email that can't be delivered is due to spam and
domains that don't even exist. However, I am speaking of domains that
do exist, like yahoo.com. When I do an NSLOOKUP on yahoo.com it fails.
It's almost as if the "Forwarders" on the DNS server stop working
because the internal DNS resolution is not affected (workstations and
printers on the LAN are resolved just fine). I currently have the
forward timeout at 5 seconds. Perhaps during heavy traffic this time
is too short? And I'm not using recursion. Simply restarting the DNS
server fixes the problem and external domains are resolved and
outbound email is once again delivered.

When the problem recurs I can provide more details. I will perform a
NSlookup and provide you with the results. Is there any other output
that you would like to see?

Thanks,
Michael
 
Ace Fekay [MVP]

In
art said:
I have the same exact problem...at some point every day
the DNS server stops receiving updates from our DNS server
in a different tree. If I perform an nslookup from the main
site to the other site, it times out...If I go into the
DNS manager and restart the service everything works fine
until it stops again.
I have one forest, 2 sites, with a dns server running in
both sites. Each server is a backup for the other. Only
one side of the configuration stops working, where I need
to restart the service, the other side never has a
problem...
If you get a fix for this please let me know...I've been
trying to figure out why this happens for quite awhile now.
I even posted in this newsgroup, but didn't get a result.
Everyone kept saying that the zone transfers were denied
for some reason, but that doesn't make sense considering it
works most of the time...

So you're saying that zone transfers *sometimes* work?

Usually they just work, unless a firewall is stopping it. If it *sometimes*
works, maybe the zone transfer is greater than 512 and it requires TCP. Are
both TCP and UDP 53 open, as well as all UDP ports above 1024, between those
two specific IP addresses? This is because MS DNS requires those ports for
the response.

Hope that helps.


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Ace Fekay [MVP]

In
Michael said:
Aloha!

Thanks for your patience. I have disabled my DNS server restart script
and am waiting for the problem to return before I can provide
specific results.

When I say DNS stops resolving external domains I mean that my SMTP
outgoing queue fills up with email that can't be delivered due to the
fact that the domain names cannot be resolved. Yes, I know that the
majority of the email that can't be delivered is due to spam and
domains that don't even exist. However, I am speaking of domains that
do exist, like yahoo.com. When I do an NSLOOKUP on yahoo.com it fails.
It's almost as if the "Forwarders" on the DNS server stop working
because the internal DNS resolution is not affected (workstations and
printers on the LAN are resolved just fine). I currently have the
forward timeout at 5 seconds. Perhaps during heavy traffic this time
is too short? And I'm not using recursion. Simply restarting the DNS
server fixes the problem and external domains are resolved and
outbound email is once again delivered.

When the problem recurs I can provide more details. I will perform a
NSlookup and provide you with the results. Is there any other output
that you would like to see?

Thanks,
Michael


Jonathan de Boyne Pollard said:
DNS [...] simply stops resolving external domains.

What does this mean ? Do DNS queries start timing out
with no response ? Do you suddenly start receiving "no such
name" answers ?

Please show us your actual actions and their exact results.
<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/problem-report-standard-litany.html>

If the problem comes down to certain domains that cannot be looked up, it
may be due to those domains having the response UDP (default) packet larger
than 512 bytes, so DNS will revert to TCP in a situation like that. Two
things to help in this scenario. Allow TCP 53 at the firewall (if
firewalled). If not firewalled, is this Win2003? If so, it could be EDNS0
being the culprit.

You can test this at an nslookup prompt. Try this:
nslookup
set type=mx
yahoo.com

Let us know if you get a response.

Another issue is if your forwarder (assuming you have forwarding configured
and your DNS AD infrastructure is set up properly) cannot handle it. If so, I
would suggest a different forwarder. You can try 4.2.2.2 to see if it helps.

If it is Win 2003, here's more info on EDNS0. It also shows how to disable
it.

Using Extension Mechanisms for DNS (EDNS0):
http://www.microsoft.com/technet/tr...proddocs/standard/sag_DNS_imp_EDNSsupport.asp


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Jonathan de Boyne Pollard

M> When I do a NSLOOKUP on yahoo.com it fails.

How ?

M> It's almost as if [...]

We cannot diagnose your problem based upon your guess at what is
happening. After all, if your guess were accurate you wouldn't
be here asking for help.

M> When the problem recurs I can provide more details.
M> I will perform a NSlookup and provide you with the results.

That's the sort of stuff that will be useful (although the output
of a tool such as "dig" or "dnsquery" will be less cluttered with
extraneous chaff - and the use of "nslookup" has long since been
deprecated by its author).

M> Is there any other output that you would like to see?

* What the result of that same query, when sent from the machine
running your DNS server to each of the three forwardees at the
time that you are experiencing the problem, is.

* The resource record sets in your DNS server's cache that are
owned by the domain name involved.

* The exact error messages that your SMTP MTA is generating.
 
Jonathan de Boyne Pollard

a> If I perform a nslookup from the main
a> site to the other site, it times out...

What happens when you issue the same query locally, on
the machine, that is running the DNS server, itself ?

a> Only one side of the configuration stops working, [...]

Is it always the same server ?

a> Every one kept saying that the zone transfers were denied
a> for some reason, but that doen't make sense considering it
a> works most of the time...

How did you determine that "zone transfer" replication _was_
actually working ?
 
Michael

Aloha,

I thought I should post a follow-up to my problem. After researching
a bit more, I found that 4.2.2.2 is a global DNS server that accepts
forwarding. Therefore, I tried placing this server at the top of my
forwarding list and the problem has never recurred. I suspect that
one of my ISP's servers was malfunctioning, as originally suggested by
Herb. However, I have not taken the time to confirm that a
malfunctioning DNS server was the problem (not easily done on a
production server). If I can confirm this, I will post a follow-up.

Mahalos,
Michael
 
Ace Fekay [MVP]

In
Michael said:
Aloha,

I thought I should post a follow-up to my problem. After researching
a bit more, I found that 4.2.2.2 is a global DNS server that accepts
forwarding. Therefore, I tried placing this server at the top of my
forwarding list and the problem has never recurred. I suspect that
one of my ISP's servers was malfunctioning, as originally suggested by
Herb. However, I have not taken the time to confirm that a
malfunctioning DNS server was the problem (not easily done on a
production server). If I can confirm this, I will post a follow-up.

Mahalos,
Michael

That's a server I usually recommend to try.

To test if a server allows forwarding, which I suspect your ISP has
turned off (recursion disabled), you can use DIG. Many ISPs turn that off.
Here's a DIG example:

C:\bind>dig @4.2.2.2 +vc

; <<>> DiG 9.2.2rc1 <<>> @4.2.2.2 +vc
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 9

;; QUESTION SECTION:
;. IN NS
etc...

The thing I'm looking for if it's working is the RD (recursion desired) and
the RA (recursion available) bits.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Herb Martin

Well, you can check pretty easily by using NSLookup (or another tool)
pointed specifically at EACH ISP DNS server.

If you need to check for intermittent functioning you can write a simple
batch file to check, log, sleep, repeat for a while.

What is the status/rules for using 4.2.2.2? Are they welcoming anyone
who needs them?

It's easy to remember and I teach my students to remember SOME server
for occasional TEMPORARY use if they cannot find a DNS server (e.g.,
hotel Internet connection, new installation, etc.)

--
Herb Martin

Michael said:
Aloha,

I thought I should post a follow-up to my problem. After researching
a bit more, I found that 4.2.2.2 is a global DNS server that accepts
forwarding. Therefore, I tried placing this server at the top of my
forwarding list and the problem has never recurred. I suspect that
one of my ISP's servers was malfunctioning, as originally suggested by
Herb. However, I have not taken the time to confirm that a
malfunctioning DNS server was the problem (not easily done on a
production server). If I can confirm this, I will post a follow-up.

Mahalos,
Michael


Jonathan de Boyne Pollard <[email protected]> wrote in message
M> When I do a NSLOOKUP on yahoo.com it fails.

How ?

M> It's almost as if [...]

We cannot diagnose your problem based upon your guess at what is
happening. After all, if your guess were accurate you wouldn't
be here asking for help.

M> When the problem recurs I can provide more details.
M> I will perform a NSlookup and provide you with the results.

That's the sort of stuff that will be useful (although the output
of a tool such as "dig" or "dnsquery" will be less cluttered with
extraneous chaff - and the use of "nslookup" has long since been
deprecated by its author).

M> Is there any other output that you would like to see?

* What the result of that same query, when sent from the machine
running your DNS server to each of the three forwardees at the
time that you are experiencing the problem, is.

* The resource record sets in your DNS server's cache that are
owned by the domain name involved.

* The exact error messages that your SMTP MTA is generating.
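An added example, not code from the thread or from any of its posters: a small Python probe that does what Herb describes (query EACH forwarder from the DNS server itself, then check, log, sleep, repeat) and what Ace describes (look at the RD and RA bits, and fall back to TCP 53 when a reply is larger than 512 bytes). It speaks raw DNS wire format with only the standard library, so the header flags can be read directly instead of parsed out of nslookup's chatter. The addresses in FORWARDERS and the SAMPLE_* replies are constructed placeholders; the query name defaults to yahoo.com because that is the name Michael tested.

```python
import random
import socket
import struct
import time

# Constructed placeholder forwarders; substitute the entries from the server's Forwarders tab.
FORWARDERS = ["192.0.2.10", "192.0.2.11", "4.2.2.2"]
QTYPE_MX = 15

def build_query(name, qtype=QTYPE_MX, txid=None):
    """Return (txid, packet): one question, RD set, no EDNS0, so the 512-byte UDP limit applies."""
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags word: RD only
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return txid, header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(resp):
    """Pull the header fields this thread cares about out of a DNS reply."""
    if len(resp) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),  # this is a response, not an echoed query
        "tc": bool(flags & 0x0200),  # truncated: reply exceeded 512 bytes, retry over TCP 53
        "rd": bool(flags & 0x0100),  # recursion desired (copied from our query)
        "ra": bool(flags & 0x0080),  # recursion available: the server will chase the answer for us
        "rcode": flags & 0x000F,     # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }

def assess(hdr, expected_id):
    """Turn a parsed header into the one-line verdict worth logging for a forwarder."""
    if hdr["id"] != expected_id or not hdr["qr"]:
        return "bogus reply (id/QR mismatch)"
    if not hdr["ra"]:
        return "no recursion offered (RA clear): unusable as a forwarder"
    if hdr["rcode"] in (2, 5):
        return {2: "SERVFAIL", 5: "REFUSED"}[hdr["rcode"]]
    if hdr["tc"]:
        return "truncated (TC set): retry over TCP 53"
    if hdr["rcode"] == 0 and hdr["answers"] > 0:
        return "ok"
    return "rcode %d, %d answers" % (hdr["rcode"], hdr["answers"])

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("forwarder closed the TCP connection early")
        buf += chunk
    return buf

def query(server, name, timeout=5.0):
    """Ask one server over UDP; on a truncated reply retry over TCP, as a resolver (or dig +vc) does."""
    txid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        try:
            resp, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout (no reply within %.0fs)" % timeout
    verdict = assess(parse_header(resp), txid)
    if not verdict.startswith("truncated"):
        return verdict
    with socket.create_connection((server, 53), timeout=timeout) as t:
        t.sendall(struct.pack("!H", len(pkt)) + pkt)  # TCP DNS prefixes a 2-byte length
        (length,) = struct.unpack("!H", _recv_exact(t, 2))
        resp = _recv_exact(t, length)
    return "udp truncated; tcp -> " + assess(parse_header(resp), txid)

def poll(forwarders=FORWARDERS, name="yahoo.com", rounds=6, interval=600, logfile="forwarders.log"):
    """Herb's batch-file loop: check every forwarder, log the verdict, sleep, repeat."""
    for _ in range(rounds):
        for fwd in forwarders:
            try:
                result = query(fwd, name)
            except OSError as exc:
                result = "error: %s" % exc
            line = "%s %s MX %s -> %s" % (time.strftime("%Y-%m-%d %H:%M:%S"), fwd, name, result)
            print(line)
            with open(logfile, "a") as fh:
                fh.write(line + "\n")
        time.sleep(interval)

# Constructed sample replies (not captured from any server in the thread), one per verdict.
SAMPLE_OK = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 3, 0, 0)        # QR RD RA, NOERROR, 3 answers
SAMPLE_NO_RA = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0)     # QR RD, RA clear
SAMPLE_TRUNC = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 2, 0, 0)     # QR TC RD RA
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)  # QR RD RA, rcode 2

if __name__ == "__main__":
    poll(rounds=1, interval=0)
```

Run it on the DNS server itself, as Herb advises, so that ISA filtering of other clients does not muddy the result, and leave it looping across the window in which the outbound queue normally starts to back up. A forwarder that logs "no recursion offered" is one the ISP has closed to recursive clients and will never work as a forwarder; one that alternates between "ok" and "timeout" is the flaky server Herb suspected; "truncated ... tcp -> ok" means the UDP answer was over 512 bytes and TCP 53 is open, while a TCP error at that point is the firewall problem Ace describes.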
 
