outbound resolution fails

James

Ok, periodically our internet stops working. If I try running an nslookup
for an external site, it times out. We have our DNS set up to use your ISP
DNS servers as forwarders. If I stop and restart the DNS service, all of
a sudden nslookups go through ok, and the internet works once again. No
errors are logged. Any idea why this would happen?

Thanks,
 
Kevin D. Goodknecht Sr. [MVP]

James said:
Ok, periodically our internet stops working. If I try running an
nslookup for an external site, it times out. We have our DNS set up
to use your ISP DNS servers as forwarders. If I stop and restart the
DNS service, all of a sudden nslookups go through ok, and the
internet works once again. No errors are logged. Any idea why this
would happen?

This sounds suspiciously like DNS cache pollution.

How to prevent DNS cache pollution
http://support.microsoft.com/kb/241352/en-us
 
James

Interesting, but we have Windows 2000 Service Pack 4, and it is set up to
secure against pollution already...

Would there be any harm in creating a script to stop and restart the DNS
service on a nightly basis until we can fully resolve this issue?
 
Kevin D. Goodknecht Sr. [MVP]

James said:
Interesting, but we have Windows 2000 Service Pack 4, and it is set up
to secure against pollution already...

Would there be any harm in creating a script to stop and restart the
DNS service on a nightly basis until we can fully resolve this issue?

It wouldn't do any harm; it would basically clear the DNS server cache
nightly, but then the maximum cached TTL is 1 day on MS DNS, so it wouldn't
really save that much.
How many and what forwarders are you using?
Does the Root Hints tab only list the 13 ICANN roots?
Are they all resolved to the correct IP addresses?
A.ROOT-SERVERS.NET. 206376 IN A 198.41.0.4
B.ROOT-SERVERS.NET. 206376 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 206376 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 206376 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 206376 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 206376 IN A 192.5.5.241
G.ROOT-SERVERS.NET. 206376 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 206376 IN A 128.63.2.53
I.ROOT-SERVERS.NET. 206376 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 206376 IN A 192.58.128.30
K.ROOT-SERVERS.NET. 206376 IN A 193.0.14.129
L.ROOT-SERVERS.NET. 206376 IN A 198.32.64.12
M.ROOT-SERVERS.NET. 206376 IN A 202.12.27.33
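Kevin's two checks above (only the 13 ICANN roots are listed, and each resolves to the right address) can be scripted. The following is an added example and not code from the thread: it parses the zone-style records he posted and compares them with the names and addresses a Root Hints tab shows. The tab contents are a constructed sample, and the root addresses are the ones quoted in the post, which may have changed since.

```python
import re
# The 13 root zone A records quoted in the thread (copied here for the example).
REFERENCE_HINTS = """\
A.ROOT-SERVERS.NET. 206376 IN A 198.41.0.4
B.ROOT-SERVERS.NET. 206376 IN A 192.228.79.201
C.ROOT-SERVERS.NET. 206376 IN A 192.33.4.12
D.ROOT-SERVERS.NET. 206376 IN A 128.8.10.90
E.ROOT-SERVERS.NET. 206376 IN A 192.203.230.10
F.ROOT-SERVERS.NET. 206376 IN A 192.5.5.241
G.ROOT-SERVERS.NET. 206376 IN A 192.112.36.4
H.ROOT-SERVERS.NET. 206376 IN A 128.63.2.53
I.ROOT-SERVERS.NET. 206376 IN A 192.36.148.17
J.ROOT-SERVERS.NET. 206376 IN A 192.58.128.30
K.ROOT-SERVERS.NET. 206376 IN A 193.0.14.129
L.ROOT-SERVERS.NET. 206376 IN A 198.32.64.12
M.ROOT-SERVERS.NET. 206376 IN A 202.12.27.33
"""
RR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+A\s+(\d{1,3}(?:\.\d{1,3}){3})$")  # name ttl IN A ip

def normalize(name):
    """The GUI shows 'a.root-servers.net', zone data 'A.ROOT-SERVERS.NET.'; unify both."""
    return name.strip().rstrip(".").upper()

def parse_root_hints(text):
    """Parse zone-style A records into {NAME: ip}; any other non-blank line is an error."""
    hints = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = RR_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unexpected root hint line: {line!r}")
        hints[normalize(m.group(1))] = m.group(2)
    return hints

def audit_root_hints(configured, reference):
    """Compare (name, ip) pairs from the Root Hints tab against the root zone records."""
    seen = {normalize(n): ip for n, ip in configured}
    return {
        "stale": sorted(n for n, ip in seen.items() if n in reference and ip != reference[n]),
        "missing": sorted(n for n in reference if n not in seen),
        "extra": sorted(n for n in seen if n not in reference),
    }

REFERENCE = parse_root_hints(REFERENCE_HINTS)
# Constructed sample Root Hints tab: M missing, B at a stale address (TEST-NET
# placeholder) and a hand-added server that is not an ICANN root.
SAMPLE_TAB = [(n.lower(), ip) for n, ip in REFERENCE.items() if n != "M.ROOT-SERVERS.NET"]
SAMPLE_TAB[1] = ("b.root-servers.net.", "192.0.2.1")
SAMPLE_TAB.append(("ns.example.net", "192.0.2.53"))
```

Running `audit_root_hints(SAMPLE_TAB, REFERENCE)` on the sample reports B as stale, M as missing and ns.example.net as an extra entry that should not be on the tab.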
 
James

We have 2 of our ISP forwarders in place.
Yes, those are the root hints I see, but the "206376 IN A" part does not
show up, just the %.root-servers.net and the IP address.
I'm not really sure how to use the root hints either; if I remove our ISP
forwarders, external name resolution fails. Is there something I have to do
to get the root hints working?
 
Kevin D. Goodknecht Sr. [MVP]

James said:
We have 2 of our ISP forwarders in place.
Yes, those are the root hints I see, but the "206376 IN A" part
does not show up, just the %.root-servers.net and the IP address.
The root hints would show that part; I downloaded these directly from
A.ROOT-SERVERS.NET., which is the Start of Authority (master) for the ICANN
root.
I'm not really sure how to use the root hints either; if I remove our
ISP forwarders, external name resolution fails. Is there something I
have to do to get the root hints working?

Make sure "Do not use recursion" is NOT checked on the Forwarders tab. Other
than that, make sure your firewall rules allow port 53 UDP & TCP to any
address on the internet. Believe it or not, a DNS server that uses root
hints is more difficult to hijack, because when using root hints it goes
directly to the authoritative DNS to resolve names; if you use a forwarder,
someone can hijack the cache in the forwarder, which will send the hijacked
record to you.
 
James

So all I should have to do is make sure "Do not use recursion" under Forwarders
is unchecked, remove all forwarders, and make sure port 53 is open, and I
should be good?

Strangely enough, that doesn't seem to do it...
 
Kevin D. Goodknecht Sr. [MVP]

James said:
So all I should have to do is make sure "Do not use recursion" under
Forwarders is unchecked, remove all forwarders, and make sure port 53
is open, and I should be good?

Strangely enough, that doesn't seem to do it...

You have to make sure that your DNS is capable of connecting to any
authoritative DNS server for root hints to work. If your forwarder fails,
then your DNS can still resolve names. If you disable the ability for your
DNS to use root hints when the forwarder fails, resolution will fail.
If you use a forwarder, make sure that forwarder can do recursive lookups
for you. Also, make sure that forwarder is one you can trust.
 
