Win2K DNS cannot query BIND 9

I'm running my authoritative non-recursive DNS on BIND 9 with a secondary on
DJBDNS. One of our customers, who uses Windows 2000 for their DNS, cannot
query any of our domains. I can see the queries coming into the firewall and
I can see the queries logged in the BIND server's messages log, but they say
they just get a timeout.

If I use nslookup to their server, I also get a timeout when I query any of
my zones. They used to work just fine and then "all of a sudden" it stopped
working in early November. They found some problem in their configuration
and it started working again. It worked for two weeks and then stopped
working a month ago. Of course, we're both claiming nothing has changed on
either side. <sigh>

Oddly, when they try to query my secondary, which belongs to my ISP, they
also get a timeout.
www.dnsreport.com and www.dnsstuff.com both show my DNS servers as fine.

If anyone has any guesses, I'd sure appreciate hearing them.

Thanks,

Ray
 
Kevin D. Goodknecht Sr. [MVP] wrote:

So are you saying the Windows DNS cannot get an answer to a referral to your
DNS?
Or are you saying when queried directly?
It may be understandable if your DNS is being queried directly since you
have recursion disabled, but I would have to see the 'nslookup -d2' results.
 
Ray wrote:

Hi Kevin,

Thanks for the quick reply. I didn't know about that option; I was using
"dig" from a Linux box on a cable modem connection from the Internet side.

The problem is when they query me directly for zones that the server is
authoritative for.

Thanks,

Ray
 
Kevin D. Goodknecht Sr. [MVP] wrote:

Without a domain name, I can only make a blind guess.
 
Ray wrote:

I sent you an email a few hours ago because I didn't want to post the domain
name publicly.

Ray
 
Ace Fekay [MVP] wrote:

Do you have both UDP and TCP 53 opened to the server?

If you try nslookup with the vc option:
nslookup -vc

Does it work? That forces TCP. If that works, then it's implying UDP 53 is
blocked.

Ace

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Windows Server Directory Services
Microsoft Certified Trainer

Ray wrote:

Hi Ace,

All of their queries are UDP. I am seeing their queries in the messages log
on the DNS servers. I even opened service-any from their DNS servers and it
still doesn't work.

I even ran Mice and Men's DNS Expert Pro against my servers from the
Internet side and it reported zero errors.

It's got to be them.

Thanks,

Ray

Kevin D. Goodknecht Sr. [MVP] wrote:

I'm still unable to make a TCP query to your DNS servers. By default the
SMTP service will use TCP to query DNS servers:
http://support.microsoft.com/kb/263237/en-us
 
Ray wrote:

Hi Kevin,

Interesting article, thanks (again). It will work now.

I added those other zones as you suggested, but their servers still don't
work to us.

Ray
 
Kevin D. Goodknecht Sr. [MVP] wrote:

At this point I can't be sure the problem is not with beartech.net's DNS
servers.
I can make TCP queries to yours now. All the DNS servers I manage, some
Windows 2000, some Windows Server 2003, can resolve all records from your
domain.
But the ISP DNS at beartech.net (all three) can only return the NS records
for your domain. The fact that they can return NS records but no MX, SOA, A,
or TXT records, for your domain name is interesting to say the least. I know
all of these exist and are returned for your domain name from any other DNS
I can find.
The only A records I can get from their DNS for your domain are the ones for
the NS records.
I would like to know what is blocking their DNS from resolving these records
from your domain. It kind of makes me wonder if their firewall (assuming
they have one) is not causing this.
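The two checks the thread converges on, Ace's UDP-versus-TCP question and Kevin's observation that one set of resolvers hands back only NS records while MX, SOA, A and TXT never arrive, can be run from the client side in one pass with the probe below. This is an added example, not code from this thread or from any of the posters: it uses only the Python standard library, builds and parses the DNS wire format itself (RFC 1035 header and question, two-byte length prefix on TCP), and sends every record type over both UDP 53 and TCP 53 to one server. The server address and zone name are command-line placeholders, not the domain discussed above.

```python
# Added example, not code from the thread. Stand-alone DNS probe that sends the
# same question over UDP 53 and TCP 53 for several record types and reports what
# each transport returns. Standard library only; server and zone are placeholders.
import random
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, qtype, txid=None, rd=False):
    """Build a single-question DNS query (RFC 1035 section 4.1).
    rd=False sends no recursion-desired flag, which is how a resolver
    talks to an authoritative, non-recursive server."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100 if rd else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)


def parse_header(resp, expected_txid=None):
    """Decode the 12-byte response header into the fields worth checking."""
    if len(resp) < 12:
        raise ValueError("short DNS response (%d bytes)" % len(resp))
    txid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch: stray or forged reply")
    return {
        "txid": txid,
        "qr": bool(flags & 0x8000),  # this is a response
        "aa": bool(flags & 0x0400),  # authoritative answer
        "tc": bool(flags & 0x0200),  # truncated: client must retry over TCP
        "ra": bool(flags & 0x0080),  # server offers recursion
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ancount": an, "nscount": ns, "arcount": ar,
    }


def query_udp(server, pkt, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(4096)
    return data


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_tcp(server, pkt, timeout=3.0):
    # DNS over TCP (RFC 1035 section 4.2.2) prefixes each message with a
    # two-byte big-endian length field.
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(pkt)) + pkt)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def probe(server, name, qtypes=tuple(QTYPES), transports=None):
    """Query every (record type, transport) pair and summarise each result.
    A timeout or reset shows up as FAIL, so a transport that a firewall
    drops stands out next to the one that works. `transports` can be
    replaced with fake senders for offline testing."""
    if transports is None:
        transports = (("udp", query_udp), ("tcp", query_tcp))
    results = {}
    for qtype in qtypes:
        for label, send in transports:
            txid = random.randrange(0, 0x10000)
            try:
                h = parse_header(send(server, build_query(name, qtype, txid)), txid)
                results[(qtype, label)] = "%s aa=%d tc=%d answers=%d" % (
                    h["rcode"], h["aa"], h["tc"], h["ancount"])
            except (OSError, ValueError) as exc:  # socket.timeout is an OSError
                results[(qtype, label)] = "FAIL: %s" % exc.__class__.__name__
    return results


if __name__ == "__main__":
    import sys
    # usage: python dnsprobe.py <server-ip> <zone>   (placeholders, not the thread's)
    srv, zone = sys.argv[1], sys.argv[2]
    for (qtype, label), summary in sorted(probe(srv, zone).items()):
        print("%-4s %-3s %s" % (qtype, label, summary))
```

Run it from the network that cannot resolve, not from a third party: a server that logs the query while the client times out means the request arrives and the reply is lost on the way back, and that only shows up from the client's side. A row that answers over UDP but fails over TCP points at TCP 53 being filtered, which is exactly what breaks a Windows SMTP service that queries DNS over TCP (the KB article Kevin linked); a tc=1 on the UDP row with a TCP failure means any answer too large for UDP will never be delivered. The transaction-ID check is there because a stray or forged reply would otherwise be reported as a valid answer.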
 
Ray wrote:

Thanks, Kevin, that's the assumption I have as well. They have not responded
to my queries ever since I pointed out that all external tests of my systems
seemed to show we were OK.

Ray
 
