DNS recursion and Windows Updates

Hello.

I have a scenario on my environment of 2 Internal AD DNS servers and 2 external Windows 2012 DNS servers. I disabled recursion on my external DNS servers for security reasons but now the servers are not able to do windows updates because they cannot resolve external names.
Is there a way to solve this problem without having to re-enable recursion every time I need to do a Windows update or adding the Microsoft servers to the hosts file?
Thanks in advance for your help!

Cheers!

August 31st, 2015 3:10pm

Hi Roeseler,

According to your description, you assume that we may add the Microsoft servers records to the host file, in order to perform windows update, because you have disabled recursion on the external DNS server.

As far as I know, the IP address for windows update web site constantly changes and it is not a fixed address. It may be difficult to achieve the goal.

When recursion is disabled, the DNS server will use root hints to resolve names. However, since the external DNS server couldn't resolve names after disabling recursion, we may check if the root hints are correct on the server.

Best regards,

Anne He

September 1st, 2015 3:19am

Hi Anne.

Thanks for the feedback. Root hints are working, as you can see from the nslookup, but I don't get an answer.

nslookup microsoft.com
Server:  our_dns_server
Address:  xxx.xxx.xxx.xxx

Name:    microsoft.com
Served by:
- ns4.msft.net
          208.76.45.53
          2620:0:37::53
          microsoft.com
- ns3.msft.net
          193.221.113.53
          2620:0:34::53
          microsoft.com
- ns2.msft.net
          208.84.2.53
          2620:0:32::53
          microsoft.com
- ns1.msft.net
          208.84.0.53
          2620:0:30::53
          microsoft.com

I'm guessing this has something to do with DNSSEC and some firewall is rejecting the packets...

This thread covers the same issue: https://social.technet.microsoft.com/forums/windowsserver/en-US/89f21534-4f5a-4a9e-9c7d-29db755a20dd/dns-resolution-using-root-hints-does-not-work

I'm just not sure how to test it without installing dig on the server; in our firewall I don't see any drops but there is another firewall before we reach the Internet so I have to check with the admins.

regards,

roeseler

September 2nd, 2015 9:11am

Hi Roeseler,

It may be possible that the issue is associated with DNSSEC: the firewall blocks messages larger than 512 bytes. You may contact the firewall admin to check for it.

Besides, we may check the WindowsUpdate log file to analyze the update issue, file path: C:\windows. After opening the update file, we may click Windows Update manually, then the file will record the process. At the bottom of the file, we may find an exit code, and find the update website domain name above it. We may check the exit code and resolve the domain name on the DNS server, to verify if the Windows update fails due to a DNS issue.

best regards,

Anne He

September 8th, 2015 3:29am
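An added example, not part of the thread or Microsoft's guidance, for the "how do I test this without installing dig" question above and the large-packet theory in the reply: it uses only the built-in DnsServer and DnsClient cmdlets of Windows Server 2012 to compare a small root query with a large DNSSEC one against the server's own root hints. Assumptions: both modules are installed on the DNS server, and 198.41.0.4 (a.root-servers.net) is used only as a fallback when no root hints are configured.

```powershell
# Added example (not from the thread): probe the root-hints path from a
# Windows Server 2012 DNS server with built-in cmdlets, no dig required.
Import-Module DnsServer
Import-Module DnsClient

function Get-RootHintAddresses {
    # IPv4 addresses of the root servers configured on this DNS server.
    $hints = Get-DnsServerRootHint |
        Where-Object { $_.IPAddress.RecordType -eq 'A' } |
        ForEach-Object { $_.IPAddress.RecordData.IPv4Address.IPAddressToString }
    if (-not $hints) { $hints = @('198.41.0.4') }  # assumption: a.root-servers.net fallback
    return $hints
}

function Test-RootServerPath {
    param([string]$Root)
    # Small query: the root SOA easily fits in a 512-byte UDP reply.
    $small = Resolve-DnsName -Name '.' -Type SOA -Server $Root -DnsOnly `
        -NoRecursion -QuickTimeout -ErrorAction SilentlyContinue
    # Large query: root DNSKEY with the DO bit set is well over 512 bytes.
    # Small OK but large failing points at a device dropping big EDNS0/DNSSEC
    # replies on the path, which is the firewall theory raised in the thread.
    $large = Resolve-DnsName -Name '.' -Type DNSKEY -Server $Root -DnsOnly `
        -DnssecOk -NoRecursion -QuickTimeout -ErrorAction SilentlyContinue
    if ($small -and -not $large) { $diag = 'Large DNS replies blocked on path' }
    elseif (-not $small)         { $diag = 'Root server unreachable (UDP/53 filtered?)' }
    else                         { $diag = 'OK' }
    [pscustomobject]@{
        RootServer = $Root
        SmallReply = [bool]$small
        LargeReply = [bool]$large
        Diagnosis  = $diag
    }
}

# Recursion state of the DNS server service. Note this governs answers to
# clients querying the service; the server's own lookups (Windows Update
# included) follow the NIC's DNS client settings shown on the next line.
Get-DnsServerRecursion | Select-Object Enable, SecureResponse
Get-DnsClientServerAddress -AddressFamily IPv4 | Select-Object InterfaceAlias, ServerAddresses

Get-RootHintAddresses | Select-Object -First 3 |
    ForEach-Object { Test-RootServerPath -Root $_ } | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the external DNS server; a consistent "Large DNS replies blocked on path" across several root servers is the evidence to hand to the upstream firewall admins.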
