DNS lookup fails with Event 5501
Hi,
occasionally a DNS server installed on 2008 R2 cannot resolve a client request. The Event log lists Event ID 5501, source DNS-Server-Service. Another server (based on 2003 R2) can resolve the same request just fine.
The 2008 server is configured with root hints only, no forwarders.
Can this be a problem related to DNSSEC and its larger than expected response packets? The server has no DNSSEC anchors configured since the function in 2008 R2 is not usable anyway.
Can anyone help?
Regards, AngusMac
July 17th, 2011 10:34am
Hello,
Start with this: http://technet.microsoft.com/en-us/library/ee783616(WS.10).aspx
It is mentioned that this is a normal condition. If you suspect that it is DNSSEC then disable it and check again.
July 17th, 2011 5:48pm
Yes, this is the event I'm seeing. Where would you want me to start from that page?
And no, this is most certainly _not_ a normal condition: Client requests for addresses fail, while they are resolved perfectly well by other DNS servers.
Finally: As I already stated, no DNSSEC anchors are configured on the server in question. How would you want me to further disable DNSSEC?
Regards, AngusMac
July 18th, 2011 8:00am
Hi AngusMac,
Thanks for posting here.
I’d just like to confirm: if you have added a local DNS zone on that server, will it be properly resolved by clients as well, or is the server just unable to resolve any external domain? This will help us determine whether this is a DNS function or an Internet connectivity issue.
Meanwhile, I’d rather suspect this is related to EDNS0. You might try to disable it on this Windows Server 2008 and see if the issue persists; the article below should also work with Windows Server 2008:
DNS query responses do not travel through a firewall in Windows Server 2003
http://support.microsoft.com/kb/828263
Have you also modified any system settings before this issue occurred?
Regards,
Tiger Li
July 18th, 2011 10:58pm
Hi AngusMac,
If there is any update on this issue, please feel free to let us know.
We are looking forward to your reply.
Regards,
Tiger Li
July 20th, 2011 7:34am
Hi,
thank you for your answer.
I tried to disable EDNS (command "dnscmd <ServerName> /Config /EnableEDnsProbes 0"), then restarted the DNS service. The problem still persists.
The issue comes and goes, for example a few days ago I saw the problem with "www.tomshardware.de", today this address is being resolved just fine. Just now I have the problem with "www.ciprico.com", which once more is being resolved fine by a 2003 R2 server, but not on the 2008 R2 server. (The two servers are on different networks, though.)
Actually, I'm not at all convinced that the problem lies with the server. Could anybody perhaps take a look at the DNS records of the two addresses I named and look for something they might have in common, as opposed to the majority of other DNS records that work fine on both my machines?
Regards, AngusMac
July 21st, 2011 4:58pm
I forgot to add: Neither of the servers has been set up within the last half year, both are working productively with generally good results (meaning it's the rare exception when an address happens to be unresolvable) and the problem on the 2008 R2 server has been seen on and off for many months. There are no dedicated firewalls involved, but each network is connected via a consumer-grade DSL router. I haven't noticed any other interference by the router yet, though.
Regards, AngusMac
July 21st, 2011 5:02pm
I did some further testing. The problem seems to be connected with the DSL router, but I don't see in which way.
First test: Ask a root server directly:
D:\TMP\DNS>dig @198.41.0.4 www.ciprico.com any
; <<>> DiG 9.7.1-P2 <<>> @198.41.0.4 www.ciprico.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3978
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 14
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;www.ciprico.com. IN ANY
;; AUTHORITY SECTION:
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
;; ADDITIONAL SECTION:
a.gtld-servers.net. 172800 IN A 192.5.6.30
a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30
b.gtld-servers.net. 172800 IN A 192.33.14.30
b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30
c.gtld-servers.net. 172800 IN A 192.26.92.30
d.gtld-servers.net. 172800 IN A 192.31.80.30
e.gtld-servers.net. 172800 IN A 192.12.94.30
f.gtld-servers.net. 172800 IN A 192.35.51.30
g.gtld-servers.net. 172800 IN A 192.42.93.30
h.gtld-servers.net. 172800 IN A 192.54.112.30
i.gtld-servers.net. 172800 IN A 192.43.172.30
j.gtld-servers.net. 172800 IN A 192.48.79.30
k.gtld-servers.net. 172800 IN A 192.52.178.30
l.gtld-servers.net. 172800 IN A 192.41.162.30
;; Query time: 75 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Thu Jul 21 23:12:18 2011
;; MSG SIZE rcvd: 505
Fine.
Second test: Ask my local DNS server:
D:\TMP\DNS>dig www.ciprico.com any
; <<>> DiG 9.7.1-P2 <<>> www.ciprico.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4720
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ciprico.com. IN ANY
;; AUTHORITY SECTION:
ciprico.com. 300 IN SOA authns2.qwest.net. dns-admin.qwestip.net. 2010110200 10800 3600 604800 300
;; Query time: 146 msec
;; SERVER: 10.1.1.3#53(10.1.1.3)
;; WHEN: Thu Jul 21 23:12:39 2011
;; MSG SIZE rcvd: 104
Not fine. To be honest, I don't know what to make of that, or even why it may be different from the result of the first test.
Third test: Ask the router (it includes a DNS forwarder, but, as stated before, my DNS server asks the root servers directly without forwarding to the router):
D:\TMP\DNS>dig @10.1.1.254 www.ciprico.com any
; <<>> DiG 9.7.1-P2 <<>> @10.1.1.254 www.ciprico.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51867
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;www.ciprico.com. IN ANY
;; AUTHORITY SECTION:
ciprico.com. 299 IN SOA authns2.qwest.net. dns-admin.qwestip.net. 2010110200 10800 3600 604800 300
;; Query time: 1165 msec
;; SERVER: 10.1.1.254#53(10.1.1.254)
;; WHEN: Thu Jul 21 23:14:24 2011
;; MSG SIZE rcvd: 104
Same (non-helpful) result.
Any ideas?
Let me be very clear: The router is NOT specified at the server as a forwarder. It should play no part in DNS resolution whatsoever.
Regards, AngusMac
July 21st, 2011 5:56pm
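Added example, not part of any post in this thread: a small Python probe that sends the same query with and without an EDNS0 OPT record and classifies the reply header the way dig reports it, so the EDNS0 suspicion raised above can be checked per resolver. The function names (build_query, parse_header, classify, probe) and the 4096-byte payload size are assumptions of this example; the sample header is constructed from the values in the second dig run.

```python
import socket
import struct

QTYPE_ANY, QTYPE_OPT, CLASS_IN = 255, 41, 1

def build_query(name, qtype=QTYPE_ANY, edns_payload=None, txid=0x1234):
    """Build a DNS query; if edns_payload is set, append an EDNS0 OPT record."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, CLASS_IN)
    if edns_payload:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_payload, 0, 0)
    return msg

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields dig prints."""
    if len(msg) < 12:
        raise ValueError("short DNS message (%d bytes)" % len(msg))
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "answer": an, "authority": ns, "additional": ar}

def classify(hdr):
    """Name the outcome so replies from two resolvers can be compared."""
    if hdr["tc"]:
        return "truncated"  # reply did not fit in UDP; a TCP retry is expected
    if hdr["rcode"] == 3:
        return "nxdomain"
    if hdr["rcode"] == 0 and hdr["answer"] == 0 and hdr["authority"] > 0:
        return "referral-or-nodata"
    return "answer" if hdr["rcode"] == 0 else "error-rcode-%d" % hdr["rcode"]

def probe(server, name, edns_payload=None, timeout=3.0):
    """Send one UDP query and classify the reply; 'timeout' if nothing returns."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, edns_payload=edns_payload), (server, 53))
        try:
            return classify(parse_header(s.recvfrom(4096)[0]))
        except socket.timeout:
            return "timeout"

# Constructed header matching the second dig run (id 4720, qr rd ra, NXDOMAIN).
SAMPLE_NXDOMAIN = struct.pack("!HHHHHH", 4720, 0x8183, 1, 0, 1, 0)
```

Calling probe("10.1.1.3", "www.ciprico.com") and probe("10.1.1.3", "www.ciprico.com", edns_payload=4096) against each resolver shows whether the result changes only when the OPT record is present.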
Apparently, there are two problems.
1. Clients are unable to resolve names on one server. It is using Root Hints.
- If intermittent, verify the TTL for the record has not expired. Check the server for the record and check the properties.
- If consistent, verify that you are able to resolve the name at the server. Use NSLookup.
2. You are getting Event ID 5501. This could be related to EDNS and the DNS servers at the domain in question (aka Akamai's servers for Yahoo.com).
- This can be ignored if they're not excessive.
- You can test by removing EDNS on Server 2008.
--
If the problem occurs with just one domain, please share the domain FQDN.
Ketan Thakkar | Microsoft Online Community Support
July 29th, 2011 7:18am


