DNS resolution for external address appends local DNS suffix (Ping and NSlookup)
I am having an issue at several client sites. The symptoms appear to be identical, even though the environments vary significantly.

Environment(s): Server 2003 or 2008 (both Standard and SBS) with AD/DNS/DHCP installed. DNS is configured to use root hints and has the local domains defined in both the forward and reverse lookup zones. Various firewalls are in place (Cisco ASA 5505, Sidewinder 410, SnapGear). The ISP for each client experiencing the issue is different (Frontier.net, Comcast, Utility Telephone). Windows updates are current, including the latest root hint updates.

From a workstation or the server, a resolution is attempted for an external address. These addresses specifically have their DNS hosted on NS01 (or NS02).sacramento.ca.gov, and the problem only occurs when querying against those two name servers. When a request is made for any domain on those name servers we get a timeout/cannot resolve:

    ping www.cityofsacramento.org
    Ping request could not find host www.cityofsacramento.org. Please check the name and try again.

Utilizing NSLookup we get a "DNS request timed out" (copy/paste below). I have contacted the DNS manager at the relevant name servers, ensured that none of our requesting IP addresses are blocked, and had him do a trace of the problem as it was occurring. What we found is that when the DNS request arrives at their DNS server (via root hints), the internal domain name of the requesting client is appended to the DNS request. E.g. looking up www.cityofsacramento.org from the internal domain of caladmanagement.local looks like:

    (3)www(16)cityofsacramento(3)org(15)CALADMANAGEMENT(5)local(0)

We have a workaround for the moment of implementing a forwarder to either the local ISP DNS server or one of the various public ones (4.2.2.2, 4.3.3.3, or 75.75.75.75), but prefer to utilize root hints for any domains that are not local.

We have explored several settings on the network cards of the workstations, the server, and the DNS server settings themselves, to no avail. The NIC settings that were adjusted were the DNS append settings under the network card configuration (TCP/IP configuration, Advanced, DNS), but we have not found anything that changed the test results. We have also utilized NSLookup to attach directly to the name servers, with the same result:

    C:\Users\rap>nslookup
    Default Server:  camsdc.caladmanagement.local
    Address:  192.168.1.10

    > server ns01.sacramento.ca.gov
    DNS request timed out.
        timeout was 2 seconds.
    Default Server:  ns01.sacramento.ca.gov
    Address:  208.87.81.11

    > www.cityofsacramento.org
    Server:  ns01.sacramento.ca.gov
    Address:  208.87.81.11

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Request to ns01.sacramento.ca.gov timed-out
    >

I look forward to any suggestions.

Thank you,
Rich
May 4th, 2011 6:51pm

Hi,

I have tried the DNS server 208.87.81.11 from my client, and it works fine. I do not think the issue is caused by the suffix that the client added automatically. I think you may need to verify whether the DNS reply message from the DNS server 208.87.81.11 reached your client or was blocked by firewalls. Or please verify whether the DNS server 208.87.81.11 can reach the root-hints servers.

If you want to get rid of the suffix appended to the FQDN www.cityofsacramento.org, you can typically run "ping www.cityofsacramento.org." instead of "ping www.cityofsacramento.org". The dot (.) appended to the FQDN prevents the client from adding the suffix automatically. You can try that and check the result.

Finally, I am putting my name resolution test result against the server 208.87.81.11 below:

    > www.cityofsacramento.org
    Server:  [208.87.81.11]
    Address:  208.87.81.11

    Name:    ewcityweb01.cityofsacramento.org
    Address:  208.87.81.165
    Aliases:  www.cityofsacramento.org

    > www.microsoft.com.
    Server:  [208.87.81.11]
    Address:  208.87.81.11

    Non-authoritative answer:
    Name:    lb1.www.ms.akadns.net
    Address:  207.46.19.254
    Aliases:  www.microsoft.com
              toggle.www.ms.akadns.net
              g.www.ms.akadns.net

God Bless!
May 5th, 2011 12:52am
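As an added example (not code from either poster, and not Windows's actual resolver), the following Python reconstructs what the two posts above are describing on the wire: it encodes a name into RFC 1035 QNAME format, prints it in the (length)label notation the remote DNS admin quoted in the first post, builds and parses a minimal query packet, and models the trailing-dot rule from the reply (a name ending in "." is sent as typed; an unqualified name gets the DNS suffix search list appended). The `candidate_names` search-list model is a simplification and an assumption; the real Windows order depends on the label count and the NIC "append" settings. All sample names are the ones from the thread.

```python
"""Added example: DNS wire-format QNAME handling and a simplified model of
stub-resolver DNS-suffix appending. Not code from the thread's posters or
from Windows; the search-list model below is an assumption."""
from __future__ import annotations

import struct


def encode_qname(name: str) -> bytes:
    """Encode a domain name as an uncompressed RFC 1035 QNAME (length-prefixed labels, root terminator)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # zero-length root label ends the name
    return bytes(out)


def decode_qname(data: bytes, offset: int = 0) -> tuple[str, int]:
    """Decode an uncompressed QNAME at `offset`; returns (absolute name, offset just past it)."""
    labels: list[str] = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:  # 11xxxxxx = compression pointer; never appears in a question name
            raise ValueError("compression pointers not handled in this example")
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", offset


def label_notation(wire: bytes) -> str:
    """Render a wire-format name in the (len)label...(0) style quoted from the remote admin's trace."""
    parts = []
    offset = 0
    while True:
        length = wire[offset]
        offset += 1
        if length == 0:
            parts.append("(0)")
            return "".join(parts)
        parts.append(f"({length}){wire[offset:offset + length].decode('ascii')}")
        offset += length


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: 12-byte header (RD set, QDCOUNT=1) + one IN-class question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_question(packet: bytes) -> tuple[str, int, int]:
    """Return (qname, qtype, qclass) from the first question of a DNS packet."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount < 1:
        raise ValueError("packet has no question section")
    qname, offset = decode_qname(packet, 12)
    qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
    return qname, qtype, qclass


def candidate_names(typed: str, search_list: list[str]) -> list[str]:
    """Simplified model (an assumption, not Windows's exact algorithm) of the
    names a stub resolver sends for what was typed at the prompt.

    A name ending in '.' is fully qualified and is the only candidate.
    Otherwise the name is tried as typed, then with each suffix appended."""
    if typed.endswith("."):
        return [typed]
    return [typed + "."] + [f"{typed}.{s.strip('.')}." for s in search_list]


if __name__ == "__main__":
    suffix = "caladmanagement.local"  # internal domain from the original post
    for typed in ("www.cityofsacramento.org", "www.cityofsacramento.org."):
        print(f"typed {typed!r}:")
        for name in candidate_names(typed, [suffix]):
            print(f"  {name:50s} {label_notation(encode_qname(name))}")
    print("question in packet:", parse_question(build_query("www.cityofsacramento.org.")))
```

Run it and compare the second candidate for the undotted name with the string in the first post; with the trailing dot only the unsuffixed name is produced, which is the behaviour the reply relies on. Whether the suffixed query is what actually reaches ns01.sacramento.ca.gov in the poster's environment is something only a capture at the border firewall can settle.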

We did try adding the "." to the end of our ping requests and it did not appear to make any difference. According to the remote DNS admin, the request is coming in with the local DNS suffix attached to the request, and their DNS server obviously does not host the local internal domain. We have been able to get successful tests on other client sites with what appears to be the same type of configuration against those particular DNS servers. We are also able to resolve against any other DNS server on the internet (so far). I don't have the log with me at the moment, but the response was a Servfail. The clients' local firewalls are disabled and the border firewalls have been checked, so I cannot find anything that would be blocking the return packets. Would it be helpful if I posted the DNS Debug log from the local DNS server?

The answer is 42. What was the question?
May 5th, 2011 11:55am
