DNS resolution for external address appends local DNS suffix (Ping and NSlookup)
I am having an issue at several client sites. The symptoms appear to be identical, even though the environments vary significantly.
Environment(s):
Server (2003 or 2008 (both Standard and SBS)) with AD/DNS/DHCP installed. DNS is configured to use root hints and has the local domains defined in both the forward and reverse lookup zones. Various firewalls are in place (Cisco ASA 5505, Sidewinder 410, SnapGear). The ISP for each client experiencing the issue is different (Frontier.net, Comcast, Utility Telephone). Windows updates are current, including the latest root hint updates.
From a workstation or the server, a resolution is attempted for an external address. These addresses specifically have their DNS hosted on NS01 (or NS02).sacramento.ca.gov, and the problem only occurs when querying against those two name servers. When a request is made for any domain on those name servers we get a timeout/cannot resolve:
"ping www.cityofsacramento.org> Ping request could not find host www.cityofsacramento.org. Please check the name and try again."
Utilizing NSLookup we get a "DNS request timed out" (copy/pasta below).
I have contacted the DNS manager at the relevant name servers and ensured that none of our requesting IP addresses are blocked, and had him do a trace of the problem as it was occurring. What we found is that when the DNS request arrives at their DNS server (via root hints), the DNS request has the internal domain name of the requesting client appended to it. E.g. looking up www.cityofsacramento.org from the internal domain of caladmanagement.local looks like: (3)www(16)cityofsacramento(3)org(15)CALADMANAGEMENT(5)local(0).
We have a workaround for the moment of implementing a forwarder to either the local ISP DNS server or one of the various public ones (4.2.2.2, 4.3.3.3, or 75.75.75.75), but we prefer to utilize root hints for any domains that are not local. We have explored several settings on the network cards of the workstations, the server, and the DNS server settings themselves, to no avail. The NIC settings that were adjusted were the DNS append settings under the network card configuration, TCP/IP configuration, Advanced - DNS, but we have not found anything that changed the test results. We have also utilized NSLookup to attach directly to the name servers, with the same result.
C:\Users\rap>nslookup
Default Server: camsdc.caladmanagement.local
Address: 192.168.1.10
> server ns01.sacramento.ca.gov
DNS request timed out.
timeout was 2 seconds.
Default Server: ns01.sacramento.ca.gov
Address: 208.87.81.11
> www.cityofsacramento.org
Server: ns01.sacramento.ca.gov
Address: 208.87.81.11
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to ns01.sacramento.ca.gov timed-out
>
I look forward to any suggestions
Thank you
Rich
May 4th, 2011 6:51pm
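The trace notation in the post ((3)www(16)cityofsacramento...(0)) is just the RFC 1035 length-prefixed label form of the query name, and a name that reaches an external authoritative server with the internal AD suffix still attached discloses that internal namespace to a third party. The following is an added example, not code from the thread, that decodes both the trace notation and the raw wire form and flags an appended internal suffix; the sample QNAME and the caladmanagement.local suffix are constructed from the values in the post.

```python
import re

# Constructed samples: the label-count notation from the remote admin's trace,
# and the same QNAME as it travels on the wire (RFC 1035 length-prefixed labels).
TRACE_QNAME = "(3)www(16)cityofsacramento(3)org(15)CALADMANAGEMENT(5)local(0)"
WIRE_QNAME = b"\x03www\x10cityofsacramento\x03org\x0fCALADMANAGEMENT\x05local\x00"
INTERNAL_SUFFIXES = ("caladmanagement.local",)  # the AD domain named in the post

_LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

def decode_trace_name(text):
    """Turn '(3)www(16)cityofsacramento...(0)' into ['www', 'cityofsacramento', ...]."""
    labels = []
    for count, label in _LABEL_RE.findall(text):
        n = int(count)
        if n == 0:
            return labels  # the zero-length root label terminates the name
        if len(label) != n:
            raise ValueError(f"label {label!r} does not match declared length {n}")
        labels.append(label)
    raise ValueError("name is not terminated by a (0) root label")

def decode_wire_name(data):
    """Parse an uncompressed RFC 1035 name: <len><label>...<len><label><0>."""
    labels, pos = [], 0
    while True:
        n = data[pos]
        if n == 0:
            return labels
        if n & 0xC0:  # 11xxxxxx marks a compression pointer, which a QNAME never uses
            raise ValueError("compression pointers are not handled here")
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n

def leaked_suffix(labels, suffixes=INTERNAL_SUFFIXES):
    """Return (external name, internal suffix) if an internal suffix was appended, else None."""
    name = ".".join(labels).lower()
    for suffix in suffixes:
        s = suffix.lower()
        if name.endswith("." + s):
            return name[: -len(s) - 1], s
    return None

if __name__ == "__main__":
    for labels in (decode_trace_name(TRACE_QNAME), decode_wire_name(WIRE_QNAME)):
        print(".".join(labels), "->", leaked_suffix(labels) or "no internal suffix appended")
```

Run over the QNAMEs in a DNS debug log or packet capture, a non-empty result for a query sent to an external server is the symptom the remote admin observed, and the same check also works as a detection rule for internal-name disclosure in outbound DNS.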
Hi,
I have tried the DNS server 208.87.81.11 from my client, and it works fine. I do not think the issue is caused by the suffix that the client added automatically.
I think you may need to verify whether the DNS reply message from the DNS server 208.87.81.11 reached your client or was blocked by firewalls. Or please verify whether the DNS server 208.87.81.11 can reach the root-hints servers.
If you want to get rid of the suffix that is appended to the FQDN www.cityofsacramento.org, you can typically run "ping www.cityofsacramento.org." instead of "ping www.cityofsacramento.org". The dot (.) appended to the FQDN prevents the client from adding the suffix automatically. You can try that and check the result.
Lastly, I am putting my name resolution test result against the server 208.87.81.11 below:
> www.cityofsacramento.org
Server: [208.87.81.11]
Address: 208.87.81.11
Name: ewcityweb01.cityofsacramento.org
Address: 208.87.81.165
Aliases: www.cityofsacramento.org
> www.microsoft.com.
Server: [208.87.81.11]
Address: 208.87.81.11
Non-authoritative answer:
Name: lb1.www.ms.akadns.net
Address: 207.46.19.254
Aliases: www.microsoft.com
toggle.www.ms.akadns.net
g.www.ms.akadns.net
God Bless!
May 5th, 2011 12:52am
We did try adding the "." to the end of our ping requests and it did not appear to make any difference. According to the remote DNS admin, the request is coming in with the local DNS suffix attached to the request, and their DNS server obviously does not host the local internal domain. We have been able to get successful tests on other client sites with what appears to be the same type of configuration against those particular DNS servers. We are also able to resolve against any other DNS server on the internet (so far). I don't have the log with me at the moment, but the response was a SERVFAIL. The clients' local firewalls are disabled and the border firewalls have been checked, so I cannot find anything that would be blocking the return packets.
Would it be helpful if I posted the DNS debug log from the local DNS server?
The answer is 42. What was the question?
May 5th, 2011 11:55am