Firewall blocks incoming UDP DNS

Due to compliance purposes we must have the Windows firewall enabled on our servers.  This particular server is our PDC/DHCP/DNS.  (192.168.211.17).  The BDC (192.168.211.16) is a replica of the PDC.  

PDC:

Primary DNS: 192.168.211.16

Secondary DNS: 192.168.211.17

BDC:

Primary DNS: 192.168.211.17

Secondary DNS: 192.168.211.16

The firewall seems to be blocking lookup requests.  

w:~> nslookup

> server 192.168.211.17

Default server: 192.168.211.17

Address: 192.168.211.17#53

> google.com

;; connection time out; no servers could be reached


When I disable the firewall, it works fine.

w:~> nslookup

> server 192.168.211.17

Default server: 192.168.211.17

Address: 192.168.211.17#53

> google.com

Server: 192.168.211.17

Address: 192.168.211.17#53

Non-authoritative answer:

Name: google.com
Address: 173.194.115.68

Name: google.com
Address: 173.194.115.69

Name: google.com
Address: 173.194.115.65

Name: google.com
Address: 173.194.115.66

Name: google.com
Address: 173.194.115.64

Name: google.com
Address: 173.194.115.67

Name: google.com
Address: 173.194.115.72

Name: google.com
Address: 173.194.115.71

Name: google.com
Address: 173.194.115.70

Name: google.com
Address: 173.194.115.78

Name: google.com
Address: 173.194.115.73


I have enabled logging and can see it blocking the request when it's enabled. The default DNS rules are in place: DNS (TCP, Incoming) and DNS (UDP, Incoming). I have even reset the firewall to defaults and re-imported the rules from the BDC, to no avail. The BDC has no issue. It's using the same forwarders as .17.

Anything else I may try?

  • Edited by EvanR-
April 30th, 2015 2:52pm
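The question's nslookup transcript only tells us that UDP lookups time out. An added example, not from the thread or from Microsoft, that probes the same server over TCP and UDP separately so a blocked inbound UDP/53 rule can be told apart from a dead DNS service or a TCP-only block. It assumes a Windows 8 / Server 2012 or later client (the DnsClient and NetTCPIP modules) and uses the poster's own addresses and the name google.com as input:

```powershell
# Added example (not from the thread): probe one DNS server over TCP and UDP separately.
# Assumes Windows 8 / Server 2012+ (Resolve-DnsName and Test-NetConnection are available).
function Test-DnsServerPath {
    param(
        [Parameter(Mandatory)][string]$Server,   # e.g. 192.168.211.17 (PDC) or 192.168.211.16 (BDC)
        [string]$Name = 'google.com'             # the name the poster looked up
    )
    $r = [ordered]@{ Server = $Server; Tcp53Open = $false; UdpLookup = ''; TcpLookup = ''; Verdict = '' }

    # 1. Raw TCP connect to port 53: only the "DNS (TCP, Incoming)" rule on the server sees this.
    $tnc = Test-NetConnection -ComputerName $Server -Port 53 -WarningAction SilentlyContinue
    $r.Tcp53Open = [bool]$tnc.TcpTestSucceeded

    # 2. Lookup over UDP, the default transport and what nslookup used in the question.
    try {
        $null = Resolve-DnsName -Name $Name -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop
        $r.UdpLookup = 'ok'
    } catch { $r.UdpLookup = "failed ($($_.Exception.Message))" }

    # 3. The same lookup forced over TCP, which the "DNS (UDP, Incoming)" rule never sees.
    try {
        $null = Resolve-DnsName -Name $Name -Server $Server -DnsOnly -NoHostsFile -TcpOnly -ErrorAction Stop
        $r.TcpLookup = 'ok'
    } catch { $r.TcpLookup = "failed ($($_.Exception.Message))" }

    # 4. Turn the three observations into a first hypothesis about where the block is.
    $r.Verdict = switch ($true) {
        ($r.UdpLookup -eq 'ok' -and $r.TcpLookup -eq 'ok') { 'DNS reachable on both transports'; break }
        ($r.UdpLookup -ne 'ok' -and $r.TcpLookup -eq 'ok') { 'UDP/53 blocked but TCP/53 answers: check the inbound UDP rule and which profile it is enabled for'; break }
        ($r.Tcp53Open -and $r.TcpLookup -ne 'ok')          { 'port 53 reachable but no answer: DNS service or forwarder problem, not the inbound rule'; break }
        default                                            { 'port 53 unreachable on both transports: firewall (both rules) or routing' }
    }
    [pscustomobject]$r
}

# Compare the server that fails (.17) with the replica that works (.16), as the poster did.
'192.168.211.17', '192.168.211.16' | ForEach-Object { Test-DnsServerPath -Server $_ } | Format-List
```

Run it from the same client that produced the nslookup output. If .17 reports "UDP/53 blocked but TCP/53 answers" while .16 reports both transports reachable, the DNS service itself is fine and the difference is confined to the UDP inbound rule on .17 (disabled, scoped to a profile the NIC is not in, or shadowed by a block rule), which narrows what to look at in the rule set and the firewall log.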

Evan,

It may also be blocked outgoing. Please check that too. I see 3 outbound rules regarding DNS on a 2008 R2 DC.

---
Jan

April 30th, 2015 4:09pm
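To check Jan's outbound suggestion and the poster's "rules are in place / logging shows the drop" observations in one pass, here is an added example, not from the thread or from Microsoft, that lists every firewall rule whose name mentions DNS in both directions with its enabled state, profile and port filter, reports the profile state and which profile the NICs actually sit in, and pulls port-53 DROP lines out of the firewall log with their direction. It assumes Windows Server 2012 or later for the NetSecurity cmdlets (on 2008 R2 the same rule data comes from `netsh advfirewall firewall show rule name=all`); the sample log lines at the bottom are constructed for the demo and are not from the poster's server:

```powershell
# Added example (not from the thread): audit DNS firewall rules and port-53 drops in the log.
# Assumes Windows Server 2012+ (NetSecurity / NetConnection modules); on 2008 R2 use
# `netsh advfirewall firewall show rule name=all` for the rule list instead.

function Get-DnsFirewallRuleReport {
    # Every rule whose display name mentions DNS (the DNS Server role's rules are normally in the
    # "DNS Service" group, but filtering by name does not depend on the group name), joined with
    # its port filter so a rule that exists but is disabled or scoped to the wrong profile shows up.
    Get-NetFirewallRule | Where-Object DisplayName -like '*DNS*' | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Direction = $_.Direction    # Inbound / Outbound (Jan's point: check both)
            Enabled   = $_.Enabled
            Action    = $_.Action       # Allow / Block
            Profile   = $_.Profile      # Any, or a Domain/Private/Public combination
            Protocol  = $pf.Protocol
            LocalPort = $pf.LocalPort
        }
    } | Sort-Object Direction, Name
}

function Get-FirewallProfileState {
    # A rule enabled only for the Domain profile is useless on a NIC Windows classified as Public.
    $profiles = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogBlocked, LogFileName
    $nics = Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory
    [pscustomobject]@{ Profiles = $profiles; Interfaces = $nics }
}

function Get-Port53Drops {
    param([string[]]$LogLines)
    # pfirewall.log columns: date time action protocol src-ip dst-ip src-port dst-port ... path
    # path is RECEIVE for inbound and SEND for outbound, which is exactly the inbound/outbound split to check.
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 8 -or $f[2] -ne 'DROP') { continue }
        if ($f[6] -ne '53' -and $f[7] -ne '53') { continue }
        [pscustomobject]@{
            Time = "$($f[0]) $($f[1])"; Proto = $f[3]; Src = $f[4]; Dst = $f[5]
            SrcPort = $f[6]; DstPort = $f[7]; Path = $f[-1]
        }
    }
}

# Constructed sample log lines (not from the poster's server) in the pfirewall.log format.
$sampleLog = @(
    '#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path',
    '2015-04-30 14:50:01 DROP UDP 192.168.211.50 192.168.211.17 52345 53 62 - - - - - - - RECEIVE',
    '2015-04-30 14:50:02 ALLOW TCP 192.168.211.50 192.168.211.17 52346 53 0 - 0 0 0 - - - RECEIVE',
    '2015-04-30 14:50:03 DROP UDP 192.168.211.17 192.0.2.53 61002 53 58 - - - - - - - SEND'
)

Get-DnsFirewallRuleReport | Format-Table -AutoSize
Get-FirewallProfileState  | Format-List
Get-Port53Drops -LogLines $sampleLog | Format-Table -AutoSize

# To read the real log instead of the sample, expand the path stored on the profile.
$logPath = [Environment]::ExpandEnvironmentVariables((Get-NetFirewallProfile -Name Domain).LogFileName)
if (Test-Path $logPath) { Get-Port53Drops -LogLines (Get-Content $logPath) | Format-Table -AutoSize }
```

Read the three outputs together: a DROP with Path RECEIVE and DstPort 53 means the inbound UDP or TCP rule is not matching (look at its Enabled and Profile columns against the NIC's NetworkCategory), while a DROP with Path SEND and DstPort 53 is the server's own query to a forwarder being blocked, which is the outbound case Jan describes. Since the poster reset the rules to defaults and re-imported them from the BDC, a profile mismatch on .17's interface is the difference worth checking first, because the rules themselves are then identical on both DCs.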
