Re: DNS Server set to forwarder randomly going out to root servers



We implemented the EDNS0 change to no avail.

The firewall is actually acting as a caching DNS server. It has rules
specifically to block all port 53 traffic from traversing the firewall,
regardless of whether it is UDP or TCP. It is meant to service the requests of
the forwarder.

What I am really trying to understand is, if the 2003 Server has a forwarder
set, why does it also randomly try to go to the root servers? What happens
then is the firewall sees this attempt and purposely drops the traffic
because of the rules we have set.

Again, what I don't understand is why the 2003 Server attempts to bypass the
forwarder that is set and go to the root to traverse down the DNS tree. Can
you stop this behaviour? I would prefer the DNS query just fail and then
deal with the problem of why the Firewall as a Caching DNS server is not
correctly servicing its downstream clients.

Thanks for your advice.

Fred Lobmeyer

"Ace Fekay [MVP]" wrote:

> In news:B03DCA84-72DD-4C17-8264-0A30157EAFB8@xxxxxxxxxxxxx,
> Fred L <FredL@xxxxxxxxxxxxxxxxxxxxxxxxx> stated, which I then commented on
> below:
> > Hi,
> >
> > The problem we are having is intermittent DNS lookup failures trying to
> > resolve Public Internet based Web Services or Pages.
> >
> > I have a W2K3 SP1 single forest single domain with integrated AD/DNS
> > established.
> >
> > The clients (XP SP2) are set to resolve from a specific DC enabled
> > for DNS in the domain. (Set via DHCP Scope)
> >
> > The Domain is Fred.Local
> >
> > The DNS Server is configured with 1 forwarder which points to the
> > Internal interface of the Firewall. The DNS Server is not configured
> > as a root server "." The Firewall is configured as DNS proxy.
> >
> > The Firewall also has a rule set that says that no internal machine
> > may make DNS requests to external DNS hosts.
> >
> > Here is where I don't know how to configure the internal DNS server
> > correctly. I would like to stop the Internal DNS Server (forwarder)
> > from going out to the root servers for lookups. When it does this
> > the firewall rule blocks the request (as it should) and the request
> > times out which returns to the client as a failed request.
> >
> > So can you stop the DNS Server from doing this? Do you want to?
> > What am I misunderstanding about this?
> >
> > Thanks in advance!
> >
> > Fred Lobmeyer
>
> It sounds like your firewall is not properly setup to proxy DNS forwarding
> requests, hence why it is reverting to the Roots. Check and ensure your
> firewall has UDP and TCP 53 open to allow that sort of traffic. You will
> need to double check your settings.
>
> Since you are using Windows 2003, it uses EDNS0, a new industry
> implementation that Windows 2003 uses to allow UDP packets greater than 512
> bytes. The old method uses UDP up to 512, then reverts to TCP above 512.
> EDNS0 is more efficient, however many older firewalls just do not support it
> or need to be updated. Check your firewall docs to see if it supports it.
>
> 828263 - DNS query responses do not travel through a firewall in Windows
> Server 2003:
> http://support.microsoft.com/?id=828263
>
> All in all, you can allow DNS traffic to the Win2003 server only, as long as
> it supports EDNS0. This will eliminate an extra query hop and increase
> efficiency. If the firewall doesn't, you can always disable EDNS0. The above
> article shows you that option as well.
>
> --
> Regards,
> Ace
>
> Please direct all replies ONLY to the Microsoft public newsgroups
> so all can benefit.
>
> This posting is provided "AS-IS" with no warranties or guarantees
> and confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
> Microsoft Windows MVP - Windows Server - Directory Services
> Infinite Diversities in Infinite Combinations.
> =================================
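An added example, not from either poster, showing the two Windows Server 2003 dnscmd settings this thread turns on: putting the forwarder in "slave" mode (the GUI's "Do not use recursion for this domain") so a forwarder timeout fails the query instead of falling back to the root hints, and disabling EDNS0 probes as described in KB 828263. It assumes dnscmd.exe from the Support Tools is in PATH on the DC running DNS; 192.168.0.1 is a constructed placeholder for the firewall's internal interface.

```batch
@echo off
REM Added example, not from the thread. Assumes this runs on the Windows
REM Server 2003 DC that hosts the DNS Server service, with dnscmd.exe
REM (Support Tools) in PATH. 192.168.0.1 is a constructed placeholder for the
REM firewall's internal interface that acts as the sole forwarder.
set FORWARDER=192.168.0.1

REM Current state. IsSlave = 0 means that when the forwarder does not answer
REM within ForwardingTimeout seconds, the server recurses from the root hints
REM itself, which is the traffic the firewall rule then drops.
dnscmd /Info /IsSlave
dnscmd /Info /ForwardingTimeout
dnscmd /Info /EnableEDnsProbes

REM 1. Re-set the forwarder list and mark the server as a slave. With /Slave,
REM    a query the forwarder cannot answer inside the 5 second timeout is
REM    returned to the client as a failure instead of being retried at the
REM    roots, which is the behaviour the original poster asked for.
dnscmd /ResetForwarders %FORWARDER% /TimeOut 5 /Slave

REM 2. Disable EDNS0 probes (KB 828263) so the server does not advertise UDP
REM    payloads above 512 bytes and falls back to TCP the classic way when a
REM    response is truncated.
dnscmd /Config /EnableEDnsProbes 0

REM 3. Restart the service so every changed property is re-read, then verify.
net stop dns && net start dns
dnscmd /Info /IsSlave
dnscmd /Info /EnableEDnsProbes
```

After this, a forwarder outage shows up as fast, consistent SERVFAIL-style failures on the clients rather than intermittent timeouts, which makes the remaining firewall-side caching problem easier to isolate.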


