Re: Windows 2003 DNS: Recursive query fails when looking its own domai



Lito Kusnadi <LitoKusnadi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> I recently set up a Windows 2003 server for a client. I use an internet
> FQDN for the AD domain.
>
> When I tested the DNS service using NSlookup, I got a timeout issue in
> forward lookup on the DC itself.
>
> The server name is: dcserver1
> The FQDN server name is: dcserver1.domain.com.au
> I can get reply when I nslookup: dcserver1
> I also got the reverse lookup working for dcserver1
> But when I type: dcserver1.domain.com.au, it gives me timeout and
> then gives the correct result.
>
> The DC is not connected to the internet. When I add the "." zone, it
> doesn't create the issue anymore.
>
> The problem is: why the nslookup still wants to go out to another DNS
> server to look for name resolution for the DC? I can't understand why
> it's happening. I'm a bit worried if there's an underlying problem as
> I need to register several servers to the AD.
>
> Anyone could help me?
> Thank you


OK, there isn't a simple answer but here we go.

I'm sure it has something to do with the DNS suffix search list and the way
nslookup and the DNS client service append the Primary DNS suffix.
When you do nslookup on just the server name the first query that goes to
DNS is dcserver1.domain.com.au, so it resolves locally right away.

However, when you do nslookup dcserver1.domain.com.au it does several
queries before it resolves.
1st query is:
"dcserver1.domain.com.au.domain.com.au"
Your local server replies with the SOA record from domain.com.au but
nslookup doesn't stop until it appends all DNS suffixes or resolves.

2nd query is:
"dcserver1.domain.com.au.com.au"
This query is the stopper because of "domain.com.au.com.au.": your DNS
forwards this query because "com.au.com.au." is an unknown domain, and it has
to wait until the "com.au." parent server returns its SOA record. nslookup
doesn't stop, because it is still using an appended suffix, so it goes on
again, this time sending the name without an appended suffix. (Both
nslookup and the DNS client only append down to the last two levels before
the root (the root is the ".") in the search list, which is com.au.)

3rd query is:
dcserver1.domain.com.au. which resolves.

so if you look at only what it appends it looks like this:
domain.com.au.
com.au.

Which, when added to the domain name, means it searches these domains:
domain.com.au.domain.com.au.
domain.com.au.com.au
domain.com.au
Notice that neither nslookup nor the DNS client will append the TLD "au"; it
stops appending at "com.au".
It's the domain.com.au.com.au that times out.

Do this: in TCP/IP properties, select the DNS tab, then clear the check box
for "append parent suffixes of the primary DNS suffix".
Doing this stops nslookup and the DNS client from appending "com.au" (the
parent suffix), so that only "domain.com.au" is appended, which your DNS
server can handle without forwarding.

If you will add a trailing "." to your query, neither nslookup nor the DNS
client service will append DNS suffixes and will send only names before the
"." to DNS.
Example:
"dcserver1.domain.com.au."

The reason this doesn't happen with the root zone is that, since it has the
root zone, DNS "assumes" that it knows every TLD name below the root and does
not have to forward to find that domain.com.au.com.au. doesn't exist.

This is further complicated if you also have a Connection-specific DNS
suffix (the one labeled "DNS suffix for this connection") because it is
added to the DNS suffix search list, too. However, it does not append parent
suffixes of the connection suffix.

As you see, it is not a simple answer, it is just the way nslookup (and the
DNS client service) appends suffixes from TCP/IP properties. And this does
not include nslookup's "stupid" behavior of doing a reverse lookup on the IP
of every DNS server it queries.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
https://secure.lsaol.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
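The suffix-appending order Kevin walks through above can be modelled in a few lines, which makes it easy to see which query leaves the local server and why the trailing "." or clearing "append parent suffixes" avoids it. The following Python is an added example, not code from the thread or from Microsoft; it models nslookup's behaviour exactly as the post describes it (primary suffix first, then parent suffixes down to two labels, connection-specific suffix without devolution, bare name last) and makes no claim about other rules the real Windows client applies. The zone list and the name "branch.example" are constructed inputs.

```python
"""Model of DNS suffix appending as described in the post.

Added example, not the Windows client's real code. Assumptions:
- a name ending in "." is sent as-is, with no suffix appended;
- the primary DNS suffix is appended first, then (when parent suffix
  devolution is on) each parent suffix down to two labels ("com.au");
- a connection-specific suffix is appended after those, never devolved;
- the name is finally sent with no suffix at all.
"""


def devolved_suffixes(primary_suffix, devolve=True, min_labels=2):
    """Primary suffix plus its parent suffixes, stopping when only
    `min_labels` labels remain: domain.com.au -> [domain.com.au, com.au]."""
    labels = primary_suffix.rstrip(".").split(".")
    if not devolve:
        return [".".join(labels)]
    out = []
    while len(labels) >= min_labels:
        out.append(".".join(labels))
        labels = labels[1:]  # drop the leftmost label to get the parent
    return out


def query_candidates(name, primary_suffix, connection_suffix=None, devolve=True):
    """The names, in order, that the resolver sends for `name`."""
    if name.endswith("."):
        return [name]  # trailing dot: absolute name, nothing appended
    search_list = devolved_suffixes(primary_suffix, devolve)
    if connection_suffix:
        search_list.append(connection_suffix.rstrip("."))  # not devolved
    candidates = [f"{name}.{suffix}." for suffix in search_list]
    candidates.append(name + ".")  # last attempt: no suffix
    return candidates


def is_within_zones(fqdn, zones):
    """True if the local server holds a zone that covers `fqdn`.
    A "." zone (root) covers every name, so nothing is ever forwarded."""
    name = fqdn.rstrip(".")
    for zone in zones:
        zone = zone.rstrip(".")
        if zone == "" or name == zone or name.endswith("." + zone):
            return True
    return False


def forwarded_queries(candidates, zones):
    """Candidates the local server cannot answer itself and must forward;
    these are the ones that wait on an upstream server and can time out."""
    return [c for c in candidates if not is_within_zones(c, zones)]


if __name__ == "__main__":
    local_zones = ["domain.com.au"]  # constructed: the DC's only forward zone
    for query in ("dcserver1", "dcserver1.domain.com.au", "dcserver1.domain.com.au."):
        cands = query_candidates(query, "domain.com.au")
        print(query, "->", cands)
        print("   forwarded:", forwarded_queries(cands, local_zones))
    # With parent-suffix devolution cleared, or with a "." zone, nothing leaves
    print(forwarded_queries(query_candidates("dcserver1.domain.com.au",
                                             "domain.com.au", devolve=False),
                            local_zones))
    print(forwarded_queries(query_candidates("dcserver1.domain.com.au",
                                             "domain.com.au"),
                            local_zones + ["."]))
```

Running it shows that only "dcserver1.domain.com.au.com.au." falls outside the local zone and is forwarded, which is the query that hangs on an isolated DC; with devolution off or a "." zone present the forwarded list is empty, matching the two fixes in the post.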