Re: Windows 2003 DNS: Recursive query fails when looking its own d
- From: Lito Kusnadi <LitoKusnadi@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 28 Dec 2005 22:20:01 -0800
Thank you for everyone's reply. It has been mind-nourishing.
It is true that the "dcserver1.domain.com.au.com.au" is the reason for the
timeout. If I do nslookup dcserver1.domain.com.au. (with the dot after the
"au"), it gives me the answer without forwarding the query.
Thank you for the nslookup -d2 clue. It's very helpful.
As mentioned, in the DNS tab, I tried to uncheck the appending parent DNS
suffix, but still, it does not want to stop appending the .com.au bit.
I'm thinking:
Does the query: dcserver1.domain.com.au.com.au require an answer from an
authoritative DNS server? No matter if it's a positive answer (i.e. "yes, the
domain exists") or a negative answer (i.e. "no, the domain does not exist").
I believe this is what I don't have at the moment. The DNS for the AD is
totally separated and isolated from the Internet. It does not forward to the
ISP DNS for any unresolved query.
Adding the "." zone would make the DNS authoritative, which I believe stops
the forwarding. Is this statement correct?
Thank you.
Result of nslookup -d2:
Got answer (121 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
dcserver1.domain.com.au.domain.com.au, type = A, class = IN
AUTHORITY RECORDS:
-> domain.com.au
type = SOA, class = IN, dlen = 44
ttl = 3600 (1 hour)
primary name server = dcserver1.domain.com.au
responsible mail addr = hostmaster
serial = 25
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
------------
SendRequest(), len 47
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
dcserver1.domain.com.au.com.au, type = A, class = IN
------------
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
--
Lito Kusnadi
Technical Consultant
React Solutions AU
"Kevin D. Goodknecht Sr. [MVP]" wrote:
> Lito Kusnadi <LitoKusnadi@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> > Hi,
> >
> > I recently setup a Windows 2003 server for a client. I use internet
> > FQDN for the AD domain.
> >
> > When I tested the DNS service using NSlookup, I got a timeout issue in
> > forward lookup on the DC itself.
> >
> > The server name is: dcserver1
> > The FQDN server name is: dcserver1.domain.com.au
> > I can get reply when I nslookup: dcserver1
> > I also got the reverse lookup working for dcserver1
> > But when I type: dcserver1.domain.com.au, it gives me timeout and
> > then gives the correct result.
> >
> > The DC is not connected to the internet. When I add the "." zone, it
> > doesn't create the issue anymore.
> >
> > The problem is: why the nslookup still wants to go out to another DNS
> > server to look for name resolution for the DC? I can't understand why
> > it's happening. I'm a bit worried if there's an underlying problem as
> > I need to register several servers to the AD.
> >
> > Could anyone help me?
> > Thank you
>
>
> OK, there isn't a simple answer but here we go.
>
> I'm sure it has something to do with the DNS suffix search list and the way
> nslookup and the DNS client service append the Primary DNS suffix.
> When you do nslookup on just the server name the first query that goes to
> DNS is dcserver1.domain.com.au, so it resolves locally right away.
>
> However, when you do nslookup dcserver1.domain.com.au it does several
> queries before it resolves.
> 1st query is:
> "dcserver1.domain.com.au.domain.com.au"
> Your local server replies with the SOA record from domain.com.au but
> nslookup doesn't stop until it appends all DNS suffixes or resolves.
>
> 2nd query is:
> "dcserver1.domain.com.au.com.au"
> This query is the stopper because "domain.com.au.com.au." is so your DNS
> forwards this query because "com.au.com.au." is an unknown domain and it has
> to wait until the "com.au." parent server returns its SOA record, nslookup
> doesn't stop because it is still using an appended suffix so it goes on
> again this time by sending the name without an appended suffix, (both
> nslookup and the DNS client only append down to the last two levels before
> the root, (the root is the ".") in the search list, which is com.au.
>
> 3rd query is:
> dcserver1.domain.com.au. which resolves.
>
> so if you look at only what it appends it looks like this:
> domain.com.au.
> com.au.
>
> Which, when added to the domain name, searches these domains:
> domain.com.au.domain.com.au.
> domain.com.au.com.au
> domain.com.au
> Notice that neither nslookup nor the DNS client will append the TLD "au" it
> stops appending at "com.au"
> It's the domain.com.au.com.au that times out.
>
> Do this, in TCP/IP properties, select the DNS tab, then clear the check box
> for "append parent suffixes of the primary DNS suffix".
> Doing this stops nslookup and the DNS client from appending "com.au" (the
> parent suffix), so that only "domain.com.au" is appended, which your DNS
> server can handle without forwarding.
>
> If you will add a trailing "." to your query, neither nslookup nor the DNS
> client service will append DNS suffixes and will send only names before the
> "." to DNS.
> Example:
> "dcserver1.domain.com.au."
>
> The reason why this doesn't happen with the root zone is because since it
> has the root zone, DNS "assumes" that it knows every TLD name below the root
> and does not have to forward to find that domain.com.au.com.au. doesn't
> exist.
>
> This is further complicated if you also have a Connection specific DNS
> suffix (the one labeled "DNS suffix for this connection") because it is
> added to the DNS suffix search list, too. Although, it does not append parent
> suffixes of the connection suffix.
>
> As you see, it is not a simple answer, it is just the way nslookup (and the
> DNS client service) appends suffixes from TCP/IP properties. And this does
> not include nslookup's "stupid" behavior of doing a reverse lookup on the IP
> of every DNS server it queries.
>
> --
> Best regards,
> Kevin D. Goodknecht Sr. [MVP]
> Hope This Helps
> ===================================
> When responding to posts, please "Reply to Group"
> via your newsreader so that others may learn and
> benefit from your issue, to respond directly to
> me remove the nospam. from my email address.
> ===================================
> http://www.lonestaramerica.com/
> http://support.wftx.us/
> https://secure.lsaol.com/
> ===================================
> Use Outlook Express?... Get OE_Quotefix:
> It will strip signature out and more
> http://home.in.tum.de/~jain/software/oe-quotefix/
> ===================================
> Keep a back up of your OE settings and folders
> with OEBackup:
> http://www.oehelp.com/OEBackup/Default.aspx
> ===================================
>
>
>