Re: Some DNS server names will not resolve using internal servers
- From: "Herb Martin" <news@xxxxxxxxxxxxxx>
- Date: Thu, 30 Nov 2006 20:11:43 -0600
"Brillmike" <brillmike@xxxxxxxxx> wrote in message
news:20ED5DD5-34F1-4A10-8C6E-2C3F94C2D3A8@xxxxxxxxxxxxxxxx
I did do the nslookup -time=20 www.microsoft.com to both of our internal DNS
servers....I no longer get a time out. I get ":Server Failed". BOTH servers
return the same message. I also did the same NSLOOKUP from the command prompt
and the MMC Properties page on both DNS servers and I still get :Server
Failed message returned.
Server failed messages are frequently a symptom
of MUTUAL FORWARDING. You must never
set DNS-A to forward to DNS-B AND DNS-B
back to DNS-A.
This creates an infinite loop which drives the DNS
server(s) crazy.
I have checked with all of our ISP forwarders and they are not having any
issues. I also have done nslookups using the forwarder IP addresses and they
return a code.
I don't want to reboot without fixing the issue either but I am running out
of options.
If "rebooting" would "FIX" the issue then I would agree
but it seldom does.
I need to do the debug steps next to see if that can shed some light.
Check forwarders on both DCs -- make sure that
they do not appear in each others list.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
Thanks for sticking with me.
"Herb Martin" wrote:
"Brillmike" <brillmike@xxxxxxxxx> wrote in message
news:69BC97F8-701D-439C-A060-9CFAAFE7EFC0@xxxxxxxxxxxxxxxx
Thanks for explaining the DNAME information. Maybe that is not the issue.
I have done all the nslookup commands. All of our external ISP DNS
forwarders return the CNAMES for www.microsoft.com. When we NSLookup to our
internal servers we get "can't find www.microsoft.com: server failed"
nothing is logged on the DNS server application logs.
You enable DNS DEBUG logging in the Server properties
of the DNS Server MMC.
You really are doling this out -- my original message
gave you NSLookup but in the followup I suggested
you need to use -time=20 (or some long value).
If your NSLookup is failing then you have the
beginning of the info you need to determine which
server is causing the problem.
Use this (with -time) to figure out if you can get
from the Server console itself to the (same)
internal DNS server and then to the ISP (from
the same place).
I tried from workstations and from the DNS servers. No luck.
What does "no luck" mean? Without the exact
command and response I am just depending on
your analysis which would be fine except you
are the one who needs the help.
If I bypass the local DNS servers from the workstations I can get to
www.microsoft.com. So I think that would eliminate a local workstation
issue?
Perhaps. I have not been really suspecting
the workstations UNLESS you have them set
to multiple DNS server sets and are getting
random (unreliable) results.
Without giving specific DNS servers you can't
be sure and without showing me those I cannot
follow the tests.
Is there a trace I could do on the DNS server to tell me what is happening?
Debug logging.
I am going to schedule a reboot to the DNS servers for the weekend.
Probably irrelevant. I am not in favor of prophylactic
reboots until the problem is carefully diagnosed.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
"Herb Martin" wrote:
"Brillmike" <brillmike@xxxxxxxxx> wrote in message
news:371587CE-72FF-4E29-A74B-6DF3D747970C@xxxxxxxxxxxxxxxx
I was thinking maybe DNAME. Which is redirection to a DNS tree...
http://www.ietf.org/internet-drafts/draft-ietf-dnsext-rfc2672bis-dname-00.txt
We do not have any external zones set up and forward all request to our
ISP's, which work fine.
That isn't even a standard so it is unlikely unless
you have some specific information that makes
you believe that your ISP is engaged in such things.
Even then it would likely be a hack/compromise of
the ISP's DNS by some employee or outside attacker
(e.g., an MS hater.)
I think this could explain why it only happens to WWW.microsoft.com, not
SUPPORT.microsoft.com
Not really, since the DNAME would typically be used
to redirect all of Microsoft.com. Only a CNAME would
be needed for a specific name like "support.microsoft.com".
DNAMEs do in fact redirect queries from zone A to zone
B with the specific host name being prepended to the latter
(i.e., B) instead of the original (i.e., A).
I am not sure how to fix it, I think it is a bug in 2003 DNS. I saw the
HOTFIX article as mentioned in this thread but want to confirm that this is
the issue.
What problem have you specifically identified?
(I don't actually believe, or at least don't understand,
that you have identified any specific problem.)
Until you can show the actual NSLookup responses
to specific servers to be giving different answers you
haven't even approached the level of explicitness you
need to declare a bug.
[I am saying this as someone who has discovered
significant bugs in Cisco, Netware, IBM, Microsoft,
and Apple software that had previously gone
unreported -- almost always I find that the problems
are NOT bugs and these were all the exceptions.]
I can't find a virus/trojan and all other sites appear to be working.
What ISP and which DNS servers are you using?
We can try to check them directly.
It might be interesting for you to learn (or discover
for yourself) that Support.Microsoft.com is a completely
different ZONE from Microsoft.com, and that this zone
is managed by an entirely (apparently) different set of
servers, perhaps at a completely different company.
msft.net vs. akamai.com
nslookup -q=soa microsoft.com
nslookup -q=soa support.microsoft.com
(you will actually discover this is a CNAME and
that you must re-issue the request as:)
nslookup -q=soa support.microsoft.akadns.net
Here is an article I found too, might be of some interest. I will keep looking
for an answer. http://cr.yp.to/djbdns/killa6.html. Hope someone at MS can
help too.
I suggest you very carefully perform all of the required
NSLookup tests (that I have been suggesting all along
and that would derive from the results of those tests)
and post that explicitly.
You must include tests from the command line of the actual
DNS server (to prove that there is not some weird interaction
for just this server) as well as the full list of Forwarders
and whether "Do Not use Recursion" is checked or not.
You might also consider using Debug logging to document
the requests and responses.
Proving a bug (by eliminating all of the other variables)
is actually quite involved.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
"Herb Martin" wrote:
"Brillmike" <brillmike@xxxxxxxxx> wrote in message
news:CA651CFC-5640-4195-947B-DC2B3E562550@xxxxxxxxxxxxxxxx
Could this have something to do with a DNAME. I have run across an article
concerning a HOTFIX...KB920162.
Do you mean CNAME?
Why would you have ANY records for the
external sites?
If you do have the zone for any external sites
then your (internal) version of that zone must
be absolutely correct.
--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
I see DNS events, informational, for Event ID 5504 on my domain controller.
They look harmless but look related to me doing nslookups on the domain names
that fail. Both of these names seem to have multiple IP addresses associated
with the name....not a typical cname.
Can you shed some light, am I on to something?
"Herb Martin" wrote:
"Brillmike" <brillmike@xxxxxxxxx> wrote in message
news:DF3F6728-90EF-4312-BA00-AD24BF258691@xxxxxxxxxxxxxxxx
www for microsoft is working again. I did not change anything but now the
site is coming up fine.
BUT...LOGIN.gsionline.com is still not working. www.gsionline.com is. When I
do the nslookup on our ISP server I get this.
Address: 66.28.0.45
Non-authoritative answer:
Name: login.gsionline.com
Addresses: 167.68.27.53, 167.68.27.54, 167.68.27.55, 167.68.27.11
So the ISP is working and can be reached.
ON our own DNS server, which have the above addresses as FORWARDERS. I get
this response.
Address: 10.10.0.202
DNS request timed out.
timeout was 2 seconds.
*** Request to sfdc1.howardrice.local timed-out
Your server didn't answer. You should play with
timeout value to ensure it is true failure and not just
slow:
nslookup -time=20 login.gsionline.com 10.10.0.202
[You should also try these FROM the actual Server's
command line too -- this will tell you if this is just
some problem with THIS server failing to reach a
particular resolution which the client can resolve
directly.]
But the forwarding is working for everything else (www.microsoft.com is
sketchy)
C:\Documents and Settings\mab>nslookup www.gsionline.com 10.10.0.202
Server: sfdc1.howardrice.local
Address: 10.10.0.202
Non-authoritative answer:
Name: www.gsionline.com
Addresses: 167.68.27.18, 167.68.27.47
C:\Documents and Settings\mab>nslookup www.gsionline.com 10.10.0.203
Server: sfdc2.howardrice.local
Address: 10.10.0.203
Non-authoritative answer:
Name: www.gsionline.com
Addresses: 167.68.27.47, 167.68.27.18
We have not rebooted the DNS server yet. Could this be a caching issue. I
see entries for gsionline, but nothing that references LOGIN.gsionline.com
Not likely a caching issue since the resolution itself
is not failing (the DNS server is TIMING OUT
.
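
The forwarder check recommended in this thread ("make sure that they do not appear in each others list"), as an added example that is not part of the original posts. It goes beyond the two-server case and also reports self-forwarding and longer loops. The function name and the forwarder lists are assumptions: the inventory is constructed sample data that you would fill in by hand from each server's Forwarders tab.

```python
# Added example: find DNS forwarding loops in a hand-collected inventory.
# Keys are internal DNS servers; values are the forwarders configured on each.

def find_forwarding_loops(forwarders):
    """Return every forwarding cycle once, rotated to start at its smallest member."""
    loops = set()

    def walk(server, path):
        for nxt in forwarders.get(server, []):
            if nxt in path:
                # We came back to a server already on this path: a loop.
                cycle = path[path.index(nxt):]
                k = cycle.index(min(cycle))
                loops.add(tuple(cycle[k:] + cycle[:k]))
            elif nxt in forwarders:
                # Only follow servers we have an inventory for; external
                # forwarders (e.g. the ISP) end the chain.
                walk(nxt, path + [nxt])

    for start in forwarders:
        walk(start, [start])
    return sorted(list(c) for c in loops)


# Constructed sample: two internal servers that forward to each other
# as well as to an external forwarder (the misconfiguration described above).
MUTUAL = {
    "10.10.0.202": ["10.10.0.203", "66.28.0.45"],
    "10.10.0.203": ["10.10.0.202", "66.28.0.45"],
}

# Constructed sample: the corrected layout, external forwarders only.
CLEAN = {
    "10.10.0.202": ["66.28.0.45"],
    "10.10.0.203": ["66.28.0.45"],
}

if __name__ == "__main__":
    for name, inventory in (("mutual", MUTUAL), ("clean", CLEAN)):
        found = find_forwarding_loops(inventory)
        if found:
            for loop in found:
                print(f"{name}: loop {' -> '.join(loop + loop[:1])}")
        else:
            print(f"{name}: no forwarding loops")
```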