
We are having trouble with DNS. I recently switched internet providers and the problem followed us, at which point I realized our 2008 R2 Domain Controller's DDNS must be the problem.

When I switch to Google DNS (8.8.8.8), sites like paypal.com, zynga.com, etc. work fine. When I switch to our local DNS server it eventually times out.

There are no extra zones for those domains in the DNS server. Any ideas as to how I can diagnose the health of DNS and fix the problem? It is driving everyone crazy at the office when they can't access random sites.

  • How's the domain controller's DNS forwarding configured - or is it doing recursive lookups itself? – Shane Madden Sep 28 '11 at 20:28
  • How are your internal DNS servers configured to resolve non-authoritative domains? Are they configured to use forwarders or root hints? Do all internal clients (including the DNS servers) only point to the internal DNS servers for DNS name resolution? – joeqwerty Sep 28 '11 at 20:30

2 Answers

Your local DNS server should have forwarders configured to forward queries for zones it is not responsible for. You can use ones provided by your ISP, or OpenDNS or Google. I prefer Google these days. They also have a secondary, 8.8.4.4; I believe these are anycasted.

SpacemanSpiff
  • We use Root Hints as per Microsoft recommendation. I have tried direct Forwards though and also disabling recursion. – Jessica Moyer Sep 28 '11 at 20:50
  • In my packet sniffer I just noticed a funny line is added to the R2 2008 server that doesn't exist in the non-R2 2008 and 2003 DNS servers I have out there. – Jessica Moyer Sep 28 '11 at 20:50
  • Are you sure your border firewall is configured to allow this server out? – SpacemanSpiff Sep 28 '11 at 20:58
  • @Jessica: What's the funny line that's added in your packet sniffer? Do you see DNS queries leaving the DNS server and do you see the answers being returned in your capture? If not, what are you seeing? – joeqwerty Sep 28 '11 at 21:10
  • @joeqwerty Yes, I see the DNS traffic back and forth. This is the extra line that led me to disabling probes on the DNS server: "AdditionalRecord: of type OPT on class Unknown DNSClass". I just posted the solution I found that works. – Jessica Moyer Sep 29 '11 at 22:39

The problem turned out to be the way 2008 R2 handles EDNS probes. A lot of packet sniffing and log review between servers at other clients and these revealed an extra line that got me searching.

Short story: to disable it you can log in and run this from a command prompt.

dnscmd /config /EnableEDNSProbes 0

I think the issue only affects environments where you have a single domain controller that is also the single DNS server for an office. I have other clients with R2 that do not have this issue but their environment is more complex. When I get time I will try to drill down into the specifics.

In short, if you have trouble resolving random sites disable probes.

  • I see references online that indicate some firewalls are not expecting DNS traffic to have this extra information attached and incorrectly drop the traffic. Might be something that only application-aware firewalls do, but worth taking a look at. What device was on the edge? – SpacemanSpiff Sep 30 '11 at 03:22
  • Thanks spaceman for that idea. Cisco 5505 in this scenario, I will try to do some mode testing to see if that is a contributing factor. – Jessica Moyer Oct 01 '11 at 05:22
  • I had no idea DNS had been extended in this manner :O Thanks for bringing THAT to my attention. – SpacemanSpiff Oct 01 '11 at 11:28
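Added here as a diagnostic example, not code from the thread or from any of its posters: it sends the same A query to a resolver once without and once with the OPT pseudo-record the capture showed ("AdditionalRecord: of type OPT"), so you can tell whether something on the path answers plain queries but silently drops EDNS ones before you resort to disabling probes. It assumes the resolver listens on UDP port 53; the server address and query name are placeholders you supply.

```python
import socket
import struct

def build_query(name, txn_id=0x1234, edns=False, udp_size=4096):
    """Build a DNS A query with RD set; edns=True appends an OPT pseudo-record."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = extended flags, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0) if edns else b""
    return header + question + opt

def skip_name(msg, off):
    """Return the offset just past the name at off; a compression pointer ends it."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln

def has_opt_record(msg):
    """True if any RR in the message is an OPT (type 41) record, i.e. it uses EDNS."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:
            return True
        off += 10 + rdlen
    return False

def probe(server, name="www.example.com", timeout=3.0):
    """Send a plain then an EDNS query to server:53; return (plain_answered, edns_answered)."""
    answered = []
    for edns in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, edns=edns), (server, 53))
            try:
                answered.append(len(s.recv(4096)) >= 12)
            except socket.timeout:
                answered.append(False)
    return tuple(answered)
```

A result of `(True, False)` from `probe("<your forwarder or root server>")` run on the DNS server itself points at the edge device dropping the OPT-carrying packets; `(True, True)` means the firewall passes EDNS and the cause lies elsewhere.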