Name resolution is failing for a handful of zones at only one site. It had been working fine, but stopped at one site recently.

We are using DNS to restrict access to YouTube (see here), so we have a forward lookup zone www.youtube.com set up to catch YouTube requests and redirect them to restrict.youtube.com. This zone is AD integrated and it works fine at all sites except one. Each site has a 2012 server running DNS and DC roles. Name resolution for the domain zone works fine everywhere. This is only affecting the YouTube-related zones at one site.

Nslookups return just the name; digs return just the SOA. Tried restarting DNS and rebooting the server. Verified that the zone is showing up in DNS Manager and the registry. Verified it is replicating correctly. Here's dig against both a non-working and a working server.

; <<>> DiG 9.9.5-9+deb8u7-Raspbian <<>> www.youtube.com @notworking
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5425
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.youtube.com.               IN      A

;; AUTHORITY SECTION:
www.youtube.com.        3600    IN      SOA     notworking.mydomain.com. hostmaster.mydomain.com. 10 900 600 86400 3600

;; Query time: 1 msec
;; SERVER: 192.168.0.4#53(192.168.0.4)
;; WHEN: Fri Oct 21 12:07:29 CDT 2016
;; MSG SIZE  rcvd: 114



; <<>> DiG 9.9.5-9+deb8u7-Raspbian <<>> www.youtube.com @working
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18823
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.youtube.com.               IN      A

;; ANSWER SECTION:
www.youtube.com.        3600    IN      DNAME   restrict.youtube.com.
www.youtube.com.        0       IN      CNAME   restrict.youtube.com.
restrict.youtube.com.   597     IN      A       216.239.38.120

;; Query time: 3 msec
;; SERVER: 192.168.0.11#53(192.168.0.11)
;; WHEN: Fri Oct 21 12:26:01 CDT 2016
;; MSG SIZE  rcvd: 128

What else can I check?

Jason

2 Answers


I found a post (here) where someone was having similar problems after an MS update was installed. I couldn't find the update they referenced, but I did find that KB3185331 was installed the night before. Rolled back that update and name resolution is back to working like before.

Jason
    Watch KB3185259 too. KB3185331 includes it, and I saw this in that KB's text: *Addressed issue that causes Wildcard CNAME queries with Domain Name System Security Extensions (DNSSEC) enabled to not return Next Secure (NSEC) records.* – yagmoth555 Oct 21 '16 at 19:56
  • KB3133954
  • KB3161591
  • KB3179574
  • KB3185279
  • KB3185331
  • KB3192404

All these KBs cause this issue. Moving forward, it looks like Microsoft's monthly quality rollup and the subsequent month's preview affect DNAME forwarding in this manner; however, as of October 2016 the security update (KB3192392) has not.
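
An added example, not part of the original posts: a Python check that classifies dig's text output, so the symptom in the question (NOERROR, authoritative, zero answers, only the SOA) can be spotted per server after each update. The samples are trimmed copies of the two dig outputs in the question; `parse_dig`, `classify` and the `target` default are names assumed for this example.

```python
import re
# Constructed samples: trimmed copies of the two dig outputs in the question.
NOT_WORKING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5425
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:
www.youtube.com. 3600 IN SOA notworking.mydomain.com. hostmaster.mydomain.com. 10 900 600 86400 3600
"""
WORKING = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18823
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.youtube.com. 3600 IN DNAME restrict.youtube.com.
www.youtube.com. 0 IN CNAME restrict.youtube.com.
restrict.youtube.com. 597 IN A 216.239.38.120
"""

def parse_dig(text):
    """Extract status, header flags and (section, type, rdata) records from dig text output."""
    out = {"status": None, "flags": [], "records": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if m := re.search(r"status: (\w+),", line):
            out["status"] = m.group(1)
        elif m := re.match(r";; flags: ([a-z ]*);", line):
            out["flags"] = m.group(1).split()
        elif m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1).lower()
        elif not line:
            section = None            # a blank line ends the current section
        elif section and not line.startswith(";"):
            # dig record columns: name, TTL, class, type, rdata...
            out["records"].append((section, *line.split()[3:5]))
    return out

def classify(text, target="restrict.youtube.com."):
    """Label one server's reply: 'redirected', 'nodata', 'unexpected' or 'error:<rcode>'."""
    r = parse_dig(text)
    if r["status"] != "NOERROR":
        return "error:" + str(r["status"])
    answers = [(t, d) for s, t, d in r["records"] if s == "answer"]
    if any(t in ("DNAME", "CNAME") and d == target for t, d in answers):
        return "redirected"
    has_soa = any(s == "authority" and t == "SOA" for s, t, _ in r["records"])
    if not answers and has_soa and "aa" in r["flags"]:
        return "nodata"               # zone is loaded, but the redirect record is not served
    return "unexpected"
```

Pass it the output of `dig www.youtube.com @server` for each site's DNS server; any result other than `redirected` means that server is not applying the restriction.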