W2K DNS server fails recursive query


DVNT1
02-07-2003, 10:45 AM
After a restart of the AD integrated DNS server (Print Spooler problem), DNS fails to resolve Internet names. When I check via DNS MMC it still passes a simple query but fails recursive query tests. No obvious changes were done. Some Windows updates may have been done previously (since last restart) but I'm not sure. Currently has SP2.

I tried:
* removing DNS root hints (and also re-added them)
* removing all forwarder entries and re-adding them
* disabled forwarders (and also re-added them)

Network connectivity is good. I can ping all DNS server IP addresses.

I can telnet to the DNS port on any of the DNS IPs listed in the Forwarders.

I also tried an app (WS_Ping ProPack) that directly makes DNS requests to any DNS server... it always times out when run on this DNS server.
I tried the same tool (and same attributes) on another W2K server with a public IP and it always works.

Suggestions?

Mntsnow
02-07-2003, 1:33 PM
Is this box behind a firewall and have you double checked to make sure the required ports are getting passed? Is this box running on a private IP or public? Is this box a primary or secondary DNS box?

Just a couple more questions to help start the process

Mntsnow
02-07-2003, 1:42 PM
A couple of sites I like to use when working on DNS stuff:

http://www.dnsreport.com/
http://www.dnsstuff.com/
http://us.mirror.menandmice.com/cgi-bin/DoDig
http://www.dns.net/dnsrd/tools.html

DVNT1
02-07-2003, 1:53 PM
It is behind a transparent firewall (Netscreen-10 device) but no outbound restrictions. I double checked port access by telnetting to port 53 on an Internet DNS server (and it made a connection).

Both private & public IP (two NICs).

Primary DNS, and currently the only internal DNS.

Mntsnow
02-07-2003, 2:56 PM
Was a "reverse zone" set up on that box? If so maybe remove it, reboot and reinstall the reverse zone. Is there a WINS server on this "internal" network?

DVNT1
02-07-2003, 3:22 PM
I got it working finally.

I put a packet sniffer in front of this machine and saw that DNS replies were going to it. But in the DNS logs, no RCVs were being seen.

After a lot of trial and error, I ended up disabling the WAN NIC's TCP/IP Properties|Advanced|Options|TCP/IP filtering (it was set to "Permit Only" for all protocols with no ports defined). The odd thing is, this used to work fine.
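The "simple query passes, recursive query fails" symptom in this thread comes down to two things: the RD/RA flags in the DNS header, and whether a UDP reply ever reaches the service at all. The script below is an added example written for this thread, not code posted by anyone in it. It builds the same kind of RD=1 query the DNS MMC recursive test sends, decodes the reply header, and classifies the outcome the way a troubleshooter would read it. The name example.com, the transaction id, and the sample reply bytes are constructed for illustration; `send_query` is only run when the script is executed directly.

```python
"""Build and decode DNS headers (RFC 1035) to tell a 'simple' query apart
from a 'recursive' one and to classify what came back.
Added example for this thread; all sample values are constructed."""
import socket
import struct
from typing import Optional


def build_query(name: str, qtype: int = 1, txid: int = 0x1234,
                recursion_desired: bool = True) -> bytes:
    """Build a DNS query packet. RD=1 (0x0100) is what a recursive test sends;
    a 'simple' query against a zone the server hosts can succeed with RD=0."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    qname += b"\x00"                       # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def decode_header(packet: bytes) -> dict:
    """Pull the flag bits a troubleshooter cares about out of a reply header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,       # 1 = this is a response
        "aa": (flags >> 10) & 1,       # authoritative answer
        "rd": (flags >> 8) & 1,        # recursion desired (echoed from query)
        "ra": (flags >> 7) & 1,        # recursion available on the server
        "rcode": flags & 0xF,          # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
    }


def classify(reply: Optional[dict]) -> str:
    """Map a decoded reply (or a timeout) to the likely failure class."""
    if reply is None:
        # Exactly the thread's case: packets visible on the wire, nothing
        # reaching the service. Look at UDP/53 reachability and host filters.
        return "timeout: no reply reached the resolver"
    rcodes = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
    if reply["rcode"] != 0:
        return "server replied " + rcodes.get(reply["rcode"], str(reply["rcode"]))
    if not reply["ra"]:
        return "server replied but recursion is not available"
    return "recursive lookup succeeded"


def send_query(server: str, name: str, timeout: float = 3.0) -> Optional[dict]:
    """Send one UDP query and decode the reply; None on timeout.
    Note this exercises UDP/53, which a TCP telnet to port 53 never does."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
    reply = decode_header(data)
    if reply["id"] != 0x1234 or reply["qr"] != 1:
        return None  # not a matching response
    return reply


# Constructed sample replies: a healthy recursive answer (flags 0x8180:
# QR=1, RD=1, RA=1, NOERROR) and one from a server with recursion disabled
# (flags 0x8100: QR=1, RD=1, RA=0, NOERROR).
SAMPLE_RECURSIVE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
SAMPLE_NO_RA_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 0, 0)

if __name__ == "__main__":
    print(classify(decode_header(SAMPLE_RECURSIVE_REPLY)))
    print(classify(decode_header(SAMPLE_NO_RA_REPLY)))
    print(classify(None))
```

The distinction matters for the diagnosis above: a successful telnet to TCP port 53 proves only the TCP path, while the MMC recursive test and ordinary client lookups travel over UDP port 53, so a host-level "Permit Only" filter with no UDP ports listed silently drops the very replies a sniffer on the wire can still see arriving.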

Mntsnow
02-07-2003, 10:17 PM
Interesting.....Thanks for letting us know what finally got you going