27 October 2011

Windows DNS unable to resolve some external DNS names

I ran into this issue recently and it only happened for a few public DNS names.  Overall things were working pretty normally.

DNS Basics
Typically a corporate domain-joined machine is configured with a local DNS server for that domain.  All queries are sent to that DNS server.  If it cannot resolve the name itself, it passes the query on to its configured DNS forwarder servers.  If no forwarders are available, the root hint servers are used.

In a larger organisation you might have many internal servers that forward to one another.  For servers that are not allowed to make DNS queries externally you should disable "Use root hints if no forwarders are available."  This chain can continue until one or more servers are allowed to query out to the internet.  If no external forwarder servers are specified on those servers, they would then use the root hint servers.

My recommendation here is to use one or more external forwarders on these servers.  Typically these would be the ones supplied by your ISP.  It is also very common now to use the Google Public DNS service operating on 8.8.8.8 and 8.8.4.4.

Do not specify the Google Public DNS servers as a root hint.  They are not authoritative for any domain, as they do not operate as a Top Level Domain (TLD) name service.

Root hint servers are authoritative servers operated by various bodies.  For instance, l.root-servers.net is operated by ICANN and j.root-servers.net is operated by Verisign.  Each is hosted on multiple redundant servers published using anycast routing and distributed world wide.




If you look at the nslookup result you will see the difference.  Using nslookup hostname will resolve according to your specified IP / DHCP settings.  Using nslookup hostname DNSserver will force the use of the specified DNS server.

Here I am resolving against the Google public DNS service



Here I am resolving against a root server




Troubleshooting
First I had to track down the servers that were allowed to query out to the internet.  The test for this was to do an nslookup from that server to a public DNS server.  If the connection failed like the image below you can deduce that no public DNS lookup is allowed.


Internal servers like this one should all eventually point to the internal server(s) that are allowed to resolve externally.  Once all the internal configuration is correct we can start troubleshooting the outside.

When I checked the configuration of the DNS servers I found the following: the root hints entries for l.root-servers.net and m.root-servers.net had unknown IP addresses.


Resolving these completed the list.
l.root-servers.net. is 199.7.83.42
m.root-servers.net. is 202.12.27.33

For more info check out http://root-servers.org/

I also discovered that one of the last internal DNS forwarder servers had no external forwarders specified.
This would in theory mean that this server would not be able to resolve any domain name that is hosted by the ICANN or WIDE Project organisations.
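The checks above were done by hand with nslookup and the DNS console.  The following script, added here and not part of the original post, does the same audit from PowerShell: it checks that the server has forwarders, that every root hint carries an IP address that still matches what the name resolves to, and that a public resolver and a root server actually answer from this host.  It assumes the DnsServer module (Windows Server 2012 or later) and that the forwarder address passed in is reachable; the default of 8.8.8.8 is only a placeholder.

```powershell
# Added example, not from the original post. Assumes the DnsServer module
# (Windows Server 2012+) and a reachable forwarder; run on the DNS server or
# with -DnsServer pointing at it.
param([string]$DnsServer = 'localhost', [string]$Forwarder = '8.8.8.8')

# 1. Forwarders: a server that is meant to resolve externally needs at least one.
#    UseRootHint is the "Use root hints if no forwarders are available" setting.
$fwd = Get-DnsServerForwarder -ComputerName $DnsServer
if (-not $fwd.IPAddress) {
    Write-Warning "$DnsServer has no forwarders configured"
}
Write-Output "$DnsServer falls back to root hints: $($fwd.UseRootHint)"

# 2. Root hints: every entry should have an IPv4 address, and that address should
#    match what the name resolves to now (the post found l and m with none).
foreach ($hint in Get-DnsServerRootHint -ComputerName $DnsServer) {
    $name       = $hint.NameServer.RecordData.NameServer.TrimEnd('.')
    $configured = @($hint.IPAddress.RecordData.IPv4Address.IPAddressToString)
    $live       = @(Resolve-DnsName -Name $name -Type A -Server $Forwarder -DnsOnly `
                    -ErrorAction SilentlyContinue |
                    Where-Object QueryType -eq 'A' | ForEach-Object IPAddress)
    if (-not $configured) {
        Write-Warning "$name : no IPv4 address in root hints (currently resolves to $live)"
        continue
    }
    $stale = $live | Where-Object { $configured -notcontains $_ }
    if ($stale) {
        Write-Warning "$name : root hint has $configured but the name now resolves to $live"
    }
}

# 3. Outbound DNS: ask a public resolver and a root server directly for the root
#    NS set. No answer means this host is not allowed to query out, so the
#    chain must be followed upstream as the post describes.
foreach ($target in @($Forwarder, 'l.root-servers.net')) {
    $r = Resolve-DnsName -Name '.' -Type NS -Server $target -DnsOnly -ErrorAction SilentlyContinue
    if ($r) { Write-Output "$target answered the root NS query" }
    else    { Write-Warning "$target did not answer; outbound DNS from this host may be blocked" }
}
```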

Conclusion
Troubleshooting public DNS name resolution starts at home.  Follow the chain of DNS servers from the DHCP scopes down to the root hint servers, as the problem could reside anywhere along the chain.


More Info
This useful table comes from http://en.wikipedia.org/wiki/Root_name_server; there are some more interesting bits of info there too.



Letter | IPv4 address | IPv6 address | Old name | Location | #sites (global/local)[4]
A | 198.41.0.4 | 2001:503:ba3e::2:30 | ns.internic.net | Distributed using anycast | 6/0
B | 192.228.79.201 (since January 2004; originally was 128.9.0.107)[5] | 2001:478:65::53 (not in root zone yet) | ns1.isi.edu | |
C | 192.33.4.12 | 2001:500:2::c (not in root zone yet) | c.psi.net | Distributed using anycast | 6/0
D | 128.8.10.90 | 2001:500:2d::d | terp.umd.edu | |
E | 192.203.230.10 | N/A | ns.nasa.gov | |
F | 192.5.5.241 | 2001:500:2f::f | ns.isc.org | Distributed using anycast | 2/47
G | 192.112.36.4 | N/A | ns.nic.ddn.mil | Distributed using anycast | 6/0
H | 128.63.2.53 | 2001:500:1::803f:235 | aos.arl.army.mil | |
I | 192.36.148.17 | 2001:7fe::53 | nic.nordu.net | Distributed using anycast | 36
J | 192.58.128.30 (since November 2002; originally was 198.41.0.10) | 2001:503:c27::2:30 | | Distributed using anycast | 63/7
K | 193.0.14.129 | 2001:7fd::1 | | Distributed using anycast | 5/13
L | 199.7.83.42 (since November 2007; originally was 198.32.64.12)[8] | 2001:500:3::42 | | Distributed using anycast | 37/1
M | 202.12.27.33 | 2001:dc3::35 | | Distributed using anycast | 5/1