I have two Windows 2003 Servers, one is the PDC and the other is the domain member. I've configured DNS service on both.
Neither of them can resolve a few sites, most notably download.microsoft.com. Other names are resolved fine. There are no errors in the event log. I've checked the root hints twice and compared them to those on Internic.
I've got all the updates, virus checks, hijackthis etc. The machines are clean.
Doing an NSLOOKUP gives the result:
> download.microsoft.com.
Server:  xxx
Address:  192.168.0.1

------------
SendRequest(), len 40
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        download.microsoft.com, type = A, class = IN

------------
DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)
SendRequest failed
------------
SendRequest(), len 40
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        download.microsoft.com, type = AAAA, class = IN

------------
DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)
SendRequest failed
*** Request to 192.168.0.1 timed-out
I can resolve www.microsoft.com, for example.
Any ideas?
Misc info: I have multiple ISPs' DSL lines connecting to a Cisco 877 router. I've enabled the DNS server on the router. If I set the router as the server in nslookup then download.microsoft.com resolves correctly. So, no problem up to that end.
|
|
Hi there, can you resolve any other websites, for example www.google.co.uk? What do your servers have set as their DNS servers in the network card TCP/IP properties? Just having DNS installed won't cause them to use it. James. -- James Yeomans, BSc, MCSE Ask me directly at: http://www.justaskjames.co.uk
"Hussain" wrote:
[Quoted Text]
|
|
Can you post your IPCONFIG /ALL result here?
-- Rahisuddin Shah MCSE - MCSA - ITIL "Hussain" <hussainakbar[ at ]gmail.com> wrote in message news:ff43f85b-71cb-4f40-aa0f-b8344a0d9313[ at ]l33g2000pri.googlegroups.com...
[Quoted Text]
|
|
Yes, the servers can resolve almost every other domain. Perhaps they can't resolve a few, but none come to mind at the moment. As download.ms.com is needed by my programmers to download stuff from, this is what I am focusing on.
The two servers' DNS in their own TCP/IP setup are themselves, i.e. their IPs are 192.168.0.1 & ....2, which is what is set as the DNS. The two are AD primary & member servers.
If I add any other server in the DNS settings, e.g. my router or the ISP's DSL router, then that particular server can resolve the problem host but all my other LAN computers can't.
At the moment, I've bypassed the problem by setting a forwarder for ms.com and forwarded queries to my router.
|
|
Shall do so tomorrow morning when I get in to work.
|
|
In news:7284e23a-1e66-410b-9924-222779c818fb[ at ]g1g2000pra.googlegroups.com, Hussain <hussainakbar[ at ]gmail.com> requesting assistance, typed the following:
[Quoted Text]
If you configure a Forwarder on the two DNS servers, does it work?
I have a feeling it may have something to do with EDNS0. A forwarder will get around that. Your firewall could be blocking EDNS0. What type of firewall is in place?
-- Ace
This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT Microsoft Certified Trainer
For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
|
|
Yes, the forwarder does work. What I have done at the moment is forwarded microsoft.com domain queries to my router. Otherwise, the server could resolve www.microsoft.com but not download.microsoft.com. Weird, eh?
The router is a Cisco877 model. If it blocks DNS requests, then it should be blocking for all, no? Why this particular domain? Is it something to do with aliases or that download.microsoft.com requires queries from some other NS? i.e. some recursive query? No idea. Has me stumped.
I don't know what EDNS is. Shall Google for it.
|
|
IPCONFIG /ALL on both the servers shows:

Host name: S1
Primary Dns suffix: <my local domain, not my Internet one>
Node type: Hybrid
IP routing: No
WINS proxy: No
DHCP enabled: No  <These are the only two machines with fixed IPs, other than my router of course>
IP: 192.168.0.1
Subnet: 255.255.255.0
Gateway: 192.168.0.8  <router>
DNS Servers: 192.168.0.1 & 192.168.0.2
WINS server: 192.168.0.1

That's it. Nice & clean.
As I said, I've put in a forwarder on one of the servers; doing an NSLOOKUP from the other shows:
> download.microsoft.com.
Server:  converges2.karachi.converget.com
Address:  192.168.0.2

------------
SendRequest(), len 40
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        download.microsoft.com, type = A, class = IN

------------
------------
Got answer (161 bytes):
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 4,  authority records = 0,  additional = 0

    QUESTIONS:
        download.microsoft.com, type = A, class = IN
    ANSWERS:
    ->  download.microsoft.com
        type = CNAME, class = IN, dlen = 34
        canonical name = download.microsoft.com.nsatc.net
        ttl = 0 (0 secs)
    ->  download.microsoft.com.nsatc.net
        type = CNAME, class = IN, dlen = 20
        canonical name = main.dl.ms.akadns.net
        ttl = 0 (0 secs)
    ->  main.dl.ms.akadns.net
        type = CNAME, class = IN, dlen = 7
        canonical name = intl.dl.ms.akadns.net
        ttl = 0 (0 secs)
    ->  intl.dl.ms.akadns.net
        type = CNAME, class = IN, dlen = 12
        canonical name = dl.ms.d4p.net
        ttl = 0 (0 secs)

------------
Non-authoritative answer:
Name:    download.microsoft.com

That's it. No IP is retrieved.
|
|
In news:7c7430ef-9e4e-4777-a449-b6b86712d6a5[ at ]t39g2000prh.googlegroups.com, Hussain <hussainakbar[ at ]gmail.com> requesting assistance, typed the following:
[Quoted Text]
Thanks for the link.
I would suggest not disabling EDNS0 on the Windows boxes (it has to be done on every DNS server), but rather allowing it on the Cisco firewall so it can pass. If the forwarder does work, that is telling me the Cisco firewall is blocking it.
If the Cisco 877 is running version 6.3(2) or later, you can run the following command on the Cisco firewall to enable it.
fixup protocol dns maximum-length 1280
The above command instructs the firewall to allow a DNS packet size of up to 1280 bytes, instead of the legacy 512 bytes. If you are not sure how to do it on the command line, in the Cisco GUI I believe it is under system configuration; you will see a list of protocols. In the DNS protocol properties, change the max length.
You can change the max length up to 4096 bytes, but I've found 1280 works fine. http://homepages.tesco.net/J.deBoynePollard/FGA/dns-edns0-and-firewalls.html
I would also re-enable it on the Windows machines by running: dnscmd /config /enableednsprobes 1
Let us know how you make out.
Ace
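To make the EDNS0 mechanism Ace is describing concrete, here is an added Python example; it is not code from this thread, from Microsoft or from Cisco. It builds the same 40-byte A query nslookup printed above, with and without an RFC 6891 OPT pseudo-RR, reads back the UDP payload size the OPT record advertises, and models a DNS-aware filter that forwards only the classic 512-byte RFC 1035 UDP payload. The constants LEGACY_MAX_UDP and EDNS_UDP_SIZE, the simulate_exchange outcome labels and the 900-byte sample response are assumptions for illustration, not measurements from the poster's network.

```python
import random
import struct

# RFC 1035 UDP payload limit that a legacy DNS-aware filter enforces. Assumption:
# the filter in the thread behaves this way; the thread only shows that a forwarder
# avoids the timeout.
LEGACY_MAX_UDP = 512
# Payload size Ace suggests permitting; advertised in the OPT record below.
EDNS_UDP_SIZE = 1280
OPT_TYPE = 41  # EDNS0 OPT pseudo-RR type (RFC 6891)


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = 1, edns: bool = False,
                udp_size: int = EDNS_UDP_SIZE, txid=None) -> bytes:
    """Build a recursion-desired query; with edns=True append an OPT RR to the additional section."""
    if txid is None:
        txid = random.randrange(0x10000)
    flags = 0x0100  # RD set, all else zero: the "query, want recursion" nslookup prints
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN
    pkt = header + question
    if edns:
        # OPT RR: root owner name, TYPE 41, CLASS field reused as the UDP payload size,
        # TTL field reused for extended RCODE/version/flags (all zero), empty RDATA.
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return pkt


def _skip_name(pkt: bytes, off: int) -> int:
    """Return the offset just past a wire-format name, honouring compression pointers."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a two-byte pointer terminates the name
            return off + 2
        off += 1 + length


def advertised_udp_size(pkt: bytes):
    """Return the payload size carried in an OPT RR, or None if the message has no EDNS0."""
    _, _, qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4  # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return None


def simulate_exchange(edns: bool, full_response_len: int,
                      filter_max: int = LEGACY_MAX_UDP) -> str:
    """Model one UDP round trip through a size-limiting filter.

    Returns 'answered', 'truncated' (server capped the reply at 512 bytes and set TC,
    so the client would retry over TCP) or 'timeout' (the reply exceeded what the
    filter forwards, which is what "DNS request timed out" looks like to the client).
    """
    query = build_query("download.microsoft.com", edns=edns)
    limit = advertised_udp_size(query) or LEGACY_MAX_UDP
    sent = min(full_response_len, limit)  # the server honours the advertised size
    if sent > filter_max:
        return "timeout"
    if sent < full_response_len:
        return "truncated"
    return "answered"


if __name__ == "__main__":
    q = build_query("download.microsoft.com", txid=2)
    print(len(q), "byte query without EDNS0 (nslookup showed len 40)")
    q_edns = build_query("download.microsoft.com", edns=True, txid=2)
    print(len(q_edns), "byte query advertising", advertised_udp_size(q_edns), "bytes")
    for use_edns, fmax in ((False, LEGACY_MAX_UDP), (True, LEGACY_MAX_UDP), (True, EDNS_UDP_SIZE)):
        print(f"edns={use_edns} filter_max={fmax}: {simulate_exchange(use_edns, 900, fmax)}")
```

The point of the three simulated runs is the asymmetry the thread describes: a resolver that does not advertise EDNS0 gets a 512-byte, TC-flagged reply and falls back to TCP, so it looks healthy, while a resolver that advertises 1280 bytes gets a larger UDP reply that a 512-byte filter silently drops, which the client can only report as a timeout. Raising the filter limit to the advertised size, as Ace suggests, is the third run.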
|
|
Ace
Ok, I understand what you mean.
Doing a "show version" shows:
ROM: System Bootstrap, Version 12.3(8r)YI4
ROM: Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M) Version 12.4(4)XC4
etc.
So the IOS version I have is 12.4, apparently.
When I use the command line interface, after using "conf t" it shows that there is no command named fixup. Entering "f?" shows that the only commands starting with 'f' are file, flow-sampler-map, frame-relay and ftp-server.
Using the SDM GUI, there is no option for the protocol fixing.
Hmm.... Do I need a new Cisco IOS?
|
|
In news:956e3bcb-8a8c-4af2-8fb8-3e53a9ced90a[ at ]o40g2000prn.googlegroups.com, Hussain <hussainakbar[ at ]gmail.com> requesting assistance, typed the following:
[Quoted Text]
I'm not sure with that version. This sounds like a router and not a PIX firewall. Does the router have the firewall added on? Do you have a support contract with Cisco for your router? If so, you can easily put in a TAC ticket at Cisco's site. They can help you immediately.
Is there another firewall device or proxy server after or before the router?
My feeling for right now is that I would rather use a forwarder anyway than the Root hints. If the forwarder works, set the forwarder to your ISP's DNS server, and contact Cisco on how to configure to permit EDNS0.
Ace
|
|
Ace
Yes, it is a Cisco 877 router, not PIX. It has 4 ethernet ports; one is connected to my LAN while the other 3 are connected to the DSL routers of three different ISP's.
No, I don't have a support contract with Cisco.
|
|
In news:6edb0621-45da-4b36-b9bf-d76621dc99e5[ at ]k24g2000pri.googlegroups.com, Hussain <hussainakbar[ at ]gmail.com> requesting assistance, typed the following:
[Quoted Text]
If download.microsoft.com does not work, that means it definitely is an EDNS0 issue.
You said forwarding works. I would suggest configuring a Forwarder on both of your DNS servers, but do NOT forward to your router. That is not a best practice. Besides, forwarding to your router adds an additional resolution step and increases the response delay.
Forward to your ISP's DNS servers. Do not use conditional forwarding in this case, since you want it to resolve everything outside. You can also use 4.2.2.2 as a forwarder, which works fine.
Ace