DNS timeout issues

    Question

  • Hi guys,

    My DNS server is set to forward out to an ISP.  I noticed that if I run nslookup and connect to my server, all my internal queries are perfect.  I then run my external queries, and even if I query something that is probably cached I always get (2) timeouts and then a non-authoritative answer, as shown below.  I also notice that if I use nslookup to connect directly to the ISP and run the same command there are no timeouts.  Everything is IPv4 and I did uncheck IPv6 on all my DCs.


    H:\>nslookup
    Default Server:  dca.domain.com
    Address:  10.5.66.4

    > www.google.com
    Server:  dca.domain.com
    Address:  10.5.66.4

    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    Non-authoritative answer:
    Name:    www.google.com
    Addresses:  2607:f8b0:400f:801::1013
              74.125.225.212
              74.125.225.209
              74.125.225.210
              74.125.225.211
              74.125.225.208


    Dan Heim

    Friday, September 14, 2012 6:03 PM

All replies

  • Please send the output of the below commands:

    nslookup

    > set debug

    > www.google.com

    This will help us to know what exactly is happening.


    Regards, Nidhin.CK

    Friday, September 14, 2012 6:08 PM
  • Please cross-check the below mandatory things.

    How we should configure DNS on our DC:

    Every DNS server should point to its own IP as the primary DNS and to a DNS server located in a remote site as the secondary DNS in its TCP/IP properties
    All unused NICs should be disabled
    A valid DNS IP from the ISP should be configured in the DNS forwarders. Do not configure local DNS servers in the forwarders
    Public DNS IPs should not be used on any NIC card, only in the forwarders
    Domain Controllers should not be multi-homed
    Running a VPN server or RRAS server makes the DC multi-homed; refer to http://support.microsoft.com/default.aspx?scid=kb;en-us;272294


    If anything above is incorrect, please correct it, run "ipconfig /flushdns & ipconfig /registerdns", and restart the DNS service using "net stop dns & net start dns".

    DNS best practices
    http://technet.microsoft.com/en-us/library/cc778439(v=WS.10).aspx

    Checklist: Deploying DNS for Active Directory
    http://technet.microsoft.com/en-us/library/cc757116(v=ws.10)


    Hope it helps

    Best regards,
    Sarang Tinguria
    MCP, MCSA, MCTS
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Friday, September 14, 2012 7:24 PM
  • If the issue is with NSLOOKUP only, then it seems that your firewall does not support EDNS0 traffic; please try to disable this feature. To disable it, you can run this command: dnscmd /config /EnableEDNSProbes 0

    EDNS0 (Extension mechanisms for DNS)
    http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx

    DNS Forwarders Problems in Windows 2008 R2 DNS Services
    http://blogs.technet.com/b/hishamb_msft/archive/2010/09/02/dns-forwarders-problems-in-windows-2008-r2-dns-services.aspx

    Also ensure the correct DNS settings on the DC, as below.
    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

    If the issue still persists, post the ipconfig /all and dcdiag /q output of the DC. Please use SkyDrive to post the logs.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE | MCSA:Messaging | MCTS | MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    • Proposed as answer by Abhijit Waikar Saturday, September 15, 2012 1:38 AM
    • Marked as answer by dheim Saturday, September 15, 2012 7:43 PM
    • Unmarked as answer by dheim Monday, September 17, 2012 6:05 AM
    Saturday, September 15, 2012 1:27 AM
  • Hi,

    Agree with Sandesh, see this similar thread:
    NSlookup i am getting request timed out.
    http://social.technet.microsoft.com/Forums/en-NZ/winserverDS/thread/8a996d15-1e45-49b2-a3fd-2552024eff20


    Best regards,

    Abhijit Waikar.
    MCSA | MCSA:Messaging | MCITP:SA | MCC:2012
    Blog: http://abhijitw.wordpress.com
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees and confers no rights.

    Saturday, September 15, 2012 1:40 AM
  • I think Sandesh had the correct answer.  I made the change on my DNS server, but it is still not supporting 512 with the nslookup test, so that seems to indicate that my ISP (forwarder) still has an issue.  My firewall is open for me to go to the root hints and test that method with EDNS0 disabled, but I am pretty sure this has to be the problem.  Thanks for your help.

    Dan


    Dan Heim

    Saturday, September 15, 2012 7:43 PM
  • I thought Sandesh had the correct answer, but then I realized that if I did run dnscmd /config /EnableEDNSProbes 0 then I should not have issues, even when using my ISP as a forwarder.  I did turn off my ISP as a forwarder and went straight to the root hints, and still have the exact same issue where I get (2) timeouts and then non-authoritative answers, as shown at the beginning of this thread.  I appreciate all the help, and here is what I am seeing:

    1. Every DNS server does point to itself as primary and then to a secondary DNS server in different site

    2. All unused NICs disabled

    3. I do have one local DNS server as a "Conditional" forwarder.  I know that is not best practice, but our security guys are more concerned with controlling that traffic instead of having fault tolerance.  It is only for a specific domain and I do not think it is coming into play on this.

    4. Domain Controllers are not multi-homed, but a few of them do have NPS on them for some RADIUS clients

    5. The dcdiag /q and dcdiag in general are clean.  We do get the NTSecDesc error, but that is standard because our schema is not prepped for RODCs.

    6. Here is the ipconfig /all and then the debug output of the nslookup

    IPConfig /all


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : DC-A3
       Primary Dns Suffix  . . . . . . . : contoso.com
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : contoso.com
                                           alpha.com
                                           beta.net
                                           charlie.net

    Ethernet adapter Local Area Connection:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HP NC373i Multifunction Gigabit Server Adapter #41
       Physical Address. . . . . . . . . : 00-23-7D-EF-89-04
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::14b1:ca85:f625:70df%11(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.2.66.6(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.254.0
       Default Gateway . . . . . . . . . : 10.2.66.1
       DHCPv6 IAID . . . . . . . . . . . : 234890109
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-15-B9-3F-58-00-23-7D-EF-89-04
       DNS Servers . . . . . . . . . . . : 10.2.66.6
                                           10.5.66.4
                                           10.4.66.50
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{629AC1D8-97DB-430B-9A7E-F711146C75E8}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Tunnel adapter Teredo Tunneling Pseudo-Interface:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    NSlookup www.google.com with debug on
    H:\>nslookup
    Default Server:  dc-a3.contoso.com
    Address:  10.2.66.6

    > set debug
    > www.google.com
    Server:  dc-a3.contoso.com
    Address:  10.2.66.6

    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 2, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            www.google.com.contoso.com, type = A, class = IN
        AUTHORITY RECORDS:
        ->  contoso.com
            ttl = 3600 (1 hour)
            primary name server = dc-a3.contoso.com
            responsible mail addr = admin.contoso.com
            serial  = 7271548
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 900 (15 mins)

    ------------
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 3, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            www.google.com.contoso.com, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  contoso.com
            ttl = 3600 (1 hour)
            primary name server = dc-3.contoso.com
            responsible mail addr = admin.contoso.com
            serial  = 7271548
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 900 (15 mins)

    ------------
    DNS request timed out.
        timeout was 2 seconds.
    timeout (2 secs)
    DNS request timed out.
        timeout was 2 seconds.
    timeout (2 secs)
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 6, rcode = NOERROR
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 5,  authority records = 0,  additional = 0

        QUESTIONS:
            www.google.com, type = A, class = IN
        ANSWERS:
        ->  www.google.com
            internet address = 74.125.225.209
            ttl = 222 (3 mins 42 secs)
        ->  www.google.com
            internet address = 74.125.225.208
            ttl = 222 (3 mins 42 secs)
        ->  www.google.com
            internet address = 74.125.225.212
            ttl = 222 (3 mins 42 secs)
        ->  www.google.com
            internet address = 74.125.225.211
            ttl = 222 (3 mins 42 secs)
        ->  www.google.com
            internet address = 74.125.225.210
            ttl = 222 (3 mins 42 secs)

    ------------
    Non-authoritative answer:
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 7, rcode = NOERROR
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 1,  authority records = 0,  additional = 0

        QUESTIONS:
            www.google.com, type = AAAA, class = IN
        ANSWERS:
        ->  www.google.com
            AAAA IPv6 address = 2607:f8b0:400f:801::1013
            ttl = 54 (54 secs)

    ------------
    Name:    www.google.com
    Addresses:  2607:f8b0:400f:801::1013
              74.125.225.209
              74.125.225.208
              74.125.225.212
              74.125.225.211
              74.125.225.210

    >



    Dan Heim

    Monday, September 17, 2012 6:56 AM
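    An added diagnostic, not code from this thread: it parses a "set debug" transcript like the one above, separates the NXDOMAIN replies caused by the client appending a search suffix (www.google.com.contoso.com) from real resolver failures, and reads the gap in nslookup's query ids (2, 3, then 6, 7) as the two queries that went unanswered within the 2-second timeout. The sample transcript is a constructed, abridged copy of the output posted above, and the suffix list is taken from the ipconfig /all in the same post.

    ```python
    import re

    # Constructed sample: abridged "set debug" transcript from the thread (id/rcode and QUESTIONS lines only).
    SAMPLE = """\
    Got answer:
            opcode = QUERY, id = 2, rcode = NXDOMAIN
            www.google.com.contoso.com, type = A, class = IN
    Got answer:
            opcode = QUERY, id = 3, rcode = NXDOMAIN
            www.google.com.contoso.com, type = AAAA, class = IN
    DNS request timed out.
    DNS request timed out.
    Got answer:
            opcode = QUERY, id = 6, rcode = NOERROR
            www.google.com, type = A, class = IN
    Got answer:
            opcode = QUERY, id = 7, rcode = NOERROR
            www.google.com, type = AAAA, class = IN
    """
    SUFFIXES = ("contoso.com", "alpha.com", "beta.net", "charlie.net")  # DC-A3 search list

    HEADER_RE = re.compile(r"id = (\d+), rcode = (\w+)")
    QUESTION_RE = re.compile(r"^\s*(\S+), type = (\w+), class = IN")

    def parse_debug(text):
        # Events in transcript order: ("timeout",) or ("answer", id, rcode, qname, qtype)
        events, pending = [], None
        for line in text.splitlines():
            if line.startswith("DNS request timed out."):
                events.append(("timeout",))
            elif m := HEADER_RE.search(line):
                pending = (int(m.group(1)), m.group(2))
            elif (m := QUESTION_RE.match(line)) and pending:
                events.append(("answer", *pending, m.group(1), m.group(2)))
                pending = None
        return events

    def summarize(events, suffixes=SUFFIXES):
        # Separate expected search-list NXDOMAINs from real resolver trouble and use
        # gaps in nslookup's query-id sequence to count queries that were never answered.
        out = {"suffix_nxdomain": 0, "timeouts": 0, "lost_ids": [], "answers": []}
        last_id = None
        for ev in events:
            if ev[0] == "timeout":
                out["timeouts"] += 1
                continue
            _, qid, rcode, qname, qtype = ev
            if last_id is not None and qid > last_id + 1:
                out["lost_ids"] += range(last_id + 1, qid)   # ids sent but never answered
            last_id = qid
            if rcode == "NXDOMAIN" and qname.endswith(tuple("." + s for s in suffixes)):
                out["suffix_nxdomain"] += 1    # client appended a DNS suffix; harmless
            else:
                out["answers"].append((qname, qtype, rcode))
        return out
    ```

    On the transcript above this reports two harmless suffix NXDOMAINs, two timeouts matching the two missing ids (4 and 5), and NOERROR answers for both the A and AAAA query, so the resolution itself works and the delay lies in the first two attempts at the real query.
    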
  • Configure IPv6 to dynamic (obtain automatically) as below, run "ipconfig /flushdns & ipconfig /registerdns", and restart the DNS and NETLOGON services.

    Check the NIC binding order: the NIC which is online and has the IP details should be first in the order. If multiple NICs are present, then disable the unrequired NICs.
    http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/

    Once done, run nslookup and see how it works.


    Best Regards,

    Sandesh Dubey.

    MCSE | MCSA:Messaging | MCTS | MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Monday, September 17, 2012 7:08 AM
  • Thanks Sandesh, but still having issues.  Here is what I did:

    1. IPv6 is enabled on the network adapter and everything is set to obtain automatically, as shown above.

    2. I flushed my DNS, registered it and restarted the DNS Client, DNS Server, and Netlogon services

    3. I checked my NIC order and even though NIC #2 was disabled it was still listed at higher priority and it had checks in it, which I unchecked.  I also moved it lower, below the NIC which is enabled.

    4. I reran nslookup and got the same results

    Any other ideas?

    Dan


    Dan Heim


    • Edited by dheim Monday, September 17, 2012 7:23 AM
    Monday, September 17, 2012 7:22 AM
  • When you do tracert google.com, what is the result? If you have a firewall, ensure that port 53 is not blocked for both UDP and TCP. I would also recommend contacting the network team to check the router/firewall for any misconfiguration. Also ensure that a valid forwarder is configured on the server.

    See similar threads.
    http://www.winvistatips.com/nslookup-request-timeout-windows-dns-accessing-externaldomain-t736613.html
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/028d6c08-884c-4804-8f1d-1e9111b8207f

    Also create a DWORD called EnableEDNSProbes and set it to 0 in HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters, then reboot the server and check.
    http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx

    Disable the local Windows Firewall service; by default it is enabled in Vista/Windows 2008 and above. Check the network connectivity and latency.
    Disable Windows Firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

    Also disable the antivirus software.


    Best Regards,

    Sandesh Dubey.

    MCSE | MCSA:Messaging | MCTS | MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.



    Monday, September 17, 2012 7:57 AM
  • Hi,

    Any update here?

    Regards,
    Cicely

    Thursday, September 20, 2012 8:25 AM
  • I was out of town for the week.  I just checked and the regkey DWORD called EnableEDNSProbes is set to 0 in HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters.  I have restarted the services since I made that change, but I have not restarted the server.  I have scheduled that for tonight and will let you guys know tomorrow.  Just to sum things up:

    1. All DNS servers have the problem described at the beginning of this thread.

    2. The servers have this problem even when going directly to the root hints

    3. regkey DWORD called EnableEDNSProbes is set to 0 in HKLM\SYSTEM\CurrentControlSet\services\DNS\Parameters

    4. I do have IPv6 enabled and configured for dynamic

    5. All other NICs are disabled and my binding order looks good

    Based on that information, do you think it could be the firewall?  I always do finally get resolution, but only after a couple of timeouts.

    Thanks,

    Dan


    Dan Heim


    • Edited by dheim Monday, September 24, 2012 3:08 PM
    Monday, September 24, 2012 2:58 PM
  • We also have a DNS "timeout" issue, and it's not due to firewalls, etc. I've run the debug logs on the DNS servers (which are also our DCs).

    I open the DNS client log on a Windows 7 computer and note the exact time; it states "timeout after DNS.........did not respond".

    HOWEVER, in the DNS server debug logs, at the exact same second, it records receiving the request from my computer for www.widgets.com at 1:55:00. Since this is an outside URL, it forwarded the request up to the forest-level DNS server, which responded back at 1:55:00. Then our DNS forwards the response back to my computer; the total time: 1 second!

    I've seen this all happen in under 1 second (verified by Wireshark). I've seen it take 2 seconds. Now, running a MANUAL lookup using NSLOOKUP will indeed time out. The default timeout for NSLOOKUP is 2 seconds. So when you seek resolution and manually use NSLOOKUP, set the timeout in your request, and you won't get an NSLOOKUP timeout error.

    But I digress and get sidetracked here. The REAL issue is that Windows 7 will claim there was no DNS server response when the DNS debug logs CLEARLY show exactly what happened, and that it all happened in 2 seconds or less, often 1 second or less.  I have multiple other examples: my computer requested www.solarwinds.com at 1:55:55 and the DNS logs the request at 1:55:55. DNS forwards my computer's request at 1:55:55 to the forest DNS, which responds at 1:55:56; our DNS forwards back to me at 1:55:56, and yet again my computer says "...timeout after.....no DNS server responded".

    No, this isn't any sort of firewall issue. I've checked that with sniffs, and we DO get a response; it's not blocked. Further, the queries in question were within the old DNS size criteria. W7 is just claiming there was no response when indeed there was. Besides, there are no firewalls between me and the DNS server, and the firewall between our DNS and the forest-level DNS is wide open back and forth to such responses and fully supports the packet sizes of the extended DNS standards.

    I've been looking into this, checked Wireshark traces and firewall logs, and run the DNS servers in DEBUG LOGGING constantly, and over and over: timeout, no DNS server responds, and typically in 1 second.
    If W7 can't wait a single second for a response, it's incredibly impatient now, isn't it?!

    Wednesday, April 10, 2013 4:37 PM