Windows 2008 R2 DNS Root Hints

    Question

  • I have an interesting problem, I've done lots of reading on Windows 2008 R2 DNS issues. The workaround is for me to use forwarders instead of root hints, and so far it's only one site I've got the symptom with. It was working using only root hints prior to our upgrade to 2008 R2.

    Can anyone else using root hints with 2008 R2 DNS actually get to www.pdfmyurl.com ? Nslookup fails....I'm stumped why it's not working, it's not TTL cache and it's not EDNS. As I said, the workaround is to use our ISP DNS with forwarders, but being an uber geek I just need to know WHY ?? :)

    Strange.


    Wednesday, February 22, 2012 6:12 AM

All replies

  •  

    Hi Darryl,

    Thanks for posting here.

    Is it only this particular internet domain that couldn't be resolved by root hints, or would other internet domains be affected too? Do we have another version of Windows DNS server (Windows Server 2003 perhaps) to do the same job, and does it work? Is this server directly connected to the internet or going through a firewall device?

    Please first update the root hints list on the server with the latest entries: http://technet.microsoft.com/en-us/library/ff807388(WS.10).aspx and make sure we can reach these servers from our DNS server. After that we can do some tests following the workarounds in the articles below and see if the root servers return the correct results:

    Tips for nslookup

    http://blogs.technet.com/b/wsnetdoc/archive/2009/05/18/tips-for-nslookup.aspx

    Using NSlookup.exe

    http://support.microsoft.com/kb/200525

    Otherwise, I think we need to capture and analyze the DNS query traffic on the host in order to troubleshoot it accurately.

    http://www.microsoft.com/download/en/details.aspx?id=4865

    Here is my test result for reference:

    com     nameserver = a.gtld-servers.net

    > pdfmyurl.com.
    Server:  a.gtld-servers.net
    Address:  192.5.6.30

    Name:    pdfmyurl.com
    Served by:
    - ns8.zoneedit.com
              75.125.10.187
              pdfmyurl.com
    - ns17.zoneedit.com
              209.126.159.118
              pdfmyurl.com

    How DNS query works

    http://technet.microsoft.com/en-us/library/cc775637(WS.10).aspx

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact  tnmff@microsoft.com.


    Tiger Li

    TechNet Community Support


    • Edited by Tiger Li Thursday, February 23, 2012 5:00 AM
    Thursday, February 23, 2012 3:44 AM
  • To add to Tiger's nslookup results, DIG gave me the following for www.pdfmyurl.com:

    ; <<>> DiG 9.8.0 <<>> @4.2.2.2 www.pdfmyurl.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5672
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.pdfmyurl.com.              IN      A

    ;; ANSWER SECTION:
    www.pdfmyurl.com.       7200    IN      CNAME   pdf-lb3-893620590.us-east-1.elb.m.
    pdf-lb3-893620590.us-east-1.elb.amazonaws.com. 60 IN A 50.19.83.176

    ;; Query time: 142 msec
    ;; SERVER: 4.2.2.2#53(4.2.2.2)
    ;; WHEN: Wed Feb 22 23:39:43 2012
    ;; MSG SIZE  rcvd: 106


    And the response was the same for pdfmyurl.com:

    ; <<>> DiG 9.8.0 <<>> @4.2.2.2 pdfmyurl.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39672
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;pdfmyurl.com.                  IN      A

    ;; ANSWER SECTION:
    pdfmyurl.com.           7200    IN      CNAME   pdf-lb3-893620590.us-east-1.elb.
    pdf-lb3-893620590.us-east-1.elb.amazonaws.com. 60 IN A 50.19.83.176

    ;; Query time: 69 msec
    ;; SERVER: 4.2.2.2#53(4.2.2.2)
    ;; WHEN: Wed Feb 22 23:41:13 2012
    ;; MSG SIZE  rcvd: 102


    As you can see, the TTLs above (in bold) are vastly mismatched. The www.pdfmyurl.com CNAME record is 7200 seconds, or 2 hours, but the record it points to is only 60 seconds, or 1 minute. Therefore the A record it points to expires from cache in 1 minute, and DNS will not re-query the CNAME if you query it again because the CNAME is still in cache.

    Logically, if the TTLs were the same, you wouldn't see this problem.

    The Windows 2008 R2 DNS implementation more closely follows the RFCs to protect against cache poisoning. Up to this point, Windows DNS was a loose implementation that followed BIND v4, which was tolerant about CNAME redirection, CNAME TTL mismatches, and cache poisoning; however, with the greater concern these days of protecting the DNS cache from poisoning, the hatch has been tightened down a bit.

    Apparently the Forwarder you're using is not Windows 2008 R2. I *assume* the latest BIND build 9.8, may do the same thing, but I need to test it before I can ascertain that.

    There's more about this issue. This has been vastly discussed in the following links. I think you'll find them a useful read:


    Good explanation of what's going on with DIG examples showing the differences in the TTLs:
    TechNet thread: "Found a bug in Server 2008 R2 DNS. it will NOT resolve a valid entry that all other DNS implementations do just fine" 2/17/2012
     http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/e4a97a9b-cb1d-43f1-aa5b-1abb34bddfa5

    Read Obi's explanations in his posts in the following thread for a greater understanding regarding cache protection from poisoning. He's a DNS engineer/developer who wrote Treewalk.
    TechNet thread: "Windows 2008 R2 DNS Query Not Retrieving all Records" 7/19/2012
     http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/3f5a0947-f2a7-4d59-9eed-9fcea1df5558

    Comprehensive thread discussion on this topic:
    Windows 2008 server dns service failure to resolve cname: (8/30/2011)
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/bfe3a89f-7ff6-43c9-b387-0a240d891283


    Ace


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.



    Thursday, February 23, 2012 4:53 AM
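The TTL mismatch Ace describes can be checked mechanically. The following script is an added example, not part of the thread: it parses the ANSWER SECTION of dig output (a constructed sample abbreviated from the output quoted above, with the CNAME target written out in full) and reports every CNAME whose TTL is longer than the lowest TTL of the records it points to.

```python
import re

# Constructed sample, abbreviated from the dig answer quoted in the thread
# (the CNAME target, cut off in the post, is written out in full here).
SAMPLE_DIG = """\
;; ANSWER SECTION:
www.pdfmyurl.com.       7200    IN      CNAME   pdf-lb3-893620590.us-east-1.elb.amazonaws.com.
pdf-lb3-893620590.us-east-1.elb.amazonaws.com. 60 IN A 50.19.83.176

;; Query time: 142 msec
"""

# owner  ttl  IN  type  rdata   (dig's presentation format)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")


def parse_answer_section(dig_text):
    """Return (owner, ttl, type, rdata) tuples from dig's ANSWER SECTION."""
    records, in_answer = [], False
    for line in dig_text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            if not line.strip():          # a blank line ends the section
                break
            m = RR_LINE.match(line)
            if m:
                owner, ttl, rtype, rdata = m.groups()
                records.append((owner.lower(), int(ttl), rtype, rdata.lower()))
    return records


def find_ttl_mismatches(records):
    """For each CNAME, compare its TTL with the lowest TTL at its target.

    Returns (cname_owner, cname_ttl, target, target_ttl) for every alias
    that outlives the data it points to, the situation seen in the thread.
    """
    by_owner = {}
    for owner, ttl, rtype, rdata in records:
        by_owner.setdefault(owner, []).append(ttl)
    mismatches = []
    for owner, ttl, rtype, rdata in records:
        if rtype == "CNAME" and rdata in by_owner and min(by_owner[rdata]) < ttl:
            mismatches.append((owner, ttl, rdata, min(by_owner[rdata])))
    return mismatches


if __name__ == "__main__":
    for owner, ttl, target, tttl in find_ttl_mismatches(parse_answer_section(SAMPLE_DIG)):
        print(f"{owner} CNAME TTL {ttl}s exceeds {target} TTL {tttl}s")
```

Feed it the output of `dig @<resolver> <name>` to compare what a forwarder and a root-hints resolver each return for the same name.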
  • Thanks for the response, so far this is the only URL that's been reported to me but I'm sure where there is one there are others, I just haven't had any reported to me. The problem came to light recently as we upgraded the majority of our DCs to 2008 R2, with the exception of 1 DC still at 2003, and yes oddly enough the 2003 DC has no problems resolving the site using root hints. All of our servers are firewalled with Cisco ASA devices and yes I've enabled maximum message length and performed testing to ensure they've been updated to allow EDNS.....not to say it still might be a firewall issue, just that I have looked at it and for now I'm satisfied with my testing that they appear to allow them.

    For my own curiosity I set up a test DC using 2008 R2 with everything pretty plain to see if I could recreate the issue, and sure enough same result, and I put it outside of the firewall just to be sure. I've also cross referenced the root hints currently default with the link you provided and they appear to match perfectly as listed.

    So then from my test DC I tried to recreate what you tested, and I had a surprising result. I'll just paste it as it appeared so there's no miscommunication.

    C:\Windows\system32>nslookup
    Default Server:  hercules.pcgods.local
    Address:  172.16.1.1

    > server a.gtld-servers.net
    Default Server:  a.gtld-servers.net
    Addresses:  2001:503:a83e::2:30
              192.5.6.30

    > pdfmyurl.com
    Server:  a.gtld-servers.net
    Addresses:  2001:503:a83e::2:30
              192.5.6.30

    *** a.gtld-servers.net can't find pdfmyurl.com: No response from server

    That surprised me, and the difference in looking at the TLD servers is that the top 2 TLD servers returned their IPv6 address....so I thought I would try again and pick one that only returned its IPv4.

    C:\Windows\system32>nslookup
    Default Server:  hercules.pcgods.local
    Address:  172.16.1.1

    > server f.gtld-servers.net
    Default Server:  f.gtld-servers.net
    Address:  192.35.51.30

    > pdfmyurl.com
    Server:  f.gtld-servers.net
    Address:  192.35.51.30

    Name:    pdfmyurl.com
    Served by:
    - ns8.zoneedit.com
              75.125.10.187
              pdfmyurl.com
    - ns17.zoneedit.com
              209.126.159.118
              pdfmyurl.com

    So my result there was the same as yours however the first 2 would not work.....so is this an IPv6 thing ? I can try and fully disable IPv6 on the test DC and try, but I'm very curious as to why ?? I hope this helps.

    Thanks again.

    Thursday, February 23, 2012 5:06 AM
  • I got the same results using a.gtld-servers.net (192.5.6.30).

    Did you update your Root Hints as Tiger suggested? If so, does this IP still show up in the Roots list? If so, just as a test, remove that Root hint from the list, clear the DNS server cache, and go back to a client machine, or from the DNS server itself, clear the client-side cache, then try to resolve that name using your DNS from a browser.


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.



    Friday, February 24, 2012 12:33 AM
  •  

    Hi Darryl,


    Thanks for update.

    So could we try to first run the Microsoft fix 50410 on the server in order to set the system to use IPv4 name resolution first? Or just try to temporarily disable IPv6 on this server in the proper way by running fix 50409, as listed in the KB article below:

    How to disable IP version 6 (IPv6) or its specific components in Windows 7, in Windows Vista, in Windows Server 2008 R2, and in Windows Server 2008

    http://support.microsoft.com/kb/929852

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact  tnmff@microsoft.com.


    Tiger Li

    TechNet Community Support

    Friday, February 24, 2012 2:59 AM
  • Ok, I've double checked and the root hints are verified as listed from internic, I also systematically removed root hints a & b leaving c at the top and still the problem persisted from a browser. Re-added the a & b root hints, then ran fix 50410 to prefer IPv4 first, restarted the server and tested both using nslookup and the browser same results as nslookup above and browser also didn't work. I then disabled IPv6 by running 50409, and same results again.

    I've downloaded Microsoft Network Monitor 3.4 but not sure how to use it well, I'm going to play with it and see if I can figure out how to use it.

    Also to note, I'm doing all the testing from the Windows 2008 test server, including browsing etc; that way it's a much more controlled environment for results.

    If you can think of anything else please keep the suggestions coming.

    Saturday, February 25, 2012 5:27 AM
  •  

    Hi Darryl,

    Thanks for update.

    >I then disabled IPv6 by running 50409, and same results again.

    That’s weird, have we restarted the server after this procedure? cos no IPv6 addresses would be received if we’ve disabled this component on the server.

    Regards,

    Tiger Li

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact  tnmff@microsoft.com.


    Tiger Li

    TechNet Community Support

    Monday, February 27, 2012 6:28 AM
  • Here's a hotfix that should address this issue. If you install it, please post back with your results.


    DNS Server service does not use root hints to resolve external names in Windows Server 2008 R2 - HOTFIX available.
    Article ID: 2616776 - Last Review: October 12, 2011, APPLIES TO •Windows 2008 R2 Datacenter •Windows 2008 R2 Ent •Windows 2008 R2 Std
    "Consider the following scenario:
    •You install the Domain Name System (DNS) Server role on a computer that is running Windows Server 2008 R2.
    •You configure the DNS server to use root hints to resolve external names.
    In this scenario, the DNS server does not use root hints to resolve external names and causes name resolution issues.
    This issue occurs because the DNS Server service in Windows Server 2008 R2 does not allow CNAME records and NS records to coexist. When the DNS Server service receives a response that has two kinds of records, it ignores the CNAME record.
    In lieu of installing the HOTFIX: "To work around the issue, configure the DNS server to use forwarders instead of root hints to resolve external names."
    http://support.microsoft.com/kb/2616776



    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.



    Thursday, July 12, 2012 11:58 PM