Intermittent DNS on fresh SBS 2011 - "Bad packets" an issue?..

    Question

  • The scenario is a fresh install of SBS 2011 with 12 client machines.  It is 2011 Essentials, but I've made the server IP static and switched off DHCP in the router, making it more generally applicable to SBS 2011 in general - I think.

    The reason I switched from the out-of-the-box Essentials configuration is that users were experiencing intermittent but ongoing web browsing problems.   Google.com, amazon.com for instance - not available, then later resolving, only to disappear again in clients' browsers.

    Suspecting the unorthodox dynamic DHCP/DNS setup in SBS 2011 Essentials, I changed the settings to the 'traditional way' (which seems a simpler setup anyway). So - turned off DHCP on router, assigned the SBS a static IP, pointed DNS to that same IP, and made the router IP the gateway.  Seemed all fixed for an hour or two - then the same problems began cropping up again.

    Scratching my head, I added the router IP to the Forwarders tab of the SBS DNS console.  Same issues continued. Facebook.com, paypal.com, social.technet.microsoft.com - many sites were unbrowsable and unpingable (FQDN) from client workstations *and also from the server*.

    The event logs look reasonably clean - and the DNS section shows no recent Errors or Warnings. But *very many* entries of the Informational Event 5501 - "DNS Server encountered bad packet from IP Address 192.168.1.1. Packet processing leads beyond packet length."  192.168.1.1 is the router IP.  Information  I can find re this Event ID gives me NT4 references and complicated discussion of EDNS0 that I'm having difficulty relating to a vanilla install of SBS 2011 . And I found this comment from Technet "This is a normal condition. No further action is required."  [http://technet.microsoft.com/en-us/library/ee783616(v=ws.10).aspx]    

    Here is an ipconfig /all of a workstation and the server

    CLIENT MACHINE

            Connection-specific DNS Suffix . : OFFICE.local
            Description . . . . . . . . . . ..........: Intel(R) WiFi Link 5100 AGN
            Physical Address. . . . . . . . . ......: 00-22-FA-E4-70-F0
            Dhcp Enabled. . . . . . . . . . .........: Yes
            Autoconfiguration Enabled . . . ..: Yes
            IP Address. . . . . . . . . . . . : 192.168.1.11
            Subnet Mask . . . . . . . . . . . : 255.255.255.0
            Default Gateway . . . . . . . . . : 192.168.1.1
            DHCP Server . . . . . . . . . . . : 192.168.1.250
            DNS Servers . . . . . . . . . . . : 192.168.1.250
            Lease Obtained. . . . . . . . . . : Monday, 20 February 2012 5:39:58 PM
            Lease Expires . . . . . . . . . . : Tuesday, 28 February 2012 5:39:58 PM

    SERVER

       Host Name . . . . . . . . . . . . : SERVER1
       Primary Dns Suffix  . . . . . . : OFFICE.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . : No
       WINS Proxy Enabled. . . . . . : No
       DNS Suffix Search List. . . . . : OFFICE.local

    Ethernet adapter Local Area Connection:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HP NC326i PCIe Dual Port Gigabit Server Adapter
       Physical Address. . . . . . . . . : 2C-41-38-7D-24-A8
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . : Yes
       Link-local IPv6 Address . . . : fe80::904a:5436:f35c:6333%11(Preferred)
       IPv4 Address. . . . . . . . . : 192.168.1.250(Preferred)
       Subnet Mask . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . : 192.168.1.1
       DHCPv6 IAID . . . . . . . . . . : 237781304
       DHCPv6 Client DUID. . . . . . . : 00-01-00-01-15-54-10-F8-2C-41-38-7D-24-A8

       DNS Servers . . . . . . . . . . . : ::1
                                           192.168.1.250
       NetBIOS over Tcpip. . . . . . . . : Enabled

     Router is a D-Link DSL-G604T which was chosen because it's received a Windows 'tick'.   I've found people on the web dissing these units, but the same can be said of many other consumer level modem/routers.  Right now, I'm inclined to swap it out - but I'm not sure if I'm wasting my time in this

    This Event 5501 could be a red herring - at this stage it's all I can see that's odd looking though, but I would welcome logical troubleshooting steps, as I'm not in a comfort zone here.


    I should add - this same router worked fine under SBS 2003 with a similar static setup, for a couple of years at least.  Only recent change I can think of has been to update the device's firmware before the SBS 2011 install.
    Monday, February 20, 2012 12:28 PM

Answers

  • Putting in a more 'business-oriented' router solved this issue, with standard out-of-the-box settings applied on router and server..

    As did the previously mentioned change of settings in the old router to switch off the router's 'Autodiscover DNS' and manually patch in the addresses of the exact same 2 ISP DNS servers that it was 'autodiscovering'. (!..)

    So I do not recommend the use of a Windows DNS server behind a D-Link DSL-G604T modem-router.

    I can honestly say that every comment made here has been helpful - both for thinking this one through, and potentially for future DNS issues.

    Travis - helpful line of thought - thanks.

    Robert - thanks for your blog - one of the few out there with a focus on SBS2011 Essentials. Was of great help in preparing my first Essentials install & integration. 

    SuperGumby - thanks for your in-depth knowledge that you seem to tirelessly share on forums - it is appreciated, and has helped me out of more tight jams than just this one.

    Cheers!




    Friday, February 24, 2012 8:59 AM

All replies

  • Just to rule out if it's a server issue, can you connect a laptop to the router directly when the issue occurs and check if you can browse websites?
    Monday, February 20, 2012 2:01 PM
  • I have a single basic testing tool on the router - a ping facility in the GUI. My experience so far has been that the same websites that clients stopped connecting to would respond to ping from the router - after which they 'appeared again' in the client's browsers.

    Of course some of the sites (amazon.com, microsoft.com) will not respond to any ping at any time - so observation above may be slightly limited.

    Plugging direct into router is difficult for physical-location reasons.  However, I will try that today.

    How about performing just the same test suggested if I give a workstation a static IP, specifying the router as DNS server as well as the default gateway ? That's effectively the same as plugging in directly to the router isn't it?

    If this problem were not intermittent I would be so much happier...     

    Monday, February 20, 2012 9:27 PM
  • though this was originally Server08 we have seen it also having effect on R2.

    http://blogs.technet.com/b/sbs/archive/2009/01/29/cannot-resolve-names-in-certain-top-level-domains-like-co-uk.aspx

    and yes, testing internet access with the router as DNS would possibly work, but you'll then get AD query problems. The reg change from the article is simple and can be expected to have impact.

    Monday, February 20, 2012 11:12 PM
  • Thanks SuperGumby. Yes I've seen that one on SBS 2008 before certainly - I did not know it persisted onto R2.

    RE the blog page - It's not pretty is it? (Even the last 2 comments there on the blog from 'Nigel Ainscoe' and 'SBS Bloggers' about decimal and hex aren't that pretty are they?..)

    I have not yet applied that regedit.

    I went to the router and in the DNS section of the config page changed 'Use Auto Discovered DNS Only' to 'Use User Discovered DNS Only'. The ISP's DNS servers that it autodiscovers are the exact same two that are manually entered, but still ....

    Then went back to the DNS console on the server and observed that the 5501 "DNS Server encountered bad packet from IP Address 192.168.1.1." events immediately ceased.

    4 hours later, no client has had any name resolution issues yet - so I'm hoping that has nailed it. Touching wood. Internet becomes slow - but usable.

    Current thoughts -

    the router was incorrectly forwarding DNS packets to the SBS DNS server?

    Why didn't this issue show up under SBS 2003 (same router)? Don't know.

    Maybe DNS Server has changed between 2003 and 2008R2. ?

    Maybe firmware update caused this behaviour?

    Have any others had any issues with this "DNS Server encountered bad packet " event ?    Evidence seems to suggest that it is either not that common, or not that serious for others ...

    Tuesday, February 21, 2012 3:36 AM
  • What other DNS forwarders do you have beside the Router? Have you tried your ISP DNS Servers? Or another service like GoogleDNS or OpenDNS?

    Robert Pearman SBS MVP (2011) | www.titlerequired.com | www.itauthority.co.uk

    Tuesday, February 21, 2012 1:30 PM
    Moderator
  • "Some DNS name queries are unsuccessful after you deploy a Windows Server 2003 or Windows Server 2008 R2-based DNS server"
    http://support.microsoft.com/kb/832223

    Excerpt:
    This issue occurs because of the Extension Mechanisms for DNS (EDNS0) functionality that is supported in Windows Server 2003 DNS.

    EDNS0 permits the use of larger User Datagram Protocol (UDP) packet sizes. However, some firewall programs may not permit UDP packets that are larger than 512 bytes. As a result, these DNS packets may be blocked by the firewall.

    Tuesday, February 21, 2012 2:39 PM
  • I haven't seen problems relating to EDNS0 in recent times, but it's possible.

    If you follow the link to MS describing the problem from my original link, expand the 'applies to':

    • Windows Server 2008 R2 Standard
    • Windows Small Business Server 2011 Essentials
    • Windows Small Business Server 2011 Standard
    Tuesday, February 21, 2012 8:23 PM
  • Reading SuperGumby's MS referenced KB, http://support.microsoft.com/default.aspx?scid=kb;EN-US;968372 "Windows Server 2008 and Windows Server 2008 R2 DNS Servers may fail to resolve queries for some top-level domains" states:

    "This problem does not happen if DNS Server is configured to use forwarders for Internet name resolution instead of root hints."

    Specifying a forwarder, which has been done to no resolution, should rule this TLD issue out.  I personally would not query the server and then forward to the router; I'd forward to the ISP's DNS server or other.

    To rule out EDNS0, from a cmdline: "dnscmd /config /enableednsprobes 0" per KB832223.  It's easy enough to rule out both thoughts and to revert if of no avail.

    Tuesday, February 21, 2012 10:45 PM
  • I'm on record as to questioning whether the use of forwarders really matters.
    Tuesday, February 21, 2012 11:58 PM
  • Thanks for input.

    " "This problem does not happen if DNS Server is configured to use forwarders for Internet name resolution instead of root hints."

    Specifying a forwarder, which has been done to no resolution, should rule this TLD issue out. "

    That was my thinking as well.

    Also, having seen the root hints problem previously elsewhere, on SBS2008, my experience has been that it has rarely manifested in resolving straight TLD '.com' addresses.  The users back then had problems with '.co.uk' , 'com.au', and maybe '.cn' - but never any .coms that I recall.

    In this current scenario, I have both a forwarder configured, and intermittent failures with amazon.com, google.com, hotmail.com etc - in fact apparently only the largest of '.com' sites.  The data in the 5501 (bad packet) events shows the DNS names of these sites appearing in the 'bad packet' information.

    If I make the assumption for a moment that those large .coms may be utilising EDNS0 - then my suppositions are

    1. The router is not blocking these packets (as per KB832223), but is truncating or otherwise mangling them before forwarding them to the Windows DNS server
    2. That in this scenario - as Robert and Travis have pointed out - using the ISP DNS servers or public DNS as forwarders on the server (rather than the router LAN IP) is the way to go - for troubleshooting, and more generally I guess.

    Changing the setting I have on the router to alleviate the issue has me further questioning this piece of hardware. That setting, as I understand it, is essentially just a switch between a) Use ISP DNS   or  b) Specify your DNS servers.  The fact that I have switched from a) to b) - specifying the exact 2 ISP DNS servers that it was autodiscovering - has me smelling a rat.    Does my logic hold up ?

    As soon as I can get back there, I can run the command to turn off EDNS0 handling, or regedit DNS fix as indicated. I'm not going to change DNS settings remotely after the user clamour of 2 days ago - too risky...

    Thanks again all for input thus far

    ---------------------------------------

    SuperGumby - by 'really matters' - you mean forwarders are fine to use for most, and not a screaming security hole they’re sometimes made out to be? Or you mean something else?..


    Wednesday, February 22, 2012 12:35 AM
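
The supposition in the post above (a device that cuts a large EDNS0 response short instead of blocking it) can be reproduced offline. This is an added example, not part of the thread: the sample response is constructed, `clip_512` is a hypothetical stand-in for the suspected router behaviour, and `check_packet` walks the records the header promises, the same kind of check that produces "packet processing leads beyond packet length".

```python
import struct

def encode_name(name):
    """Encode a host name as length-prefixed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_response(qname, n_answers, edns_size=4096):
    """Constructed sample: A-record response ending in an EDNS0 OPT record."""
    pkt = struct.pack("!6H", 0x1234, 0x8180, 1, n_answers, 0, 1)
    pkt += encode_name(qname) + struct.pack("!HH", 1, 1)
    for i in range(n_answers):
        # Owner name is a compression pointer back to the question (offset 12).
        pkt += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, i + 1])
    # OPT pseudo-record: root name, type 41, class field carries the UDP size.
    return pkt + b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)

def clip_512(pkt):
    """Hypothetical middlebox: cuts at 512 bytes, leaves header counts and TC alone."""
    return pkt[:512]

def skip_name(pkt, off):
    """Return the offset just past the name that starts at off."""
    while True:
        if off >= len(pkt):
            raise ValueError("name runs beyond packet length")
        n = pkt[off]
        if n & 0xC0 == 0xC0:      # compression pointer, two bytes
            return off + 2
        if n == 0:                # root label ends the name
            return off + 1
        off += 1 + n

def check_packet(pkt):
    """Walk every record the header promises; return (ok, reason)."""
    if len(pkt) < 12:
        return False, "header runs beyond packet length"
    qd, an, ns, ar = struct.unpack("!4H", pkt[4:12])
    off = 12
    try:
        for _ in range(qd):
            off = skip_name(pkt, off) + 4          # QTYPE + QCLASS
            if off > len(pkt):
                raise ValueError("question runs beyond packet length")
        for _ in range(an + ns + ar):
            off = skip_name(pkt, off) + 10         # TYPE, CLASS, TTL, RDLENGTH
            if off > len(pkt):
                raise ValueError("record header runs beyond packet length")
            off += struct.unpack("!H", pkt[off - 2:off])[0]
            if off > len(pkt):
                raise ValueError("RDATA runs beyond packet length")
    except ValueError as err:
        return False, str(err)
    return True, "all %d records fit" % (qd + an + ns + ar)
```

A response with 2 answers is 76 bytes and passes through the clip untouched, while one with 35 answers is 604 bytes and fails the walk after clipping, which fits the observation that only names with large answer sets were affected.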
  • I'm suggesting that I _believe_ the problems described regarding 'uk top level domains' have absolutely nothing to do with 'uk top level domains' (it was noticed there 1st, maybe) and happen regardless of the use of forwarders.
    Wednesday, February 22, 2012 3:25 AM
  • Hmm - ok, got ya.   Then the issue is 'worse' than that outlined you believe - on 2 fronts.  (1. Any domains  2. Forwarders not relevant)

    Which would bring me back to your first post re the registry edit to resolve this. 

    For the minute, for argument's sake, and because I don't have screaming users breathing down my neck ATM, I'm going to run with my 'problem router - not server' theory - although I recognize I could be wrong.  A quick search for "DSL-G604T DNS Issues" brings many quirky-looking results back.  It's true that any cheap consumer router will have thousands of people complaining that it won't work / port-forward / connect / whatever - when often they've just forgotten to connect the LAN cable etc etc...   So you have to allow for filtering out a lot of static.  But all the same, some of the user experiences seem very specific to DNS issues.

    What my theory still doesn't explain is why the 'bad router' would work fine under SBS 2003, where the server was configured for DNS.   Oh wait, yes it would - SBS 2003 default install was to provide your ISP's DNS servers and to use them as forwarders wasn't it?    And 2008 default is just use root hints yes?

    Wednesday, February 22, 2012 4:02 AM
  • it _may_ be that the 'level' of information returned from a forwarder affects the problem.

    Also, the regedit concerns the 'maxttl' (maximum time to live) for a record and it is valid for a DNS Server to 'rewrite' the TTL.

    'Router as forwarder' has a few variables: The router (linux based?) may run a full DNS server, or a DNS proxy, or may automatically NAT DNS queries to the ISP DNS server(s).

    Your ISP DNS also has a few variables: Do they ignore TTL? Act as a 'caching DNS server'? Windows? Linux? Unix(BSD variants)? (or even do they use EDNS0 and something 'upstream' from them truncates the returned information?)

    I've been 'more than a little' interested in the problem from the day I 1st heard 'most DNS queries work fine, but I can't query .uk', and subsequently 'I'm seeing similar symptoms but it has nothing to do with .uk'.

    DNS is a very simple system, the RFC that describes it is only a few thousand words.

    ;-)

    Wednesday, February 22, 2012 5:21 AM
  • Interesting.

    There are plenty of variables there - if memory serves SuperGumby, you have discussed the 3 main DNS router options elsewhere? Including the difficulty of determining if it does proxying or NAT forwarding. I'm sure I read something like that recently - I think under your byline. Pls excuse if wrong.

    I checked my notes re one of the sites where I saw the "certain top level domains like .co.uk DNS Issue" occurring.

    The reported issue at that time was inability to access only '.com.au' - everything else was reportedly fine. This was SBS2008 (not R2) . Adding forwarders resolved this.

    Purely anecdotal and just one experience you understand.

    Are there any known negatives to turning off EDNS0 on your server?

    "DNS is a very simple system"  - that causes a lot of folk a lot of heartache ! .............

    Wednesday, February 22, 2012 6:03 AM
  • Turning off EDNS was actually part of the SBS 03 BPA - you can always enable it again if you notice any negative.

    Robert Pearman SBS MVP (2011) | www.titlerequired.com | www.itauthority.co.uk

    Wednesday, February 22, 2012 7:40 PM
    Moderator
  • I encountered the same problem with an old ASUS WL-500g router. When I use my ISP DNS instead of my router's DNS, then the problems are gone. The only problem is that SBS 2011 adds my router's DNS as the first forwarder after each reboot. I will buy another router, but I think this is a weird issue...
    Wednesday, May 02, 2012 9:46 PM
  • I believe that is only the case if you are running UPnP, or are not telling the RWA wizard you want to configure the router manually.

    My Essentials server next to me has only one forwarder set, which is an ISP DNS Server.


    Robert Pearman SBS MVP (2011) | www.titlerequired.com | www.itauthority.co.uk

    Thursday, May 03, 2012 8:07 AM
    Moderator