Small 2012r2 Server environment - Really bad DNS resolution

  • Question

  • At a small business I support, the users have been complaining for a long while about slow web browsing; browsers giving DNS resolution errors.  When I looked myself, I found DNS resolution for anything external was really poor. When a page is first visited, it almost 100% of the time fails. Try a second time immediately and it will work fine.

    Small Windows AD environment.

    • Server 01 - Server 2012 R2 Essentials, Domain controller, AD integrated DNS server, DHCP server.
    • Server 02 - Server 2012 R2 Standard, Second DC, secondary AD integrated DNS.
    • Netgear prosafe router, not handling DNS or DHCP.
    • Server 01's NIC points to itself for preferred DNS, and points to Server 02 for alternate DNS.
    • Server 02's NIC points to itself for preferred DNS and points to Server 01 for alternate DNS.
    • DHCP passes out Server 02 as preferred DNS and Server 02 as secondary for all DHCP clients.
    • Systems are VMs on ESXi 5.5

    • Both DNS servers have the following Forwarders configured:

      • 209.244.0.3 (resolver1.level3.net)
      • 156.154.70.1 (rdns.ultradns.net)
      • <isp provided primary DNS>
      • <isp provided secondary DNS>
      • 8.8.8.8 (google)
    • Forwarder timeout value set to 2 seconds.

    I found the program DNS Benchmark which shows the same issues that users are reporting:

    More than 20% of resolvers were unreliable Such a high percentage is suspicious: As you may have noticed, a relatively large number of the resolvers (2) benchmarked (more than one in every five) had apparent reliability problems. Since this is a suspiciously high number, it is more likely that the local network was busy and congested while the benchmark was running. Since this will produce unreliable timing results, you should probably attempt to re-run the benchmark at a time when the local network is quiet. Until then, you should consider these timing results to be invalid.


    System's nameservers are probably optimally ordered. Windows uses DNS servers in the order they are listed under the network adapter's properties, or when obtained automatically from an ISP, in the order provided by the ISP. Windows will fall back to using the second, third, and other nameservers only when the first listed nameserver fails to respond. So if the first nameserver happened to be very slow, but working, everything would be slowed down. Consequently, the order of nameserver listing should match their order of decreasing performance . . . which is probably how this system is currently configured:

     Usage Order   Nameserver IP   Speed Rank
     -----------  ---------------  ----------
           1      192.168. 16.  3      2 unreliable 
           2      192.168. 16.  2      1 unreliable 
    


    Final benchmark results, sorted by nameserver performance:
     (average cached name retrieval speed, fastest to slowest)
    
      192.168. 16.  2 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      + Cached Name   | 0.000 | 0.000 | 0.000 | 0.000 | 100.0 |
      + Uncached Name | 0.028 | 1.988 | 8.921 | 3.833 | 100.0 |
      + DotCom Lookup | 0.060 | 5.518 | 9.002 | 4.524 |  90.0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                       Server 01
                    Local Network Nameserver
    
      192.168. 16.  3 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      + Cached Name   | 0.000 | 1.295 | 9.062 | 3.290 |  93.8 |
      + Uncached Name | 0.026 | 5.662 | 9.062 | 4.223 |  86.7 |
      + DotCom Lookup | 0.022 | 4.668 | 9.053 | 4.082 |  76.9 |
      ---<-------->---+-------+-------+-------+-------+-------+
                       Server 02
                    Local Network Nameserver
    
      209.244.  0.  3 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0.013 | 0.014 | 0.016 | 0.001 | 100.0 |
      - Uncached Name | 0.014 | 0.048 | 0.274 | 0.052 | 100.0 |
      - DotCom Lookup | 0.019 | 0.031 | 0.045 | 0.009 | 100.0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                      resolver1.level3.net
            LEVEL3 - Level 3 Communications, Inc., US
    
    
        8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0.013 | 0.014 | 0.017 | 0.001 | 100.0 |
      - Uncached Name | 0.024 | 0.059 | 0.286 | 0.056 | 100.0 |
      - DotCom Lookup | 0.032 | 0.035 | 0.042 | 0.003 | 100.0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                 google-public-dns-a.google.com
                      ··· unknown owner ···
    
    
      156.154. 70.  1 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0.013 | 0.015 | 0.034 | 0.003 | 100.0 |
      - Uncached Name | 0.014 | 0.068 | 0.310 | 0.071 | 100.0 |
      - DotCom Lookup | 0.020 | 0.074 | 0.119 | 0.034 | 100.0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                       rdns1.ultradns.net
                      ··· unknown owner ···
    
    
       <IP redacted> |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
      ----------------+-------+-------+-------+-------+-------+
      - Cached Name   | 0.019 | 0.021 | 0.024 | 0.001 | 100.0 |
      - Uncached Name | 0.027 | 0.048 | 0.254 | 0.042 | 100.0 |
      - DotCom Lookup | 0.034 | 0.035 | 0.038 | 0.001 | 100.0 |
      ---<-------->---+-------+-------+-------+-------+-------+
                       ISP1
                      ··· unknown owner ···
    

    So you can see from the above that there's definitely something screwy with my Windows AD integrated DNS, and I cannot for the life of me figure out what to do about it.

    I'm not finding any DNS related events in the system event logs and I'm unsure of where else to look for any helpful troubleshooting.

    If anyone has ANY suggestions for what I can look at for this, I would be very grateful.

    Monday, October 16, 2017 6:23 PM
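The pattern in the question (first query for a fresh name fails, an immediate retry works) can be reproduced and counted per resolver without DNS Benchmark, so that the failing hop (the DCs' recursion versus the forwarders themselves) is visible. The PowerShell script below is an added example and is not code from the original post or from Microsoft; the addresses are constructed from the post and the zone name `example.com` is a placeholder, so both need replacing, and the mapping of timeouts and NXDOMAIN to the Win32 error codes checked in the `catch` block is an assumption about how `Resolve-DnsName` reports them.

```powershell
# Added example, not from the original post or from Microsoft: for each resolver,
# query a fresh (uncached) name, retry once if the first query got no answer, and
# count first-try versus retry successes. Needs Resolve-DnsName (Windows 8 /
# Server 2012 or later). Addresses constructed from the post: replace them.

$resolvers = [ordered]@{
    'Server 01 (DC, AD-integrated DNS)' = '192.168.16.2'
    'Server 02 (DC, AD-integrated DNS)' = '192.168.16.3'
    'resolver1.level3.net (forwarder)'  = '209.244.0.3'
    'rdns.ultradns.net (forwarder)'     = '156.154.70.1'
    'google (forwarder)'                = '8.8.8.8'
}

# Standard Win32 codes. Assumption: the Win32Exception thrown by Resolve-DnsName
# carries them in NativeErrorCode. An NXDOMAIN reply means the resolver answered,
# so it counts as "answered"; a timeout (or any other error) counts as a failure.
$DNS_ERROR_RCODE_NAME_ERROR = 9003
$ERROR_TIMEOUT              = 1460

function New-UncachedName {
    # A random label under a real zone forces recursion on every query.
    # 'example.com' is a placeholder zone; use one whose owner you control.
    $label = -join ((1..10) | ForEach-Object { [char](Get-Random -Minimum 97 -Maximum 123) })
    return "$label.example.com"
}

function Test-FirstQuery {
    param([string]$Server, [int]$Rounds = 10)
    $result = [pscustomobject]@{
        Server = $Server; Rounds = $Rounds
        FirstAnswered = 0; RetryAnswered = 0; Timeouts = 0; OtherErrors = 0
        FirstMs = @()
    }
    for ($i = 0; $i -lt $Rounds; $i++) {
        $name = New-UncachedName
        $answered = @()
        foreach ($attempt in 1, 2) {
            $sw = [System.Diagnostics.Stopwatch]::StartNew()
            try {
                $null = Resolve-DnsName -Name $name -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop
                $answered += $true
            } catch {
                $code = $_.Exception.NativeErrorCode
                if ($code -eq $DNS_ERROR_RCODE_NAME_ERROR) {
                    $answered += $true          # NXDOMAIN: the resolver did reply
                } else {
                    $answered += $false
                    if ($code -eq $ERROR_TIMEOUT) { $result.Timeouts++ } else { $result.OtherErrors++ }
                }
            }
            $sw.Stop()
            if ($attempt -eq 1) { $result.FirstMs += $sw.ElapsedMilliseconds }
            if ($answered[-1]) { break }        # answered, no retry needed
        }
        if ($answered[0]) { $result.FirstAnswered++ }
        elseif ($answered.Count -ge 2 -and $answered[1]) { $result.RetryAnswered++ }
    }
    return $result
}

foreach ($entry in $resolvers.GetEnumerator()) {
    $r   = Test-FirstQuery -Server $entry.Value
    $avg = if ($r.FirstMs.Count) { ($r.FirstMs | Measure-Object -Average).Average } else { 0 }
    '{0,-36} first ok {1,2}/{2}  ok on retry {3,2}  timeouts {4,2}  other {5,2}  avg first {6,6:N0} ms' -f $entry.Key, $r.FirstAnswered, $r.Rounds, $r.RetryAnswered, $r.Timeouts, $r.OtherErrors, $avg
}

# When run on a DC with the DNS Server role, also show the forwarder list and the
# forwarder timeout (the post says it is set to 2 seconds) next to the results.
if (Get-Command Get-DnsServerForwarder -ErrorAction SilentlyContinue) {
    Get-DnsServerForwarder | Format-List IPAddress, Timeout, UseRootHint
}
```

Run it from a domain client first. If the forwarders answer on the first try while both DCs only answer on the retry, the failure is inside the servers' recursion (forwarder handling, timeout, or the path from the DCs to the forwarders) rather than at the upstream resolvers; if the forwarders also fail from the client, the problem sits on the network path out of the site. Running it a second time from Server 01 and Server 02 themselves separates those two cases further.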

All replies

  • Hi Dan Ceola,

    >>When a page is first visited, it almost 100% of the time fails. Try a second time immediately and it will work fine.

    1. Please first check your network connectivity, using the ping command to test TCP/IP connectivity.

    2. You may turn on the exhaustive debugging mode of nslookup; this will display detailed information about the name resolving process:
    Open Command Prompt on the client, type nslookup and then type set d2. We could find out the problem through the process.
     >NSlookup
     >set d2
     >[name which you want to resolve]

    Here is the guide for Nslookup:
    https://technet.microsoft.com/en-us/library/cc940085.aspx

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, October 17, 2017 7:30 AM
  • Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 23, 2017 8:31 AM