DNS issues - clients first get DNS probe error and then resolve

  • Question

  • Hello

    This issue is driving me a little potty.

    I have a single Windows 2012 r2 server configured with AD and acting as a DNS server.

    There is a Watchguard T-70 firewall and a dedicated 50 / 50 Internet connection so speeds should be good. However, in almost all cases, client machines can't resolve the initial request for a web page. There is some kind of DNS error message and then the page refreshes itself and proceeds to resolve.

    I have the server pointing to itself for DNS and forwarders configured to point to the DNS servers of the ISP.
    When configuring the forwarders, resolving the IP addresses doesn't always work quickly but on other occasions resolves immediately.

    A quick test just now shows unable to resolve the FQDN but the IP addresses show as OK.
    I changed to 8.8.8.8 (unable to resolve) but 8.8.4.4 was able to resolve

    It doesn't matter if I use Google or OpenDNS or the supplier's DNS addresses, resolving can be hit and miss. Sometimes very fast, other times it can't resolve for about 20 seconds or so.

    Root hints are configured as well.

    The Watchguard firewall has an outbound DNS proxy configured which I changed to be a Packet filter without change to services.

    Watchguard has its own DNS configured to point to the ISP's DNS servers

    Simple and recursive tests pass quickly.

    If I launch nslookup most of the time it shows: server unknown but the correct IP address of the server but I have just launched nslookup and the server name is showing correctly.

    nslookup of 8.8.8.8 shows request time out of 2 seconds

    ipconfig /all shows dns server as IPv4 address (actually the loop back address) and no ipv6 as I disabled it from being a dns server address

    From my understanding of DNS, it is configured "correctly".

    All clients are DHCP enabled and indicate all DNS is being resolved by the server so my guess is the server is not configured correctly somewhere along the line.

    Last bit of info is that I have two forward lookup zones:

    One is set to be the local domain name which I have set similarly to: abcd.local (this contains the host(A) records of machines on the network - but funnily enough, just a few...a good number are not registered)

    The other zone is set to the domain name such as abchousing.com (this contains the host(A) records for entries such as mail / autodiscover / www )

    On all my previous domain servers, this issue does not exist but on two win 12 r2 servers, this issue is the same with one being more severe than the other.

    The forward lookup zones were created in a vain attempt to get rid of the certificate popup error for autodiscover.... that's really annoying.

    Any help will be very much appreciated.

    Monday, January 16, 2017 7:06 AM

All replies

  • Hi David Tudor,

    It's better to provide the following information:

    1. The result of ipconfig/all on the client;

    2. The DNS tree of the DNS console;

    3. The result of nslookup the website you want to visit.

    Best Regards,

    Anne


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 17, 2017 8:29 AM
    Moderator
  • Hello Anne

    Here it is:

    C:\Windows\system32>ipconfig /all

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : XYZSERVER
       Primary Dns Suffix  . . . . . . . : xyz.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : xyz.local

    Ethernet adapter Ethernet:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : HP Ethernet 1Gb 4-port 331i Adapter
       Physical Address. . . . . . . . . : 9C-8E-99-66-CC-54
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::179:2907:addb:79c6%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.11.2(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.11.1
       DHCPv6 IAID . . . . . . . . . . . : 312250009
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-D0-18-11-9C-8E-99-66-CC-54

       DNS Servers . . . . . . . . . . . : 192.168.11.2
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{A83B43F1-F90A-47F7-9538-40C6239730F0}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Launching nslookup shows the correct server name and correct IP address

    nslookup 8.8.8.8

    request time out

    nslookup www.google.com

    request time out

    DNS tree (I can't load image for some reason)

    I have a forward lookup zone for

    xyz.local (usual folders populated below)

    xyzdomainname.co.uk (no folders populated below)
    N.B I added the above because Outlook email clients are resolving via http and I needed to add "mail.xyzdomainname.com" and point it to server address otherwise Outlook clients would not resolve their profiles and load properly

    A single reverse lookup zone based on internal IP address

    A Conditional Forwarder to
    Google  - which points to 8.8.8.8 and 8.8.4.4

    Wednesday, January 18, 2017 8:47 AM
  • Hi David Tudor,

    According to your above information, it seems you posted the ipconfig /all output from the DNS server, which uses itself as its DNS server. And when you run nslookup www.google.com on the DNS server, it returns request time out.

    If my understanding is correct, then please check the network connection between the DNS server and the forwarder (8.8.8.8), since according to the result, it looks like the forwarder is unable to provide the resolution for www.google.com.

    Best Regards,

    Anne



    Tuesday, January 24, 2017 9:28 AM
    Moderator
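
The check suggested in the reply above (the path between the DNS server and its forwarders), as an added example that is not part of the original thread. It is meant to be run on the DNS server itself and queries the local server and each forwarder directly, counting timeouts and latency so that intermittent failures show up as numbers. The resolver addresses and test name are the ones quoted in the thread; the attempt count and pause are assumptions.

```powershell
# Added example (not from the thread): quantify intermittent DNS failures
# per resolver. Resolve-DnsName ships with Windows 8 / Server 2012 and later.
$Resolvers = '192.168.11.2', '8.8.8.8', '8.8.4.4'   # local server + forwarders named in the thread
$Name      = 'www.google.com'                        # name that timed out in the thread
$Attempts  = 20                                      # assumption: enough to expose a hit-and-miss pattern

$results = foreach ($server in $Resolvers) {
    $ok = 0; $failed = 0; $times = @()
    for ($i = 0; $i -lt $Attempts; $i++) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            # -DnsOnly: no LLMNR/NetBIOS fallback; -NoHostsFile: ignore the hosts file.
            # -Server sends the query straight to that resolver.
            Resolve-DnsName -Name $Name -Type A -Server $server `
                -DnsOnly -NoHostsFile -ErrorAction Stop | Out-Null
            $ok++
            $times += $sw.ElapsedMilliseconds
        } catch {
            # Timeouts and SERVFAIL both land here; count them as failures.
            $failed++
        }
        Start-Sleep -Milliseconds 500                # assumption: short pause between probes
    }
    $stats = if ($times.Count -gt 0) { $times | Measure-Object -Average -Maximum } else { $null }
    [pscustomobject]@{
        Resolver = $server
        Answered = $ok
        Failed   = $failed
        AvgMs    = if ($stats) { [math]::Round($stats.Average, 1) } else { $null }
        MaxMs    = if ($stats) { $stats.Maximum } else { $null }
    }
}

# The local server may answer repeat queries from its cache, so its first
# attempt and its Failed count are the most telling figures for that row.
$results | Format-Table -AutoSize
```

Failures on the directly queried forwarders point at something between the server's network stack and the Internet (firewall policy or software filtering traffic on the host), while failures only on the local server's row point at the DNS service configuration.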
  • Hello Anne

    Turns out that Kaspersky has installed a filter that does something with the kernel and this causes DNS issues.

    As soon as I removed Kaspersky (not paused it but completely removed it) then it all worked correctly and everything resolved properly.

    Thank you for the responses though.

    Monday, January 30, 2017 2:14 PM
  • Hi David Tudor,

    Glad to hear that you have found the cause and thanks for your feedback.

    Then, you may mark your reply as answer, so that this case can be closed.

    Best Regards,

    Anne



    Tuesday, January 31, 2017 1:28 AM
    Moderator
  • Hi,

    Actually this was the most common error people get all the time. I too faced this issue. I was searching on the internet to solve this issue on my own and came across various methods. Luckily one of them solved my issues and made my job easy to finish. I have written a post on How To Fix DNS Probe Finished No Internet Issue On Chrome And Android on my blog - techjurky.com. If you don't want to waste your time and find the answer quickly, you can go through the post and try the methods.

    Monday, September 17, 2018 12:46 PM