DNSSEC lookups take an incredibly long time (Windows Server)

  • Question

  • Hello,
    I would like to ask for help. I have Windows Server 2016 with the DNS server installed. That server is a DC too. The server works as a recursive DNS server for the network and has DNSSEC validation enabled. This server has a public IPv4 and a publicly routable IPv6 address. The problem is that DNSSEC validation takes an incredibly long time. Most websites the server cannot resolve at first. dig returns SERVFAIL and nslookup gives me:

         *** UnKnown can not find website.com: Server failed 

    When I try to resolve that hostname and get to the website, it suddenly starts working. It takes approx. 5 minutes. After that, the website is reachable.

    I think that most likely the DNSSEC validation takes too long. When I look into the server's cache, there are some records for that particular domain from the beginning of the lookup, but not all. I think that the last RR Signature (RRSIG) appears there after a really long time, and when it's finally there, the lookup is finished and I can view that website.

    Could someone help me please? Any help would be appreciated. Thank you.


    Saturday, January 27, 2018 2:26 PM

All replies

  • Hi,

    You might turn on the exhaustive debugging mode of nslookup; this will display detailed information about the name resolution process:

    >NSlookup

    >set d2

    >[name which you want to resolve]

    Also, please take a screenshot of the error and upload the images in our forum directly. This will help us understand your issue better.

    Note: Any private information you share in a public forum might be seen or collected by other persons, please delete/black out the private information before you post.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, January 29, 2018 5:39 AM
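    As an added example (not part of the thread), a PowerShell probe that times the same lookup with DNSSEC records requested versus with checking disabled, which separates a validation failure on the server from an upstream reachability problem; the function names and the `::1` default are assumptions, and the switches used are the documented Resolve-DnsName parameters.

```powershell
# Added diagnostic (not from the thread). Compares how a resolver answers a
# signed name with DNSSEC records requested (DO bit) versus validation
# switched off by the client (CD bit). Assumptions: $Server is the resolver
# under test (the thread queried the DC itself via ::1); the names are the
# domains the poster listed; Test-DnssecResolution and Invoke-Probe are ours.
function Test-DnssecResolution {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$Server = '::1'
    )

    function Invoke-Probe([hashtable]$Flags, [string]$Mode) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            # -DnsOnly / -NoHostsFile keep LLMNR, NetBIOS and the hosts file
            # out of the measurement so only the DNS server's behaviour is timed.
            $rr = Resolve-DnsName -Name $Name -Type A -Server $Server `
                      -DnsOnly -NoHostsFile -ErrorAction Stop @Flags
            $result = 'OK'
            $rrsig  = @($rr | Where-Object { $_.Type -eq 'RRSIG' }).Count
        } catch {
            $result = $_.Exception.Message   # e.g. "DNS server failure" for SERVFAIL
            $rrsig  = 0
        }
        $sw.Stop()
        [pscustomobject]@{ Name = $Name; Mode = $Mode; Ms = $sw.ElapsedMilliseconds
                           Result = $result; RRSIG = $rrsig }
    }

    $do = Invoke-Probe @{ DnssecOk = $true } 'DO'
    $cd = Invoke-Probe @{ DnssecCd = $true } 'CD'

    # CD succeeds while DO fails: the upstream data is reachable and the failure
    # is local validation (trust anchor, clock, or slow RRSIG fetching). Both
    # fail: the resolver cannot get a usable upstream answer at all (network,
    # fragmentation, EDNS), which is not a validation problem.
    $verdict = if ($do.Result -eq 'OK')      { 'validated OK' }
               elseif ($cd.Result -eq 'OK') { 'validation failure (data reachable with CD)' }
               else                         { 'upstream resolution failure' }

    [pscustomobject]@{ Name = $Name; Verdict = $verdict; Probes = @($do, $cd) }
}

# Run against the names reported in the thread and show per-mode timings.
foreach ($n in 'nic.cz', 'dnssec.cz', 'turris.cz') {
    $t = Test-DnssecResolution -Name $n
    "{0,-16} {1}" -f $t.Name, $t.Verdict
    $t.Probes | Format-Table Mode, Ms, RRSIG, Result -AutoSize
}
```

    Run it on the resolver itself as well as from a client, since a large gap between the DO and CD timings on the server points at the validation path rather than at the network.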
  • Hi,
    thank you very much for responding!

    Here is nslookup output:

    C:\Windows\system32>nslookup
    Default Server:  UnKnown
    Address:  ::1

    > set d2
    > nic.cz
    Server:  UnKnown
    Address:  ::1

    ------------
    SendRequest(), len 34
        HEADER:
            opcode = QUERY, id = 2, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            nic.cz.domain.local, type = A, class = IN

    ------------
    ------------
    Got answer (97 bytes):
        HEADER:
            opcode = QUERY, id = 2, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            nic.cz.domain.local, type = A, class = IN
        AUTHORITY RECORDS:
        ->  domain.local
            type = SOA, class = IN, dlen = 42
            ttl = 3600 (1 hour)
            primary name server = server.domain.local
            responsible mail addr = hostmaster.domain.local
            serial  = 2955
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)

    ------------
    ------------
    SendRequest(), len 34
        HEADER:
            opcode = QUERY, id = 3, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            nic.cz.domain.local, type = AAAA, class = IN

    ------------
    ------------
    Got answer (97 bytes):
        HEADER:
            opcode = QUERY, id = 3, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            nic.cz.domain.local, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  domain.local
            type = SOA, class = IN, dlen = 42
            ttl = 3600 (1 hour)
            primary name server = server.domain.local
            responsible mail addr = hostmaster.domain.local
            serial  = 2955
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)

    ------------
    ------------
    SendRequest(), len 24
        HEADER:
            opcode = QUERY, id = 4, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            nic.cz, type = A, class = IN

    ------------
    ------------
    Got answer (24 bytes):
        HEADER:
            opcode = QUERY, id = 4, rcode = SERVFAIL
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            nic.cz, type = A, class = IN

    ------------
    ------------
    SendRequest(), len 24
        HEADER:
            opcode = QUERY, id = 5, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            nic.cz, type = AAAA, class = IN

    ------------
    ------------
    Got answer (24 bytes):
        HEADER:
            opcode = QUERY, id = 5, rcode = SERVFAIL
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            nic.cz, type = AAAA, class = IN

    ------------
    *** UnKnown can't find nic.cz: Server failed
    >

    Monday, January 29, 2018 7:53 AM
  • I have problems especially with these websites: standardkonektivity.cz, dnssec.cz, nic.cz, mojeid.cz, turris.cz, jaknainternet.cz, domenovyprohlizec.cz, jaknainternet.cz, which are all hosted on some of these nameservers: a.ns.nic.cz, b.ns.nic.cz, c.ns.nic.cz, d.ns.nic.cz.

    The issue appears on all installations of Windows Server 2016. It looks like a Windows Server 2016 issue. I have no problems with the same config on Windows Server 2012 R2.

    I tried multiple internet connections, so it shouldn't be a fw/gw issue.

    I have no problems with domains without DNSSEC.

    Problem persists when IPv6 is disabled.

    The network configuration should be OK. I have tested this on multiple systems with different configurations.

    Clock is ok on the server.

    Tuesday, February 6, 2018 1:19 PM
  • Hello,

    I have the same problem (WinSrv2016, DNSSEC). Have you found any solution?

    Thank you

    Kvěch

    Monday, September 9, 2019 6:35 PM
  • Hello,
    unfortunately I never solved this. I was pressed for time, so in the end I created a small Linux virtual server on which I configured the Unbound DNS resolver in a few minutes, and everything works without problems...

    If you find a solution, I would be very interested...

    Have a nice day.

    Tuesday, September 10, 2019 6:36 AM