DNS can't resolve some external domains

  • Question

  • Hello,

    I'm facing an issue with DNS.

    My topology is composed of 2 DCs (2016, up to date) with an AD-integrated zone.

    ~50 users use these DCs and everything works, but I was alerted by someone who can't reach a website: agenda-mlblois.com

    I tried from my computer: DNS timeout.

    I tried with nslookup from the DCs: DNS timeout.

    If I try nslookup agenda-mlblois.com 8.8.8.8: I get an answer!

    I spent a lot of time on the web and found nothing more about this. I read about DNSSEC but it seems I'm not concerned.

    IPv6 is not disabled on the DCs.

    In my DCs' DNS configuration, I tried without forwarders, with forwarders (8.8.8.8 - 8.8.4.4 - 1.1.1.1 - 194.0.2.0.50 - 194.2.0.20), and I updated the root hints too. The DNS IP configuration is:

    DC1 

    1/ ip DC2

    2/ 127.0.0.1

    DC2

    1/ ip DC1

    2/ 127.0.0.1

    Wireshark capture when I run nslookup agenda-mlblois.com:

    Wireshark capture when I run nslookup agenda-mlblois.com 8.8.8.8:

    I created a new 2016 VM and installed the AD+DNS roles: the domain agenda-mlblois.com is resolved without problem. So my firewall isn't blocking anything and my network devices seem to work.

    Thanks for your help, have a nice week-end.

    Friday, May 4, 2018 3:25 PM

Answers

  • Jesus... I think it's F-Secure Server Security...

    I tried installing it on the fake DC: can't reach agenda-mlblois.com

    I uninstalled it on my SRV-AD2: I can now reach agenda-mlblois.com

    I don't understand what's going on! Why does F-Secure block this website and not google.fr for example? And it's a server version...

    OK, I checked on Google and I saw this:

    https://community.f-secure.com/t5/Business/F-secure-blocking-DNS/td-p/103129

    Solved.

    Dokoh, I'm sorry for your time. But thanks for giving me some of it.

    • Edited by Spunamo Monday, May 7, 2018 4:41 PM
    • Marked as answer by Spunamo Monday, May 7, 2018 4:42 PM
    Monday, May 7, 2018 4:30 PM

All replies

  • Hello,

    Did you check that you don't have any conditional forwarder configured?

    Did you check that you don't have any hosts file entries on the DNS servers?

    Best Regards,

    Sunday, May 6, 2018 5:27 PM
  • Hello,

    There is no conditional forwarder.

    The hosts files are empty: only # lines.

    Any other help ?

    Regards,

    Monday, May 7, 2018 10:42 AM
  • DNS query block policy?

    Best Regards,

    Monday, May 7, 2018 11:38 AM
  • In the registry on both DCs, the value of GlobalQueryBlockList is "wpad isatap". On the command line:

    C:\Users\administrateur.DOMAINE>dnscmd /info /globalqueryblocklist

    Résultat de la requête :
    String :  wpad
    String :  isatap

    La commande s’est terminée correctement.

    I ran the following command to delete all entries:

    dnscmd /config /globalqueryblocklist

    Now the globalqueryblocklist key is empty on both DNS servers.

    Restarted DNS on both.

    Tried to ping agenda-mlblois.com: not OK.

    I found 2 other websites which I can't reach: www.poly-math.com and www.forum-microsoft.org

    It's very weird... these 3 websites are reachable using 8.8.8.8 in nslookup.

    Monday, May 7, 2018 12:08 PM
  • Is it possible for you to add a new DC in this domain and see if you have the same issue using this new DC?

    Best Regards,

    Monday, May 7, 2018 1:15 PM
  • I've set up a new 2016 virtual machine (on the same physical server), joined my domain, rebooted, and added the AD DS and DNS roles.

    I can reach agenda-mlblois.com, poly-math.com, forum-microsoft.org!

    Should I configure local forwarders on both DCs? Or is that not necessary? When I added the new DCtest to the domain, it automatically added the two other DCs as forwarders.

    • Edited by Spunamo Monday, May 7, 2018 2:57 PM
    Monday, May 7, 2018 2:30 PM
  • At least we know now that the issue is located on these 2 DC/DNS servers.

    Can you try to check DnsServerQueryResolutionPolicy:

    https://docs.microsoft.com/en-us/powershell/module/dnsserver/get-dnsserverqueryresolutionpolicy?view=win10-ps

    Best Regards,

    Monday, May 7, 2018 2:58 PM
  • Sorry, I don't know how to use this tool.

    In PowerShell, I tried:

    PS C:\Users\administrateur.DOMAINE> Get-DnsServerQueryResolutionPolicy -ZoneName "DOMAINE.local" | Format-List 
    PS C:\Users\administrateur.DOMAINE>

    But there is no output; it just returns to the prompt.

    Edit: I've rebooted the fake DC, and now I can't ping agenda-mlblois.com... Very strange: I can't do an nslookup with localhost as the nameserver, but I have an IP in the cache for agenda-mlblois.com!

    I tried clearing the cache, then pinged agenda-mlblois.com: not OK, but the A entry for agenda-mlblois.com appears in the cache...

    Very strange: nslookup can't resolve, but the A entry is present. (Not the same on my real DC: there is no agenda-mlblois.com entry in the DNS cache.)

    If I leave the IPs of my real DCs on the network card: I can't reach agenda-mlblois.com

    If I put 127.0.0.1 as the primary or secondary DNS IP on the network card: I can reach agenda-mlblois.com


    • Edited by Spunamo Monday, May 7, 2018 4:03 PM
    Monday, May 7, 2018 3:14 PM
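The checks the thread walks through one by one (local vs. external resolution, forwarders, conditional forwarders, the GlobalQueryBlockList, query resolution policies, the hosts file, the server cache, and finally whatever host software sits in the DC's network path) can be collected in one script. The following is an added example, not code from the thread or from Microsoft; the domain names and the 8.8.8.8 resolver come from the posts above, the script name Test-DnsPath.ps1 is assumed, and it expects the DnsServer and DnsClient modules that ship with the DNS Server role on Windows Server 2016.

```powershell
# Test-DnsPath.ps1 (assumed name): run in an elevated PowerShell session on each DC.
# Added diagnostic, not from the thread. Repeats the thread's checks side by side.
#Requires -RunAsAdministrator
param(
    # Names from the thread; google.fr is the control that always resolved.
    [string[]]$Names    = @('agenda-mlblois.com', 'www.poly-math.com', 'www.forum-microsoft.org', 'google.fr'),
    # External resolver to compare against (the poster used 8.8.8.8).
    [string]  $External = '8.8.8.8'
)

function Test-Resolution {
    param([string]$Name, [string]$Server)
    try {
        # -DnsOnly / -NoHostsFile so neither LLMNR/NetBIOS nor the hosts file can mask a DNS failure.
        $r   = Resolve-DnsName -Name $Name -Type A -Server $Server -DnsOnly -NoHostsFile -ErrorAction Stop
        $ips = ($r | Where-Object { $_.Type -eq 'A' } | ForEach-Object IPAddress) -join ','
        if ($ips) { "OK   $ips" } else { 'NOANSWER' }
    } catch {
        "FAIL $($_.Exception.Message)"
    }
}

# 1. Recursive resolution through this DC vs. a direct query to the external resolver.
#    A name that fails via 127.0.0.1 but answers from $External implicates the DC's own
#    recursion/forwarding path (or something intercepting it), not the remote zone.
Write-Host "== Resolution: local DNS (127.0.0.1) vs $External =="
$results = foreach ($n in $Names) {
    [pscustomobject]@{
        Name     = $n
        Local    = Test-Resolution -Name $n -Server '127.0.0.1'
        External = Test-Resolution -Name $n -Server $External
    }
}
$results | Format-Table -AutoSize

# 2. Forwarders and whether root hints are used as fallback.
Write-Host '== Forwarders =='
Get-DnsServerForwarder | Format-List IPAddress, UseRootHint, Timeout

# 3. Conditional forwarders appear as zones of type 'Forwarder'.
Write-Host '== Conditional forwarders =='
Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder' |
    Format-Table ZoneName, MasterServers -AutoSize

# 4. Global Query Block List (wpad/isatap by default). It only affects names inside
#    zones this server hosts, so it cannot by itself block an external domain.
Write-Host '== GlobalQueryBlockList =='
Get-DnsServerGlobalQueryBlockList | Format-List Enable, List

# 5. Server-level query resolution policies. The thread's query was scoped with
#    -ZoneName, which returns nothing when the policy is defined at server level.
Write-Host '== Query resolution policies (server level) =='
Get-DnsServerQueryResolutionPolicy | Format-Table Name, Action, IsEnabled, Condition -AutoSize

# 6. Any non-comment line in the hosts file.
Write-Host '== hosts file entries =='
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }

# 7. Cached answers for the names under test, to compare with step 1
#    (the poster saw an A record in the cache while nslookup still failed).
Write-Host '== Cache entries =='
foreach ($n in $Names) {
    Show-DnsServerCache | Where-Object { $_.HostName -like "*$n*" } |
        Format-Table HostName, RecordType, RecordData -AutoSize
}

# 8. Software in the DC's network path. The thread ended at a host security product;
#    listing enabled adapter bindings and loaded minifilters makes any third-party
#    component visible so it can be tested by disabling/uninstalling it on one DC.
Write-Host '== Enabled adapter bindings =='
Get-NetAdapterBinding | Where-Object Enabled | Format-Table Name, DisplayName, ComponentID -AutoSize
Write-Host '== Loaded filter drivers =='
fltmc filters
```

Run it on each DC and on the freshly built test DC and diff the output: the poster's symptom (FAIL from 127.0.0.1, OK from 8.8.8.8, for the same three names, with the fresh DC resolving fine) shows up in step 1, and the remaining sections narrow down whether configuration on the DNS server or a host component around it is responsible.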
  • Hi,

    I am pleased to know that the issue is resolved successfully. Thanks for sharing in the forum as it would be helpful to anyone who encounters similar issues. If there is anything else we can do for you, please feel free to post in the forum.

    Highly appreciate your effort and time. 

    Have a nice day!

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, May 9, 2018 9:15 AM