Dname lookup not returning an ip address

  • Question

  • I have 3 domain controllers: 2 are 2008 R2 and one is 2012 R2.

    I have zones that I use to point inside traffic to the inside address of certain servers. I use DNAMEs to accomplish that task.

    I also have some zones that do not exist outside, for which I use DNAMEs to point to internal machines.

    example:

    internalonly.mydomain.com

    dname=mylocalcomputer.myinternaldomain.com

    When I query my servers I get an ip address on my 2008 r2 machines but not on the 2012 r2 machine.

    I would like to get the same response on my 2012 r2 that I get from my 2008 r2 servers.

    ex of response I want:

    nslookup internalonly.mydomain.com dc1

    Server:dc1.myinternaldomain.com

    Address: 192.168.0.2

    Name: mylocalcomputer.myinternaldomain.com

    Address: 192.168.0.25

    Aliases: internalonly.mydomain.com

    ex of response I get from my 2012 r2 server

    nslookup internalonly.mydomain.com dc3

    Server:dc3.myinternaldomain.com

    Address: 192.168.0.4

    Name: internalonly.mydomain.com

    How do I fix my Windows 2012 R2 server to send back what I expect?



    • Edited by PenguinJeff Tuesday, November 14, 2017 5:33 PM
    Tuesday, November 14, 2017 5:28 PM

Answers

  • Hi,

    Referring to the result of nslookup, the DNAME is responded to with an SOA record. After checking previous cases, this looks similar to cases that installed KB3133954, which is a design change in DNS.

    The DNS.exe version 6.3.9600.18729 should be the latest. If the server has installed one of the following updates, DNS.exe should have this version.

    4048958

    4041685

    4041693

    4038774

    4038792

    4039871

    4034663

    4034681

    4025335

    Note: the above are monthly updates for November, October, September, August and July

    If you want to lower the version of DNS.exe to the version before KB3133954, you would need to uninstall other monthly updates, including KB3192404 (which is the October 2016 Preview of Monthly Quality Rollup).

    Best Regards,

    Candy



    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Marked as answer by PenguinJeff Tuesday, November 21, 2017 5:12 PM
    Tuesday, November 21, 2017 10:06 AM

All replies

  • Hi PenguinJeff,

    >>Dname lookup not returning an ip address

    First, please check if you have KB3133954 installed.

    The following link talks about changes in DNAME resolution for Windows Server 2012 R2 that were introduced in KB3133954. More specifically, if you look at the “Known issue” section of KB3133954, you will find that it states:

    After you install this update, the DNAME resolution by Microsoft DNS Servers will be changed.

    Previously, you could query for the domain (type=ANY or type=A) example.com, and get back the host (A) record for the DNAME. After you install this update, that query fails.

    This change was made for compliancy with RFC 6672.”

    For more details, please refer to the following link:

    https://blogs.technet.microsoft.com/askpfeplat/2017/06/05/what-in-the-world-happened-to-my-dname-resolution/

    DNSSEC validation fails when incorrect response to DNSKEY query is sent on Windows Server 2012 R2-based DNS server

    https://support.microsoft.com/en-us/help/3133954/dnssec-validation-fails-when-incorrect-response-to-dnskey-query-is-sen

    Best Regards,

    Candy




    Wednesday, November 15, 2017 2:44 AM
  • 

    C:\Windows\System32>wmic qfe list| findstr KB3133
    http://support.microsoft.com/?kbid=3133043  DC3     Security Update
      KB3133043               NT AUTHORITY\SYSTEM  8/25/2016

    http://support.microsoft.com/?kbid=3133690  DC3     Update
      KB3133690               NT AUTHORITY\SYSTEM  8/25/2016

    http://support.microsoft.com/?kbid=3133924  DC3     Update
      KB3133924               NT AUTHORITY\SYSTEM  8/25/2016


    I do not have KB3133954. Could they have named it something else?

    It is behaving like that is installed. Is there a way to get the expected behavior even if that is installed? What would I need to do to the DNAME records?


    • Edited by PenguinJeff Wednesday, November 15, 2017 2:55 PM
    Wednesday, November 15, 2017 2:44 PM
  • Hi,

    Thanks for your update.

    Based on my research, it seems that KB3133954 has been superseded by another patch.

    Did the DNAME work fine before? If yes, you could check the patches installed during that period.

    >>Is there a way to get the expected behavior even if that is installed? 

    As far as I know, this behavior is by design per RFC.

    Best Regards,

    Candy



    Thursday, November 16, 2017 9:59 AM
  • I've read RFC 6672

    https://tools.ietf.org/html/rfc6672

    It is less specific than the document it replaces. The current behavior is less compliant than it was.

    I was pointing a DNAME to an A record. The single A record should be equivalent to a domain with a top-level A record. It should not be throwing it away. I should get an A record back.

    The reason I was using it was for DHCP-assigned hosts. I have a number of internal web servers that get their IP addresses from DHCP, so that I can pop out a clone and not have to set an address.

    Because they are used to test web servers that might get moved to the DMZ with an outside name, I have a script that, when a new VM gets an IP from DHCP, creates a zone <SameNameAsVM>.<OutsideDomain> and gives it a DNAME pointing at its A record.

    The only way I can think of now is to whittle away at my DHCP scope and statically assign IPs at the DHCP server for all VMs and create the zones with A records. If someone has a better way of replacing my previously awesome working method I'd like to know. Maybe I can create a Linux BIND server; I never tried a BIND server with DNAMEs.

    I'm not sure how to script telling the DHCP server to reserve addresses. For the DNAME method I had a script I ran on the DC every 5 minutes with Task Scheduler. In it I use

    netsh dhcp server \\dc1 scope 192.168.0 show clients 1 | findstr 00-50-56

    to list all VMs that got DHCP addresses.

    With the <name> from the previous command I use

    dnscmd dc1 /zoneinfo <name:<ChopInternalDomain>>.<OutsideDomain>

    to see if an entry exists.

    If not, I create it with

    dnscmd dc1 /zoneadd <name:<ChopInternalDomain>>.<OutsideDomain> /dsprimary

    dnscmd dc1 /recordadd <name:<ChopInternalDomain>>.<OutsideDomain> . DNAME <name>

    And that was essentially it. I have a batch script that I have been using, since I was familiar with batch.

    Maybe there is a sub command on

    netsh dhcp server \\dc1 scope 192.168.0

    that I can use to reserve the addresses.


    • Edited by PenguinJeff Thursday, November 16, 2017 4:13 PM
    Thursday, November 16, 2017 4:12 PM
  • I can add

    netsh dhcp server \\dc1 scope 192.168.0 add reservedip <IP> <MAC> <name> "VM_AutoAdd" BOTH

    to my script and I will need to add the A records of the names and ips to my internal domain as well.

    Thursday, November 16, 2017 6:03 PM
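The provisioning loop described in the two posts above (list the VM leases, check for the per-VM zone, create it, then reserve the address and add the A records) as a dry-run planner. This is an added example, not the poster's batch script: it parses a constructed sample of `netsh dhcp server \\dc1 scope 192.168.0.0 show clients 1` output (the column layout is approximated, not captured from a real server), filters on the 00-50-56 VMware prefix the poster greps for, and prints the dnscmd/netsh commands it would run instead of executing them. It publishes an A record at the apex of the outside zone rather than an apex DNAME, which is the arrangement the poster moves to; the `@` apex node name in dnscmd, the dash-less MAC in `add reservedip`, and the scope ID `192.168.0.0` are this example's assumptions.

```python
# Dry-run planner for the DHCP-lease-to-DNS loop from the thread.
# Added example; names and addresses are the placeholders used in the question.
import re
from typing import Dict, Iterable, List, Set

# CONSTRUCTED sample approximating 'netsh dhcp server \\dc1 scope 192.168.0.0 show clients 1'.
SAMPLE_NETSH_OUTPUT = """\
Changed the current scope context to 192.168.0.0 scope.

Type : N - NONE, D - DHCP B - BOOTP, U - UNSPECIFIED, R - RESERVATION IP
============================================================================================
IP Address      - Subnet Mask    - Unique ID           - Lease Expires        -Type -Name
============================================================================================

192.168.0.25    - 255.255.255.0  - 00-50-56-aa-bb-01   -11/22/2017 5:07:00 PM  -D-  webtest1.myinternaldomain.com
192.168.0.26    - 255.255.255.0  - 00-50-56-aa-bb-02   -11/22/2017 5:09:00 PM  -D-  webtest2.myinternaldomain.com
192.168.0.40    - 255.255.255.0  - 3c-97-0e-12-34-56   -11/22/2017 6:00:00 PM  -D-  laptop7.myinternaldomain.com

No of Clients(version 4): 3 in the Scope : 192.168.0.0.
"""

LEASE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+-\s+\S+\s+-\s+"        # IP address, subnet mask
    r"(?P<mac>[0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+-\s*.+?\s+"      # unique ID (MAC), lease expiry
    r"-(?P<type>[A-Z])-\s+(?P<name>\S+)\s*$",                    # type flag, client name
    re.IGNORECASE,
)


def parse_dhcp_clients(text: str, mac_prefix: str = "00-50-56") -> List[Dict[str, str]]:
    """Return the DHCP-assigned (type D) leases whose MAC starts with mac_prefix.
    00-50-56 is the VMware OUI the thread filters on with findstr."""
    clients = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m or m["type"].upper() != "D":
            continue                      # headers, footers, and existing reservations
        if not m["mac"].lower().startswith(mac_prefix.lower()):
            continue                      # not a VM
        clients.append({"ip": m["ip"], "mac": m["mac"].lower(),
                        "name": m["name"].lower().rstrip(".")})
    return clients


def plan_commands(clients: Iterable[Dict[str, str]], existing_zones: Set[str],
                  internal_domain: str = "myinternaldomain.com",
                  outside_domain: str = "mydomain.com",
                  dns_server: str = "dc1", dhcp_server: str = r"\\dc1",
                  scope: str = "192.168.0.0") -> List[str]:
    """Emit, for every VM whose outside zone does not exist yet, the commands that
    create the zone, publish its A records, and reserve its DHCP address.
    Hosts whose zone already exists are skipped, so re-running every few minutes is safe."""
    known = {z.lower().rstrip(".") for z in existing_zones}
    suffix = "." + internal_domain.lower()
    cmds: List[str] = []
    for c in clients:
        if not c["name"].endswith(suffix):
            continue                      # not one of our internal hosts
        host = c["name"][: -len(suffix)]  # <name:<ChopInternalDomain>> in the thread's notation
        zone = f"{host}.{outside_domain}"
        if zone.lower() in known:
            continue                      # already provisioned on an earlier run
        cmds.append(f"dnscmd {dns_server} /zoneadd {zone} /dsprimary")
        # Apex A record instead of apex DNAME: an RFC 6672 server answers an A query for the
        # zone root directly, but never substitutes the DNAME owner name itself.
        cmds.append(f"dnscmd {dns_server} /recordadd {zone} @ A {c['ip']}")
        cmds.append(f"dnscmd {dns_server} /recordadd {internal_domain} {host} A {c['ip']}")
        mac = c["mac"].replace("-", "")   # assumption: netsh takes the MAC without separators
        cmds.append(f'netsh dhcp server {dhcp_server} scope {scope} add reservedip '
                    f'{c["ip"]} {mac} {host} "VM_AutoAdd" BOTH')
    return cmds


if __name__ == "__main__":
    leases = parse_dhcp_clients(SAMPLE_NETSH_OUTPUT)
    for cmd in plan_commands(leases, existing_zones={"webtest2.mydomain.com"}):
        print(cmd)
```

Feeding it real output (`netsh ... show clients 1 > leases.txt`) and the zone list from `dnscmd dc1 /enumzones` would give a reviewable list of changes before anything is executed; the verbose `1` form is needed because the plain listing omits the client name column.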
  • Hi,

    >>If someone has a better way of replacing my previously awesome working method I'd like to know.

    Thanks for your sharing.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Best Regards,

    Candy



    Friday, November 17, 2017 7:48 AM
  • Awesome thank you. I do like working through instead of around issues.
    Friday, November 17, 2017 4:40 PM
  • Hi PenguinJeff,

    To have a better understanding, please provide the result of “nslookup -d2 <Dname>”

    Besides, please check the version of the file:

    C:\Windows\System32\DNS.exe

    Also, check if KB3197874 and KB3185331 are installed.

    Best Regards,

    Candy



    Monday, November 20, 2017 8:06 AM
  • Here is the nslookup -d2 output from my dc1 (Windows 2008 R2) machine querying against my dc3 (Windows 2012 R2)

    C:\Users\jsadowski>nslookup -d2 machine-info.mrn.org dc3|more

    SendRequest(), len 42
        HEADER:
            opcode = QUERY, id = 1, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            80.100.0.10.in-addr.arpa, type = PTR, class = IN

    ------------
    ------------
    Got answer (72 bytes):
        HEADER:
            opcode = QUERY, id = 1, rcode = NOERROR
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 1,  authority records = 0,  additional = 0

        QUESTIONS:
            80.100.0.10.in-addr.arpa, type = PTR, class = IN
        ANSWERS:
        ->  80.100.0.10.in-addr.arpa
            type = PTR, class = IN, dlen = 18
            name = dc3.mind.unm.edu
            ttl = 1200 (20 mins)

    ------------
    Server:  dc3.mind.unm.edu
    Address:  10.0.100.80

    ------------
    SendRequest(), len 51
        HEADER:
            opcode = QUERY, id = 2, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            machine-info.mrn.org.mind.unm.edu, type = A, class = IN

    ------------
    ------------
    Got answer (113 bytes):
        HEADER:
            opcode = QUERY, id = 2, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            machine-info.mrn.org.mind.unm.edu, type = A, class = IN
        AUTHORITY RECORDS:
        ->  mind.unm.edu
            type = SOA, class = IN, dlen = 38
            ttl = 3600 (1 hour)
            primary name server = dc3.mind.unm.edu
            responsible mail addr = hostmaster
            serial  = 719946
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)

    ------------
    ------------
    SendRequest(), len 51
        HEADER:
            opcode = QUERY, id = 3, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            machine-info.mrn.org.mind.unm.edu, type = AAAA, class = IN

    ------------
    ------------
    Got answer (113 bytes):
        HEADER:
            opcode = QUERY, id = 3, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:

            machine-info.mrn.org.mind.unm.edu, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  mind.unm.edu
            type = SOA, class = IN, dlen = 38
            ttl = 3600 (1 hour)
            primary name server = dc3.mind.unm.edu
            responsible mail addr = hostmaster
            serial  = 719946
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)

    ------------
    ------------
    SendRequest(), len 46
        HEADER:
            opcode = QUERY, id = 4, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            machine-info.mrn.org.unm.edu, type = A, class = IN

    ------------
    ------------
    Got answer (99 bytes):
        HEADER:
            opcode = QUERY, id = 4, rcode = NXDOMAIN
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            machine-info.mrn.org.unm.edu, type = A, class = IN
        AUTHORITY RECORDS:
        ->  unm.edu
            type = SOA, class = IN, dlen = 41
            ttl = 808 (13 mins 28 secs)
            primary name server = ns1.unm.edu
            responsible mail addr = host-request.unm.edu
            serial  = 2014048901
            refresh = 10800 (3 hours)
            retry   = 3600 (1 hour)
            expire  = 2419200 (28 days)
            default TTL = 900 (15 mins)

    ------------
    ------------
    SendRequest(), len 46
        HEADER:
            opcode = QUERY, id = 5, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            machine-info.mrn.org.unm.edu, type = AAAA, class = IN

    ------------
    ------------
    Got answer (99 bytes):
        HEADER:
            opcode = QUERY, id = 5, rcode = NXDOMAIN
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            machine-info.mrn.org.unm.edu, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  unm.edu
            type = SOA, class = IN, dlen = 41
            ttl = 808 (13 mins 28 secs)
            primary name server = ns1.unm.edu
            responsible mail addr = host-request.unm.edu
            serial  = 2014048901
            refresh = 10800 (3 hours)
            retry   = 3600 (1 hour)
            expire  = 2419200 (28 days)
            default TTL = 900 (15 mins)

    ------------
    ------------
    SendRequest(), len 38
        ->  unm.edu
            type = SOA, class = IN, dlen = 41
            ttl = 721 (12 mins 1 sec)
            primary name server = ns1.unm.edu
            responsible mail addr = host-request.unm.edu
            serial  = 2014048901
            refresh = 10800 (3 hours)
            retry   = 3600 (1 hour)
            expire  = 2419200 (28 days)
            default TTL = 900 (15 mins)

    ------------
    ------------
    SendRequest(), len 38
        HEADER:
            opcode = QUERY, id = 6, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            machine-info.mrn.org, type = A, class = IN

    ------------
    ------------
    Got answer (101 bytes):
        HEADER:
            opcode = QUERY, id = 6, rcode = NOERROR
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            machine-info.mrn.org, type = A, class = IN
        AUTHORITY RECORDS:
        ->  machine-info.mrn.org
            type = SOA, class = IN, dlen = 51
            ttl = 3600 (1 hour)
            primary name server = dc3.mind.unm.edu
            responsible mail addr = hostmaster.mind.unm.edu
            serial  = 8
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)

    ------------
    ------------
    SendRequest(), len 38
        HEADER:
            opcode = QUERY, id = 7, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            machine-info.mrn.org, type = AAAA, class = IN

    ------------
    ------------
    Got answer (101 bytes):
        HEADER:
            opcode = QUERY, id = 7, rcode = NOERROR
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            machine-info.mrn.org, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  machine-info.mrn.org
            type = SOA, class = IN, dlen = 51
            ttl = 3600 (1 hour)
            primary name server = dc3.mind.unm.edu
            responsible mail addr = hostmaster.mind.unm.edu
            serial  = 8
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)

    ------------
    Name:    machine-info.mrn.org



    C:\Users\jsadowski>

    I logged into my dc3, right-clicked on the C:\windows\system32\dns.exe file and selected Properties.

    Under Details it says the file and product version is 6.3.9600.18729

    C:\Windows\System32>wmic qfe list| findstr KB3197874

    C:\Windows\System32>

    C:\Windows\System32>wmic qfe list| findstr KB3185331

    C:\Windows\System32>

    both came back empty

    Monday, November 20, 2017 5:07 PM
  • Thank you, I am going to uninstall all of those updates to see if I get back to the desired behavior.

    C:\Windows\System32>wmic qfe list| findstr 4048958

    C:\Windows\System32>wmic qfe list| findstr 4041685

    C:\Windows\System32>wmic qfe list| findstr 4041693
    http://support.microsoft.com/?kbid=4041693  DC3     Security Update
      KB4041693               NT AUTHORITY\SYSTEM  11/14/2017


    C:\Windows\System32>

    Found one; uninstalling it and looking for the rest.

    Tuesday, November 21, 2017 5:07 PM
  • I didn't find any others.

    C:\Windows\System32>wmic qfe list |findstr 4038774
    C:\Windows\System32>wmic qfe list |findstr 4038792
    C:\Windows\System32>wmic qfe list |findstr 4039871
    C:\Windows\System32>wmic qfe list |findstr 4034663
    C:\Windows\System32>wmic qfe list |findstr 4034681
    C:\Windows\System32>wmic qfe list |findstr 4025335
    C:\Windows\System32>wmic qfe list |findstr 3133954
    C:\Windows\System32>wmic qfe list |findstr 3192404

    Yet I still have the undesirable behavior.

    Looking at C:\windows\system32\dns.exe, it is at version 6.3.9600.18659.

    I tried rebooting twice, once for the updates and a second time to see if it might have needed a second reboot. Still no IP is returned when I query off my Windows 2012 R2 machine. 2008 R2 responds with the name where the DNAME points, the address, and an alias of the original name, which is the desired behaviour I'd like to get from Windows 2012 R2.

    • Edited by PenguinJeff Tuesday, November 21, 2017 5:36 PM
    Tuesday, November 21, 2017 5:24 PM

  • Hi,

    That’s true.

    Here is a list of DNS.exe versions corresponding to the KB number. 6.3.9600.18659 is still a higher version than the one shipped by KB3133954 (version 6.3.9600.18227).

    To revert the version of DNS.exe, you need to uninstall the KBs according to the list.

    DNS.exe version   KB        Update
    6.3.9600.18659    4025336   [MSRC] Security Monthly Quality Rollup for Windows 8.1 - KB4025336 - 2017.07 B
    6.3.9600.18659    4022720   Preview of Monthly Quality Rollup for Windows 8.1 - KB4022720 - 2017.06 C
    6.3.9600.18659    4022726   [MSRC] Security Monthly Quality Rollup for Windows 8.1 - KB4022726 - 2017.06 B
    6.3.9600.18659    4019217   [Non-Sec] Preview Rollup Update for Win 8.1 & Server 2012 R2 KB4019217 (2017.05 C)
    6.3.9600.18659    4019215   [MSRC] Monthly Rollup Update for Win 8.1 & Server 2012 R2 KB4019215 (2017.05 B)
    6.3.9600.18659    4019213   [MSRC] Security Only Update for Win 8.1 & Server 2012 R2 KB4019213 (2017.05 B)
    6.3.9600.18623    4015553   [3] April 2017 Preview of Monthly Quality Rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
    6.3.9600.18469    4015550   April 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2 SP1
    6.3.9600.18469    4012219   March 2017 Preview of Monthly Quality Rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
    6.3.9600.18469    4012216   March 2017 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2 SP1
    6.3.9600.18469    3205401   [2]: December 2016 Security Monthly Quality Rollup for Windows 8.1 and Windows Server 2012 R2 SP1
    6.3.9600.18469    3197875   [3] November 2016 Preview of Monthly Quality Rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2
    6.3.9600.18469    3197874   [2]: [MSRC] Security RollUp for Win 8.1 & Server 2012 R2 (2016.10 B)
    6.3.9600.18469    3192404   [3] [Non-Sec] Preview RollUp for Win 8.1 and Win Server 2012 R2 (2016.10 C)
    6.3.9600.18436    3185331   [2]: [MSRC] Security RollUp for Win 8.1 & Server 2012 R2 (2016.10 B)
    6.3.9600.18436    3185279   [3] Windows 8.1 and Windows Server 2012 R2 monthly rollup: September 2016
    6.3.9600.18404    3179574   [3] Windows 8.1 and Windows Server 2012 R2 monthly rollup: August 2016
    6.3.9600.18340    3161951   [2] [MSRC 32766] [UAF] DNS server crash while processing query for a node with a short TTL
    6.3.9600.18227    3133954   B Release for [3] DNAME behavior is for DNSKEY queries causes DNSSEC validation to fail
    6.3.9600.18191    3133717   B Release for [3]: 1602 SNaP DNS.exe fixes (4398470, 5025010, 5439375)

    Besides, you may test the following configuration and check if DNAME works:

    1. Create a new DNS zone (such as “dname.local”)
    2. Add a DNAME record, with an empty host name and pointing to another DNS zone (such as “dname.com”)
    3. Try “nslookup host.dname.local”
    4. Check whether it replies with the IP address of “host.dname.com”

    Best Regards,

    Candy



    Thursday, November 23, 2017 1:23 AM
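The four-step test above, and the RFC 6672 behaviour change quoted from KB3133954 earlier in the thread, come down to one rule: a DNAME rewrites names below its owner, never the owner name itself. The following added example (not code from the thread or from Microsoft) models an authoritative server holding the two test zones, with constructed records. `resolve()` follows RFC 6672 by default, so `host.dname.local` is redirected while an A query for `dname.local` gets NOERROR with only an SOA in the authority section, which is exactly the shape of the `nslookup -d2` output posted above; `legacy_apex_redirect=True` mimics the older behaviour the question wants back, with the wire layout of that legacy answer simplified.

```python
"""DNAME substitution as RFC 6672 defines it, applied to the thread's test zones
("dname.local" with an apex DNAME to "dname.com").  Added example; the zone data
below is constructed and not taken from anyone's real server."""

from typing import Dict, List, Optional, Tuple

RRSet = List[Tuple[str, str]]            # [(rrtype, rdata), ...]
RR = Tuple[str, str, str]                # (owner, rrtype, rdata)

# Constructed authoritative data: two zones hosted on the same server.
ZONES: Dict[str, Dict[str, RRSet]] = {
    "dname.local": {
        "dname.local": [
            ("SOA", "ns1.dname.local hostmaster.dname.local 1 900 600 86400 3600"),
            ("DNAME", "dname.com"),
        ],
    },
    "dname.com": {
        "dname.com": [
            ("SOA", "ns1.dname.com hostmaster.dname.com 1 900 600 86400 3600"),
            ("A", "192.0.2.1"),
        ],
        "host.dname.com": [("A", "192.0.2.10")],
    },
}


def norm(name: str) -> str:
    """Lower-case and drop the trailing dot so comparisons are canonical."""
    return name.lower().rstrip(".")


def dname_substitute(qname: str, owner: str, target: str) -> Optional[str]:
    """RFC 6672 section 2.2: rewrite qname only when it is a PROPER subdomain of
    the DNAME owner.  The owner name itself is never substituted, which is why an
    A query for the zone apex no longer follows the DNAME after KB3133954."""
    qname, owner, target = norm(qname), norm(owner), norm(target)
    suffix = "." + owner
    if not qname.endswith(suffix):
        return None
    return qname[: -len(suffix)] + "." + target


def find_zone(name: str) -> Optional[str]:
    """Longest-suffix match of name against the zones this server is authoritative for."""
    name = norm(name)
    matches = [z for z in ZONES if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def resolve(qname: str, qtype: str,
            legacy_apex_redirect: bool = False) -> Tuple[str, List[RR], List[RR]]:
    """Authoritative lookup returning (rcode, answer RRs, authority RRs).
    legacy_apex_redirect=True mimics the pre-KB3133954 behaviour the thread describes
    (an A query for the DNAME owner answered with the target's A); its wire layout
    is simplified here."""
    qname, qtype = norm(qname), qtype.upper()
    zone = find_zone(qname)
    if zone is None:
        return ("REFUSED", [], [])       # not our zone
    records = ZONES[zone]
    soa: RR = (zone, "SOA", next(rd for rt, rd in records[zone] if rt == "SOA"))

    # Walk the proper ancestors of qname, nearest first, down to the zone apex.
    labels = qname.split(".")
    for i in range(1, len(labels)):
        anc = ".".join(labels[i:])
        if anc != zone and not anc.endswith("." + zone):
            break                        # above the apex: out of this zone
        for rt, rd in records.get(anc, []):
            if rt == "DNAME":
                new_name = dname_substitute(qname, anc, rd)
                # Section 3.1: the DNAME plus a synthesized CNAME go in the answer section.
                answers: List[RR] = [(anc, "DNAME", rd), (qname, "CNAME", new_name)]
                if find_zone(new_name) is None:
                    return ("NOERROR", answers, [])   # the resolver chases the CNAME elsewhere
                rcode, more, auth = resolve(new_name, qtype, legacy_apex_redirect)
                return (rcode, answers + more, auth)

    if qname in records:
        rrs = [(qname, rt, rd) for rt, rd in records[qname] if qtype in (rt, "ANY")]
        if rrs:
            return ("NOERROR", rrs, [])
        target = next((rd for rt, rd in records[qname] if rt == "DNAME"), None)
        if legacy_apex_redirect and target is not None:
            return resolve(target, qtype, legacy_apex_redirect)
        return ("NOERROR", [], [soa])    # NODATA: the NOERROR + SOA seen in nslookup -d2
    return ("NXDOMAIN", [], [soa])


if __name__ == "__main__":
    for q, legacy in (("host.dname.local", False), ("dname.local", False), ("dname.local", True)):
        print(q, "legacy" if legacy else "rfc6672", resolve(q, "A", legacy))
```

The practical consequence for the setup in the question is visible in the three printed cases: the per-VM zone works for any name under it, but a bare query for the zone name returns nothing unless an A record is placed at the apex alongside (or instead of) the DNAME.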
  • Hi,

    If you have any updates during this process, please feel free to let me know.

    Best Regards,

    Candy



    Friday, November 24, 2017 7:05 AM
  • Hi,

    Did you have any updates?

    Best Regards,

    Candy



    Tuesday, November 28, 2017 1:20 AM