DNS Can't Resolve ORG and GOV Top-Level Domains with Root Hint Servers

  • Question

  • I am having a problem where DNS in my network cannot resolve the ORG and GOV top-level domains. COM and EDU domains are resolved fine, but anything in the ORG or GOV domain is not resolved. My setup is as follows:

    1) Windows Server 2012 R2
    2) Two domain controllers running DNS, DC1 and DC2
    3) DC1 points to DC2 then itself for DNS, DC2 does the opposite
    4) All other servers point to DC1 then DC2 for DNS
    5) Both DCs are configured to allow recursive queries and use root hint servers only - no forwarders
    6) All of the standard root hint servers are properly configured in DNS
    7) My internal zone uses DNSSEC

    I see my problem described almost exactly here and here, but the suggested solution of setting the MaxCacheTTL did not help.

    If I add a public DNS server such as Google public DNS on a client server, then the symptoms go away which makes me think this is not related to my firewall or any other problem that would be blocking DNS lookups in general for these domains.

    Using nslookup, it appears that queries for ORG and GOV domains are simply not being passed to the root hint servers. Does anyone have any ideas on what might be going on here? Thank you.

    Tuesday, July 5, 2016 12:49 PM

Answers

  • Thanks for the information. I am using a Cisco ASA perimeter firewall and there is no firewall running directly on any of my servers. I cannot disable the firewall because it is the key protection for my network. However, I followed the procedures outlined by Cisco at this link to verify that EDNS0 is not being blocked and I'm all good.

    I tried disabling EDNS0 on my DNS servers following the information in the link you provided: https://support.microsoft.com/en-us/kb/832223

    However, when I did this DNS stopped working completely. So I turned EDNS0 back on and now I'm back where I started with DNS partially working.

    Any additional ideas?

    • Marked as answer by SOFL_Admin Wednesday, July 6, 2016 2:36 PM
    Wednesday, July 6, 2016 12:46 PM
  • I found my problem. It turns out the problem was with my firewall. The EDNS0 settings were fine, but my firewall was configured to not allow fragmented packets on the outside interface. Some DNS responses require fragmentation so this was stopping DNS from working. I found this out using this forum link and watching the ASA logs. To fix the problem I enabled fragments on the outside interface.
    • Marked as answer by SOFL_Admin Wednesday, July 6, 2016 2:36 PM
    Wednesday, July 6, 2016 2:35 PM

All replies

  • Update: I went through each and every root hint server on both of my DCs and clicked "resolve". This populated the IPv4 addresses of several root hint servers that previously only had IPv6 addresses listed. After doing this I can now reach some GOV sites but I still can't reach any ORG sites and cannot reach many GOV sites. So things seem to have improved slightly but I am still having problems.
    Tuesday, July 5, 2016 1:59 PM
  • None of the IPv6 addresses for the root hint servers will validate. They all display a message that says the validation timed out. Could this indicate some misconfiguration of IPv6 on my DNS servers that is causing this behavior where ORG and GOV sites won't resolve?
    Tuesday, July 5, 2016 9:28 PM
  • Hi,

    >>7) My internal zone uses DNSSEC

    It may be related to DNSSEC. The DNS service by default specifies DNSSEC when submitting DNS requests, while nslookup will not. Some default firewall settings block DNS messages larger than 512 bytes, and since DNSSEC messages typically exceed this size, they will be blocked. Please check this.

    >>They all display a message that says the validation timed out.

    If timeout occurs, it means that firewall or some other similar device block the DNS traffic. Please disable the firewall and try again.

    Also this link for your reference:

    Some DNS name queries are unsuccessful after you deploy a Windows-based DNS server

    https://support.microsoft.com/en-us/kb/832223

    ________________________________________
    Best Regards,
    Cartman

    Wednesday, July 6, 2016 7:27 AM