WinCore 2016 DNS Server: Forwarders and Root Hints Failing

  • Question

  • I have a DC (Server 2016 Core) set up with DHCP and DNS roles (let's call it DC3).  I have 2 other DCs (Server 2012s) configured similarly (let's call them DCs 1 and 2).  DNS on DCs 1 and 2 works wonderfully for both internal and external requests (I have several forwarders configured, including OpenDNS and Google).  DNS on DC3 works great for internal requests but fails over to the next NS (DC1 then DC2) for all external requests (forwarders and root hints all fail and time out).  All DCs point to themselves for DNS and have the other DCs listed as additional NS.

    DCDiag /test:DNS on DC3 passes everything except for forwarders and root hints, which both fail.  NSLookups to external requests fail on DC3.

    Things I've tried:

    • Disabled Windows Firewall (already had DNS ports open, but figured I'd go all in to mark this variable off)
    • Removed SEP (opened ports here too, but again, wanted to rule this out entirely)
    • Removed and re-added DNS role
    • ASA doesn't appear to be blocking the traffic 

    I can post any info/configs needed.  The event logs don't appear to provide any insight or useful information, but I very well could be overlooking something in them.

    A few other notes:

    • I can ping forwarders and any external address by IP and by name on DC3.
    • The forwarders are not validating in the DNS forwarders config window.  The FQDNs are populating, but each forwarder lists "A timeout occurred during validation."
    • Both simple query and recursive query tests on the DNS server pass.

    I did assign a workstation within that LAN a public DNS address ( to see if it would resolve behind the ASA, and it is working.

    Friday, August 18, 2017 12:04 PM


  • And of course, I finally decide to post the problem here after 2 days of troubleshooting, and as soon as I do I find the solution!

    I did a "no no" and placed a third-party AV/firewall on our host, of which DC3 is a guest.  The host was blocking traffic to DC3 (on a whim, I opened up all traffic to the host and voilà! DC3 can resolve external queries).

    • Marked as answer by kylebeaulieu Friday, August 18, 2017 12:20 PM
    Friday, August 18, 2017 12:20 PM
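
The symptom in this thread (forwarders answer ping but time out on validation) can be confirmed per forwarder with the check below. It is an added example, not part of either post; it assumes it is run in PowerShell on the DNS server itself, and `example.com` is a placeholder test name.

```powershell
# Added example: compare ICMP, TCP/53 and a real DNS query against each configured forwarder.
# Requires the DnsServer module, which is installed with the DNS Server role.
$testName = 'example.com'   # assumption: any external name you expect to resolve

$results = foreach ($fw in (Get-DnsServerForwarder).IPAddress) {
    $ip = $fw.IPAddressToString

    # ICMP only shows the address is reachable, not that DNS traffic is allowed through.
    $icmp = Test-Connection -ComputerName $ip -Count 1 -Quiet

    # TCP/53 is used for truncated and large responses.
    $tcp = (Test-NetConnection -ComputerName $ip -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded

    # Query sent straight to the forwarder (UDP/53 first), bypassing the local
    # DNS Server service, the hosts file and the other DCs listed as resolvers.
    try {
        Resolve-DnsName -Name $testName -Server $ip -Type A -DnsOnly -ErrorAction Stop | Out-Null
        $dns = 'OK'
    } catch {
        $dns = $_.Exception.Message
    }

    [pscustomobject]@{ Forwarder = $ip; Ping = $icmp; Tcp53 = $tcp; DnsQuery = $dns }
}

$results | Format-Table -AutoSize

# Ping succeeding while the query fails means something between this server and the
# forwarder filters port 53: the guest firewall, the hypervisor host, or the edge firewall.
$results | Where-Object { $_.Ping -and $_.DnsQuery -ne 'OK' } | ForEach-Object {
    Write-Warning "$($_.Forwarder): reachable by ICMP but DNS query failed ($($_.DnsQuery))"
}
```

The query here comes from the DNS client rather than the DNS Server service, so a filter that matches on process would not show up; a filter on the path, such as the hypervisor host in this thread, does.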