External name resolution for some external IPs not working

  • Question

  • Hi,

    We have two TMG servers (Windows 2008 R2 installed) in the DMZ with one NIC adapter each, configured as a standalone array. DNS is installed on the TMG servers and is configured to forward requests to the ISP IP.

    Internet is working, but some external host names cannot be resolved from clients or even from TMG, for example http://update.microsoft.com. Even when we used the Google IP 8.8.8.8 as a forwarder on each TMG server, it gave the same issue, so we suspect it could be an issue with the firewall, router or internet link. I am not sure if this is true or not.

    I read that Windows 2008 R2 DNS uses DNSSEC by default, so I am not sure if this plays a part in the issue we face. My question is how to turn it off on the DNS installed on the TMGs, knowing that I just installed the DNS role and configured the forwarder; I did not do any configuration related to DNSSEC.

    On the other hand, I have a Cisco ESA for email routing and we configured it with the Google IP 8.8.8.8 as DNS server, and we face the same issue: some external hosts\MX\domains cannot be reached, causing mail destined for those domains to be queued in the device queue. So does this mean the issue is most likely in the firewall or router?

    Tuesday, November 21, 2017 2:11 PM

Answers

  • Hi ,

    You might have to check on the router/firewall whether the packets are reaching it or are getting dropped.

    Also check whether the packet was forwarded to 8.8.8.8 but no response came back from the other side.

    In addition, please check the event log to see if there is something related for us to troubleshoot.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 23, 2017 8:34 AM
  • Hi,

    We found that some restrictions were configured in the external firewall to drop DNS traffic targeted at some Microsoft URLs, like the update URLs. Once this was resolved, we can now resolve these URLs.

    Also, it seems the ISP has some issues, so we configured the DNS server installed on TMG to use root hints instead of the ISP IP; after that, name resolution for all external host names is working.

    I have to mention that we followed this link as well in our troubleshooting: https://support.microsoft.com/en-us/help/2549656/dns-server-service-randomly-cannot-resolve-external-names-and-returns but that was before we figured out it was the firewall issue.

    • Marked as answer by AhmadJY Wednesday, December 6, 2017 11:51 AM
    Wednesday, December 6, 2017 11:50 AM

All replies

  • Hi ,

    >>Internet is working but some external host names  cannot be resolved from clients or even from TMG like for example http://update.microsoft.com

    You might turn on the exhaustive debugging mode of nslookup; this will display detailed information about the name resolution process.
    Open a Command Prompt on the client, type nslookup, and then type set d2. We can find the problem through the process.
    >NSlookup
    >set d2
    >[name which you want to resolve]
    Here is the guide for Nslookup: https://technet.microsoft.com/en-us/library/cc940085.aspx

    >>so does this mean the issue is most likely in the firewall or router?

    I agree with you; it seems the issue is related to the firewall and router.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, November 22, 2017 8:55 AM
  • Hi,

    Thanks for your reply. I ran the nslookup command against catalog.update.microsoft.com from a client, and below is the output:

    C:\Users\adm-bi532>nslookup
    Default Server:  hq-tsn-dc01.domain.com
    Address:  10.11.0.21

    > set d2
    > catalog.update.microsoft.com
    Server:  hq-tsn-dc01.domain.com
    Address:  10.11.0.21

    ------------
    SendRequest(), len 55
        HEADER:
            opcode = QUERY, id = 2, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            catalog.update.microsoft.com.domain.com, type = A, class = IN

    ------------
    ------------
    Got answer (122 bytes):
        HEADER:
            opcode = QUERY, id = 2, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            catalog.update.microsoft.com.domain.com, type = A, class = IN
        AUTHORITY RECORDS:
        ->  domain.com
            type = SOA, class = IN, dlen = 47
            ttl = 3600 (1 hour)
            primary name server = hq-tsn-dc01.domain.com
            responsible mail addr = hostmaster.domain.com
            serial  = 17173
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)

    ------------
    ------------
    SendRequest(), len 55
        HEADER:
            opcode = QUERY, id = 3, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            catalog.update.microsoft.com.domain.com, type = AAAA, class = IN

    ------------
    ------------
    Got answer (122 bytes):
        HEADER:
            opcode = QUERY, id = 3, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            catalog.update.microsoft.com.domain.com, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  domain.com
            type = SOA, class = IN, dlen = 47
            ttl = 3600 (1 hour)
            primary name server = hq-tsn-dc01.domain.com
            responsible mail addr = hostmaster.domain.com
            serial  = 17173
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)

    ------------
    ------------
    SendRequest(), len 46
        HEADER:
            opcode = QUERY, id = 4, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            catalog.update.microsoft.com, type = A, class = IN

    ------------
    DNS request timed out.
        timeout was 2 seconds.
    timeout (2 secs)
    SendRequest failed
    ------------
    SendRequest(), len 46
        HEADER:
            opcode = QUERY, id = 5, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            catalog.update.microsoft.com, type = AAAA, class = IN

    ------------
    DNS request timed out.
        timeout was 2 seconds.
    timeout (2 secs)
    SendRequest failed
    *** Request to hq-tsn-dc01.domain.com timed-out
    >
     
    Wednesday, November 22, 2017 10:36 AM
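    The trace above carries the whole diagnosis: the search-suffixed probe (catalog.update.microsoft.com.domain.com) gets an authoritative NXDOMAIN straight from the internal DNS server, while the bare external name never gets an answer at all, so the resolver itself is up and only the forwarded lookup is dying. As an added example (not from this thread or from Microsoft), the script below parses a trace in the shape of nslookup's set d2 output and separates those two outcomes; the sample trace is constructed and abridged from the output above, and the suffix domain.com is the one shown there.

```python
import re
# Constructed sample in the shape of an 'nslookup' / 'set d2' trace (abridged):
# the search-suffixed probe gets an authoritative NXDOMAIN, the bare name gets nothing.
SAMPLE = """\
SendRequest(), len 55
        opcode = QUERY, id = 2, rcode = NOERROR
        catalog.update.microsoft.com.domain.com, type = A, class = IN
Got answer (122 bytes):
        opcode = QUERY, id = 2, rcode = NXDOMAIN
SendRequest(), len 46
        opcode = QUERY, id = 4, rcode = NOERROR
        catalog.update.microsoft.com, type = A, class = IN
DNS request timed out.
"""
HDR_RE = re.compile(r"id = (\d+), rcode = (\w+)")
Q_RE = re.compile(r"^(\S+), type = (\w+), class = IN")

def parse_nslookup_d2(text):
    """Pair each SendRequest with its reply rcode or a timeout -> list of dicts."""
    queries, section, qid = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SendRequest("):
            section = "send"
        elif line.startswith("Got answer"):
            section = "answer"
        elif line.startswith("DNS request timed out") and qid in queries:
            queries[qid]["outcome"] = "timeout"
        elif m := HDR_RE.search(line):
            qid = int(m.group(1))
            if section == "send":   # rcode inside a request is always NOERROR
                queries[qid] = {"id": qid, "name": "", "type": "", "outcome": "pending"}
            elif qid in queries:    # the reply carries the real rcode
                queries[qid]["outcome"] = m.group(2)
        elif (m := Q_RE.match(line)) and section == "send" and qid in queries:
            queries[qid]["name"], queries[qid]["type"] = m.group(1), m.group(2)
    return list(queries.values())

def diagnose(queries, suffix):
    """Tell 'name does not exist' apart from 'the query was never answered'."""
    bare = [q for q in queries if not q["name"].endswith("." + suffix)]
    local = [q for q in queries if q["name"].endswith("." + suffix)]
    if bare and all(q["outcome"] == "timeout" for q in bare):
        # Resolver is up (it answered the suffixed probe); only the forwarded external lookup dies.
        if local and all(q["outcome"] == "NXDOMAIN" for q in local):
            return "UPSTREAM_TIMEOUT"
        return "TIMEOUT"
    if queries and all(q["outcome"] == "NXDOMAIN" for q in queries):
        return "NXDOMAIN"
    return "ANSWERED" if any(q["outcome"] == "NOERROR" for q in queries) else "INCONCLUSIVE"
```

    An UPSTREAM_TIMEOUT verdict means the next thing to look at is the path from the DNS server to its forwarder (or the root servers), which is where this thread eventually found the firewall drop; a plain NXDOMAIN on the bare name would instead mean the name really does not exist.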
  • Hi ,

    Do you have any updates?

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, November 24, 2017 10:03 AM
  • Hi ,

    Please note: any private information you share in a public forum might be seen or collected by other persons, so please delete the private information before you post.

    Best Regards,

    Candy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, November 29, 2017 9:32 AM