DNS Conditional Forwarder returns name without IP address or error

  • Question

  • Hi,

     I have a conditional forwarder on my DC (DC1, IP = 10.0.0.10) pointing at 51.8.8.8 for the DNS zone "gsi.gov.uk", and I've noticed some odd behaviour:

    - If I do an nslookup on DC1 for gsi.gov.uk I get a response as follows:

    Server DC1.contoso.com
    Address: 10.0.0.10

    Name: gsi.gov.uk

    In fact, I get the same response if I do an nslookup for any subdomain of that domain, e.g. nonexistent23.gsi.gov.uk:

    Server DC1.contoso.com
    Address: 10.0.0.10

    Name: nonexistent23.gsi.gov.uk

    I would have expected the conditional forwarder to error and respond with "no domain", but that doesn't happen. Why doesn't the forwarding DNS server respond with an IP address or an error for the query?

    The reason I'm asking is that we use mail checking to check for existent SMTP domains. Some valid domains are being accepted, such as "dwp.gsi.gov.uk", while other domains are not, e.g. "homeoffice.gsi.gov.uk". I'm thinking of creating a new internal DNS zone called "homeoffice.gsi.gov.uk" with an SOA record of my DNS server and a nameserver record of 51.8.8.8 to ensure my mail appliance's check passes on the domain lookup.

    Thank you


    • Edited by EuroTechie2013 Monday, January 30, 2017 11:46 AM more info
    Monday, January 30, 2017 11:17 AM
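The "Name: gsi.gov.uk" output with no Address line is what nslookup prints when the server answers NOERROR with an empty answer section (a NODATA response: the name exists, but there is no A/AAAA record for it); a genuine "no such domain" comes back as RCODE 3 (NXDOMAIN), which nslookup reports as "Non-existent domain". nslookup's output does not show the RCODE or the section counts directly, so the added example below (not code from the thread or from Microsoft) parses raw DNS wire format and reports RCODE, answer count and authority count for each response. The three responses it classifies are constructed inline with `build_response()`, not captured from 10.0.0.10 or 51.8.8.8, and the address 192.0.2.25 is a documentation-range placeholder. The `query()` helper sends the same query over UDP/53 to a server you name, which is how you would check the forwarder's real answer for gsi.gov.uk and nonexistent23.gsi.gov.uk.

```python
"""Classify DNS responses as NXDOMAIN, NODATA or ANSWER from the raw wire format.

Added example, not code from the original thread. The response packets are
constructed in build_response() (not captured from 10.0.0.10 or 51.8.8.8);
192.0.2.25 is a documentation-range placeholder address.
"""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
TYPE_A, TYPE_AAAA = 1, 28


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def read_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                      # caller resumes after the pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """Standard recursive query: header with RD=1 plus one question."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def build_response(name, rcode, addrs=(), txid=0x1234):
    """Constructed response: QR/RD/RA set, the given RCODE, zero or more A answers."""
    msg = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    for addr in addrs:                                # owner name = pointer to the question
        msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)
        msg += socket.inet_aton(addr)
    return msg


def classify(response):
    """Return RCODE, section counts and decoded addresses, plus a one-word verdict."""
    _, flags, qd, an, ns, _ = struct.unpack("!HHHHHH", response[:12])
    rcode, offset, addresses = flags & 0x000F, 12, []
    for _ in range(qd):                               # skip the question section
        _, offset = read_name(response, offset)
        offset += 4
    for _ in range(an):                               # walk the answer section
        _, offset = read_name(response, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        rdata = response[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            addresses.append(socket.inet_ntoa(rdata))
        elif rtype == TYPE_AAAA and rdlen == 16:
            addresses.append(socket.inet_ntop(socket.AF_INET6, rdata))
    if rcode == 3:
        verdict = "NXDOMAIN"          # nslookup: "*** can't find ...: Non-existent domain"
    elif rcode == 0 and an == 0:
        verdict = "NODATA"            # nslookup: "Name: ..." with no Address line
    elif rcode == 0:
        verdict = "ANSWER"
    else:
        verdict = RCODES.get(rcode, "RCODE%d" % rcode)
    return {"rcode": RCODES.get(rcode, "RCODE%d" % rcode),
            "authoritative": bool(flags & 0x0400), "answers": an,
            "authority": ns, "addresses": addresses, "verdict": verdict}


def query(name, server, qtype=TYPE_A, timeout=3.0):
    """Live UDP query (needs network), e.g. query("gsi.gov.uk", "51.8.8.8")."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (server, 53))
        data, _ = sock.recvfrom(4096)
    return classify(data)


def demo():
    """Three constructed responses: the two that nslookup prints differently, and NODATA."""
    return {
        "nodata": classify(build_response("gsi.gov.uk", 0)),
        "nxdomain": classify(build_response("nonexistent23.gsi.gov.uk", 3)),
        "answer": classify(build_response("dwp.gsi.gov.uk", 0, ["192.0.2.25"])),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

Run `query("nonexistent23.gsi.gov.uk", "51.8.8.8")` from a host that can reach the forwarder and compare it with the same query against 10.0.0.10: if both return `rcode` NOERROR with `answers` 0, the upstream server is answering NODATA for names under that zone and the conditional forwarder is relaying it faithfully; only an `rcode` of NXDOMAIN would produce the "Non-existent domain" error the poster expected. A mail appliance that checks a domain with an MX or A lookup will see the same distinction, which is worth confirming before adding an internal zone for it.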

All replies

  • Hi Euro,

    >>Why doesn't the forwarding DNS server respond with an IP address or error for the query?

    Have you tried to ping gsi.gov.uk to check whether gsi.gov.uk can be pinged correctly?

    You could use the Debug Logging tool in the DNS server to check whether the DNS server has accepted the query result from the conditional forwarder.

    Here is information about Debug Logging for your reference:

    DNS Logging and Diagnostics

    https://technet.microsoft.com/en-us/library/dn800669(v=ws.11).aspx

    Best Regards

    John


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, January 31, 2017 8:36 AM
  • Hi,

     The server isn't pingable; only port 53 is open. The DNS debug logs are partially helpful; maybe I'm just not good at interpreting the results.

    I do see NXDOMAIN in the detailed logs and searches for AAAA and A, plus multiple DNS lookups such as gsi.gov.uk, as well as gsi.gov.uk.contoso.local and gov.uk.contoso.local.

    I'm still not sure why the standard nslookup doesn't return an IP address or error though.

    Thursday, February 2, 2017 1:13 PM