Cannot resolve some domains correctly - internal domain added at the end of public domain

  • Question

  • Hi,

    Today I found some emails stopped in the Exchange Edge server queue with the message '451 4.4.0 DNS query failed'. I ran nslookup on the Edge server and it showed that DNS (internal DC) could not resolve the domain name. I logged on to the DC and also ran nslookup, and it showed the domain correctly.

    Many other domains are resolved correctly and e-mails for them are going out without any problems.

    The described problem was with 2 domains (so far).

    I’ve enabled the debug option for DNS and logged packets to a file. In the logs I can see something strange: the Edge server is adding our internal domain suffix at the end of the name when asking DNS for name resolution. It looks as follows:

    2017-03-30 20:21:00 0A4C PACKET  000000B53A833FE0 UDP Rcv <internal_EDGE_ip>     0002   Q [0001   D   NOERROR] A      (5)<public_name>(2)eu(6)<internal_domain_name>(8)INTERNAL(0)
    UDP question info at 000000B53A833FE0
      Socket = 468
      Remote addr <internal_EDGE_ip>, port 61717
      Time Query=22779, Queued=0, Expire=0
      Buf length = 0x0fa0 (4000)
      Msg length = 0x002a (42)
      Message:
        XID       0x0002
        Flags     0x0100
          QR        0 (QUESTION)
          OPCODE    0 (QUERY)
          AA        0
          TC        0
          RD        1
          RA        0
          Z         0
          CD        0
          AD        0
          RCODE     0 (NOERROR)
        QCOUNT    1
        ACOUNT    0
        NSCOUNT   0
        ARCOUNT   0
        QUESTION SECTION:
        Offset = 0x000c, RR count = 0
        Name      "(5)<public_name>(2)eu(6)<internal_domain_name>(8)INTERNAL(0)"
          QTYPE   A (1)
          QCLASS  1
        ANSWER SECTION:
          empty
        AUTHORITY SECTION:
          empty
        ADDITIONAL SECTION:
          empty

    I’ve checked some other internal servers – they are resolving that domain correctly. But I’ve also checked my workstation (Windows 10) and the effect is exactly the same as on the Edge server (I cannot resolve those domains).

    Can somebody help me?

    Best regards

    Jarek


    JD

    Thursday, March 30, 2017 6:31 PM

Answers

  • Hi,

    >><public name>.eu

    Does this record exist on your DNS server, or is the record resolved by a forwarder?

    If not, you could try disabling IPv6 and then capture traffic on the DNS server to check which destination the DNS server sent the query request to.

    According to the result of the command, the connection between the DNS server and the Edge server is correct.

    When clients query <public name>.eu, the issue occurs.

    Best Regards

    John


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, April 3, 2017 2:41 AM

All replies

  • Hi Jarek,

    >>I’ve run nslookup on Edge Server and it showed that DNS (internal DC) could not resolve the domain name

    Please run ipconfig /flushdns and check if the issue still occurs.

    You could run nslookup and then enter set d2 to debug the query process; please post the details of the result here for further troubleshooting.

    Have you tried to resolve other records of the host? What was the result?

    Please enable the DNS event log and check whether any related events exist.

    Best Regards

    John



    Friday, March 31, 2017 8:40 AM
  • Hi John,

    I tried clearing DNS locally and on the DNS server - nothing worked. Other domains, except the 2 problematic ones, are working just fine (emails are flowing, names are resolved correctly).

    I've looked at the DNS logs - there is nothing wrong with DNS (the logs say so).

    Below are the d2 option results:

    Server:  <internal dns>.internal
    Address:  <internal ip>
    ------------
    SendRequest(), len 42
        HEADER:
            opcode = QUERY, id = 2, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0
        QUESTIONS:
            <public name>.eu.<internal domain>.INTERNAL, type = A, class = IN
    ------------
    ------------
    Got answer (113 bytes):
        HEADER:
            opcode = QUERY, id = 2, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0
        QUESTIONS:
            <public name>.eu.<internal domain>.INTERNAL, type = A, class = IN
        AUTHORITY RECORDS:
        ->  <internal domain>.internal
            type = SOA, class = IN, dlen = 44
            ttl = 3600 (1 hour)
            primary name server = <internal dns>.internal
            responsible mail addr = <internal address>.internal
            serial  = 526318
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    ------------
    ------------
    SendRequest(), len 42
        HEADER:
            opcode = QUERY, id = 3, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0
        QUESTIONS:
            <public name>.eu.<internal domain>.INTERNAL, type = AAAA, class = IN
    ------------
    ------------
    Got answer (113 bytes):
        HEADER:
            opcode = QUERY, id = 3, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0
        QUESTIONS:
            <public name>.eu.<internal domain>.INTERNAL, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  <internal domain>.internal
            type = SOA, class = IN, dlen = 44
            ttl = 3600 (1 hour)
            primary name server = <internal dns>.internal
            responsible mail addr = <internal address>.internal
            serial  = 526318
            refresh = 900 (15 mins)
            retry   = 600 (10 mins)
            expire  = 86400 (1 day)
            default TTL = 3600 (1 hour)
    ------------
    ------------
    SendRequest(), len 26
        HEADER:
            opcode = QUERY, id = 4, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0
        QUESTIONS:
            <public name>.eu, type = A, class = IN
    ------------
    DNS request timed out.
        timeout was 2 seconds.
    timeout (2 secs)
    SendRequest failed
    ------------
    SendRequest(), len 26
        HEADER:
            opcode = QUERY, id = 5, rcode = NOERROR
            header flags:  query, want recursion
            questions = 1,  answers = 0,  authority records = 0,  additional = 0
        QUESTIONS:
            <public name>.eu, type = AAAA, class = IN
    ------------
    DNS request timed out.
        timeout was 2 seconds.
    timeout (2 secs)
    SendRequest failed
    *** Request to <internal dns>.internal timed-out


    JD

    Friday, March 31, 2017 9:05 AM
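
Added example, not part of the original thread: a Python sketch that pairs each `SendRequest()` in `nslookup` `set d2` output with its outcome, so the NXDOMAIN replies to suffix-appended search-list queries can be separated from the query for the name as typed, which is the one that times out above. The sample text, the names `example.eu` and `corp.internal`, and the function names are constructed for illustration.

```python
import re

# Constructed sample in the shape of nslookup "set d2" output; names are made up.
SAMPLE = """\
SendRequest(), len 42
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
    QUESTIONS:
        example.eu.corp.internal, type = A, class = IN
------------
Got answer (113 bytes):
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
    QUESTIONS:
        example.eu.corp.internal, type = A, class = IN
------------
SendRequest(), len 26
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
    QUESTIONS:
        example.eu, type = A, class = IN
------------
DNS request timed out.
    timeout was 2 seconds.
SendRequest failed
"""

QUESTION = re.compile(r"^\s*(.+?), type = (\w+), class = IN", re.M)
RCODE = re.compile(r"rcode = (\w+)")

def summarize(d2_output, search_suffix):
    """Pair each SendRequest() with its outcome; flag search-list queries."""
    results = []
    # Each chunk runs from one SendRequest() up to the next one.
    for chunk in re.split(r"(?m)^[ \t]*(?=SendRequest\(\))", d2_output):
        if not chunk.startswith("SendRequest()"):
            continue
        name, qtype = QUESTION.search(chunk).groups()
        answer = chunk.partition("Got answer")[2]
        if answer:
            outcome = RCODE.search(answer).group(1)   # rcode of the reply
        else:
            outcome = "TIMEOUT" if "timed out" in chunk else "UNKNOWN"
        suffixed = name.lower().endswith("." + search_suffix.lower())
        results.append((name, qtype, outcome, suffixed))
    return results

def unsuffixed_failures(results):
    """Queries for the name as typed (no suffix appended) that did not succeed."""
    return [r for r in results if not r[3] and r[2] != "NOERROR"]

if __name__ == "__main__":
    for row in summarize(SAMPLE, "corp.internal"):
        print(row)
```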
  • Hi,

    Thank you for your help - after digging up more (as you suggested) - I've found the cause.

    This was done by F-Secure Network Filter, which is part of the Web Threat Protection module (this is not an F-Secure firewall). It has a default option to block unsafe DNS queries.

    I've found that one of my staff is to blame - as he installed all additional F-Secure components on that server and connected it to F-Secure Policy Manager. And that's why only this server and my workstation (and probably all the rest of them) have problems with these 2 domains.

    After uninstalling the F-Secure Web Threat Protection module, the Edge server can again resolve domain names correctly.

    Thank you again for your time and helping me to find the right way.

    Best Regards

    Jarek


    JD

    Monday, April 3, 2017 5:24 AM
  • Hi,

    Glad to hear that your issue is successfully resolved.

    Best Regards

    John



    Monday, April 3, 2017 6:08 AM