DNSSEC validation fails when intermediate resolver has no internet access

  • Question

  • Hi there,

    I've found that DNSSEC validation on a resolver needs direct internet access. I manage an environment where internet access is limited, and only the central resolvers have direct internet access; domain controllers do not have direct internet access. I've set up the following in a test environment to research the issue:


    Situation

    Clients: We have clients sending DNS requests to a Domain controller. Clients have no direct internet access.

    Domain controller DC1: Runs all 'standard' AD DC roles needed for a domain. Has a single authoritative DNS zone for the domain, and a forwarder (DNS1) configured to resolve other DNS requests. DNSSEC validation enabled and the . trust anchor imported. DC1 has no direct internet access.

    DNS resolver DNS1: Has DNSSEC validation enabled and the . trust anchor imported. Has direct internet access to resolve domain names to authoritative nameservers.

    The zone I am using to test is internet.nl, which is DNSSEC signed.


    Issue

    Clients cannot resolve external DNS records like www.internet.nl via DC1 with the command:
    Resolve-DnsName -Name www.internet.nl -Type A -DnssecOk -Server DC1

    Clients can resolve external DNS records like www.internet.nl via DNS1 with the command:
    Resolve-DnsName -Name www.internet.nl -Type A -DnssecOk -Server DNS1

    When I disable DNSSEC validation on domain controller DC1, I can resolve external DNS records in internet.nl (with or without the -DnssecOk flag).

    With a packet capture I see that DC1 is trying to connect to the authoritative nameservers of internet.nl to validate the signature; it will not use the resolver DNS1 to validate the signature.


    Is there a way to configure the DC to use the resolver DNS1 to validate the signature? I believe it is not necessary to connect to the authoritative nameservers of internet.nl WHEN the resolvers are configured to validate the signatures. Which can be checked by the DNS flags, if I am not mistaken.

    Best regards,
    Floris

    Tuesday, March 12, 2019 3:57 PM
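    An added example, not part of this thread or of Microsoft's documentation: a PowerShell audit that reads, from each of the two servers in the question, the settings that decide whether a Windows DNS server validates DNSSEC itself and where it sends queries it is not authoritative for, then repeats the Resolve-DnsName test from the question and reports whether RRSIG records came back. The server names DC1 and DNS1 and the test name www.internet.nl are taken from the question; the parameter names and the idea of running it from a management host with the DnsServer RSAT module are assumptions.

```powershell
# Added example (not from the thread): audit DNSSEC-relevant settings on the
# servers named in the question and run the same query test against each.
# Assumes the DnsServer module (RSAT) is installed on the machine running this
# and that the account has read access to both DNS servers.

param(
    [string[]]$Servers = @('DC1', 'DNS1'),   # names from the question
    [string]$TestName  = 'www.internet.nl'   # signed test name from the question
)

foreach ($server in $Servers) {
    Write-Host "=== $server ==="

    # Is DNSSEC validation enabled on this server at all?
    $setting = Get-DnsServerSetting -ComputerName $server
    Write-Host ("DNSSEC validation enabled : {0}" -f $setting.EnableDnsSec)

    # Is the root (.) trust anchor present and in a usable state? Validation
    # of any internet name cannot succeed without it.
    Get-DnsServerTrustAnchor -Name '.' -ComputerName $server |
        Select-Object TrustAnchorName, TrustAnchorType, TrustAnchorState |
        Format-Table -AutoSize

    # Where do non-authoritative queries go? With UseRootHint set to True the
    # server is allowed to fall back to iterative resolution (root hints, then
    # the zone's own authoritative servers) when the forwarder path does not
    # answer; compare this value with what the packet capture shows.
    $fwd = Get-DnsServerForwarder -ComputerName $server
    Write-Host ("Forwarders                : {0}" -f ($fwd.IPAddress -join ', '))
    Write-Host ("Fall back to root hints   : {0}" -f $fwd.UseRootHint)

    $rec = Get-DnsServerRecursion -ComputerName $server
    Write-Host ("Recursion enabled         : {0}" -f $rec.Enable)

    # Same query as in the question, bypassing the local client cache.
    # -DnssecOk sets the DO bit, so a resolver that can build the chain of
    # trust returns RRSIG records next to the A record; a SERVFAIL means the
    # lookup or its validation failed on that server.
    try {
        $answer = Resolve-DnsName -Name $TestName -Type A -DnssecOk -Server $server -DnsOnly -ErrorAction Stop
        $a     = @($answer | Where-Object Type -eq 'A')
        $rrsig = @($answer | Where-Object Type -eq 'RRSIG')
        Write-Host ("Query {0}: {1} A record(s), {2} RRSIG record(s)" -f $TestName, $a.Count, $rrsig.Count)
    }
    catch {
        Write-Host ("Query {0} failed: {1}" -f $TestName, $_.Exception.Message)
    }
}
```

    Running it against both servers side by side shows which of the two settings differ (validation flag, trust anchor state, forwarder list, root-hint fallback, recursion) and which server answers the DO-bit query with signatures, which narrows the comparison the original poster is making between DC1 and DNS1.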

All replies

  • Hi,

    Thank you for your question.

    I am currently performing research on this issue and will get back to you as soon as possible. I appreciate your patience.

    If you have any updates during this process, please feel free to let me know.

    Best Regards,

    Eric


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 14, 2019 9:20 AM
  • Hi,

    Thanks for your question.

    Is there any error message when this issue happens?

    Best Regards,

    Eric



    Monday, March 18, 2019 2:00 AM
  • Hi Eric,

    Thanks for looking into it. On the DNS servers or DCs I cannot find any error; I've looked in the event log but all looks OK. Not sure if I should look somewhere else?

    On the client we receive:
    Resolve-DnsName -Name www.internet.nl -Type A -DnssecOk -Server 10.x.y.1
    Resolve-DnsName : www.internet.nl : DNS server failure
    At line:1 char:1
    + Resolve-DnsName -Name www.internet.nl -Type A -DnssecOk -Server 10.x ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : ResourceUnavailable: (www.internet.nl:String) [Resolve-DnsName], Win32Exception
        + FullyQualifiedErrorId : RCODE_SERVER_FAILURE,Microsoft.DnsClient.Commands.ResolveDnsName

    It doesn't matter if I remove the -DnssecOk parameter.

    Best Regards,
    Floris

    Monday, March 18, 2019 8:46 AM
  • Hi,

    Thanks for your update.

    Do you mean that this issue is caused by the intermediate resolver having no internet access?

    Could you please tell me what the intermediate resolver you referred to in the topic is?

    Best Regards,

    Eric



    Thursday, March 21, 2019 9:27 AM
  • Hi Eric,

    Correct, DC1 is the intermediate resolver (clients have DC1 configured as DNS server). DC1 has no internet access; DC1 has DNS1 configured as forwarder (in the DNS server). DNS1 has internet access.

    When we create packet captures of DC1's network traffic we see that it tries to connect to authoritative DNS servers for domain lookups.

    I can create Wireshark PCAPs if needed.

    Best Regards,
    Floris

    Thursday, March 21, 2019 9:36 AM
  • Hi,

    Thanks for your reply.

    It is necessary to capture and analyze packets to confirm the cause.

    Unfortunately, packet analysis is not supported by the forum.

    I suggest you contact Microsoft Customer Services and Support to get an efficient solution:

    http://support.microsoft.com/contactus/?ln=en-au  

    Best Regards,

    Eric



    Monday, March 25, 2019 8:55 AM