problems with recursive queries
Ken Blankenship
to be capable of resolving names outside of my domain (eg.
yahoo.com, slashdot.org, microsoft.com). Using nslookup
with the debug option set, I have noticed that my domain
name is appended to the tail end of every query. For
instance a lookup for "microsoft.com" shows a question in
debug for "microsoft.com.domain.edu".
I have also noticed that in the DNS MMC, with advanced
viewing options, the Cached Lookups list only has an
entry for .->net->root-servers, but that root-servers
folder is always empty. When my DNS servers were operating
correctly, I had numerous listings there.
I have tried replaced the cache.dns, but that did not help.
Ken Blankenship
Kevin D. Goodknecht Sr. [MVP]
Ken Blankenship <kenr...@utm.edu> posted their concerns
Then Kevin made his reply below:
I have not heard of SP4 causing DNS to stop resolving external names.
So far as the behavior of adding you domain name on queries that is expected
and is designed that way when you have those names in your search order in
TCP/IP properties. That is how DNS searches when you just do a hostname
lookup.
As for not being able to do external lookups, I assume you don't have
recursion disabled on the advanced tab, that you you don't have a "."
Forward Lookup Zone.
Can you ping your gateway from the DNS machine?
--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================
http://www.lonestaramerica.com/
============================
--
When responding to posts, please "Reply to Group" or
"Reply All" via your newsreader so that others may learn
and benefit from your issue
==========================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
==========================================
Keep a back up of your OE settings and folders with
OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
==========================================
Herb Martin
Nslookup always does the "add the domain suffix(es)" to
the name given -- if it's not terminated with a "." (dot.)
This is the client side resolver and is only accidently (through
your setup) related to what your DNS server does (to help
this client resolver.)
--
Herb Martin
Nathan Zaugg
NS1.PRONETHOST.COM. When I do a lookup for any domain it
returns the IP address the DNS server is on. If I do a
nslookup on google.com it will return 166.70.205.185
twice. www.Microsoft.com returns 166.70.205.185 many
times. If I use the "set vc" command in nslookup it will
resolve the external and internal names correctly. Also,
the server is running behind a NAT based firewall so if
from my local network I do a nslookup to 10.0.0.3 for
example it will return correct information without having
to use the "set vc" command in nslookup.
Any information on how to fix this would be GREATLY
appreciated!
>.
>
Ken Blankenship
were resolving just fine, but quit just after patching to
Service Pack 4 which may just be a coincidental thing. It
just really disturbs me that DNS resolved without fail for
over a year, but now can't resolve anything.
To take care of resolution for my Dorm network, I ended up
firing up the DNS service on the current DHCP box and set
it up with secondary zones pointed at the original (no
longer resolving external addresses) primary server. It is
resolving externals (with SP4) and taking zone transfers.
The strange thing is that the settings for each of the
servers is identical. I don't have 'Disable Recursive'
checked on any of the systems.
Right now I am debating the idea of rebuilding my original
DNS boxes, but would rather understand the real cause of
the DNS problem.
Ken Blankenship
Ace Fekay [MVP]
don't belong in there? 127.0.0.1 localhost shoud be the only thing in there
unless you added something else in the past.
--
Regards,
Ace
Please direct all replies to the newsgroup so all can benefit.
Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================
"Nathan Zaugg" <Nat...@PCfxComputers.com> wrote in message
news:5d8a01c3774c$f16abd30$a501...@phx.gbl...
Nathan Zaugg
ideas?
>.
>
Ace Fekay [MVP]
Nathan Zaugg <Nat...@PCfxComputers.com> posted their thoughts, then I
offered mine
> HOSTS file looks fine. Hasen't been changed. Any other
> ideas?
>
Can you provide an example of the nslookup output in your next response?
Just copy if out of the command prompt and paste it here as text. That's
easier than attaching it.
Thanks
Jonathan de Boyne Pollard
NZ> 166.70.205.185 twice. www.Microsoft.com returns
NZ> 166.70.205.185 many times. [...]
This appears to be the "my NAT box is rewriting all DNS/UDP traffic" problem.
But more information is needed to be sure.
What are the results of the following commands ?
dnsquery -n 195.117.6.25 -t a a.root-servers.orsc.
dnsquery -n 216.239.32.10 -t a www.google.com.
dnsquery -n 193.45.1.76 -t a a562.cd.akamai.net.
(If you don't have either "dnsquery" or "dig", get them from ISC.)
Nathan
> server ns1.pronethost.com
Default Server: ns1.pronethost.com
Address: 166.70.205.185
> google.com
Server: ns1.pronethost.com
Address: 166.70.205.185
Name: google.com
Addresses: 166.70.205.185, 166.70.205.185
> set vc
> google.com
Server: ns1.pronethost.com
Address: 166.70.205.185
Non-authoritative answer:
Name: google.com
Addresses: 216.239.53.100, 216.239.37.100
>
Also, I have tried forwarders and they seem to make no
difference.
>.
>
Ace Fekay [MVP]
> server ns1.pronethost.com
Default Server: ns1.pronethost.com
Address: 166.70.205.185
> google.com
Server: ns1.pronethost.com
Address: 166.70.205.185
Name: google.com
Addresses: 216.239.53.100, 216.239.37.100
>
Try enabling Secure Cache Against Pollution in DNS properties. Also like to
see the output from what Jonathan requested. If not familiar with dnsquery,
just use the DIG tool. It's part of the BIND installation. Just download it,
but don't install it as a service. Just want to use the DIG tool out of the
folder.
--
Regards,
Ace
Please direct all replies to the newsgroup so all can benefit.
Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================
"Nathan" <Nathan@PCfxComputers> wrote in message
news:086901c37884$369f1f80$a001...@phx.gbl...
Nathan
this from neumerous other clients from a variety of
different networks and providers. Perhaps you have a
special configuration that required auth lookups.
I am not familiar with dnsquery or dig. I can find dig in
BIND installations but I can't find dnsquery anywhere!
Some more spcific information would be helpful. Do you
want me to run this from the server, another computer in
the network, or externally?
I am very intrested in the theory of the NAT firewall
changing my dns packets. It just makes sense logically
except for the fact that I can get a correct response when
I "set vc".
Thanks for your help!
Nathan
>.
>
Ace Fekay [MVP]
Nathan <Nat...@PCfxComputers.com> posted their thoughts, then I offered mine
> Thats weird that you got a correct response. I have tried
> this from neumerous other clients from a variety of
> different networks and providers. Perhaps you have a
> special configuration that required auth lookups.
>
> I am not familiar with dnsquery or dig. I can find dig in
> BIND installations but I can't find dnsquery anywhere!
> Some more spcific information would be helpful. Do you
> want me to run this from the server, another computer in
> the network, or externally?
>
> I am very intrested in the theory of the NAT firewall
> changing my dns packets. It just makes sense logically
> except for the fact that I can get a correct response when
> I "set vc".
>
> Thanks for your help!
> Nathan
>
I wouldn't say it's weird, just that there are no restrictions on DNS
traffic with my network.
Without going into detail, I have allowed the necessary ports opened to my 2
public DNS servers, including UDP 1024 to 65534. Yes, that is a WIDE range.
But that's how MS DNS works. There's a reg entry to change that, but haven't
had much luck with it as of yet.
I don't understand why you would need to set vc (use a virtual circuit) when
you're doing it. This command FORCES a TCP connection instead of UDP (which
is the normal default initial attempt). So that says you don't have certain
ports opened to the machine(s) you are trying this from. So that may be your
answer because I need to set that at my workstation when using nslookup
since I don't have that wide UDP range open to it. This way it forces it to
use TCP and I get the response back using nslookup.
NAT complicates it a bit. Normally NAT will allow all established back in,
so when you do queries or anything else, the response comes back. So
nslookup just works. Initial connection attempts aren't allowed in (like
running mail or DNS servers, etc) unless you create a port-remap to allow
that back in. But only one port to one internal IP is allowed. Can't have
mutliple IPs to one port, which is a restriction saying you can only run one
of a kind service internally. Only exception is web services only if using a
Proxy or ISA server and iwth that you can port remap by host header. So if
you're running a public DNS server, you can only run one if behind a NAT.
Dnsquery is something Jonathan wrote and works on OS2Warp and I believe on
*nix versions, but not Windows. Dig is a nice tool as an alternative to
nslookup. No matter what you're running as a tool, you should still get some
sort of response unless something is being BLOCKED!!!
Jonathan de Boyne Pollard
No. _My_ tool is DNSQRY (note the spelling). "dnsquery" is one of the
several DNS diagnosis tools that comes with ISC's BIND. (It's under "bin" in
version 8. I vaguely recall that it was under "contrib" in version 4. I
haven't checked version 9.)
I've given the "dig" equivalents of the "dnsquery" commands in another post.
Jonathan de Boyne Pollard
JdeBP*> dig @216.239.32.10 www.google.com. a
JdeBP*> dig @193.45.1.76 a562.cd.akamai.net. a
N> Do you want me to run this from the server, another
N> computer in the network, or externally?
Run them on the machine that is running your DNS server.
N> I am very intrested in the theory of the NAT firewall
N> changing my dns packets.
Ace Fekay [MVP]
Jonathan de Boyne Pollard <J.deBoyn...@Tesco.NET> posted their
thoughts, then I offered mine
Oops. Sorry, another one of my misspellings!
Ace Fekay [MVP]
Nathan <Nat...@ProNetHost.com> posted their thoughts, then I offered mine
>> JdeBP*> dig @195.117.6.25 a.root-servers.orsc. a
>> JdeBP*> dig @216.239.32.10 www.google.com. a
>> JdeBP*> dig @193.45.1.76 a562.cd.akamai.net. a
>
> C:\Documents and Settings\Administrator\Desktop\New
> Folder>dig @195.117.6.25 a.r
> oot-servers.orsc. a
>
> ; <<>> DiG 8.3 <<>> @195.117.6.25 a.root-servers.orsc. a
> ; (1 server found)
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3,
> ADDITIONAL: 4
> ;; QUERY SECTION:
> ;; a.root-servers.orsc, type = A, class = IN
>
> ;; ANSWER SECTION:
> a.root-servers.orsc. 2D IN A 199.166.24.12
>
> ;; AUTHORITY SECTION:
> ORSC. 2D IN NS ns1.vrx.net.
> ORSC. 2D IN NS mejac.palo-
> alto.ca.us.
> ORSC. 2D IN NS ns1.jerky.net.
>
> ;; ADDITIONAL SECTION:
> ns1.vrx.net. 2D IN A 199.166.24.1
> ns1.vrx.net. 2D IN A 199.166.27.6
> mejac.palo-alto.ca.us. 5m18s IN A 192.147.236.1
> ns1.jerky.net. 12H IN A 204.57.55.100
>
> ;; Total query time: 1000 msec
> ;; FROM: neo to SERVER: 195.117.6.25 195.117.6.25
> ;; WHEN: Sun Sep 14 13:44:26 2003
> ;; MSG SIZE sent: 37 rcvd: 205
<snip>
> --Nathan
The Digs look fine. Here's my result for the first query below. Notice, that
since I don't have UDP 1024 to 65534 open to this workstation, so I had to
use the +vc option.
===================================
; <<>> DiG 9.2.2rc1 <<>> @195.117.6.25 a.root-servers.orsc. a +vc
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 4
;; QUESTION SECTION:
;a.root-servers.orsc. IN A
;; ANSWER SECTION:
a.root-servers.orsc. 172800 IN A 199.166.24.12
;; AUTHORITY SECTION:
ORSC. 172800 IN NS ns1.vrx.net.
ORSC. 172800 IN NS mejac.palo-alto.ca.us.
ORSC. 172800 IN NS ns1.jerky.net.
;; ADDITIONAL SECTION:
ns1.vrx.net. 172800 IN A 199.166.24.1
ns1.vrx.net. 172800 IN A 199.166.27.6
mejac.palo-alto.ca.us. 318 IN A 192.147.236.1
ns1.jerky.net. 43200 IN A 204.57.55.100
;; Query time: 296 msec
;; SERVER: 195.117.6.25#53(195.117.6.25)
;; WHEN: Sun Sep 14 21:04:00 2003
;; MSG SIZE rcvd: 205
===================================
So that kind of tells me that your ports are fine, at least to this machine
you did the query on.
By chance, did you ever enable the "Secure Cache Against Pollution" option?
Ace Fekay [MVP]
Nathan <Nat...@PCfxComputers.com> posted their thoughts, then I offered mine
>> By chance, did you ever enable the "Secure Cache Against Pollution"
>> option?
>
> exploring the possibility of ports not being open because
> thats the best lead I have so far. Though, it doesn't
> explain a lot. I guess I am still looking for a solution.
>
> --Nathan
So it's still giving you back the 166.x.x.x numbers?
Also, see if you can open up your firewall just for a few minutes and try it
again.
Jonathan de Boyne Pollard
JdeBP*> dig @216.239.32.10 www.google.com. a
JdeBP*> dig @193.45.1.76 a562.cd.akamai.net. a
Good. They weren't mangled.
Now ensure that your DNS server (running on that machine) isn't forwarding
queries, and then run the same commands, on that same machine, but without the
'@' arguments. You can then compare the answers obtained via your proxy DNS
service with the answers obtained directly from the content DNS servers.
If they are essentially the same, the next stop is to ensure that your other
machines receive the same responses that you receive locally. Run the
commands, still without the '@' arguments, on one of your other machines.
If they are essentially different, the next stop is to look carefully at your
DNS server's configuration.
Nathan Zaugg
>public DNS servers, including UDP 1024 to 65534. Yes,
that is a WIDE range.
>But that's how MS DNS works. There's a reg entry to
change that, but haven't
>had much luck with it as of yet.
I tried opening up that port range for a while and it
didn't seem to have any effect. I also ran the DIG tool
with the parameters specified and here are the results,
which are incorrect.
C:\>dig @166.70.205.185 www.google.com a
; <<>> DiG 8.3 <<>> @166.70.205.185 www.google.com a
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0,
ADDITIONAL: 0
;; QUERY SECTION:
;; www.google.com, type = A, class = IN
;; ANSWER SECTION:
www.google.com. 1H IN CNAME
www.google.akadns.net.
www.google.akadns.net. 0S IN A 166.70.205.185
;; Total query time: 0 msec
;; FROM: neo to SERVER: 166.70.205.185 166.70.205.185
;; WHEN: Sun Sep 21 20:50:46 2003
;; MSG SIZE sent: 32 rcvd: 83
Ace Fekay [MVP]
this:
==================================================
C:\bind>dig @166.70.205.185 www.google.com a +vc
; <<>> DiG 9.2.2rc1 <<>> @166.70.205.185 www.google.com a +vc
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 3097 IN CNAME www.google.akadns.net.
www.google.akadns.net. 293 IN A 216.239.53.99
;; Query time: 125 msec
;; SERVER: 166.70.205.185#53(166.70.205.185)
;; WHEN: Sun Sep 21 22:53:14 2003
;; MSG SIZE rcvd: 83
==================================================
TCP and UDP 53 and the UDP 1024 and above range are all wide open as you
mentioned, so you should have received an answer.
What are you using for NAT?
--
Regards,
Ace
Please direct all replies to the newsgroup so all can benefit.
Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
--
=================================
"Nathan Zaugg" <Nat...@ProNetHost.com> wrote in message
news:057c01c380b4$44b977e0$a401...@phx.gbl...
Jonathan de Boyne Pollard
On 2003-09-15 I gave you a whole list of other tests to
run, and where then to proceed based upon their results.
Jonathan de Boyne Pollard
AF> www.google.com, such as this:
He did. He just erroneously word-wrapped it when posting.
Ace Fekay [MVP]
<J.deBoyn...@Tesco.AllYourDomainAreBelongToVerisign.NET> wrote in
message news:3F70F7B4...@Tesco.AllYourDomainAreBelongToVerisign.NET...
> AF> Strange that you didn't get a answer for the IP for
> AF> www.google.com, such as this:
>
> He did. He just erroneously word-wrapped it when posting.
But my results showed the A record, where his didn't, unless I missed
something since I didn't see any wrapping.
Mine:
;; ANSWER SECTION:
www.google.com. 3097 IN CNAME www.google.akadns.net.
www.google.akadns.net. 293 IN A 216.239.53.99
His:
;; ANSWER SECTION:
www.google.com. 1H IN CNAME
www.google.akadns.net.
www.google.akadns.net. 0S IN A 166.70.205.185
Ace
Jonathan de Boyne Pollard
AF> But my results showed the A record, where his didn't,
AF> unless I missed something since I didn't see any wrapping.
AF> Mine:
AF> ;; ANSWER SECTION:
AF> www.google.com. 3097 IN CNAME www.google.akadns.net.
AF> www.google.akadns.net. 293 IN A 216.239.53.99
AF>
AF> His:
AF> ;; ANSWER SECTION:
AF> www.google.com. 1H IN CNAME
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
AF> www.google.akadns.net.
^^^^^^^^^^^^^^^^^^^^^^^^^^
AF> www.google.akadns.net. 0S IN A 166.70.205.185
There's the word-wrapping, right there.
Nathan
My apoligies, I am using the web version of this newsgroup
and it never let me access that post. It says "Message
unavailable". Could you re-post that information? Also,
can you reccomend a good windows based news reader
(Outlook Express is a very poor news reader, i prefer the
web over that)
Thanks!
Nathan
Jonathan de Boyne Pollard
Google Groups is your friend.
<URL:http://groups.google.com/groups?selm=3F65B1E4...@Tesco.NET>
N> Also, can you reccomend a good windows based news reader [...?]
I leave that to others. I've mainly used Netscape Communicator
on Windows.