DNS Issues

[initroot]

Currently having some DNS issues with a client.

Some background:
Client uses mailserver and active directory each seperate VM.
The computers connected and authenticated with the AD all receive their DNS automatically.
The AD acts as DNS server with configuration as such: on IP for the network controller IPv4 DNS is set as 196.168.0.5 (IP of AD) and then 127.0.0.1

The DNS server is configured to forward to the ISP DNS (i've tried google dns as well).

What happens are the internet DNS timeouts for the workstation computers. Changing the DNS to google DNS on each workstation individually solves the issue. I've browsed on the AD for hour and the DNS timeout on the AD itself.

How to troubleshoot this further?

 

[ubercal]

Maybe the clients pcs have been configured to query hostnames by netbios 1st then DNS 2nd.Not sure just throwing out some ideas.I vaguely remmember you can check a registry key on the client machine which shows the shows order.

 

[ubercal]

Actually rereading it , it sounds like there is a DNS problem on the dns server.The DNS server cant resolve external hostnames correctly.What happends if you configure the DNS forwarder addresses as the google dns servers ?

 

[initroot]

Actually rereading it , it sounds like there is a DNS problem on the dns server.The DNS server cant resolve external hostnames correctly.What happends if you configure the DNS forwarder addresses as the google dns servers ?

The same happens. I've tried the forwarders as GOOGLE DNS and ISP DNS.
Same issue!

 

[initroot]

The same happens. I've tried the forwarders as GOOGLE DNS and ISP DNS.
Same issue!

Anyone able to assist?
If in CPT perhaps we could setup meet, name your price.

 

[DMNknight]

Sounds very much like your queries are not hitting your ISP or Google.
Have you opened the outbound DNS ports for your DC on your firewall? (don't allow inbound)

 

[ubercal]

I think go back to basics ... try telnet into port 53 from the internal DNS to the external dns server .See if the port is open or if it times out.Also try using nslookup and query external dns servers.If its timming out then it must be a firewall rule that is either blocking or doing extensive checks on the packets traversing the firewall and causing the long delays/timeouts

 

[DoringDraad]

Hi Fransh, a few random questions come to mind,
1) from the DNS server, are you able to ping any of the internet DNS ips ? 8.8.8.8 / 8.8.4.4 (google) ? If so, does the ping drop from time to time or is it continuous and is the latency low or does it fluctuate ?
2) have you perhaps considered using a different network cable to a different port on the switch ? (several possible issues can be identified here)

I will post more questions if I can think of any, not knowing what the setup looks like exactly it makes it a bit hard to guess.

 

[initroot]

Hi Fransh, a few random questions come to mind,
1) from the DNS server, are you able to ping any of the internet DNS ips ? 8.8.8.8 / 8.8.4.4 (google) ? If so, does the ping drop from time to time or is it continuous and is the latency low or does it fluctuate ?
2) have you perhaps considered using a different network cable to a different port on the switch ? (several possible issues can be identified here)

I will post more questions if I can think of any, not knowing what the setup looks like exactly it makes it a bit hard to guess.

Hi,

Ping always work, only reason ping timeout is due to the firewall seeing it as ping of death virus. Ping is not issue.
I've run the ping directly from the server, as well as the firewall.

PM me let's have a chat.

 

[DMNknight]

Fransh

You have to establish exactly where the DNS is failing to lookup:
-nslookup from workstation (the replying DNS server will be listed, more than likely one of your listed DNS servers in IPconfig)
-nslookup from workstation using your ISP primary and secondary addresses
-nslookup from workstation using the google DNS (8.8.8.8 should reply, if not open the FW and try again)
-nslookup from workstation using DC IP

-nslookup from DC
-nslookup from DC using your ISP primary and secondary addresses
-nslookup from DC using the google DNS

Use NetMon or similar to watch a DNS query and see what it does when talking to your DC.
If the query dies at your DC, make sure you don't have a root level domain listed as a primary or secondary zone.
Make sure that DNS is bound to the internet facing adapter.

If anything fails at any level, fix it before moving on.

 

[initroot]

Thanks gfmalan,
got the issue sorted misconfig on the ipv6 for the AD