Microsoft DNS Server Cannot Resolve Some Domain Names Externally
DNSWalk is a small Windows application that queries all root servers, and every Top Level Domain (TLD) server they return, for the FQDN requested. This lets you see exactly what each root hint server and each top-level DNS server is returning to you.
Download -> DNSWalk-1.0
If you run DNSWalk on a Windows DNS server it automatically reads the server's root hints file and uses that. If you want to run it on another machine you can specify the root hints file to use.
To use it, unzip the attachment and at the command line type DNS.exe test=www.google.com, substituting www.google.com with the domain whose resolution you want to test.
If you want to compare the results from a client with what you are seeing, copy their root hints file to your PC and run the command like this:
DNS.exe test=www.google.com hints=c:\copiedhintsfile
The root hints file is by default c:\windows\system32\dns\cache.dns. The tool writes a file called report.html in the folder it was run from. An example is attached.
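The walk DNSWalk performs (root hints, then the TLD servers each root refers you to, then the servers those refer you to) can be reproduced with nothing but the Python standard library. The block below is an added example written for this page, not DNSWalk's own code: it parses a cache.dns-style root hints excerpt, builds an iterative query with or without an EDNS0 OPT record, pulls the NS referrals and glue out of each reply, and prints sections in the same shape as the report. The root hints excerpt and the sample referral message are constructed so the parsing can be checked offline; the walk itself needs network access to UDP/53.

```python
import socket
import struct
ROOT_HINTS_SAMPLE = """\
; constructed excerpt in the cache.dns layout Windows DNS uses for root hints (not the real file)
A.ROOT-SERVERS.NET.   3600000  A  198.41.0.4
B.ROOT-SERVERS.NET.   3600000  A  128.9.0.107
C.ROOT-SERVERS.NET.   3600000  A  192.33.4.12
"""

def parse_root_hints(text):
    """Map root server name -> IPv4 from 'NAME TTL [IN] A ADDRESS' lines; comment and NS lines are skipped."""
    rows = (line.split(";", 1)[0].split() for line in text.splitlines())
    return {r[0].lower().rstrip("."): r[-1] for r in rows if len(r) >= 4 and r[-2].upper() == "A"}

def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l) + b"\x00"

def build_query(name, txid, edns=True, udp_size=4096):
    """Iterative A query (RD=0, as a walk of the hierarchy needs); optionally carries an EDNS0 OPT record."""
    msg = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1 if edns else 0) + encode_name(name) + struct.pack("!HH", 1, 1)
    if edns:  # OPT pseudo-RR: root owner name, TYPE 41, CLASS field carries the advertised UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_size, 0, 0)
    return msg

def decode_name(msg, offset):
    """Read a possibly compressed name; returns (name, offset just past the name in the stream)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: the rest of the name lives earlier in the message
            tail, _ = decode_name(msg, struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF)
            return ".".join(filter(None, labels + [tail])), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(msg):
    """Return the TC flag and every (owner, type, value) record in the answer, authority and additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset, records = 12, []
    for _ in range(qd):
        offset = decode_name(msg, offset)[1] + 4  # skip QNAME, QTYPE, QCLASS
    for _ in range(an + ns + ar):
        owner, offset = decode_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 2:  # NS rdata is a (possibly compressed) name
            value = decode_name(msg, offset)[0]
        elif rtype in (1, 28) and rdlen in (4, 16):  # A / AAAA glue
            value = socket.inet_ntop(socket.AF_INET if rdlen == 4 else socket.AF_INET6, msg[offset:offset + rdlen])
        else:
            value = msg[offset:offset + rdlen]  # e.g. the OPT record's (empty) rdata
        offset += rdlen
        records.append((owner.lower(), rtype, value))
    return {"txid": txid, "tc": bool(flags & 0x0200), "records": records}

def referral_targets(parsed):
    """NS names the server referred us to, and the glue addresses it supplied for them."""
    ns_names = [v for _, t, v in parsed["records"] if t == 2]
    glue = {}
    for owner, t, v in parsed["records"]:
        if t in (1, 28):
            glue.setdefault(owner, []).append(v)
    return ns_names, glue

def constructed_referral(txid=0x1234):
    """Constructed sample (not captured traffic): 'com NS a.gtld-servers.net' plus glue, owner name compressed."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 0, 1, 1)  # QR=1, one authority RR, one additional RR
    question = encode_name("www.google.com") + struct.pack("!HH", 1, 1)
    ns_rdata = encode_name("a.gtld-servers.net")
    ns_rr = encode_name("com") + struct.pack("!HHIH", 2, 1, 172800, len(ns_rdata)) + ns_rdata
    pointer = struct.pack("!H", 0xC000 | (len(header) + len(question) + len(ns_rr) - len(ns_rdata)))
    glue_rr = pointer + struct.pack("!HHIH", 1, 1, 172800, 4) + bytes([192, 5, 6, 30])
    return header + question + ns_rr + glue_rr

def query_udp(server_ip, name, txid, edns=True, timeout=2.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid, edns), (server_ip, 53))
        return parse_response(s.recvfrom(4096)[0])

def report(heading, ip, name, edns):
    """Print one report section; returns {glue IPv4: NS name} so the next level can be walked."""
    print(heading)
    try:
        ns_names, glue = referral_targets(query_udp(ip, name, 0x1000, edns))
    except OSError as exc:  # timeout, unreachable network, ...
        print(f"  DNS request failed: {exc}")
        return {}
    for ns in ns_names:
        print(f"  - {ns} {' '.join(glue.get(ns.lower(), ['(no glue)']))}")
    return {a: ns for ns in ns_names for a in glue.get(ns.lower(), []) if ":" not in a}

def walk(name, hints, edns=True):
    """DNSWalk-style: ask every root hint server for `name`, then every TLD server the roots referred us to."""
    tld_ips = {}
    for root, ip in sorted(hints.items()):
        tld_ips.update(report(f"Top Level servers from {root.upper()}.", ip, name, edns))
    for ip, ns in tld_ips.items():
        report(f"Third Level servers from {ip} ({ns})", ip, name, edns)

if __name__ == "__main__":
    walk("www.google.com", parse_root_hints(ROOT_HINTS_SAMPLE))
```

Running it with edns=False sends the same queries without the OPT record, which is the wire-level equivalent of the enableednsprobes 0 setting discussed below: a server that would otherwise fill a 4096-byte UDP reply must then fit 512 bytes or set the TC flag, which the parser exposes as parsed["tc"]. Replace ROOT_HINTS_SAMPLE with the text of cache.dns to walk from a real server's hints.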
Microsoft DNS has two big issues I have seen with external resolution:
- Some DNS name queries are unsuccessful after you deploy a Windows Server 2003 or Windows Server 2008 R2-based DNS server
This issue occurs because of the Extension Mechanisms for DNS (EDNS0) functionality that is supported in Windows Server 2003 DNS. EDNS0 permits the use of larger User Datagram Protocol (UDP) packet sizes. However, some firewall programs do not permit UDP packets that are larger than 512 bytes, so these DNS packets may be blocked by the firewall. To fix it, open a CMD window and run the following:
dnscmd /config /enableednsprobes 0
Then retry your query.
- Microsoft DNS Server cannot resolve some domain names when the external DNS reply comes from a different source IP address.
This problem occurs because some DNS implementations include a load balancing feature. With such implementations, the server that answers a query outside the firewall can be different from the server to which the query was originally addressed. Under these circumstances a stateful firewall may discard the reply from the external DNS server: the internal host (the DNS server inside the firewall) originally opened the connection to one destination IP address, but the reply arrives from a different one (the second external DNS server). The reply from the external DNS server is therefore never received by the DNS server on the inside of the firewall.
To fix: either add a forwarder to your DNS server, or at your firewall add a NAT rule to send all port 53 traffic to the internal DNS server. This negates the firewall blocks.
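To make the two failure modes concrete, the block below is an added example for this page (not from the original post, and not any firewall vendor's logic) that models a stateful firewall enforcing the two checks just described: a 512-byte ceiling on UDP/53 payloads and a requirement that a reply come from the exact host the query was sent to. It then replays the EDNS scenario with probes on and off, and the load-balanced external DNS scenario with and without a forwarder. All addresses are constructed (private and RFC 5737 documentation ranges), and the reply sizes are assumed values chosen to sit on either side of the 512-byte limit; the NAT fix from the text is modelled, on my reading of it, as the firewall no longer insisting on a matching reply source for port 53.

```python
from dataclasses import dataclass

# Constructed addresses (RFC 5737 documentation ranges and private space), not real infrastructure.
INSIDE_DNS = "10.0.0.53"        # the Windows DNS server behind the firewall
TLD_SERVER = "192.5.6.30"       # a.gtld-servers.net, as in the report below
EXTERNAL_LB_A = "203.0.113.10"  # a load-balanced external DNS: the query goes here ...
EXTERNAL_LB_B = "203.0.113.11"  # ... but the answer comes back from this address
FORWARDER = "203.0.113.53"      # a recursive forwarder that answers from the address it was asked on

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    size: int   # UDP payload length in bytes
    txid: int   # DNS transaction ID

class StatefulFirewall:
    """Toy model (assumed behaviour, not any vendor's engine): UDP/53 payloads over max_udp_dns are
    dropped, and a reply is only allowed if it comes from the very host the matching query went to."""
    def __init__(self, max_udp_dns=512, strict_source=True):
        self.max_udp_dns = max_udp_dns
        self.strict_source = strict_source
        self.pending = {}  # (inside ip, source port, txid) -> destination the query was sent to

    def outbound(self, pkt):
        self.pending[(pkt.src, pkt.sport, pkt.txid)] = pkt.dst

    def inbound(self, pkt):
        expected = self.pending.get((pkt.dst, pkt.dport, pkt.txid))
        if expected is None:
            return "DROP: no matching outbound query"
        if self.strict_source and pkt.src != expected:
            return f"DROP: reply from {pkt.src} but query was sent to {expected}"
        if pkt.size > self.max_udp_dns:
            return f"DROP: {pkt.size}-byte UDP DNS payload exceeds {self.max_udp_dns}"
        return "ALLOW"

def edns_scenario(probes_enabled, fw=None):
    """Issue 1. With EDNS probes on, the server advertises a large UDP size and may get a reply over
    512 bytes; with probes off the reply must fit 512 bytes (the server sets TC and the client retries over TCP)."""
    fw = fw or StatefulFirewall()
    fw.outbound(Packet(INSIDE_DNS, TLD_SERVER, 50123, 53, 60, 0x1111))
    reply_size = 1180 if probes_enabled else 512  # constructed sizes either side of the limit
    return fw.inbound(Packet(TLD_SERVER, INSIDE_DNS, 53, 50123, reply_size, 0x1111))

def load_balanced_scenario(use_forwarder=False, fw=None):
    """Issue 2. A load-balanced external DNS answers from a different address than the one queried, so
    the stateful match fails; a forwarder that answers from its own address keeps the 5-tuple consistent."""
    fw = fw or StatefulFirewall()
    target = FORWARDER if use_forwarder else EXTERNAL_LB_A
    replier = FORWARDER if use_forwarder else EXTERNAL_LB_B
    fw.outbound(Packet(INSIDE_DNS, target, 50124, 53, 60, 0x2222))
    return fw.inbound(Packet(replier, INSIDE_DNS, 53, 50124, 200, 0x2222))

if __name__ == "__main__":
    print("EDNS probes on :", edns_scenario(True))
    print("EDNS probes off:", edns_scenario(False))
    print("load-balanced  :", load_balanced_scenario())
    print("via forwarder  :", load_balanced_scenario(use_forwarder=True))
    print("relaxed source :", load_balanced_scenario(fw=StatefulFirewall(strict_source=False)))
```

The model also shows why the symptoms look alike from the DNS server's side: in both cases the reply left the external server but never arrives, so the server logs a timeout rather than an error, and only a capture on the outside interface of the firewall (or a tool like DNSWalk run from a machine outside it) tells the two apart.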
An example of the report DNSWalk produces:
DNS REPORT
Root hint servers
A.ROOT-SERVERS.NET. – 198.41.0.4
B.ROOT-SERVERS.NET. – 128.9.0.107
C.ROOT-SERVERS.NET. – 192.33.4.12
D.ROOT-SERVERS.NET. – 128.8.10.90
E.ROOT-SERVERS.NET. – 192.203.230.10
F.ROOT-SERVERS.NET. – 192.5.5.241
G.ROOT-SERVERS.NET. – 192.112.36.4
H.ROOT-SERVERS.NET. – 128.63.2.53
I.ROOT-SERVERS.NET. – 192.36.148.17
J.ROOT-SERVERS.NET. – 192.58.128.30
K.ROOT-SERVERS.NET. – 193.0.14.129
L.ROOT-SERVERS.NET. – 198.32.64.12
M.ROOT-SERVERS.NET. – 202.12.27.33
Top Level servers from A.ROOT-SERVERS.NET.
– m.gtld-servers.net
192.55.83.30
com
– l.gtld-servers.net
192.41.162.30
com
– k.gtld-servers.net
192.52.178.30
com
– j.gtld-servers.net
192.48.79.30
com
– i.gtld-servers.net
192.43.172.30
com
– h.gtld-servers.net
192.54.112.30
com
– g.gtld-servers.net
192.42.93.30
com
– f.gtld-servers.net
192.35.51.30
com
– e.gtld-servers.net
192.12.94.30
com
– d.gtld-servers.net
192.31.80.30
com
Top Level servers from B.ROOT-SERVERS.NET.
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 128.9.0.107
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Top Level servers from C.ROOT-SERVERS.NET.
– l.gtld-servers.net
192.41.162.30
com
– g.gtld-servers.net
192.42.93.30
com
– k.gtld-servers.net
192.52.178.30
com
– f.gtld-servers.net
192.35.51.30
com
– j.gtld-servers.net
192.48.79.30
com
– i.gtld-servers.net
192.43.172.30
com
– e.gtld-servers.net
192.12.94.30
com
– d.gtld-servers.net
192.31.80.30
com
– a.gtld-servers.net
192.5.6.30
2001:503:a83e::2:30
com
– b.gtld-servers.net
192.33.14.30
2001:503:231d::2:30
com
Top Level servers from D.ROOT-SERVERS.NET.
– c.gtld-servers.net
192.26.92.30
com
– a.gtld-servers.net
192.5.6.30
2001:503:a83e::2:30
com
– h.gtld-servers.net
192.54.112.30
com
– d.gtld-servers.net
192.31.80.30
com
– e.gtld-servers.net
192.12.94.30
com
– j.gtld-servers.net
192.48.79.30
com
– m.gtld-servers.net
192.55.83.30
com
– g.gtld-servers.net
192.42.93.30
com
– k.gtld-servers.net
192.52.178.30
com
– l.gtld-servers.net
192.41.162.30
com
Top Level servers from E.ROOT-SERVERS.NET.
– a.gtld-servers.net
192.5.6.30
2001:503:a83e::2:30
com
– i.gtld-servers.net
192.43.172.30
com
– k.gtld-servers.net
192.52.178.30
com
– l.gtld-servers.net
192.41.162.30
com
– f.gtld-servers.net
192.35.51.30
com
– d.gtld-servers.net
192.31.80.30
com
– j.gtld-servers.net
192.48.79.30
com
– c.gtld-servers.net
192.26.92.30
com
– e.gtld-servers.net
192.12.94.30
com
– h.gtld-servers.net
192.54.112.30
com
Top Level servers from F.ROOT-SERVERS.NET.
– m.gtld-servers.net
192.55.83.30
com
– i.gtld-servers.net
192.43.172.30
com
– e.gtld-servers.net
192.12.94.30
com
– f.gtld-servers.net
192.35.51.30
com
– d.gtld-servers.net
192.31.80.30
com
– b.gtld-servers.net
192.33.14.30
com
– a.gtld-servers.net
192.5.6.30
2001:503:a83e::2:30
com
– l.gtld-servers.net
192.41.162.30
com
– g.gtld-servers.net
192.42.93.30
com
– c.gtld-servers.net
192.26.92.30
com
Top Level servers from G.ROOT-SERVERS.NET.
– e.gtld-servers.net
192.12.94.30
com
– g.gtld-servers.net
192.42.93.30
com
– b.gtld-servers.net
192.33.14.30
com
– a.gtld-servers.net
192.5.6.30
2001:503:a83e::2:30
com
– j.gtld-servers.net
192.48.79.30
com
– h.gtld-servers.net
192.54.112.30
com
– m.gtld-servers.net
192.55.83.30
com
– d.gtld-servers.net
192.31.80.30
com
– c.gtld-servers.net
192.26.92.30
com
– l.gtld-servers.net
192.41.162.30
com
Top Level servers from H.ROOT-SERVERS.NET.
– a.gtld-servers.net
192.5.6.30
2001:503:a83e::2:30
com
– b.gtld-servers.net
192.33.14.30
com
– c.gtld-servers.net
192.26.92.30
com
– d.gtld-servers.net
192.31.80.30
com
– e.gtld-servers.net
192.12.94.30
com
– f.gtld-servers.net
192.35.51.30
com
– g.gtld-servers.net
192.42.93.30
com
– h.gtld-servers.net
192.54.112.30
com
– i.gtld-servers.net
192.43.172.30
com
– j.gtld-servers.net
192.48.79.30
com
Top Level servers from I.ROOT-SERVERS.NET.
– c.gtld-servers.net
192.26.92.30
com
– f.gtld-servers.net
192.35.51.30
com
– j.gtld-servers.net
192.48.79.30
com
– l.gtld-servers.net
192.41.162.30
com
– e.gtld-servers.net
192.12.94.30
com
– h.gtld-servers.net
192.54.112.30
com
– m.gtld-servers.net
com
– i.gtld-servers.net
192.43.172.30
com
– a.gtld-servers.net
192.5.6.30
2001:503:a83e::2:30
com
– b.gtld-servers.net
192.33.14.30
2001:503:231d::2:30
com
Top Level servers from J.ROOT-SERVERS.NET.
– a.gtld-servers.net
192.5.6.30
2001:503:a83e::2:30
com
– b.gtld-servers.net
192.33.14.30
com
– c.gtld-servers.net
192.26.92.30
com
– d.gtld-servers.net
192.31.80.30
com
– e.gtld-servers.net
192.12.94.30
com
– f.gtld-servers.net
192.35.51.30
com
– g.gtld-servers.net
192.42.93.30
com
– h.gtld-servers.net
192.54.112.30
com
– i.gtld-servers.net
192.43.172.30
com
– j.gtld-servers.net
192.48.79.30
com
Top Level servers from K.ROOT-SERVERS.NET.
– a.gtld-servers.net
192.5.6.30
2001:503:a83e::2:30
com
– b.gtld-servers.net
192.33.14.30
com
– c.gtld-servers.net
192.26.92.30
com
– d.gtld-servers.net
192.31.80.30
com
– e.gtld-servers.net
192.12.94.30
com
– f.gtld-servers.net
192.35.51.30
com
– g.gtld-servers.net
192.42.93.30
com
– h.gtld-servers.net
192.54.112.30
com
– i.gtld-servers.net
192.43.172.30
com
– j.gtld-servers.net
192.48.79.30
com
Top Level servers from L.ROOT-SERVERS.NET.
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 198.32.64.12
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Top Level servers from M.ROOT-SERVERS.NET.
– l.gtld-servers.net
192.41.162.30
com
– g.gtld-servers.net
192.42.93.30
com
– j.gtld-servers.net
192.48.79.30
com
– a.gtld-servers.net
192.5.6.30
2001:503:a83e::2:30
com
– b.gtld-servers.net
192.33.14.30
com
– c.gtld-servers.net
192.26.92.30
com
– d.gtld-servers.net
192.31.80.30
com
– k.gtld-servers.net
192.52.178.30
com
– m.gtld-servers.net
192.55.83.30
com
– f.gtld-servers.net
192.35.51.30
com
Third Level servers
192.55.83.30
192.41.162.30
192.52.178.30
192.48.79.30
192.43.172.30
192.54.112.30
192.42.93.30
192.35.51.30
192.12.94.30
192.31.80.30
192.5.6.30
192.33.14.30
192.26.92.30
Third Level servers from 192.55.83.30
– ns2.google.com
216.239.34.10
google.com
– ns1.google.com
216.239.32.10
google.com
– ns3.google.com
216.239.36.10
google.com
– ns4.google.com
216.239.38.10
google.com
Third Level servers from 192.41.162.30
– ns2.google.com
216.239.34.10
google.com
– ns1.google.com
216.239.32.10
google.com
– ns3.google.com
216.239.36.10
google.com
– ns4.google.com
216.239.38.10
google.com
Third Level servers from 192.52.178.30
– ns2.google.com
216.239.34.10
google.com
– ns1.google.com
216.239.32.10
google.com
– ns3.google.com
216.239.36.10
google.com
– ns4.google.com
216.239.38.10
google.com
Third Level servers from 192.48.79.30
– ns2.google.com
216.239.34.10
google.com
– ns1.google.com
216.239.32.10
google.com
– ns3.google.com
216.239.36.10
google.com
– ns4.google.com
216.239.38.10
google.com
Third Level servers from 192.43.172.30
– ns2.google.com
216.239.34.10
google.com
– ns1.google.com
216.239.32.10
google.com
– ns3.google.com
216.239.36.10
google.com
– ns4.google.com
216.239.38.10
google.com
Third Level servers from 192.54.112.30
– ns2.google.com
216.239.34.10
google.com
– ns1.google.com
216.239.32.10
google.com
– ns3.google.com
216.239.36.10
google.com
– ns4.google.com
216.239.38.10
google.com
Third Level servers from 192.42.93.30
– ns2.google.com
216.239.34.10
google.com
– ns1.google.com
216.239.32.10
google.com
– ns3.google.com
216.239.36.10
google.com
– ns4.google.com
216.239.38.10
google.com
Third Level servers from 192.35.51.30
– ns2.google.com
216.239.34.10
google.com
– ns1.google.com
216.239.32.10
google.com
– ns3.google.com
216.239.36.10
google.com
– ns4.google.com
216.239.38.10
google.com
Third Level servers from 192.12.94.30
– ns2.google.com
216.239.34.10
google.com
– ns1.google.com
216.239.32.10
google.com
– ns3.google.com
216.239.36.10
google.com
– ns4.google.com
216.239.38.10
google.com
Third Level servers from 192.31.80.30
– ns2.google.com
216.239.34.10
google.com
– ns1.google.com
216.239.32.10
google.com
– ns3.google.com
216.239.36.10
google.com
– ns4.google.com
216.239.38.10
google.com
Third Level servers from 192.5.6.30
– ns2.google.com
216.239.34.10
google.com
– ns1.google.com
216.239.32.10
google.com
– ns3.google.com
216.239.36.10
google.com
– ns4.google.com
216.239.38.10
google.com
Third Level servers from 192.33.14.30
– ns2.google.com
216.239.34.10
google.com
– ns1.google.com
216.239.32.10
google.com
– ns3.google.com
216.239.36.10
google.com
– ns4.google.com
216.239.38.10
google.com
Third Level servers from 192.26.92.30
– ns2.google.com
216.239.34.10
google.com
– ns1.google.com
216.239.32.10
google.com
– ns3.google.com
216.239.36.10
google.com
– ns4.google.com
216.239.38.10
google.com