windows 2012 r2 dns resolution fails and then resolves after 2 seconds

  • windows 2012 r2 dns resolution fails and then resolves after 2 seconds

    Hello everyone

    My issue is that clients and the server have slow DNS resolution. They can go to a URL and it'll show something like a DNS probe error, and then 2 seconds later (roughly) the page will load.

    This is Windows Server 2012 R2 Standard, fully patched.
    It is running on an HP ML350p Gen8 server with updated drivers for the NICs
    There are 4 NICs in total with only one configured. The rest are disabled.

    We have a 50 / 50 leased line currently going through a WatchGuard T-70 firewall and only 10 users connected at any given time.

    The firewall is correctly configured. I'm pretty sure of that.

    DNS is set up on the server and the server is DHCP enabled.

    NSLOOKUP shows the correct server name and correct IP address for the server, but any lookup fails and times out after 2 seconds.
    I have forwarders configured, with a forward zone named Google and then 8.8.8.8 and 8.8.4.4 used, and they resolve fast the first time. If I go back and check, I get an OK report but it can't resolve the FQDN.

    root hints are enabled and the simple and recursive tests pass (although recursive failed a few times before deciding to pass).

    I have a forward lookup zone for xyz.local with only 2 Host (A) records for PCs showing: the server and a single client machine.
    I have another forward lookup zone, xyzdomainname.com, with a single Host (A) record for the MAIL entry, which points to the server.

    I have a reverse lookup zone which is populated with a lot of PTR records for the various computers connected to the network.

    ipconfig /all shows the DNS server as the correct IP address. Everything in ipconfig /all looks fine to me, but here it is below:

    C:\Windows\system32>nslookup 208.67.220.220
    Server: servername.xyz.local
    Address: 192.168.11.2

    DNS request timed out.
    timeout was 2 seconds.
    *** Request to servername.xyz.local timed-out

    C:\Windows\system32>nslookup www.google.co.uk
    Server: servername.xyz.local
    Address: 192.168.11.2

    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    Name: www.google.co.uk
    Address: 2a00:1450:4009:80b::2003


    C:\Windows\system32>ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : SERVERNAME
    Primary Dns Suffix . . . . . . . : xyz.local
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : xyz.local

    Ethernet adapter Ethernet:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : HP Ethernet 1Gb 4-port 331i Adapter
    Physical Address. . . . . . . . . : 9C-8E-99-66-CC-54
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes
    Link-local IPv6 Address . . . . . : fe80::179:2907:addb:79c6%12(Preferred)
    IPv4 Address. . . . . . . . . . . : 192.168.11.2(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.11.1
    DHCPv6 IAID . . . . . . . . . . . : 312250009
    DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1C-D0-18-11-9C-8E-99-66-CC-54

    DNS Servers . . . . . . . . . . . : 192.168.11.2
    NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{A83B43F1-F90A-47F7-9538-40C6239730F0}:

    Media State . . . . . . . . . . . : Media disconnected
    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
    Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
    DHCP Enabled. . . . . . . . . . . : No
    Autoconfiguration Enabled . . . . : Yes


    So flushdns, scavenging records, etc. have no effect, but I'm sure it's the DNS server settings somewhere.
    The NIC is configured with a static IP address and the preferred DNS server is the loopback address 127.0.0.1.

    I'm sure it's easy. I'm sure I'm missing something simple, but I can't see it.

    A magic wand, please!!

    Many thanks

  • #2
    If your recursive tests fail but then pass, that's where to concentrate your efforts. Recursive lookups are your internal DNS server looking for addresses that clients have asked for, but which your own DNS can't answer. Once it gets the answer, it passes that on to the requesting client. Ordinarily, access to the Google DNS is immediate, so it shouldn't be failing. Since it's not happy, you may have connectivity issues with your ISP. Am I correct in assuming that your internal DNS requests are working OK (a client tries to ping an internal server by name and it immediately resolves)?
    Does your ISP provide a DNS IP to connect to as part of your subscription? If so, set your forwarders to that, flush the cache on the server and try it all again. Report back.
    *RicklesP*
    MSCA (2003/XP), Security+, CCNA

    ** Remember: credit where credit is due, and reputation points as appropriate **



    • #3
      Also check your forwarders. IMHO don't use Google's DNS for this rather your ISP's DNS servers.

      When you say a forward zone, do you mean you created a forward lookup zone called Google and added the servers there?

      Your forwarders are actually added on your forward lookup zone for the relevant domain name, i.e. if your domain name is test.mydomain.local then you need to right-click on that forward lookup zone and select the Forwarders tab there and enter the relevant DNS servers. Again, I would use your ISP rather than Google.

      If not, then ignore that last bit.

      Also check your firewall to ensure that you are allowing DNS out from the relevant servers, TCP port 56 IIRC.



      • #4
        Thank you both:

        I am not on-site at moment but remoting into the server I see:

        Server can ping our backup NAS and the Router without fail.
        Running nslookup by right-clicking the DNS server shows no server name and an incorrect IP, so I then changed the adapters it listens on and swapped to listening on both IPv6 and IPv4, and this made no difference. Then I swapped back to listening on IPv4 and it shows the correct server name and IP address, but no lookup works and I always get a timeout of 2 seconds.

        I have used various DNS servers including OpenDNS and the ISP's DNS server, but there is no change. I'll stick with Google now for consistency's sake, and so on the Forwarders tab the server can resolve 8.8.8.8 to the FQDN but can't resolve 8.8.4.4, but if I click Edit then they both resolve, with 8.8.4.4 resolving a little slower than 8.8.8.8.

        Simple and recursive tests generally both pass although I had a fail on recursive before going on to pass again.

        From the server I opened Google Chrome, typed in Fox News and Google came up fairly quickly with the links. I then clicked the URL for Fox News and it took at least 10 seconds to show the page and this was without anyone in the office and on a 50 / 50 line.

        I have my WatchGuard configured with DNS records for Google as well, so forwarders are forwarding to Google and the firewall has DNS forwarding to Google. Is this correct? Could it cause issues?



        • #5
          Still not convinced you haven't got a traffic issue through your ISP. If DNS is misconfigured, it tends to not work at all. If yours is working but in fits and starts, that sounds more like a traffic issue, not a path-not-known issue. Have a look at your WatchGuard traffic monitoring and try test pings for web sites from a PC. See if you can identify any delays in the DNS request traffic going out vs. the responses coming back in. If they're not almost immediate, that could be your issue. You'll have to ensure that the rule on your WatchGuard which lets out DNS traffic (should be for port 53, both TCP and UDP) has logging turned on to see the events.
          *RicklesP*



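Posts #2 and #5 both suggest separating "my DNS server is slow" from "the ISP link is slow". The PowerShell below is an added example, not code from anyone in this thread: it times the same two queries against the local DNS server and directly against its forwarders, over UDP and over TCP, from a client. The addresses and names are the ones quoted in the thread (192.168.11.2, 8.8.8.8, 8.8.4.4, servername.xyz.local, www.google.co.uk) and are assumptions to replace with your own. It needs the DnsClient module that ships with Windows 8 / Server 2012 and later.

```powershell
# Added example (not from the thread). Times each query per server and transport so the
# delay can be pinned to one hop. Addresses/names below are the thread's; adjust to taste.

$servers = @(
    @{ Label = 'local DNS (192.168.11.2)'; Address = '192.168.11.2' }
    @{ Label = 'forwarder 8.8.8.8';        Address = '8.8.8.8' }
    @{ Label = 'forwarder 8.8.4.4';        Address = '8.8.4.4' }
)
# One name the local server is authoritative for (never touches a forwarder) and one it
# must forward. Public resolvers will refuse or NXDOMAIN the .local name; that is expected
# and shows up in the Status column, it is not a failure of the test itself.
$names = @('servername.xyz.local', 'www.google.co.uk')

function Measure-DnsQuery {
    param(
        [Parameter(Mandatory)] [string]$Name,
        [Parameter(Mandatory)] [string]$Server,
        [string]$Label = $Server,
        [switch]$TcpOnly
    )
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # -DnsOnly skips LLMNR, NetBIOS and the hosts file so only the server is timed
        $r = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -TcpOnly:$TcpOnly -ErrorAction Stop
        $status = 'OK'
        $answer = ($r | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
    } catch {
        $status = $_.Exception.Message
        $answer = $null
    }
    $sw.Stop()
    [pscustomobject]@{
        Server    = $Label
        Transport = $(if ($TcpOnly) { 'TCP' } else { 'UDP' })
        Name      = $Name
        Ms        = $sw.ElapsedMilliseconds
        Answer    = $answer
        Status    = $status
    }
}

$results = foreach ($s in $servers) {
    foreach ($n in $names) {
        Measure-DnsQuery -Name $n -Server $s.Address -Label $s.Label
        Measure-DnsQuery -Name $n -Server $s.Address -Label $s.Label -TcpOnly
    }
}
$results | Format-Table Server, Transport, Name, Ms, Answer, Status -AutoSize

# How to read the table:
#  - local server slow even for the .local name it is authoritative for: the server itself
#    (or something sitting on its NIC) is the problem; no forwarder is consulted for that name.
#  - local server slow only for external names while the forwarders answer fast from this
#    same client: the server's own path upstream, not the ISP link in general.
#  - UDP rows time out but TCP rows answer quickly: something is dropping or delaying
#    UDP/53 replies (a firewall rule, a filter driver), which matches nslookup's 2 s timeouts.
```

Run it from a client PC first, then from the server; if the numbers differ only on the server, the cause is on the server rather than on the line.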
          • #6
            I have simple outbound and inbound DNS rules on the firewall and it is not a proxy.

            The line is a 100 / 100 line that has been divided into two offices. The other office isn't having issues, just us, which is why I think there is an issue with the DNS server.

            Is there a way to delete it and redo it from scratch? I just don't know what to look for now. All tests seem to work except nslookup, which always times out and never resolves.



            • #7
              Did you look at your Watchguard firewall logging as requested? Since you're reliant on that outside traffic, and that's where the problem appears to be, either change your DNS forwarders to something other than what they are now and repeat, or supply some logging responses which either prove or disprove your comms to the outside world. The fact that you're 'sharing' your outside traffic with another office introduces even more variables to the question of why your side isn't working. Our assumptions originally were that your link to your ISP was solely between your Watchguard and their portal. There could easily be issues with your ISP such that traffic meant to come back to you is going to the other office, which wouldn't show up as a failure, except in exactly the symptoms you've described. So instead of 2 end points with a straight line between them, now we appear to have a triangle.

              Have a long talk with the other office and your ISP to try and resolve this, at least until all can prove there's nothing wrong with the traffic routing. Then you can resolve your DNS server settings, if things still aren't working.
              *RicklesP*



              • #8
                Right-click your DNS server, select Properties and then the Forwarders tab. Do you have the correct servers in there for your ISP? Or Google, if you really want to use them.

                I'm wondering if you are resorting to root hints servers.



                • #9
                  In fact, just show us the PowerShell results for this command:

                  get-DnsServerForwarder -ComputerName YourServerName



                  • #10
                    I have 208.67.222.222 and 208.67.220.220 as my forwarders

                    I have tried running the command you suggested but I get errors so I need to be sure I'm running the command exactly as it should be.

                    You suggest: get-DnsServerForwarder -ComputerName YourServerName

                    If I use: get-DnsServerForwarder it tells me I am using the IP addresses shown above.

                    If I try to use the command you sent (word for word) I get an error.
                    If I try substituting "computer name" and "your server name" for the name of my server etc., then I still get an error. I have also tried putting spaces before the "-" of "-ComputerName" etc. and still get errors such as:

                    PS C:\Users\Administrator> get-DnsServerForwarder -ComputerName ServerName
                    get-DnsServerForwarder : Failed to get information for server ServerName.
                    At line:1 char:1
                    + get-DnsServerForwarder -ComputerName ServerName
                    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                        + CategoryInfo          : NotSpecified: (ServerName:root/Microsoft/...ServerForwarder) [Get-DnsServerForwarder], CimException
                        + FullyQualifiedErrorId : WIN32 1722,Get-DnsServerForwarder

                    So I'm either taking you too literally or there is an error.



                    • #11
                      RicklesP: Thank you for your assistance. I'll do as suggested and report back.



                      • #12
                        For wullieb1's example, the value of YourServerName is supposed to be replaced with the name of the DNS server you want to run the query against (assuming you're not running the command on that server). But if you log onto your DNS server directly as an admin and run that command, the only thing you need is the first part of that command itself: 'Get-DnsServerForwarder' (without the single quotes, and case is not important). Whatever result you get after you press 'Enter', even if it's an error, give us that result. If you want to know a bit more about this command, have a read here: https://technet.microsoft.com/en-us/...ps.630%29.aspx
                        *RicklesP*



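Posts #8, #9 and #12 ask for the forwarder configuration, and #10 shows the remote form of the command failing with WIN32 1722, which is RPC_S_SERVER_UNAVAILABLE ("The RPC server is unavailable"): the name given to -ComputerName did not resolve, or RPC to that host is blocked; it says nothing about the forwarders themselves. The script below is an added example, not anything posted in the thread. It runs on the DNS server (or against it by name), pulls the forwarder list, root-hint fallback and listening addresses with the DnsServer module that ships with the role, and then sends a recursive test query to each forwarder the way the server would. The function names are my own.

```powershell
# Added example (not from the thread). Requires the DnsServer module, present on any
# 2012 R2 box with the DNS Server role or RSAT-DNS-Server installed.
Import-Module DnsServer

function Get-ForwarderReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    try {
        $fwd = Get-DnsServerForwarder -ComputerName $ComputerName -ErrorAction Stop
    } catch {
        # WIN32 1722 here means the server name did not resolve or RPC (TCP 135 plus the
        # dynamic range) is blocked; when you are logged on to the server, drop -ComputerName.
        throw "Cannot query DNS server '$ComputerName': $($_.Exception.Message)"
    }
    $settings = Get-DnsServerSetting -ComputerName $ComputerName -All -ErrorAction Stop

    [pscustomobject]@{
        Server      = $ComputerName
        Forwarders  = $fwd.IPAddress          # order matters: the first is tried first
        TimeoutSecs = $fwd.Timeout            # how long the server waits on a forwarder
        UseRootHint = $fwd.UseRootHint        # $true = falls back to root hints if all forwarders fail
        ListeningOn = $settings.ListeningIPAddress   # what post #4 changed by hand in the GUI
    }
}

function Test-Forwarders {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName -ErrorAction Stop
    foreach ($ip in $fwd.IPAddress) {
        # -Context Forwarder sends a recursive query to $ip exactly as the server would,
        # and reports Success/NoResponse plus the round-trip time in milliseconds.
        Test-DnsServer -IPAddress $ip -Context Forwarder -ComputerName $ComputerName |
            Select-Object IPAddress, Result, RoundTripTime
    }
}

Get-ForwarderReport | Format-List
Test-Forwarders | Format-Table -AutoSize
```

A forwarder that reports Success with a small RoundTripTime, while clients still see 2-second stalls against the same server, points back at the server (listening addresses, the NIC, or something bound to it) rather than at the upstream resolvers. A slow or NoResponse forwarder with UseRootHint set to $true also explains "fails, then resolves": the server waits out the forwarder timeout and then walks the root hints.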
                        • #13
                          To everyone who offered assistance - Thank You

                          The issue has been resolved by Microsoft and it turned out to be Kaspersky Internet which had installed a filter that did something to the filter.

                          I had considered Kaspersky as a possible issue and so "paused protection" but this didn't remove the filter. As soon as the filter was removed, everything resolved perfectly.

                          Thank you all for your efforts. It's always appreciated.



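The resolution in #13 was a third-party security product's network filter on the server, and #13 also notes that pausing the product's protection did not remove it. The PowerShell below is an added example, not from the thread or from any vendor: it lists every component bound to the server's NIC, flags the ones that are not Microsoft's, and disables them one at a time while re-timing the exact PTR lookup that was timing out in the original post. The adapter name "Ethernet" and the address 208.67.220.220 come from the thread; treating a ComponentID that does not start with "ms_" as third-party is a heuristic of mine, not a rule (Hyper-V's switch extension, for instance, uses "vms_pp").

```powershell
# Added example (not from the thread). Run as an administrator on the DNS server.
$AdapterName = 'Ethernet'      # from the ipconfig /all output in the thread

function Get-ThirdPartyNetBindings {
    param([string]$Name = $AdapterName)
    # Every protocol, client, service and filter driver bound to the adapter. Third-party
    # NDIS filters (AV network inspection, VPN clients, packet capture) show up here and
    # stay bound even when the product is "paused".
    Get-NetAdapterBinding -Name $Name |
        Where-Object { $_.ComponentID -notlike 'ms_*' } |     # heuristic, see lead-in
        Select-Object Name, DisplayName, ComponentID, Enabled
}

function Measure-LocalPtrLookup {
    # The same lookup nslookup was failing on in post #1, asked of the local server.
    param([string]$Name = '208.67.220.220', [string]$Server = '127.0.0.1')
    $ms = (Measure-Command {
        $script:resolved = $null -ne (Resolve-DnsName -Name $Name -Server $Server -DnsOnly -ErrorAction SilentlyContinue)
    }).TotalMilliseconds
    [pscustomobject]@{ Name = $Name; Resolved = $script:resolved; Ms = [int]$ms }
}

$baseline = Measure-LocalPtrLookup
"Baseline: resolved={0} in {1} ms" -f $baseline.Resolved, $baseline.Ms

$extra = Get-ThirdPartyNetBindings
$extra | Format-Table -AutoSize

# Toggle one binding at a time so the culprit is identified, not just "all of them".
# "Halves the time" as the success test is a heuristic; a 2 s stall dropping to a few ms
# is the pattern the thread describes.
$baselineMs = $baseline.Ms
foreach ($b in ($extra | Where-Object Enabled)) {
    Disable-NetAdapterBinding -Name $AdapterName -ComponentID $b.ComponentID
    $after = Measure-LocalPtrLookup
    "{0,-45} {1,6} ms -> {2,6} ms  resolved={3}" -f $b.DisplayName, $baselineMs, $after.Ms, $after.Resolved
    if ($after.Resolved -and $after.Ms -lt ($baselineMs / 2)) {
        $baselineMs = $after.Ms          # this binding was (part of) the problem; leave it off
    } else {
        Enable-NetAdapterBinding -Name $AdapterName -ComponentID $b.ComponentID   # not it; restore
    }
}
```

Leaving a security product's filter permanently unbound is a diagnostic state, not a fix: once the offending binding is known, remove or reinstall that component through the vendor's tooling, as the thread did, and confirm with the timing function that the lookup stays fast after a reboot.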
                          • #14
                            We certainly appreciate the feedback, and that is a weird one from my point of view. I've never heard of an AV product doing that. That's one to remember.
                            *RicklesP*
