
I'm wondering if there is a way to control the time required before an NXDOMAIN response is given. It seems to me that if a query is made for a record that doesn't exist, it takes 3 seconds before the server replies with NXDOMAIN. This appears to be the case in both Windows Server 2008 R2 and Windows Server 2012 R2. I have a packet capture below. For the purposes of my question, my server is authoritative for example.com and example2.com:

09:13:06.846116 IP 10.200.242.165.49505 > 10.200.1.13.53:  33831+ A? asr-1.example.com. (46)
09:13:09.855028 IP 10.200.1.13.53 > 10.200.242.165.49505:  33831 NXDomain* 0/1/0 (112)

I pinged a host that I knew did not exist, but it seems to have taken a full 3 seconds before telling me it didn't exist (from 09:13:06 to 09:13:09). Lest you think it's forwarding somewhere to resolve asr-1.example.com, I get the same result if I do nslookup -norecurse asr-1.example.com.

Just to show you that the server is indeed fast, here's a packet capture output from where I looked up the host on its actual domain:

09:13:09.855416 IP 10.200.242.165.49542 > 10.200.1.13.53:  47128+ A? asr-1.example2.com. (46)
09:13:09.855889 IP 10.200.1.13.53 > 10.200.242.165.49542:  47128* 1/0/0 (62)

That is a 0.4 millisecond response... so it's not that my DNS server is slow.

So... is there a way to configure the DNS server to not wait so long to return an NXDOMAIN response for a domain that it's authoritative for?

theglossy1

2 Answers


Notice that an authoritative name server can reply with NXDOMAIN immediately because it doesn't have to wait for the forwarders or iterative queries. Your Windows Server in this situation is a recursive DNS server. Therefore, there is always some delay, but it can be adjusted a little.

It's possible to configure the number of seconds before forward queries time out.

  1. Open dnsmgmt.msc.
  2. Right-click over the name of the DNS server and choose Properties.
  3. On the Forwarders tab, click Edit....

    (screenshot: Edit Forwarders dialog)

  4. Choose the number of seconds.

    • Default is 3.
    • Minimum should be 2, or queries could time out before all the iterations are finished.
    • >10 seconds isn't recommended either, as the client could time out before the response.

Command line equivalent is dnscmd /resetforwarders:

dnscmd <ServerName> /ResetForwarders <MasterIPaddress ...> [/TimeOut <Time>] [/Slave]
Esa Jokinen
  • I can't see how it would return a false `NXDOMAIN`, as that would be lying about data seen from authoritative servers. I think it's far more likely that this would cause the server to quickly respond with `SERVFAIL`, as it was unable to get the needed data within the timeout interval. This is probably not a desirable scenario. – Andrew B May 18 '17 at 17:39
  • It is authoritative for those domains I mentioned in my question, so there is no reason for it to even refer to its forwarders. I found the answer though, which I just posted. – theglossy1 May 18 '17 at 17:41

I found the issue. I am the network engineer, not the AD guy, so I didn't originally set up the DNS--they just graciously give me access to it. The problem was that the WINS tab of the domain was configured for "Use WINS forward lookup." If you click "Advanced" there is a "Lookup time-out" setting, which is set to 2 seconds. If I disable WINS forwarding, it returns the NXDOMAIN instantly as would be expected. Yay!

theglossy1