
I manage hundreds of servers for many customers. Most are in the SMB segment, having 1 to 3 servers per customer at most. In the past few weeks I have been getting more and more frequent DNS errors on random domain controllers, from 2008 R2 to 2016. Simply put, the DC does not resolve DNS anymore. This has happened on some dozen servers lately, and I haven't figured out the cause yet.

What is weird is that, for example, on the same premises there are 2 VMs, 2 domain controllers for 2 different companies, each with 15 users. Same ISP, same router, same switch. One DC works OK, no problems, while the second DC cannot resolve DNS anymore:

On server 1 there is a problem with local DNS... but nslookup to 8.8.8.8 works!?:

C:\Users\Administrator>nslookup
Default Server:  UnKnown
Address:  ::1

> www.google.com
Server:  UnKnown
Address:  ::1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
> server 8.8.8.8
Default Server:  google-public-dns-a.google.com
Address:  8.8.8.8

> www.google.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    www.google.com
Addresses:  2a00:1450:4001:81c::2004
          172.217.16.68

>

On server 2 no problems:

C:\Users\Administrator>nslookup www.google.com
Server:  localhost
Address:  ::1

Non-authoritative answer:
Name:    www.google.com
Addresses:  2a00:1450:4006:802::2004
          216.58.206.132

Both are AD DCs in a single-domain setup, DNS configured with public forwarders, DC DNS points to itself only. IPv4 and IPv6 are enabled on the servers, but IPv6 is disabled on the router. I did not touch any of those servers for the past few months.

Did MS change anything? I do not remember DNS ever switching to IPv6 before.... why did it switch now? And why does it work on one server and not on the other, when they are both the same (actually, the same deployment, just configured for 2 different domains)?

Labsy
  • The switch to IPv6 began with Server 2008/Vista. It's not new at all. Since then, localhost has been ::1 and used IPv6 unless the system was explicitly misconfigured by the admin. – Michael Hampton Jul 25 '18 at 21:50
  • `DC DNS points to itself only` - If there are two DC/DNS servers then this configuration is incorrect. Each DC/DNS server should use its "partner" DC/DNS server for primary DNS, itself for secondary DNS, and 127.0.0.1 for tertiary DNS. – joeqwerty Jul 26 '18 at 01:01
  • @joeqwerty - both servers are standalone single DCs, each for its own domain. – Labsy Jul 26 '18 at 06:16
  • Does the DNS service *actually work* on those DCs? Do you have any error in the Event Log about it and/or Active Directory (on which DNS depends)? First of all, you should make sure your DNS server is working, since it doesn't seem to be willing to answer queries. – Massimo Dec 25 '20 at 00:38

3 Answers


You should definitely NOT use a public DNS server. It can't possibly know about your Domain Controllers and which is the right server to ask anything about your domain.

Massimo

It appears as though the local DNS server isn't listening on IPv6. Right-click on the server in the list on the left in DNS Server, select properties and on the Interfaces tab ensure that the server's local IPv6 address is checked or that All IP Addresses radio button is selected.

If the IPv6 address or All IP Addresses is already selected, I'd check outbound filtering to make sure that the network's firewall isn't restricting outbound IPv6 traffic. On the network I manage, we block all DNS traffic in or out of our firewall, with the exception of our AD servers (who operate as the internal resolvers and need to connect to Quad9 DNS and can only access 9.9.9.9 and 149.112.112.112).

Christopher H
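An added example, not part of Christopher H's answer, that checks from PowerShell the same things the answer says to check in the GUI: what the DNS Server service is configured to listen on, what is actually bound on UDP/53, and whether the configured forwarders answer from the service's own point of view. It assumes Windows Server 2012 or later with the DnsServer and NetTCPIP modules (the DnsServer cmdlets are not available on 2008 R2) and an elevated PowerShell session on the affected DC.

```powershell
# Added example (not code from the original page). Assumes Windows Server 2012+
# (DnsServer and NetTCPIP modules) and an elevated session on the DC itself.
Import-Module DnsServer

"DNS Server service: {0}" -f (Get-Service -Name DNS).Status

# Interfaces tab of the server properties: either "All IP addresses" or an
# explicit list. EnableIPv6 = False means the service will not answer on ::1
# even when ::1 is the resolver the client side (and nslookup) is using.
$cfg = Get-DnsServerSetting -All
"All IP addresses  : {0}" -f $cfg.AllIPAddress
"EnableIPv6        : {0}" -f $cfg.EnableIPv6
"ListeningIPAddress: {0}" -f ($cfg.ListeningIPAddress -join ', ')

# What is really bound on UDP/53 (the query port). If ::1 is missing here, a
# query sent to ::1 times out exactly as in the question; port 53 owned by a
# process other than dns.exe is a finding on its own.
Get-NetUDPEndpoint -LocalPort 53 |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Format-Table -AutoSize

# Forwarders as seen by the DNS Server service. A forwarder that fails here
# while "nslookup www.google.com 8.8.8.8" succeeds from the same box suggests
# that the service's own outbound queries are being dropped (egress filtering,
# IPv6 path, source address), not that the forwarder is down.
$fwd = Get-DnsServerForwarder
"UseRootHint       : {0}" -f $fwd.UseRootHint
foreach ($ip in $fwd.IPAddress) {
    Test-DnsServer -IPAddress $ip -Context Forwarder |
        Select-Object IPAddress, Result, RoundTripTime, UdpTried, TcpTried |
        Format-Table -AutoSize
}
```

Run it on both the working and the failing DC and diff the output; on two clones of the same deployment, the first line that differs is usually the answer.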

There are two possible reasons for a timeout.

  • The request is sent to the wrong address.
  • The request doesn't arrive at the DNS server, or the DNS response doesn't get back because of network problem.

Use ipconfig /all to list the DNS servers. If they are different, correct them. If they are the same, use a packet sniffer on the server and on the router to find out what packets are sent.

RalfFriedl
  • Both servers are on the SAME subnet, SAME router, SAME switch. Both use forwarders to 8.8.8.8. If I look at the router, the problematic server's DNS requests most of the time do not reach the router from inside out... BUT some (rare) DNS requests from this same server somehow still pass through. For example, trying nslookup www.google.com does not pass, but when I launch Check for updates, I can see the DNS request for the MS update service goes through. – Labsy Jul 26 '18 at 00:28
  • EDIT: There are NO lost DNS packets. All DNS requests are passing correctly from the local server's IP to 8.8.8.8 and back. They are obviously lost when they arrive back at the server. – Labsy Jul 26 '18 at 00:42
  • 2
    ADDING: manually selecting 8.8.8.8 server with NSLOOKUP works without any problems from problematic server. While using ::1 or localhost or local server's IP as DNS does not. – Labsy Jul 26 '18 at 00:49
  • I understood that the configuration is the SAME, but if it stopped working, there must be some reason. You should add that `nslookup www.google.com 8.8.8.8` works to the question, not everybody reads all the comments. It seems there is something wrong with the local resolver. Check the services whether it is running and the event log for possible problems. – RalfFriedl Jul 26 '18 at 05:20
  • Thank you, I edited the OP question with nslookup details. I've checked DNS and DNS server logs, and there are no errors or warnings. All needed services are up & running. Monit is configured the same for both servers, and if I compare services one-by-one, on both servers all is the same. I also cleared the DNS cache, rebooted multiple times, flushed the cache, checked the hosts file.... hmmm, slowly running out of ideas. – Labsy Jul 26 '18 at 06:19
  • How about lookup of names that should be known to the DNS server without consulting outside servers, like the name of the server or the address 127.0.0.1? – RalfFriedl Jul 26 '18 at 16:25
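As an added example, not part of RalfFriedl's answer or the comments, the following PowerShell turns the two causes above and the last comment into a single table: each candidate resolver address (the loopback addresses, whatever the client side is configured with, and the forwarders themselves) is asked for the AD domain's SOA and the DC's own name, which the server answers from its own zone without any forwarder, and for an external name, which needs the forwarder path. It assumes Windows Server 2012 or later (Resolve-DnsName plus the DnsClient and DnsServer modules) and an elevated session on the affected DC; www.google.com is just the example name from the question.

```powershell
# Added example (not code from the original page). Assumes Windows Server 2012+
# and an elevated session on the affected DC.
$external = 'www.google.com'                                 # name used in the question
$domain   = (Get-CimInstance Win32_ComputerSystem).Domain    # the AD DNS domain
$ownFqdn  = '{0}.{1}' -f $env:COMPUTERNAME, $domain

# Client-side resolver list, per interface and address family
# (the "DNS Servers" lines of ipconfig /all).
Get-DnsClientServerAddress |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, AddressFamily, ServerAddresses -AutoSize

function Test-Resolver {
    # Ask one resolver address for one record and return a short verdict.
    # -DnsOnly / -NoHostsFile bypass the local cache and hosts file, so the
    # result reflects the wire, not something cached before the failure began.
    param([string]$Server, [string]$Name, [string]$Type = 'A')
    try {
        $rec = Resolve-DnsName -Name $Name -Type $Type -Server $Server `
                   -DnsOnly -NoHostsFile -ErrorAction Stop |
               Where-Object Type -eq $Type | Select-Object -First 1
        if (-not $rec) { return 'OK (no {0} record)' -f $Type }
        $data = if ($rec.IPAddress) { $rec.IPAddress } else { $rec.PrimaryServer }
        return 'OK ({0})' -f $data
    } catch {
        return 'FAIL: {0}' -f $_.Exception.Message
    }
}

# Every address a query from this box could plausibly be going to.
$candidates = @('::1', '127.0.0.1') +
              (Get-DnsClientServerAddress | ForEach-Object ServerAddresses) +
              (Get-DnsServerForwarder).IPAddress |
              Select-Object -Unique

$matrix = foreach ($s in $candidates) {
    [pscustomobject]@{
        Resolver  = $s
        DomainSOA = Test-Resolver -Server $s -Name $domain  -Type SOA
        OwnName   = Test-Resolver -Server $s -Name $ownFqdn
        External  = Test-Resolver -Server $s -Name $external
    }
}
$matrix | Format-Table -AutoSize
```

Reading the table: a row whose DomainSOA column fails while another address on the same box answers the SOA is the first cause (queries reaching an address the service is not listening on); a row that answers the SOA and the DC's own name but fails the external name is a working service whose forwarding path is broken, the second cause; and if the forwarder rows themselves answer the external name, the drop lies between the DNS Server service and the forwarder, which is where to put the packet capture the answer above recommends.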