Domain Controller not able to do external DNS resolution


Solution 1

Thanks all for the answers.

Ended up being our firewall not allowing EDNS packets through.

I disabled EDNS using the below command and all is working now. Our firewall at production must allow these packets, just not the firewall in our office. I will need to investigate this further with our firewall manufacturer.

dnscmd /config /EnableEDNSProbes 0

Solution 2

Does the new DC have root hints set?

Solution 3

Does the DNS server have an entry for "."? If so, delete it.


Author: Grzesiek

Computer tech that likes to play with various languages and technologies.

Updated on September 18, 2022

Comments

  • Grzesiek almost 2 years

    We have two DCs on our internal network (one old and one new). We are trying to migrate to the new DC, but the only thing stopping us is that external DNS resolution does not work with the new DC unless, under the DNS MMC, we set it to forward to our old DC.

    The firewall is open for DNS. We know this because on the new server, when we do an nslookup and use "server 8.8.8.8" (Google DNS), it works. Set it back to itself and it does not work.

    The old DC has been demoted and all internal DNS and DHCP has been moved to the new DC; the only thing not working is external resolution. Any ideas of things I could try?

    • duenni about 13 years
      Is a DNS Forwarder set?
    • Grzesiek about 13 years
      The old DC does not have a forwarder set (it works). The new DC only works if the forwarder is set to the old DC; it does not work on its own like the old DC does. But it also works if I set the forwarder to Google public DNS, just not without any forwarder (root names).
    • duenni about 13 years
      If your DNS server can't resolve a DNS query, it will forward the query to the server you set as forwarder; if this server does not respond, it will ask the root entries. So I ask myself why it works on your old server without a forwarder set... The usual practice is to set a forwarder for zones the server itself can't resolve.
  • Grzesiek about 13 years
    An even further fix for the device itself.

    Problem: Cisco and Juniper firewalls by default limit DNS UDP packets to a maximum size of 512 bytes. Windows Server 2008 by default ships with EDNS enabled, which utilizes DNS packets larger than 512 bytes. How do I enable support for this?

    Solution:

    set security alg dns maximum-message-length 1500

    This adjusts the maximum UDP message size for DNS packets to 1500 bytes. If you allow even bigger packets (check MTU/MRU), then adjust the number accordingly.
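As an added example (not part of this thread or of any product mentioned in it), the script below sends the same A question twice, once as a plain query and once with an EDNS0 OPT record advertising a 4096-byte UDP payload, so a defender can see from the DC whether EDNS traffic is being dropped by the path rather than guessing; it uses only the Python standard library, and the resolver address and query name are placeholders.

```python
import socket, struct

DNS_TYPE_A, DNS_TYPE_OPT = 1, 41  # OPT (41) is the EDNS0 pseudo-record type

def build_query(name, qid=0x1234, edns=False, udp_payload=4096):
    """Wire-format A query; edns=True appends an OPT record advertising udp_payload."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, no RDATA.
    # A firewall capped at 512 bytes only hurts when the resolver uses this larger size.
    opt = (b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, udp_payload, 0, 0)) if edns else b""
    return header + qname + struct.pack("!HH", DNS_TYPE_A, 1) + opt

def _skip_name(data, off):
    # Return the offset just past a (possibly compression-pointer) domain name.
    while True:
        n = data[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + n

def parse_response(data):
    """Summarise a reply: id, truncation (TC) flag, rcode, answer count, EDNS use."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    has_opt = False
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        has_opt |= rtype == DNS_TYPE_OPT
        off += 10 + rdlen
    return {"id": qid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "answers": an, "edns": has_opt, "size": len(data)}

def probe(server, name="example.com", timeout=3.0):
    """Send the plain and the EDNS query over UDP/53; None means no reply arrived."""
    results = {}
    for label, edns in (("plain", False), ("edns", True)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, edns=edns), (server, 53))
            try:
                results[label] = parse_response(s.recv(4096))
            except socket.timeout:
                results[label] = None  # plain answered but edns None: EDNS dropped en route
    return results
```

Run `probe("8.8.8.8")` (placeholder; point it at the forwarder or a root server the DC uses) from the new DC: a reply for "plain" with "tc" set, or no reply at all for "edns", matches the 512-byte firewall limit described above.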