Question
Tuesday, April 2, 2013 6:32 PM
Hi all,
I have found similar problems mentioned on this site, but nothing resolved my issue.
While using nslookup, I am able to resolve A records that are not local. The DNS server is configured to use root hints for any external domains.
When using nslookup for MX records, I receive the following:
C:\Windows\system32>nslookup -q=mx yahoo.com
Server: localhost
Address: 127.0.0.1
*** localhost can't find yahoo.com: Server failed
C:\Windows\system32>nslookup -q=mx microsoft.com
Server: localhost
Address: 127.0.0.1
DNS request timed out.
timeout was 2 seconds.
*** Request to localhost timed-out
C:\Windows\system32>nslookup -q=mx microsoft.com
Server: localhost
Address: 127.0.0.1
DNS request timed out.
timeout was 2 seconds.
*** Request to localhost timed-out
C:\Windows\system32>nslookup -q=mx microsoft.com
Server: localhost
Address: 127.0.0.1
DNS request timed out.
timeout was 2 seconds.
*** Request to localhost timed-out
C:\Windows\system32>nslookup -q=mx microsoft.com
Server: localhost
Address: 127.0.0.1
*** localhost can't find microsoft.com: Server failed
If I point nslookup to a specific external DNS server (8.8.8.8 or a.root-servers.net) it works. This resolves the issue until the cache is cleared.
C:\Windows\system32>nslookup -q=mx microsoft.com 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8
Non-authoritative answer:
microsoft.com MX preference = 10, mail exchanger = microsoft-com.mail.protection.outlook.com
OR
C:\Windows\system32>nslookup -q=mx microsoft.com a.root-servers.net
Server: a.root-servers.net
Address: 198.41.0.4
Non-authoritative answer:
microsoft.com MX preference = 10, mail exchanger = microsoft-com.mail.protection.outlook.com
Any help is greatly appreciated.
-AD
All replies (10)
Saturday, April 6, 2013 5:05 AM ✅Answered | 1 vote
I'm posting from my phone, so please excuse any typos. I'll post back with the nslookup examples.
But the one thing that stands out is that if forwarders work, it clearly indicates the firewall is blocking necessary traffic. Roots use the iterative process to resolve, involving back-and-forth traffic that an application-level firewall may view as a possible threat, whereas forwarders are a direct recursive process to an external DNS, the same as what nslookup is using. I suggest contacting Bluecoat support and reporting your findings, if for nothing else, to at least eliminate that as a cause. And since they are allowing EDNS0, it really does point to an app-layer protection algorithm causing it to block traffic.
In the meantime, I recommend using a forwarder until you find out more info from their support.
Ace Fekay
MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
This post is provided AS-IS with no warranties or guarantees and confers no rights.
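The contrast drawn above between root hints (iterative resolution, RD bit clear, several round trips to servers the firewall has never seen before) and a forwarder (one recursive query with RD set, to one known address) is easiest to see on the wire. What follows is an added example, not code from the thread or from Microsoft: it builds both query forms, each with an EDNS0 OPT record, and parses a constructed referral of the kind a root or TLD server returns to an iterative query. The name ns.example.net, the address 192.0.2.1 and the transaction ID are placeholders; nothing is sent over the network.

```python
"""Recursive vs. iterative DNS queries on the wire, with EDNS0.

Added example (not from the thread). Builds the RD=1 query a DNS server sends
to a forwarder and the RD=0 query it sends to a root/authoritative server when
using root hints, then parses a constructed referral so the extra hop of
iterative resolution is visible. Runs offline; names and addresses are made up.
"""
import struct

QTYPE = {"A": 1, "NS": 2, "MX": 15, "TXT": 16, "OPT": 41}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels (RFC 1035)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a name at msg[off], following compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # 2-byte compression pointer
            if end is None:
                end = off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def build_query(name, qtype, recursive, txid=0x1234, edns_bufsize=4096):
    """recursive=True sets RD: the query a server sends to a forwarder.
    recursive=False leaves RD clear: the iterative query sent to a root or
    authoritative server. Both carry an EDNS0 OPT RR advertising edns_bufsize."""
    flags = 0x0100 if recursive else 0x0000
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)    # QD=1, AR=1 (OPT)
    q = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)
    # OPT RR (RFC 6891): owner ".", TYPE 41, CLASS = UDP payload size,
    # TTL = extended rcode/version/flags (all zero), RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", QTYPE["OPT"], edns_bufsize, 0, 0)
    return hdr + q + opt


def build_rr(name, rtype, rdata, ttl=3600):
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def build_referral(qname, qtype, ns_name, glue_ip, txid=0x1234):
    """Constructed referral (what a root/TLD server returns to an RD=0 query):
    empty ANSWER, NS in AUTHORITY, glue A in ADDITIONAL; QR=1, RD=0, RA=0."""
    hdr = struct.pack("!HHHHHH", txid, 0x8000, 1, 0, 1, 1)
    q = encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)
    auth = build_rr(qname, QTYPE["NS"], encode_name(ns_name))
    glue = build_rr(ns_name, QTYPE["A"], bytes(int(o) for o in glue_ip.split(".")))
    return hdr + q + auth + glue


def parse_response(msg):
    """Minimal parser: header flags plus the three RR sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                             # skip the question(s)
        _, off = decode_name(msg, off)
        off += 4
    sections = {"answer": [], "authority": [], "additional": []}
    for sec, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            start, off = off, off + rdlen
            if rtype == QTYPE["NS"]:
                rdata = decode_name(msg, start)[0]
            elif rtype == QTYPE["A"]:
                rdata = ".".join(str(b) for b in msg[start:off])
            elif rtype == QTYPE["MX"]:
                rdata = (struct.unpack("!H", msg[start:start + 2])[0],
                         decode_name(msg, start + 2)[0])
            else:
                rdata = msg[start:off]
            sections[sec].append((name, rtype, rdata))
    return {"id": txid, "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "rcode": RCODE.get(flags & 0x000F, str(flags & 0x000F)), **sections}


def next_hop(resp):
    """For a referral, return the glue address an iterative resolver must query
    next; a server using a forwarder never has to do this step itself."""
    if resp["answer"] or resp["rcode"] != "NOERROR":
        return None
    ns_names = {rd for _, t, rd in resp["authority"] if t == QTYPE["NS"]}
    for name, t, rd in resp["additional"]:
        if t == QTYPE["A"] and name in ns_names:
            return rd
    return None


if __name__ == "__main__":
    for mode in (True, False):
        print("RD=%d query: %d bytes" % (mode, len(build_query("microsoft.com", "MX", mode))))
    ref = parse_response(build_referral("microsoft.com", "MX", "ns.example.net", "192.0.2.1"))
    print("referral, next server to ask:", next_hop(ref))
```

Seen from the firewall, the forwarder case is one RD=1 query to one fixed address and one reply; the root-hints case is a series of RD=0 queries to addresses learned from each referral, with replies that carry no answer section. The "Server failed" line in the original nslookup output is how nslookup renders RCODE 2 (SERVFAIL) from the local server, i.e. the local server gave up on its own iteration, which is a different symptom from the "timed-out" lines, where no reply arrived at all.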
Wednesday, April 3, 2013 3:33 AM | 1 vote
It's by design for MX records:
Nslookup times out on MX records, it's by design:
NSLOOKUP Returns Time-out Error When Query for an MX Record
http://support.microsoft.com/kb/198551/en-us
As a best practice, just to make sure everything else is up to date, let's take a look at the following. But just an FYI, it will not fix MX lookups. That's due to the RFCs, as the link shows.
-
If the hotfix is already installed or it doesn't apply due to service pack level or operating system version, don't fret, the installer will tell you right away. Some of them require restarts.
DNS Server service does not use root hints to resolve external names in Windows Server 2008 R2
Post Windows 2008 R2 SP1 HOTFIX available.
APPLIES TO •Windows 2008 R2 Datacenter •Windows 2008 R2 Ent •Windows 2008 R2 Std.
Requires a restart.
http://support.microsoft.com/kb/2616776
Windows 2008 -
DNS queries for external domains are not resolved when you use Conditional Forwarding in Windows Server 2008
Post Windows 2008 SP2 Hotfix available
Requires a restart.
http://support.microsoft.com/kb/2625735/
DNS server stops responding to DNS queries from client computers in Windows Server 2003, in Windows Server 2008 or in Windows Server 2008 R2 - Post Service Pack Hotfix available.
Does not require a restart.
http://support.microsoft.com/kb/2655960
DNS Server service does not resolve some external DNS names after it works for a while in Windows Server 2008 R2
Hotfix release - (released 4/15/2011)
http://support.microsoft.com/kb/2508835
Ace Fekay
Thursday, April 4, 2013 2:21 PM
Thanks for the reply.
I am a little confused with the MX records being timed out. The article you mentioned looks like it is for internal MX records. My issue is with external MX record resolution. From the looks of it, the major domains I am trying to resolve use host names for the MX record (which I would do for my MX records as well).
So the confusion is, my mail server is attempting to send mail to users at various domains (gmail.com and optonline.net). The mail stays in the queue until the MX records can be resolved. The only way, right now, is to run nslookup while pointing to an external DNS server (8.8.8.8 or a.root-servers.net). This is when I followed the DNS trail and found out the DNS servers use root hints, but they seem to fail based on the nslookup results in my original post.
As for your suggestions, I ran the four updates; only one of the packages was installed (Windows6.1-KB2508835-x64). This, as you mentioned, did not fix the error.
If I am unclear in describing the exact issue, please let me know and I will see if I can explain it better.
Thanks,
AD
Thursday, April 4, 2013 3:25 PM | 1 vote
I don't know what you mean. MX records are not used internally unless you have a partner organization with a trust established. The article was just using private IPs for illustration purposes.
If you're having problems resolving Gmail, optonline, Yahoo, Hotmail, etc, it could be due to EDNS0 restrictions in your firewall, and/or the firewall is not allowing both UDP 53 and TCP 53.
What kind of perimeter firewall do you have? Is there an AV installed on the Exchange server or
To find out if EDNS0 is blocked, run this from the Exchange server, and from one of your DCs, and post the results:
nslookup -type=TXT rs.dns-oarc.net
-
Optionally, you can also configure Exchange to directly use an external DNS, too.
-
Ace Fekay
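The check suggested above, nslookup -type=TXT rs.dns-oarc.net run from each server, returns its verdict as TXT strings whose order varies from run to run, and on the console nslookup wraps long names. What follows is an added example, not part of the thread: a small parser that takes a console capture of several such runs and reports, per resolver, whether the query completed, the EDNS0 buffer the resolver advertised and the largest reply that got through. The embedded sample is constructed in the shape of the thread's later output; the 192.0.2.53 source address, the 10.0.0.10 DC address and the 512/1500 classification thresholds are assumptions, not values from the page.

```python
"""Interpret the DNS-OARC reply-size test (rs.dns-oarc.net) from nslookup output.

Added example, not from the thread. Parses captured console output of
'nslookup -type=TXT rs.dns-oarc.net [server]', one run per server, and reports
whether each path answered and how large a UDP reply made it through relative
to the EDNS0 buffer advertised. SAMPLE_OUTPUT is constructed; 192.0.2.53 and
10.0.0.10 are placeholder addresses.
"""
import re

# Heuristic thresholds (assumption): a limit below 512 means EDNS0-sized
# replies are not getting through at all; below an Ethernet MTU means
# fragmented UDP replies are being dropped somewhere on the path.
EDNS_BROKEN_BELOW = 512
FRAGMENTS_DROPPED_BELOW = 1500

RE_SERVER = re.compile(r"^Server:\s+(\S+)", re.M)
RE_ADDRESS = re.compile(r"^Address:\s+(\S+)", re.M)
RE_BUFFER = re.compile(r'"(\S+) sent EDNS buffer size (\d+)"')
RE_LIMIT = re.compile(r'"(\S+) DNS reply size limit is at least (\d+)"')
RE_TESTED = re.compile(r'"Tested at ([^"]+)"')

SAMPLE_OUTPUT = """\
nslookup -type=TXT rs.dns-oarc.net
Server:  localhost
Address:  127.0.0.1

DNS request timed out.
    timeout was 2 seconds.
*** Request to localhost timed-out

nslookup -type=TXT rs.dns-oarc.net 4.2.2.2
Server:  b.resolvers.Level3.net
Address:  4.2.2.2

Non-authoritative answer:
rs.dns-oarc.net canonical name = rst.x3827.rs.dns-oarc.net
rst.x3827.rs.dns-oarc.net       canonical name = rst.x3837.x3827.rs.dns-oarc.net
rst.x457.x3837.x3827.rs.dns-oarc.net    text =
        "192.0.2.53 DNS reply size limit is at least 3837"
rst.x457.x3837.x3827.rs.dns-oarc.net    text =
        "192.0.2.53 sent EDNS buffer size 4096"
rst.x457.x3837.x3827.rs.dns-oarc.net    text =
        "Tested at 2013-04-05 17:57:52 UTC"

nslookup -type=TXT rs.dns-oarc.net 10.0.0.10
Server:  DC1
Address:  10.0.0.10

Non-authoritative answer:
rs.dns-oarc.net canonical name = rst.x1002.rs.dns-oarc.net
rst.x457.x1957.x1002.rs.dns-oarc.net    text =
        "192.0.2.53 sent EDNS buffer size 4096"
rst.x457.x1957.x1002.rs.dns-oarc.net    text =
        "Tested at 2013-04-05 18:28:31 UTC"
rst.x457.x1957.x1002.rs.dns-oarc.net    text =
        "192.0.2.53 DNS reply size limit is at least 1957"
"""


def split_runs(text):
    """Split a console capture into one chunk per 'nslookup ...' command."""
    runs, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("nslookup") or ">nslookup" in s:
            cur = {"command": s, "body": []}
            runs.append(cur)
        elif cur is not None:
            cur["body"].append(s)
    return runs


def assess(r):
    """Classify one run; the TXT records arrive in any order, so this only
    looks at the extracted numbers."""
    if r["timed_out"] or r["reply_limit"] is None:
        return "no_answer"
    if r["reply_limit"] < EDNS_BROKEN_BELOW:
        return "edns_blocked"
    if r["reply_limit"] < FRAGMENTS_DROPPED_BELOW:
        return "fragments_dropped"
    return "ok"


def parse_run(run):
    body = "\n".join(run["body"])
    r = {"command": run["command"], "server": None, "address": None,
         "timed_out": "timed-out" in body, "source_ip": None,
         "edns_buffer": None, "reply_limit": None, "tested_at": None}
    m = RE_SERVER.search(body)
    r["server"] = m.group(1) if m else None
    m = RE_ADDRESS.search(body)
    r["address"] = m.group(1) if m else None
    m = RE_BUFFER.search(body)
    if m:
        r["source_ip"], r["edns_buffer"] = m.group(1), int(m.group(2))
    m = RE_LIMIT.search(body)
    if m:
        r["source_ip"], r["reply_limit"] = m.group(1), int(m.group(2))
    m = RE_TESTED.search(body)
    r["tested_at"] = m.group(1) if m else None
    # how much of the advertised buffer the path actually delivered
    r["headroom"] = (r["edns_buffer"] - r["reply_limit"]
                     if r["edns_buffer"] and r["reply_limit"] else None)
    r["status"] = assess(r)
    return r


def analyse(text):
    return [parse_run(run) for run in split_runs(text)]


if __name__ == "__main__":
    for r in analyse(SAMPLE_OUTPUT):
        print("%-24s %-18s limit=%s buffer=%s" % (
            r["server"], r["status"], r["reply_limit"], r["edns_buffer"]))
```

Two things the numbers tell you that the raw output hides: a run that times out is a different failure from a run whose limit is small (the first never got any reply back through the path, the second got EDNS0 replies up to a size), and the gap between the advertised buffer and the measured limit is the range of reply sizes the resolver will have to retry over TCP 53, so TCP 53 outbound must be open as well as UDP 53.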
Friday, April 5, 2013 8:09 PM
Thanks the private address threw me off.
There is a Bluecoat that all internet outbound traffic travels through. It is currently configured to allow the DCs access outbound on TCP/UDP 53 without limitation.
===============Mail Server Output==============================================
nslookup -type=TXT rs.dns-oarc.net
Server: localhost
Address: 127.0.0.1
DNS request timed out.
timeout was 2 seconds.
*** Request to localhost timed-out
nslookup -type=TXT rs.dns-oarc.net 8.8.8.8
Server: google-public-dns-a.google.com
Address: 8.8.8.8
DNS request timed out.
timeout was 2 seconds.
*** Request to google-public-dns-a.google.com timed-out
nslookup -type=TXT rs.dns-oarc.net 4.2.2.2
Server: b.resolvers.Level3.net
Address: 4.2.2.2
Non-authoritative answer:
rs.dns-oarc.net canonical name = rst.x3827.rs.dns-oarc.net
rst.x3827.rs.dns-oarc.net canonical name = rst.x3837.x3827.rs.dns-oarc.net
rst.x3837.x3827.rs.dns-oarc.net canonical name = rst.x457.x3837.x3827.rs.dns-oarc.net
rst.x457.x3837.x3827.rs.dns-oarc.net text =
"128.229.5.253 DNS reply size limit is at least 3837"
rst.x457.x3837.x3827.rs.dns-oarc.net text =
"128.229.5.253 sent EDNS buffer size 4096"
rst.x457.x3837.x3827.rs.dns-oarc.net text =
"Tested at 2013-04-05 17:57:52 UTC"
nslookup -type=TXT rs.dns-oarc.net 8.4.4.4
Server: UnKnown
Address: 8.4.4.4
Non-authoritative answer:
rs.dns-oarc.net canonical name = rst.x3827.rs.dns-oarc.net
rst.x3827.rs.dns-oarc.net canonical name = rst.x3837.x3827.rs.dns-oarc.net
rst.x3837.x3827.rs.dns-oarc.net canonical name = rst.x457.x3837.x3827.rs.dns-oarc.net
rst.x457.x3837.x3827.rs.dns-oarc.net text =
"128.229.5.253 sent EDNS buffer size 4096"
rst.x457.x3837.x3827.rs.dns-oarc.net text =
"Tested at 2013-04-05 17:57:52 UTC"
rst.x457.x3837.x3827.rs.dns-oarc.net text =
"128.229.5.253 DNS reply size limit is at least 3837"
===============Mail Server Output==============================================
nslookup -type=TXT rs.dns-oarc.net
Server: b.resolvers.Level3.net
Address: 4.2.2.2
DNS request timed out.
timeout was 2 seconds.
*** Request to b.resolvers.Level3.net timed-out
nslookup -type=TXT rs.dns-oarc.net 10.x.x.x
Server: DC1
Address: 10.x.x.x
Non-authoritative answer:
rs.dns-oarc.net canonical name = rst.x1002.rs.dns-oarc.net
rst.x1002.rs.dns-oarc.net canonical name = rst.x1957.x1002.rs.dns-oarc.net
rst.x1957.x1002.rs.dns-oarc.net canonical name = rst.x457.x1957.x1002.rs.dns-oarc.net
rst.x457.x1957.x1002.rs.dns-oarc.net text =
"128.229.5.253 DNS reply size limit is at least 1957"
rst.x457.x1957.x1002.rs.dns-oarc.net text =
"128.229.5.253 sent EDNS buffer size 4096"
rst.x457.x1957.x1002.rs.dns-oarc.net text =
"Tested at 2013-04-05 18:28:31 UTC"
nslookup -type=TXT rs.dns-oarc.net 10.224.0.11
Server: ashb-wht-dns-02.csn.internal
Address: 10.224.0.11
Non-authoritative answer:
rs.dns-oarc.net canonical name = rst.x1002.rs.dns-oarc.net
rst.x1002.rs.dns-oarc.net canonical name = rst.x1957.x1002.rs.dns-oarc.net
rst.x1957.x1002.rs.dns-oarc.net canonical name = rst.x457.x1957.x1002.rs.dns-oarc.net
rst.x457.x1957.x1002.rs.dns-oarc.net text =
"128.229.5.253 sent EDNS buffer size 4096"
rst.x457.x1957.x1002.rs.dns-oarc.net text =
"Tested at 2013-04-05 18:28:31 UTC"
rst.x457.x1957.x1002.rs.dns-oarc.net text =
"128.229.5.253 DNS reply size limit is at least 1957"
nslookup -type=TXT rs.dns-oarc.net 10.x.x.x
Server: DC2
Address: 10.x.x.x
Non-authoritative answer:
rs.dns-oarc.net canonical name = rst.x1002.rs.dns-oarc.net
rst.x1002.rs.dns-oarc.net canonical name = rst.x1957.x1002.rs.dns-oarc.net
rst.x1957.x1002.rs.dns-oarc.net canonical name = rst.x457.x1957.x1002.rs.dns-oarc.net
rst.x457.x1957.x1002.rs.dns-oarc.net text =
"Tested at 2013-04-05 18:28:31 UTC"
rst.x457.x1957.x1002.rs.dns-oarc.net text =
"128.229.5.253 DNS reply size limit is at least 1957"
rst.x457.x1957.x1002.rs.dns-oarc.net text =
"128.229.5.253 sent EDNS buffer size 4096"
nslookup -type=TXT rs.dns-oarc.net 10.x.x.x
Server: DC1
Address: 10.x.x.x
Non-authoritative answer:
rs.dns-oarc.net canonical name = rst.x1002.rs.dns-oarc.net
rst.x1002.rs.dns-oarc.net canonical name = rst.x1957.x1002.rs.dns-oarc.net
rst.x1957.x1002.rs.dns-oarc.net canonical name = rst.x457.x1957.x1002.rs.dns-oarc.net
rst.x457.x1957.x1002.rs.dns-oarc.net text =
"128.229.5.253 DNS reply size limit is at least 1957"
rst.x457.x1957.x1002.rs.dns-oarc.net text =
"128.229.5.253 sent EDNS buffer size 4096"
rst.x457.x1957.x1002.rs.dns-oarc.net text =
"Tested at 2013-04-05 18:28:31 UTC"
I know I could have excluded some of the outputs, but I figured maybe something would stand out.
EDIT: I am currently pointing the Mail server to an external DNS. But I would like to resolve this issue for the internal DNS servers.
Thanks,
AD
Friday, April 5, 2013 9:33 PM | 1 vote
The EDNS0 results look fine. I'm really surprised that this issue is occurring.
The mail server is a DC? I noticed the nslookup shows localhost, 127.0.0.1, as the DNS server it's using.
- Is that the Windows 2008 R2 server (based on it taking update Windows6.1-KB2508835-x64)?
- If not, what Operating system version is the server?
- Is IPv6 disabled? If so, we need that enabled. Issues occur disabling IPv6, since it's now tied into the OS.
- How many DC/DNS servers do you have? If more than one, does the MX lookup work on the others?
- What version of Exchange?
-
Some info you may or may not be aware of:
- Assuming you understand AD's reliance on DNS, we should never use an external DNS on a DC or another AD machine. I do not suggest using an external DNS on a domain controller.
- Did you know you can configure the Hub Transport Role (Ex 2007 or newer), and the SMTP service (Ex 2000/2003) to use an external DNS server and not the one the machine itself is configured to use in the NIC? I suggest to do that for now.
- Did you also know that if you have more than one DC, you should point the first entry to a partner/replica DC/DNS, and the second entry to itself? This is actually what the BPA looks for. You'll see mixed reviews and comments on this if you search around, and even among the Microsoft engineers since AD's beginnings in 1999, but the consensus now is first to another, itself as the second.
- Did you again know that Google's DNS does not support EDNS0?
- Did you know that Google's 8.8.8.8 DNS is gathering usage data?
http://royal.pingdom.com/2010/01/08/how-google-collects-data-about-you-and-the-internet/
-
I'm starting to think that the Bluecoat may be causing it.
- For the nslookup run, if you type in the actual IP address of itself, then re-run it, does it resolve?
- For the nslookup run, if you type in one of the other DC/DNS servers, then re-run it, does it resolve?
- In DNS, do you have a Forwarder configured? If not, set 4.2.2.2 and 4.2.2.3 as Forwarders, and see if the local DNS will resolve it.
-
Ace Fekay
Friday, April 5, 2013 10:12 PM | 1 vote
I just wanted to add about Google's EDNS0 support. The pertinent part of the data is in bold and underlined, below. The info below was copied/pasted from:
http://comments.gmane.org/gmane.network.dns.operations/1653
dig @8.8.8.8 hopcount.ca MX +dnssec
; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 hopcount.ca MX +dnssec
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21782
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 512
;; QUESTION SECTION:
;hopcount.ca. IN MX
;; ANSWER SECTION:
Ace Fekay
Saturday, April 6, 2013 2:48 AM
Thanks for the detailed response.
The Mail Server is separate from the DC. Both the Mail server and the redundant DCs are running 2008 R2.
Currently IPv6 is enabled on all three servers.
There are a total of 2 DCs and 2 DNS servers. MX records fail on all four.
I am not using Exchange for this instance. I am using the SMTP Virtual Server.
These are great tips:
The DCs are currently pointing to each other but in the order: localhost then secondary. I like the idea of criss-crossing the DCs to have the secondary/primary as the first DNS and localhost as secondary.
Since this is not an Exchange server, I have to point the NIC settings to the desired DNS server. I first started with pointing to the dedicated DNS1/2, then tried the DC1/2 combo. As stated earlier, I ended up using 4.2.2.2 as the primary DNS and one of the DC/DNS servers as the secondary.
I did not know this about Google's DNS server. But their methods of gathering information are seen in everything....
I'm starting to think that the Bluecoat may be causing it.
- *For the nslookup run, if you type in the actual IP address of itself, then re-run it, does it resolve?*
Can you give me a sample command for this? I am not sure what you mean by IP address of itself.
- *For the nslookup run, if you type in one of the other DC/DNS servers, then re-run it, does it resolve?*
I did something similar where I did the following:
From DC1 ran: nslookup -q=mx Microsoft.com 4.2.2.2. I received the correct response.
From DC1 ran: nslookup -q=mx Microsoft.com. I received the correct response along with the Internet Address of the 2 mail servers.
From Mail Server ran: nslookup -q=mx Microsoft.com DC1. I received the correct response along with the Internet Address of the 2 mail servers.
I expected this since, the DC has DNS cache enabled and will retain the information. Is this what you wanted to see?
- In DNS, do you have a Forwarder configured? If not, set 4.2.2.2 and 4.2.2.3 as Forwarders, and see if the local DNS will resolve it.
Currently the forwarders were set as follows:
DC1=none, forced to use root hints
DC2= none, forced to use root hints
DNS1= none, forced to use root hints
DNS2= none, forced to use root hints
I modified DC2 to use the forwarders mentioned, 4.2.2.2 and 4.2.2.3. MX records are able to be resolved without an issue. DC2 and DC1 have also been updated to have each other as the primary DNS in NIC settings.
Would this conclude that root hints are not operating when the Server is unable to resolve the MX record locally? As stated before A records were resolved without an error.
Sunday, April 7, 2013 9:52 PM
Thanks for all your help. I will report any of my findings.
-AD
Monday, April 8, 2013 1:54 AM
Thank you.
Another suggestion: plug the server directly into the switch on the internet side, completely bypassing the Bluecoat.
Ace Fekay