

Randomly DNS server is failing to resolve hostnames

Question

Wednesday, May 9, 2018 2:31 PM

I have a SBS2011 where at random times it's logging a ServerFail message in the DNS logs. I'm seeing the same for my forwarder IP - 1.1.1.1. When this is logged, all internet traffic fails to resolve. This is happening numerous times during the day. Appreciate the feedback

B9C PACKET  000000000B9C7E90 UDP Snd 192.168.34.89    0d94 R U [02a8      SERVFAIL] SOA    (6)_msdcs(3)mydomain(5)local(0)
UDP response info at 000000000B9C7E90
  Socket = 356
  Remote addr 192.168.34.89 port 54369
  Time Query=715907, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x0068 (104)
  Message:
    XID       0x0d94
    Flags     0xa802
      QR        1 (RESPONSE)
      OPCODE    5 (UPDATE)
      AA        0
      TC        0
      RD        0
      RA        0
      Z         0
      CD        0
      AD        0
      RCODE     2 (SERVFAIL)
    ZCOUNT    1
    PRECOUNT  0
    UPCOUNT   1
    ARCOUNT   0
    ZONE SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(6)_msdcs(3)mydomain(5)local(0)"
      ZTYPE   SOA (6)
      ZCLASS  1
    PREREQUISITE SECTION:
      empty
    UPDATE SECTION:
    Offset = 0x0022, RR count = 0
    Name      "(5)_ldap(4)_tcp(2)gc(6)_msdcs(3)mydomain(5)local(0)"
      TYPE   SRV  (33)
      CLASS  1
      TTL    600
      DLEN   28
      DATA   Priority     = 0
Weight       = 100
Port         = 3268
Target host (10)myserver(3)mydomain(5)local(0)
    ADDITIONAL SECTION:
      empty

C2C PACKET  0000000004964600 UDP Rcv 1.1.1.1         8c01 R Q [8281   DR SERVFAIL] PTR    (1)4(2)82(3)138(2)40(7)in-addr(4)arpa(0)
UDP response info at 0000000004964600
  Socket = 4740
  Remote addr 1.1.1.1, port 53
  Time Query=715908, Queued=0, Expire=0
  Buf length = 0x0fa0 (4000)
  Msg length = 0x002a (42)
  Message:
    XID       0x8c01
    Flags     0x8182
      QR        1 (RESPONSE)
      OPCODE    0 (QUERY)
      AA        0
      TC        0
      RD        1
      RA        1
      Z         0
      CD        0
      AD        0
      RCODE     2 (SERVFAIL)
    QCOUNT    1
    ACOUNT    0
    NSCOUNT   0
    ARCOUNT   0
    QUESTION SECTION:
    Offset = 0x000c, RR count = 0
    Name      "(1)4(2)82(3)138(2)40(7)in-addr(4)arpa(0)"
      QTYPE   PTR (12)
      QCLASS  1
    ANSWER SECTION:
      empty
    AUTHORITY SECTION:
      empty
    ADDITIONAL SECTION:
      empty
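
The two PACKET summary lines above record different events: a SERVFAIL this server sent in reply to a dynamic UPDATE, and a SERVFAIL it received from the forwarder. As an added example (not part of the original post), this Python sketch tallies SERVFAIL responses in a DNS debug log by direction, remote address and opcode so the two cases can be counted separately; the third sample line and the "from upstream"/"to client" labels are assumptions.

```python
import re
from collections import Counter

# Two summary lines from the question (editor markup removed) plus one
# constructed NOERROR query line for contrast.
SAMPLE = """\
B9C PACKET  000000000B9C7E90 UDP Snd 192.168.34.89    0d94 R U [02a8      SERVFAIL] SOA    (6)_msdcs(3)mydomain(5)local(0)
C2C PACKET  0000000004964600 UDP Rcv 1.1.1.1         8c01 R Q [8281   DR SERVFAIL] PTR    (1)4(2)82(3)138(2)40(7)in-addr(4)arpa(0)
C2C PACKET  0000000004964601 UDP Snd 1.1.1.1         8c02   Q [0001   D   NOERROR] A      (6)google(3)com(0)
"""

LINE = re.compile(
    r"PACKET\s+[0-9A-Fa-f]+\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+"
    r"(?P<remote>\S+)\s+(?P<xid>[0-9A-Fa-f]{4})\s+(?P<resp>R)?\s*(?P<op>\S)\s+"
    r"\[(?P<flags>[0-9A-Fa-f]{4})\s+(?P<chars>[A-Z ]*?)\s*(?P<rcode>[A-Z]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)"
)

def decode_name(raw):
    """Turn '(6)_msdcs(3)mydomain(5)local(0)' into '_msdcs.mydomain.local'.
    Length prefixes are not validated: anonymised logs often break them."""
    labels = [lab for _, lab in re.findall(r"\((\d+)\)([^(]*)", raw) if lab]
    return ".".join(labels)

def parse(text):
    records = []
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # per-packet detail lines ("Socket = 356", ...) are skipped
        rec = m.groupdict()
        rec["response"] = rec.pop("resp") == "R"
        rec["qname"] = decode_name(rec["qname"])
        records.append(rec)
    return records

def servfail_summary(records):
    """Count SERVFAIL responses by (direction, remote address, opcode)."""
    return Counter(
        (r["dir"], r["remote"], r["op"])
        for r in records
        if r["response"] and r["rcode"] == "SERVFAIL"
    )

if __name__ == "__main__":
    for (direction, remote, op), n in servfail_summary(parse(SAMPLE)).items():
        # Assumed labels: Rcv = answer from a server we queried, Snd = our answer.
        side = "from upstream" if direction == "Rcv" else "to client"
        print(f"{n} SERVFAIL {side} {remote} (opcode {op})")
```

Run over a full debug log, a rise in the `Rcv`/`Q` bucket points at the forwarder path, while `Snd`/`U` entries are failed dynamic updates answered by this server.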

All replies (6)

Thursday, May 17, 2018 8:00 AM ✅Answered

Hi,

How are things going on? Was the issue resolved?

Please let me know if you would like further assistance.

Best regards,

Michael

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected]


Thursday, May 10, 2018 3:58 AM

Hi,

Thanks for your question.

From the message, we only get the information that there’s no DNS record that matches your query. Furthermore, from the first response packet, it seems that it could update SRV records on the DNS server. This means that the DC can communicate with the DNS server. I guess the problem is that the forwarder can’t resolve external names. Make sure the forwarder can communicate with the primary DNS and that it can access the Internet.

For testing purposes, you may add another forwarder, for example a public DNS server, to see if it could be of help.

Due to lack of information about this issue, we can first follow these threads for common DNS troubleshooting.

https://technet.microsoft.com/en-us/library/bb962024.aspx

/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959340(v=technet.10)

Meanwhile, please check the event viewer for more error messages so that we can find more clues.

In addition, here is a link that talks about DNS logging and diagnostics; it may be helpful.

/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11)

Hope above information can help you.

Highly appreciate your successive effort and time. If you have any questions and concerns, please feel free to let me know.

Best regards,

Michael



Thursday, May 10, 2018 7:27 AM

Thanks for your response. Tried using Google public DNS as the forwarder but the issue persists. I captured a packet trace on the DNS server, filtered on DNS communication, and noticed that when we are in the state all communication from and to the DNS server has this response:

Standard query response 0x7959 No such name SRV _kerberos-master._udp. mydomain.LOCAL SOA myserver.mydomain.local

I know this may not be much, hoping the message error syntax might shed some light on the actual issue.


Saturday, May 12, 2018 5:35 AM

Hi,

Thanks for your reply.

Can you resolve internal names from the DNS server? And does Active Directory work correctly?

Please type the following steps to see if it could resolve this no SRV response.

1)Type the command "net stop netlogon" & "net start netlogon"

2)Restart DNS service on the DNS server MMC.

3)Type the command "dcdiag /test:dns" to check that AD and DNS work well.

4)Do copy from on the Root hints tab of the DNS server properties, pointing a public DNS server.

5)Please type "nslookup -d2 <internet name>" on one client or DNS server to trace the query process. You could post the result.

Best regards,

Michael



Saturday, May 12, 2018 11:57 AM

This issue occurs at random times. All seems to be OK now so I would expect the test results to show no error. The chance of the issue occurring increases as the user base increases. Typically I would have <50 users on a day to day basis. Occasionally I would have >400. It's guaranteed to occur when the user base is >400.

====DNS TEST=====

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = myserver
   * Identified AD Forest. 
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\myserver
      Starting test: Connectivity
         ......................... myserver passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\myserver

      Starting test: DNS

         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... myserver passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : mydomain

   Running enterprise tests on : mydomain.local
      Starting test: DNS
         Test results for domain controllers:

            DC: myserver.mydomain.local
            Domain: mydomain.local

               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record in zone mydomain.local

               myserver                   PASS PASS PASS PASS WARN PASS n/a  
         ......................... mydomain.local passed test DNS

C:\temp>nslookup -d2 google.com

SendRequest(), len 43
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        34.34.168.192.in-addr.arpa, type = PTR, class = IN

Got answer (77 bytes):
    HEADER:
        opcode = QUERY, id = 1, rcode = NOERROR
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        34.34.168.192.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    ->  34.34.168.192.in-addr.arpa
        type = PTR, class = IN, dlen = 22
        name = myserver.mydomain.local
        ttl = 1200 (20 mins)

Server:  myserver.mydomain.local
Address:  192.168.34.34

SendRequest(), len 38
    HEADER:
        opcode = QUERY, id = 2, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        google.com.mydomain.local, type = A, class = IN

Got answer (105 bytes):
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        google.com.mydomain.local, type = A, class = IN
    AUTHORITY RECORDS:
    ->  mydomain.local
        type = SOA, class = IN, dlen = 46
        ttl = 3600 (1 hour)
        primary name server = myserver.mydomain.local
        responsible mail addr = hostmaster.mydomain.local
        serial  = 87623
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

SendRequest(), len 38
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        google.com.mydomain.local, type = AAAA, class = IN

Got answer (105 bytes):
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        google.com.mydomain.local, type = AAAA, class = IN
    AUTHORITY RECORDS:
    ->  mydomain.local
        type = SOA, class = IN, dlen = 46
        ttl = 3600 (1 hour)
        primary name server = myserver.mydomain.local
        responsible mail addr = hostmaster.mydomain.local
        serial  = 87623
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

SendRequest(), len 28
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        google.com, type = A, class = IN

Got answer (44 bytes):
    HEADER:
        opcode = QUERY, id = 4, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        google.com, type = A, class = IN
    ANSWERS:
    ->  google.com
        type = A, class = IN, dlen = 4
        internet address = 172.217.15.78
        ttl = 82 (1 min 22 secs)

Non-authoritative answer:

SendRequest(), len 28
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  query, want recursion
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        google.com, type = AAAA, class = IN

Got answer (56 bytes):
    HEADER:
        opcode = QUERY, id = 5, rcode = NOERROR
        header flags:  response, want recursion, recursion avail.
        questions = 1,  answers = 1,  authority records = 0,  additional = 0

    QUESTIONS:
        google.com, type = AAAA, class = IN
    ANSWERS:
    ->  google.com
        type = AAAA, class = IN, dlen = 16
        AAAA IPv6 address = 2607:f8b0:4004:810::200e
        ttl = 110 (1 min 50 secs)

Name:    google.com
Addresses:  2607:f8b0:4004:810::200e
          172.217.15.78

                                                                                       


Tuesday, May 15, 2018 2:48 PM

Hi,

Thanks for your reply.

It shows that the DNS is fine and DC test passed. Traditionally, it will not be related to user base.

Please also monitor the event viewer for any error messages so that we can find more clues when the issue reproduces.

Best regards,

Michael
