Select the product you need help with

Microsoft DNS Server Cannot Resolve Some Domain Names

Article ID: 247681 - View products that this article applies to.

This article was previously published under Q247681

SYMPTOMS

When you use a Microsoft Domain Name System (DNS) server to resolve client queries for Internet hosts, some domain names may not resolve. Some of the domain names which may be affected include, but are not limited to:

www.apple.com
www.caldera.com
www.efax.com
www.intel.com
www.fda.gov

This problem occurs under the following circumstances:

A Microsoft DNS server on the inside of the firewall queries an authoritative name server on the outside of the firewall for a record.
The external DNS server that replies to the request has a different source IP address than the address to which the query was sent.

Back to the top | Give Feedback

CAUSE

This problem occurs because some implementations of DNS include a load balancing feature. In implementations such as this, the server that answers a query outside the firewall can be different than the server to which the query was originally addressed.

Under these circumstances, a firewall may discard the reply from the external DNS server. The packet is discarded because the internal host (the DNS server inside the firewall) originally opened the connection to a different destination IP address than the IP address the reply was received on (the first external DNS server). This causes the reply from the external DNS server to never be received on the DNS server on the inside of the firewall.

WORKAROUND

To work around this problem:

Have the DNS server that is unable to resolve some of the domain names set the "Forwarders" option to a DNS server external to the firewall. The forwarders option will cause the internal DNS server to do a recursive query to an external DNS server, which will cause the reply to be from the same source IP address that the query was sent to.
Set a rule on the firewall to allow any inbound traffic destined for port 53 to the IP address of the internal Microsoft DNS server. With this setting, the firewall will not drop the replies even though they are from a different source address than the query was sent to.

Back to the top | Give Feedback

MORE INFORMATION

This problem does not typically occur on a Microsoft DNS server that is authoritative for a zone which services external queries from the Internet. The reason for this being that the rule mentioned in workaround 2 is already set by necessity. An alternative, but equally likely, cause of this issue on Windows NT 4.0 is that the authoritative DNS server for the queried domain is located behind a firewall that blocks all DNS queries from source ports under port 1024.

The workaround is to modify the port on which your Windows NT 4.0 DNS server send its DNS queries. Windows NT 4.0 DNS by default sends DNS queries on source port 53. Use the following registry value to modify the send port for DNS.

Non-port-53 operation: This allows a firewall of port 53 and while still having the server go out and query the world. Anyone running a server on a firewall who is not interested in incoming traffic may be interested. You need to set the SendOnNonDnsPort registry key to get non-53 sends. If you set this to a specific port > 1024, you actually run on that port; any < 1024 true value means you bind to any port.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

Value Name: SendOnNonDnsPort
Data Type : REG_DWORD
Data : Appropriate port # (53 is default) (port numbers are in decimal)

NOTE: This key does not exist by default.

Back to the top | Give Feedback