Article ID: 247681
This article was previously published under Q247681
When you use a Microsoft Domain Name System (DNS) server to resolve client queries for Internet hosts, some domain names may not resolve. The domain names that may be affected include, but are not limited to:
This problem occurs because some DNS implementations include a load balancing feature. In such implementations, the external server that answers a query can be different from the server to which the query was originally addressed.
Under these circumstances, a firewall may discard the reply from the external DNS server. The reply is discarded because the internal host (the DNS server inside the firewall) originally sent the query to one destination IP address (the first external DNS server), while the reply arrives from a different source IP address (the server that actually answered). As a result, the reply from the external DNS server never reaches the DNS server inside the firewall.
WORKAROUND
To work around this problem:
This problem does not typically occur on a Microsoft DNS server that is authoritative for a zone that services external queries from the Internet, because the rule mentioned in workaround 2 is already in place by necessity. An alternative, but equally likely, cause of this issue on Windows NT 4.0 is that the authoritative DNS server for the queried domain is located behind a firewall that blocks all DNS queries whose source port is below port 1024.
The workaround is to modify the source port from which your Windows NT 4.0 DNS server sends its DNS queries. By default, Windows NT 4.0 DNS sends its queries from source port 53. Use the following registry value to modify the send port for DNS.
Non-port-53 operation: This allows port 53 to be firewalled while the server can still go out and query the world. Anyone running a server on a firewall who is not interested in incoming traffic may be interested. You need to set the SendOnNonDnsPort registry value to get non-53 sends. If you set this to a specific port > 1024, the server actually sends from that port; any nonzero value < 1024 means the server binds to an arbitrary port.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
NOTE: This key does not exist by default.
Value Name: SendOnNonDnsPort
Data Type : REG_DWORD
Data : Appropriate port # (53 is default) (port numbers are in decimal)
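The two causes described above, as an added Python model that is not part of the original article: a stateful firewall that only admits a reply matching the flow the inside host opened (so a reply from a load-balancing peer is dropped), and the remote rule that drops DNS queries sourced from ports below 1024 (which a non-53 send port avoids). The IP addresses are constructed documentation-range values, and the function and class names are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    """Minimal model of a stateful firewall: an inbound UDP packet is admitted
    only if it matches a flow an inside host opened, addresses reversed."""

    def __init__(self):
        self.flows = set()

    def outbound(self, pkt: Packet) -> None:
        # Record the flow exactly as the inside host addressed it.
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound_allowed(self, pkt: Packet) -> bool:
        # A reply matches only if it comes FROM the address the query went TO.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.flows


def blocked_by_low_port_rule(query: Packet) -> bool:
    """Remote-side rule from the article: drop DNS queries (dst port 53)
    whose source port is below 1024."""
    return query.dst_port == 53 and query.src_port < 1024


# Constructed addresses (RFC 5737 documentation ranges), not from the article.
INSIDE_DNS = "192.0.2.5"
EXT_DNS_A, EXT_DNS_B = "198.51.100.10", "198.51.100.11"


def load_balanced_reply_outcome(reply_from: str) -> bool:
    """Query goes to EXT_DNS_A from source port 53 (NT 4.0 default);
    returns True if a reply from `reply_from` gets through the firewall."""
    fw = StatefulFirewall()
    fw.outbound(Packet(INSIDE_DNS, 53, EXT_DNS_A, 53))
    return fw.inbound_allowed(Packet(reply_from, 53, INSIDE_DNS, 53))


def query_outcome(send_port: int) -> bool:
    """True if a query sent from `send_port` passes the remote low-port rule."""
    return not blocked_by_low_port_rule(Packet(INSIDE_DNS, send_port, EXT_DNS_A, 53))


if __name__ == "__main__":
    print("reply from queried server accepted:", load_balanced_reply_outcome(EXT_DNS_A))
    print("reply from load-balancing peer accepted:", load_balanced_reply_outcome(EXT_DNS_B))
    print("query from source port 53 passes remote rule:", query_outcome(53))
    print("query from source port 3500 passes remote rule:", query_outcome(3500))
```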
Article ID: 247681 - Last Review: February 28, 2007 - Revision: 1.2