Microsoft DNS Server Cannot Resolve Some Domain Names

ID: Q247681


The information in this article applies to:
  • Microsoft Windows NT Server versions 4.0, 4.0 SP1, 4.0 SP2, 4.0 SP3, 4.0 SP4, 4.0 SP5, 4.0 SP6, 4.0 SP6a
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server


SYMPTOMS

When you use a Microsoft Domain Name System (DNS) server to resolve client queries for Internet hosts, some domain names may not resolve. Some of the domain names which may be affected include, but are not limited to:

  • www.apple.com
  • www.caldera.com
  • www.efax.com
  • www.intel.com
  • www.fda.gov

This problem occurs under the following circumstances:
  • A Microsoft DNS server inside the firewall queries an authoritative name server outside the firewall for a record.
  • The external DNS server that replies to the query uses a different source IP address than the address to which the query was sent.


CAUSE

This problem occurs because some DNS implementations include a load balancing feature. In such implementations, the server outside the firewall that answers a query can be a different server than the one to which the query was originally addressed.

Under these circumstances, a firewall may discard the reply from the external DNS server. The packet is discarded because the internal host (the DNS server inside the firewall) originally sent the query to a different destination IP address than the source IP address the reply arrives from (the first external DNS server). As a result, the reply from the external DNS server never reaches the DNS server inside the firewall.

WORKAROUND

To work around this problem, use one of the following methods:
  1. On the DNS server that is unable to resolve some of the domain names, set the "Forwarders" option to a DNS server external to the firewall. The Forwarders option causes the internal DNS server to send a recursive query to the external DNS server, so the reply comes from the same source IP address the query was sent to.
  2. Set a rule on the firewall to allow any inbound traffic destined for port 53 on the IP address of the internal Microsoft DNS server. With this rule in place, the firewall does not drop the replies even though they come from a different source address than the one the query was sent to.
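The following added example (not part of this article) models the stateful filtering described in CAUSE and the effect of workaround 2. It assumes the internal DNS server sends its queries from source port 53 and uses constructed, documentation-range addresses; the firewall class, packet layout and hostnames are illustrative only.

```python
# Added example: a minimal model of a stateful firewall that tracks outbound UDP
# queries and accepts an inbound packet only if it reverses a known flow or matches
# a static allow rule. All names and addresses are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulFirewall:
    def __init__(self):
        self.flows = set()         # (internal_ip, internal_port, external_ip, external_port)
        self.static_allow = set()  # (dst_ip, dst_port) permitted inbound regardless of state
        self.dropped = []          # discarded inbound packets, kept for log review

    def allow_inbound(self, dst_ip, dst_port):
        # Workaround 2: permit inbound traffic to port 53 on the internal DNS server.
        self.static_allow.add((dst_ip, dst_port))

    def outbound(self, pkt):
        # Record the exact 4-tuple of the query so a reply can be matched to it.
        self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))

    def inbound(self, pkt):
        # A reply matches only when it comes from the same IP/port the query went to.
        reversed_flow = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if reversed_flow in self.flows or (pkt.dst_ip, pkt.dst_port) in self.static_allow:
            return True
        self.dropped.append(pkt)
        return False


def reply_accepted(reply_from_other_server, with_workaround_2):
    """Send one query through the model and report whether the reply gets in."""
    internal_dns, asked_ns, other_ns = "10.0.0.53", "192.0.2.10", "192.0.2.11"
    fw = StatefulFirewall()
    if with_workaround_2:
        fw.allow_inbound(internal_dns, 53)
    fw.outbound(UdpPacket(internal_dns, 53, asked_ns, 53))  # query from source port 53 (assumed)
    answering = other_ns if reply_from_other_server else asked_ns
    return fw.inbound(UdpPacket(answering, 53, internal_dns, 53))
```

Inspecting `fw.dropped` on a real device's equivalent (the firewall's drop log) is the quickest way to confirm this cause: the dropped replies show a source address that never appears as a query destination.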



MORE INFORMATION

This problem does not typically occur on a Microsoft DNS server that is authoritative for a zone and services external queries from the Internet, because the firewall rule described in workaround 2 is already in place by necessity.

Additional query words: Checkpoint, Firewall 1

Keywords :
Version : WINDOWS:2000; winnt:4.0,4.0 SP1,4.0 SP2,4.0 SP3,4.0 SP4,4.0 SP5,4.0 SP6,4.0 SP6a
Platform : WINDOWS winnt
Issue type : kbprb


Last Reviewed: December 29, 1999
© 2000 Microsoft Corporation. All rights reserved. Terms of Use.