I know this is a week late, but I've not been reading the list lately. However I do have what I think is the correct answer.
This sounds like a problem with UDP vs TCP connections. DNS does an initial query using UDP. If the response to the ANY query is too long - as it will be if the domain has a large number of name servers and/or MX records - all of the information will not fit into the UDP response datagram.

When this happens, (http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc1035.html) section 7.4 states that the truncated or partial response is not to be cached:

"When several RRs of the same type are available for a particular owner name, the resolver should either cache them all or none at all. When a response is truncated, and a resolver doesn't know whether it has a complete set, it should not cache a possibly partial set of RRs."

Please note it doesn't say the resolver cannot USE the truncated response - just that it is not to be cached.

Therefore, in W2K DNS, a truncated response to the ANY query is used the first time, resulting in successful resolution. The second time, in many cases, it will time out. Why? Because the resolver knows that when it queries longanyquerydomain.com it will get a truncated response using UDP, it starts querying longanyquerydomain.com using TCP, as it should. The problem is, many large enterprises don't allow TCP traffic to/from their name servers and the Internet, thus causing a time out.

So you have a Catch-22 situation. The ANY query response from UDP is enough to get the mail through, but W2K won't use truncated data more than once, doing a negative cache and thereafter attempting TCP. (Again, this is a flaw in the design of W2K DNS. It should use the truncated data, as BIND does, without caching it.) Then W2K does a TCP query, as it should, but due to firewall restrictions, TCP is blocked (at their and/or your firewall) and you can't get a response. So it fails and you have to reboot.
You can set up nslookup to model the behavior of the BIND resolver by using the Option setting:

    set [no]ignoretc

To quote from the new, 4th edition of DNS & BIND:

"By default, nslookup doesn't ignore truncated messages. If a message is received that has the 'truncated' bit set - indicating that the name server couldn't fit all the important information in the UDP response datagram - nslookup doesn't ignore it; it retries the query using a TCP connection instead of UDP. Again, this matches the BIND resolver's behavior."

THERE IS NO SOLUTION TO THIS WITH W2K. You will need to run a different name server for your external queries. We use MetaIP (Checkpoint), but we could have easily used BIND 8 or 9.

This stumped me for most of a week, till I finally reached the designers of W2K DNS and got it resolved - the resolution is they're not going to fix it. That conversation occurred last October. Perhaps they've pulled their head out of their collective ass since then, and it will be fixed in a service pack. But don't count on it.

You can also see this conversation on the BIND mailing list (not sure if it's in the FAQ yet, given it's a BIND FAQ, but the question gets asked there about every couple of weeks.)

Good luck,

Jesse Wendel
Sr. Technical Systems Analyst
Primary Messaging/DNS Administrator
www.pse.com
(A Fortune 500 Company)

-----Original Message-----
From: Andrey Fyodorov [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 12:51 PM
To: Exchange Discussions
Subject: RE: Win2K DNS is PISSING ME OFF

I tried disabling the DNS client but it did not help

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 23, 2002 3:11 PM
To: Exchange Discussions
Subject: RE: Win2K DNS is PISSING ME OFF

Because forwarders suck?

I've got a fairly high traffic Win2k SP2 + hotfixes DNS server that exhibited the same problems you're seeing until I killed the DNS Client service, and it hasn't happened since - and that's been 6-8 weeks now.
------------------------------------------------------
Roger D. Seielstad - MCSE
Sr. Systems Administrator
Peregrine Systems
Atlanta, GA

> -----Original Message-----
> From: Andrey Fyodorov [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 23, 2002 11:31 AM
> To: Exchange Discussions
> Subject: RE: Win2K DNS is PISSING ME OFF
>
>
> Many times. Sometimes it starts working right after clearing the DNS cache
> (so I don't have to restart the DNS server service), but sometimes it
> doesn't. But sooner or later it craps out again.
>
> Using forwarders (BIND 8) servers seems to eliminate this problem. The issue
> is that we want to avoid using forwarders, we have other reasons for that.
>
> -----Original Message-----
> From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 23, 2002 10:25 AM
> To: Exchange Discussions
> Subject: RE: Win2K DNS is PISSING ME OFF
>
>
> Did you also clear the DNS cache in the DNS service?
>
>
> ------------------------------------------------------
> Roger D. Seielstad - MCSE
> Sr. Systems Administrator
> Peregrine Systems
> Atlanta, GA
>
>
> > -----Original Message-----
> > From: Andrey Fyodorov [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, May 22, 2002 4:56 PM
> > To: Exchange Discussions
> > Cc: Humberto Perez; Joe Gonzalez
> > Subject: RE: Win2K DNS is PISSING ME OFF
> >
> >
> > Stopped the DNS client but DNS still crapped out.
> >
> > -----Original Message-----
> > From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, May 22, 2002 2:55 PM
> > To: Exchange Discussions
> > Subject: RE: Win2K DNS is PISSING ME OFF
> >
> >
> > That's all fine and good, but you need to read up on what the DNS Client
> > service does.
> >
> > The DNS Client Service acts as a client side DNS cache. There is no need for
> > the DNS Client to run on ANY machine on the network. It can help, but on an
> > active server running the DNS service, it causes problems.
> >
> > Disable it and you'll stop having the issue.
> >
> > ------------------------------------------------------
> > Roger D. Seielstad - MCSE
> > Sr. Systems Administrator
> > Peregrine Systems
> > Atlanta, GA
> >
> >
> > > -----Original Message-----
> > > From: Andrey Fyodorov [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, May 22, 2002 2:44 PM
> > > To: Exchange Discussions
> > > Subject: RE: Win2K DNS is PISSING ME OFF
> > >
> > >
> > > But... the server is its own client. For example in order for Netdiag to
> > > pass all the tests, the IP configuration needs its own IP address for the
> > > DNS server.
> > >
> > > -----Original Message-----
> > > From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
> > > Sent: Wednesday, May 22, 2002 2:01 PM
> > > To: Exchange Discussions
> > > Subject: RE: Win2K DNS is PISSING ME OFF
> > >
> > >
> > > Although this is more NT/Win2k than anything, disable the DNS Client service
> > > on the DNS server.
> > >
> > > ------------------------------------------------------
> > > Roger D. Seielstad - MCSE
> > > Sr. Systems Administrator
> > > Peregrine Systems
> > > Atlanta, GA
> > >
> > >
> > > > -----Original Message-----
> > > > From: Andrey Fyodorov [mailto:[EMAIL PROTECTED]]
> > > > Sent: Wednesday, May 22, 2002 12:16 PM
> > > > To: Exchange Discussions
> > > > Subject: Win2K DNS is PISSING ME OFF
> > > >
> > > >
> > > > Hi all.
> > > >
> > > > I have two Win2K AD DNS servers. Recently they have been acting up: all of a
> > > > sudden one of them stops using root hints and can't resolve a lot of good
> > > > domain names (request timed-out). I restart the DNS server service and
> > > > everything is OK again. Then 10-15 minutes later, it starts giving request
> > > > timed-out. Both DNS servers experience this at different times.
> > > >
> > > > Has anyone here seen this?
> > > >
> > > > _________________________________________________________________
> > > > List posting FAQ: http://www.swinc.com/resource/exch_faq.htm
> > > > Archives: http://www.swynk.com/sitesearch/search.asp
> > > > To unsubscribe: mailto:[EMAIL PROTECTED]
> > > > Exchange List admin: [EMAIL PROTECTED]
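
The truncation behaviour described in the top reply of this thread, as an added example that is not part of any poster's message: a Python sketch that builds the ANY query, reads the TC (truncated) bit from a UDP reply header, and classifies the lookup by whether the TCP retry got through. The sample reply bytes are constructed, and the function names are assumptions of this example.

```python
import socket
import struct

TC_BIT = 0x0200   # "truncated" flag in the DNS header flags word (RFC 1035 4.1.1)
QTYPE_ANY = 255   # the ANY query type discussed in the thread

def build_query(name, qtype=QTYPE_ANY, qid=0x1234):
    """Return a wire-format DNS query (recursion desired, class IN)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the 12-byte DNS header; raise ValueError on a short message."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than 12-byte header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "response": bool(flags & 0x8000),
            "truncated": bool(flags & TC_BIT), "rcode": flags & 0x000F,
            "answers": an}

def tcp_query(server, query, timeout=3.0):
    """Retry over TCP/53 (2-byte length prefix); None if blocked or timed out."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            f = s.makefile("rb")
            prefix = f.read(2)
            if len(prefix) < 2:
                return None
            return f.read(struct.unpack("!H", prefix)[0])
    except OSError:
        return None

def diagnose(udp_response, tcp_response):
    """Classify one lookup from its UDP reply and the result of the TCP retry."""
    if not parse_header(udp_response)["truncated"]:
        return "complete over UDP; no TCP retry needed"
    if tcp_response is None:
        return "truncated over UDP and TCP/53 failed; check firewall rules"
    return "truncated over UDP; full answer retrieved over TCP"

# Constructed sample replies: flags 0x8380 has QR, TC, RD and RA set; 0x8180 lacks TC.
_q = build_query("longanyquerydomain.com")
SAMPLE_TRUNCATED = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 7, 0, 0) + _q[12:]
SAMPLE_COMPLETE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0) + _q[12:]
```

Against a live server, send the output of `build_query` over UDP, then pass that reply and the result of `tcp_query(server, query)` to `diagnose`.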

