This becomes more interesting.  OARC has set up a reply-size test server
(https://www.dns-oarc.net/oarc/services/replysizetest).  The results look
backwards to me, but follow the pattern of success/failure.  That is an
indication that this does have to do with UDP packet size.

I'm hesitant to start applying the workaround & turning off EDNS
capability.  Contacting firewall team for their input.


C:\Documents and Settings\me>nslookup -type=txt rs.dns-oarc.net. (our 2K8 server)
Server:  (our 2K8 server)
Address:  (our 2K8 server)
DNS request timed out.
    timeout was 2 seconds.
*** Request to (our 2K8 server) timed-out

C:\Documents and Settings\me>nslookup -type=txt rs.dns-oarc.net. (our 2k3 server)
Server:  (our 2k3 server)
Address:  (our 2k3 server)
DNS request timed out.
    timeout was 2 seconds.
*** Request to (our 2k3 server) timed-out

C:\Documents and Settings\me>nslookup -type=txt rs.dns-oarc.net. (our 2k8r2 server)
Server:  (our 2k8r2 server)
Address:  (our 2k8r2 server)
Non-authoritative answer:
rs.dns-oarc.net canonical name = rst.x3827.rs.dns-oarc.net
rst.x3827.rs.dns-oarc.net       canonical name = rst.x3837.x3827.rs.dns-oarc.net
rst.x3837.x3827.rs.dns-oarc.net canonical name = rst.x3843.x3837.x3827.rs.dns-oarc.net
rst.x3843.x3837.x3827.rs.dns-oarc.net   text =
        "(our 2k8r2 server) DNS reply size limit is at least 3843"
rst.x3843.x3837.x3827.rs.dns-oarc.net   text =
        "(our 2k8r2 server) sent EDNS buffer size 4000"
rst.x3843.x3837.x3827.rs.dns-oarc.net   text =
        "Tested at 2010-12-15 16:55:15 UTC"



On Wed, Dec 15, 2010 at 10:23 AM, VIPCS <[email protected]> wrote:

>  Jeffrey just tried an nslookup query (results below) on two WS2K8 servers
> (one is R2) on two different networks and both resolved (both are DCs with
> DNS installed):
>
>
>
> Non-authoritative answer:
>
> Name:    www.insead.edu
>
> Address:  213.182.38.52
>
>
>
> Is it possible an upstream DNS forwarder is blocking access?
>
>
>
> Sincerely,
>
>
>
> Jeffrey and Mary Jane Harris
>
> VIPCS
>
>
>  ------------------------------
>
> *From:* m b [mailto:[email protected]]
> *Sent:* Wednesday, December 15, 2010 11:15 AM
>
> *To:* NT System Admin Issues
> *Subject:* 2K8R2 DNS anomaly
>
>
>
> Within our forest, all domain controllers are DNS servers.  We've been
> working to upgrade from 2K3 to 2K8.  Most of those that are upgraded are
> 2K8R2, while a few are just 2K8.
>
>
>
> I have heard some reports from users that they were unable to access
> certain websites that they were able to access from home.  Today's example
> is www.insead.edu.
>
>
>
> When I do an nslookup against any of our 2K8R2 DNS servers, the lookup
> fails to resolve.  If I do that same lookup against any 2K3 or 2K8 DNS
> server, it is successful.
>
>
>
> I'm not seeing any common event log errors/warnings among the 2K8R2 DNS
> servers.  My only hunch is root hints.  Anyone experienced something
> similar?
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
