Windows Server Forum / Windows Server 2003 / DNS / September 2006
DNS stops resolving...outbound email stuck until dns restarted
Patty S - 06 Sep 2006 23:01 GMT

I have two companies that we support that each have Windows 2003 with Exchange 2003. They each are current on all updates and service packs. But, on occasion, their DNS service stops resolving and the queues stack up. Email does not go out.
If we restart the dns server service, email starts moving again.
We have actually worked with Microsoft on this one without being able to resolve it. It is random and can go three weeks or stop every other day.
I know this is a short description, but I wanted to see if anyone out there has experienced this same situation.
Patty S.
Kevin D. Goodknecht Sr. [MVP] - 07 Sep 2006 04:26 GMT

> I have two companies that we support that each have Windows 2003 with
> Exchange 2003. They each are current on all updates and service
[quoted text clipped - 9 lines]
> I know this is a short description, but I wanted to see if anyone out
> there has experienced this same situation.

Try updating the root hints. The Win2k3 DNS console made it real easy: first remove all root hints, then click the Copy from Server button and enter 198.41.0.4 in the Copy from dialog (A.ROOT-SERVERS.NET.). This will reload all the root hints from the master ICANN root server.
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue; to respond directly to me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix: It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
Patty S - 07 Sep 2006 17:05 GMT

I just did that. I think they have tried that, but everything is worth a try now.
The interesting thing is both sites have barracuda spam devices, but we have set the barracuda to use a different dns server at one site. The second site is still set to the same dns server.
Both sites have a Cisco Pix, 501 and a 506.
Any ideas would greatly be appreciated!
Patty Seaman (a MVP years ago)
>> I have two companies that we support that each have Windows 2003 with
>> Exchange 2003. They each are current on all updates and service
[quoted text clipped - 15 lines]
> 198.41.0.4 in the copy from dialog (A.ROOT-SERVERS.NET.) this will reload
> all the Root hints from the master ICANN root server.

Kevin D. Goodknecht Sr. [MVP] - 07 Sep 2006 19:57 GMT

> I just did that. I think they have tried that, but everything is
> worth a try now.
[quoted text clipped - 4 lines]
>
> Both sites have a Cisco Pix, 501 and a 506.

PIX Firewall? Did you try this one?
828263 - DNS query responses do not travel through a firewall in Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828263&sd=RMVP

It mentions two methods: one is to fix the firewall to allow UDP packets larger than 512 bytes, two is to disable EDNS. I usually recommend fixing the firewall, if possible, because UDP is a much more efficient protocol for DNS. If you disable EDNS and the DNS response will not fit into one UDP packet, the DNS server should retry the query using TCP.
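To make the 512-byte point concrete, here is an added example (not from the thread or from Microsoft) that builds a DNS query with and without an EDNS0 OPT record, reads back the UDP payload size each one advertises, and checks a reply for the TC bit that tells a resolver to retry over TCP. Packets are constructed inline; the RFC 1035 header/question and RFC 6891 OPT layouts are assumed.

```python
import struct

def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def _skip_name(pkt, off):
    """Advance past a (possibly compressed) domain name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes
            return off + 2
        off += length + 1

def build_query(name, qtype=15, edns_udp_size=4096, txid=0x1234):
    """DNS query (default MX); edns_udp_size=None gives a classic, 512-byte-capped query."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = _encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLEN 0
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt

def advertised_udp_size(pkt):
    """OPT CLASS field if an OPT RR is present, else the RFC 1035 limit of 512."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41:
            return rclass
        off += 10 + rdlen
    return 512

def needs_tcp_retry(response):
    """True when TC is set: the answer did not fit the allowed UDP size, so retry over TCP."""
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & 0x0200)

# Constructed reply to a non-EDNS query: QR, RD, RA and TC set (0x8380), no answers.
TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + \
    _encode_name("example.com") + struct.pack("!HH", 15, 1)
```

With EDNS probes off, a large MX answer comes back as a 512-byte truncated reply and the server retries over TCP; with EDNS on, the server advertises 4096 bytes and a firewall that caps UDP DNS at 512 bytes silently drops the big reply instead.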
Patty S - 07 Sep 2006 20:11 GMT

We automatically do that when we install.
>> I just did that. I think they have tried that, but everything is
>> worth a try now.
[quoted text clipped - 17 lines]
> will not fit into one UDP packet, the DNS server should retry the query
> using TCP.

Kevin D. Goodknecht Sr. [MVP] - 07 Sep 2006 23:02 GMT

> We automatically do that when we install.

Instead of restarting the DNS service, does clearing the DNS server cache work?
Are you using a forwarder? Has it (the forwarder) been tested to allow recursion?
Does your firewall allow your DNS access to any address on port 53 UDP and TCP? If your firewall only allows access to your ISP's DNS on those two ports, check the box "Do not use recursion for this domain" on the forwarders tab.
On the subject of forwarders, my preference is to not use a forwarder and just let DNS do its own recursive lookups. It actually makes your DNS less susceptible to corruption because it will only use authoritative servers for resolution. I use a forwarder only if I have a caching DNS that I'm in control of.
Patty S - 07 Sep 2006 23:14 GMT

I will try the clearing of the cache next time it fails. Now it is just a waiting game until it fails again.
We do have forwarders in there. Both sites do actually go to the same isp.
I will check with the Cisco guys here in regards to the ports.
Thanks for the assistance. There are 7 of us here and we are hitting a wall. I was hoping someone else out there had run into this problem. I can't believe that we are the only ones. We have been trying to come up with what is similar between the two clients. We have about 100 clients and it is just these two. We have quite a few that are with the same isp and not having problems.
>> We automatically do that when we install.
>
[quoted text clipped - 16 lines]
> resolution. I use a forwarder only if I have a caching DNS that I'm in
> control of.

Patty S - 08 Sep 2006 16:44 GMT

Well, clearing the cache didn't work.
When I do nslookup, I get a timeout for external sites.
> I will try the clearing of the cache next time it fails. Now it is just a
> waiting game until it fails again.
[quoted text clipped - 32 lines]
>> resolution. I use a forwarder only if I have a caching DNS that I'm in
>> control of.

Kevin D. Goodknecht Sr. [MVP] - 08 Sep 2006 19:15 GMT

> Well, clearing the cache didn't work.

Can you post dnscmd <servername> /Info?
Maybe something will jump out, this usually points to a problem with the root hints or the forwarders.
Patty S - 08 Sep 2006 19:28 GMT

I replaced the domain names with xxxxxxxx.
Query result:
Server info
server name = sweepea.xxxxxxxx.com
version = 0ECE0205 (5.2 build 3790)
DS container = cn=MicrosoftDNS,cn=System,DC=xxxxxxxx,DC=com
forest name = xxxxxxxx.com
domain name = xxxxxxxx.com
builtin domain partition = ForestDnsZones.xxxxxxxx.com
builtin forest partition = DomainDnsZones.xxxxxxxx.com
last scavenge cycle = not since restart (0)
Configuration:
dwLogLevel = 0000F331
dwDebugLevel = 00000000
dwRpcProtocol = FFFFFFFF
dwNameCheckFlag = 00000002
cAddressAnswerLimit = 0
dwRecursionRetry = 3
dwRecursionTimeout = 15
dwDsPollingInterval = 180
Configuration Flags:
fBootMethod = 3
fAdminConfigured = 1
fAllowUpdate = 1
fDsAvailable = 1
fAutoReverseZones = 1
fAutoCacheUpdate = 0
fSlave = 0
fNoRecursion = 0
fRoundRobin = 1
fStrictFileParsing = 0
fLooseWildcarding = 0
fBindSecondaries = 1
fWriteAuthorityNs = 0
fLocalNetPriority = 1
Aging Configuration:
ScavengingInterval = 0
DefaultAgingState = 0
DefaultRefreshInterval = 168
DefaultNoRefreshInterval = 168
ServerAddresses:
Addr Count = 1
Addr[0] => 10.0.1.6
ListenAddresses:
NULL IP Array.
Forwarders:
Addr Count = 2
Addr[0] => 216.57.214.17
Addr[1] => 216.57.207.18
forward timeout = 5
slave = 0
Command completed successfully.
>> Well, clearing the cache didn't work.
>
> Can you post dnscmd <servername> /Info
>
> Maybe something will jump out, this usually points to a problem with the
> root hints or the forwarders.

Kevin D. Goodknecht Sr. [MVP] - 08 Sep 2006 20:16 GMT

> I replaced the domain names with xxxxxxxx

I believe this could be your problem:

> dwLogLevel = 0000F331

On the Debug Logging tab, clear the Log packets for debugging check box.
Under loaded situations when DNS is answering a lot of queries, you can overload the service with debug logging enabled. DNS can handle hundreds of queries a second in normal read only mode, until it has to write a log. If it has to log these queries, it can cause DNS to stop responding.
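As an added example (not from the thread), this script parses dnscmd /Info output like the one posted above and reports the settings the thread worked through: a nonzero dwLogLevel (packet debug logging on), recursion disabled, the "Do not use recursion" forwarder flag, and the forwarder list. The sample text is constructed from the posted output, and the bit-to-checkbox mapping for dwLogLevel is an assumption to confirm against the dnscmd /Config /LogLevel documentation.

```python
import re

# Constructed sample modelled on the dnscmd /Info output posted above
# (names replaced with xxxxxxxx, as in the thread).
SAMPLE_INFO = """\
Server info
  server name = sweepea.xxxxxxxx.com
  version = 0ECE0205 (5.2 build 3790)
Configuration:
  dwLogLevel = 0000F331
  dwRecursionTimeout = 15
Configuration Flags:
  fSlave = 0
  fNoRecursion = 0
ServerAddresses:
  Addr Count = 1 Addr[0] => 10.0.1.6
Forwarders:
  Addr Count = 2 Addr[0] => 216.57.214.17 Addr[1] => 216.57.207.18 forward timeout = 5
Command completed successfully.
"""

# Debug Logging tab check boxes and the dwLogLevel bits they set
# (assumed mapping; confirm against the dnscmd /Config /LogLevel docs).
LOG_BITS = {0x1: "queries/transfers", 0x10: "notifications", 0x20: "updates",
            0x100: "request", 0x200: "response", 0x1000: "outgoing",
            0x2000: "incoming", 0x4000: "UDP", 0x8000: "TCP", 0x10000: "details"}

def parse_info(text):
    """Map 'key = value' lines to a dict and pull out the forwarder addresses."""
    cfg = {k.strip(): v for k, v in re.findall(r"^\s*([\w ]+?) = (\S+)", text, re.M)}
    fwd = text.split("Forwarders:", 1)[1] if "Forwarders:" in text else ""
    cfg["forwarders"] = re.findall(r"Addr\[\d+\] => (\d+(?:\.\d+){3})", fwd)
    return cfg

def audit(cfg):
    """Findings in the order the thread worked through them."""
    findings = []
    level = int(cfg.get("dwLogLevel", "0"), 16)
    if level:
        on = [n for bit, n in LOG_BITS.items() if level & bit]
        findings.append(f"debug packet logging ON (dwLogLevel=0x{level:X}: {', '.join(on)}); "
                        "clear 'Log packets for debugging' on a busy server")
    if cfg.get("fNoRecursion") == "1":
        findings.append("recursion disabled: external names resolve only via forwarders")
    if cfg.get("fSlave") == "1":
        findings.append("'Do not use recursion' set: no root-hint fallback when forwarders fail")
    if not cfg["forwarders"]:
        findings.append("no forwarders configured: server recurses from root hints")
    return findings
```

Run it over real output with `audit(parse_info(open("info.txt").read()))`; on the posted configuration the only finding is the debug logging, which matches the diagnosis above.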
Patty S - 08 Sep 2006 20:38 GMT

I just turned on debugging yesterday.
>> I replaced the domain names with xxxxxxxx
>
[quoted text clipped - 8 lines]
> queries a second in normal read only mode, until it has to write a log. If
> it has to log these queries, it can cause DNS to stop responding.

markSD - 29 Sep 2006 19:40 GMT

Hi Patty and Kevin, I came across your posts and am having the same exact problem! I cannot find any answers. Was this ever resolved?
> I just turned on debugging yesterday.
>
>> I replaced the domain names with xxxxxxxx
[quoted text clipped - 9 lines]
> > queries a second in normal read only mode, until it has to write a log. If
> > it has to log these queries, it can cause DNS to stop responding.

Patty S. - 29 Sep 2006 20:14 GMT

The problem hasn't occurred again. But at times, we could go three weeks without it happening.
So here are the steps we took...
On 9/7/06, I updated the root hints.
9/8/06 am - failed.
9/8/06 pm - added a third forwarder that wasn't their isp, it was our dns server at a co-location; ran "dnscmd Server Name /Config /EnableEDnsProbes 0" on each server (it previously had been run on one out of two servers); increased max length on the pix to 1500.
I hope this helps someone else.
If it fails again, I will post an update.
> Hi Patty and Kevin,
> I came across your posts and am having the same exact problem! I cannot
[quoted text clipped - 17 lines]
>> > If
>> > it has to log these queries, it can cause DNS to stop responding.