Server 2008R2 DNS problems

I run a Server 2008R2 AD/DNS/DHCP at home for learning purposes and for some websites I need to use DNS forwarders as opposed to just using the root hints. Is there a reason for this and how might I figure out what's causing the underlying problem? I have a few websites that won't load, NSLOOKUP just times out at my DNS servers until I put forwarders in there and it resolves them just fine. Any ideas?
 
Just for giggles, hit those sites from another machine. Ping them a few times, see what IP or IPs come back. See if you can then ping those IPs from your 2008R2 machine. (To sort out if it is a traffic or DNS issue)
 
Turn on debug logging and also make sure your root servers are up to date.
 
Why are you not just setting your forwarders to Google and OpenDNS? Using root hints is the slowest way I can think of to use DNS.
 
Maybe he doesn't want to whore out his usage patterns.

Waiting 1-2s when resolving a record for the first time is not a big deal.

The authoritative source for root hints is the file named.root in ftp://ftp.internic.net/domain/
 
Why are you not just setting your forwarders to Google and OpenDNS? Using root hints is the slowest way I can think of to use DNS.
Ehh

I'm not going to post all of them, but here are a few. NTT was fastest on everything but cached lookups, so I would probably set them as my forwarder. But these are the most relevant to this discussion. But really we're talking a few hundredths of a second. My box also runs off OpenNIC, so it could be faster off the typical root servers too; I've not compared. I set it up and never had a reason to change it.

Code:
local bind server  |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  + Cached Name   | 0.000 | 0.000 | 0.001 | 0.000 | 100.0 |
  + Uncached Name | 0.021 | 0.070 | 0.254 | 0.062 | 100.0 |
  + DotCom Lookup | 0.024 | 0.061 | 0.124 | 0.029 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+

  129.250. 35.250 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.017 | 0.021 | 0.026 | 0.002 | 100.0 |
  - Uncached Name | 0.018 | 0.061 | 0.255 | 0.065 | 100.0 |
  - DotCom Lookup | 0.019 | 0.026 | 0.055 | 0.007 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
                    x.ns.gin.ntt.net
   68. 10. 16. 25 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.011 | 0.018 | 0.041 | 0.006 |  96.0 |
  - Uncached Name | 0.020 | 0.060 | 0.274 | 0.064 | 100.0 |
  - DotCom Lookup | 0.021 | 0.053 | 0.205 | 0.041 |  97.9 |
  ---<-------->---+-------+-------+-------+-------+-------+
                     ns2.hr.cox.net
   68. 10. 16. 30 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.012 | 0.018 | 0.030 | 0.003 | 100.0 |
  - Uncached Name | 0.022 | 0.061 | 0.251 | 0.060 |  98.0 |
  - DotCom Lookup | 0.021 | 0.047 | 0.115 | 0.031 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
                     ns1.hr.cox.net
  208. 67.222.220 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.017 | 0.022 | 0.030 | 0.003 | 100.0 |
  - Uncached Name | 0.018 | 0.077 | 0.527 | 0.091 | 100.0 |
  - DotCom Lookup | 0.019 | 0.064 | 0.124 | 0.036 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
                  resolver3.opendns.com
    8.  8.  4.  4 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
  ----------------+-------+-------+-------+-------+-------+
  - Cached Name   | 0.027 | 0.030 | 0.037 | 0.002 | 100.0 |
  - Uncached Name | 0.029 | 0.084 | 0.300 | 0.072 | 100.0 |
  - DotCom Lookup | 0.041 | 0.072 | 0.130 | 0.029 | 100.0 |
  ---<-------->---+-------+-------+-------+-------+-------+
             google-public-dns-b.google.com

https://www.grc.com/dns/Benchmark.htm
 
Why are you not just setting your forwarders to Google and OpenDNS? Using root hints is the slowest way I can think of to use DNS.

There's nothing wrong or slow about using a local recursive server. The server reads the roots and remembers TLDs with TTLs. Saying that it's slower (outside of the first lookup for the TLD) simply isn't true.

Also, local recursives can sometimes have better geographic resolution than anycasted services.
 
There's nothing wrong or slow about using a local recursive server. The server reads the roots and remembers TLDs with TTLs. Saying that it's slower (outside of the first lookup for the TLD) simply isn't true.

Also, local recursives can sometimes have better geographic resolution than anycasted services.

If you're using the same sites regularly, yes, root hints can work fine. Or assuming you never scavenge DNS. But having the first page load take way longer every time is hardly a great solution. Forwarders exist for a reason after all. Don't use them if you don't want to, but don't be surprised when you get results like the OP's.
 
If you're using the same sites regularly, yes, root hints can work fine. Or assuming you never scavenge DNS. But having the first page load take way longer every time is hardly a great solution. Forwarders exist for a reason after all. Don't use them if you don't want to, but don't be surprised when you get results like the OP's.

That's plain FUD. The OP's problem has nothing to do with running a local resolver at all. What do you think forwarders are other than the same resolvers?

Also, a lookup takes the longest if you have to crawl all the way from the root servers to the target. The largest TLDs have TTLs of one to several days. The root zone has a TTL of 6 days. Once you have those cached (the root zone is permanently cached via the hints file), fetching unknown records in that TLD is nothing more than directly asking the domain's nameservers - which even for EU<->USA traffic is nothing more than maybe 200ms waiting time.

The more often you request a record, the less likely you are to experience a slowdown. The benefits of running your own resolver far outweigh relying on external resolvers. Those may have the desired records on hold more often, but you are relying on them to be properly maintained, not knowingly or unknowingly giving you false records and not using your access pattern for nefarious reasons. OpenDNS lies to you and Google markets the shit out of your requests.

Running your own resolver > using forwarders.

To the OP: Running a local resolver greatly benefits from having good and working IPv6 connectivity. Are you sure your resolver is not trying to reach some nameservers via IPv6 but doesn't have a working link?
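The triage steps suggested in this thread (ping the addresses an outside resolver returns, check whether the server can reach the roots itself, check the root hints against InterNIC's named.root, and the IPv6 question in the last reply), pulled together as an added PowerShell script; this is not from the thread or from any poster. It assumes PowerShell 2.0 on the 2008R2 DNS server itself, the DNS service answering on 127.0.0.1, root hints in %SystemRoot%\System32\dns\cache.dns, and placeholder site names in $Sites.

```powershell
# Constructed triage script (added here, not from the thread). Run in an elevated PowerShell 2.0
# session on the 2008R2 DNS server. Assumptions: DNS answers on 127.0.0.1, root hints live in
# %SystemRoot%\System32\dns\cache.dns, $Sites holds placeholder names, 8.8.4.4 is only an outside reference.
$Sites   = @('www.example.com', 'www.example.net')   # replace with the sites that fail
$ARoot   = '198.41.0.4'                              # a.root-servers.net, IPv4
$ARootV6 = '2001:503:ba3e::2:30'                     # a.root-servers.net, IPv6
$ipRe    = '\b\d{1,3}(\.\d{1,3}){3}\b'

function Ask-Dns([string]$Name, [string]$Server, [string]$Opts = '') {
    # Wrap nslookup with a short timeout so a hang shows up as TimedOut instead of a stall.
    $text = (cmd /c "nslookup -timeout=5 $Opts $Name $Server 2>&1") -join "`n"
    $ips  = [regex]::Matches($text, $ipRe) | ForEach-Object { $_.Value } |
            Where-Object { $_ -ne $Server } | Select-Object -Unique
    New-Object PSObject -Property @{ TimedOut = ($text -match 'timed out'); IPs = @($ips) }
}

foreach ($site in $Sites) {
    Write-Host "`n=== $site ==="
    # 1. Traffic or DNS?  Resolve through an outside resolver, then ping what it returned.
    $ref = Ask-Dns $site '8.8.4.4'
    foreach ($ip in $ref.IPs) {
        $ok = Test-Connection -ComputerName $ip -Count 2 -Quiet
        Write-Host ("  ping {0,-15} (from outside answer): {1}" -f $ip, $ok)
    }
    # 2. Does the local server answer, or time out the way the OP describes?
    $loc = Ask-Dns $site '127.0.0.1'
    Write-Host "  local server timed out: $($loc.TimedOut)   answers: $($loc.IPs -join ', ')"
}

# 3. Can this box do iterative lookups at all? A non-recursive NS query sent straight to a
#    root server that times out means UDP/53 to the roots is blocked or filtered, which makes
#    root hints useless while forwarders (pointing at a reachable resolver) still work.
$root = Ask-Dns 'com.' $ARoot '-norecurse -type=NS'
Write-Host "`nroot server answers on UDP/53: $(-not $root.TimedOut)"

# 4. Root hints current? Diff the IPv4 addresses in cache.dns against InterNIC's named.root.
$hints = (Get-Content "$env:SystemRoot\System32\dns\cache.dns") -join "`n"
$live  = (New-Object Net.WebClient).DownloadString('ftp://ftp.internic.net/domain/named.root')
$have  = @([regex]::Matches($hints, $ipRe) | ForEach-Object { $_.Value })
$want  = @([regex]::Matches($live,  $ipRe) | ForEach-Object { $_.Value })
$diff  = @(Compare-Object $have $want)
Write-Host "root hint addresses that differ from named.root: $($diff.Count)"
$diff | ForEach-Object { Write-Host ("  {0} {1}" -f $_.SideIndicator, $_.InputObject) }

# 5. IPv6: a global address but no working IPv6 path means the server may try nameservers'
#    IPv6 addresses and wait out timeouts before falling back, which looks like slow or failing DNS.
$v6 = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
      ForEach-Object { $_.IPAddress } | Where-Object { $_ -match ':' -and $_ -notmatch '^fe80' }
ping -6 -n 2 $ARootV6 | Out-Null
Write-Host "global IPv6 address(es): $($v6 -join ', ')   IPv6 path to a root: $($LASTEXITCODE -eq 0)"
```

Read the output top to bottom: pings succeeding while the local server times out points at resolution rather than connectivity, and a timeout in step 3 is the usual reason forwarders "fix" a root-hints setup.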
 