DNS for TLDs not working on SBS 2008 when using root hints

After about a day, you may find that your Windows Server 2008 DNS Server can no longer resolve names in some top-level domains (TLDs) such as .co.uk, .cn and .br when it is configured to use root hints; other TLDs can be affected as well. According to Microsoft (KB968372), a Network Monitor trace shows that the DNS Server sends no DNS traffic out to the internet for these queries at all: it simply returns SERVFAIL to the client (nslookup reports "Server failed"). I have not verified this with Network Monitor myself, but if you load it up and set up a trace as described in the MS KB you should be able to see the same symptom.
Workarounds include restarting the DNS Server service, clearing the DNS server cache, setting MaxCacheTtl to 2 days or greater, and using DNS forwarders instead of root hints.

This currently occurs on default SBS 2008 installs that have been configured to use root hints for DNS lookups. I have recently seen this behaviour myself on two different SBS 2008 installs.

If you want to keep using root hints, set the MaxCacheTtl registry value on the Windows Server 2008 DNS Server as follows. MaxCacheTtl is the ceiling on how long any record stays in the server's cache (the default is 1 day, 86400 seconds); raising it to 2 days does not keep a record past its own TTL, it only stops the server discarding records that are legitimately older than a day.
1. Start Registry Editor (Regedit.exe).
2. Locate the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
3. On the Edit menu, click New, click DWORD (32-bit) Value and add the following value:
Value: MaxCacheTtl
Data Type: DWORD
Data value: 0x2A300 (172800 in decimal = 2 days)
4. Click OK.
5. Quit Registry Editor.
6. Restart the DNS Server service (the registry value is only read when the service starts).

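The same change from an elevated PowerShell prompt, as an added example that is not part of the original post. It assumes you are running on the DNS server itself and that the DNS Server service is registered under its usual name, DNS; it creates the value as a REG_DWORD, restarts the service and reads the setting back so you can confirm what the server will actually use:

```powershell
# Added example, not from the original post. Sets MaxCacheTtl to 2 days
# (172800 seconds = 0x2A300) on the local Windows Server 2008 DNS Server,
# restarts the service so the new value is read, and prints it back.
# Assumes an elevated prompt on the DNS server; the service name is "DNS".
$key     = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$seconds = 2 * 24 * 60 * 60    # KB968372 recommends 2 days or greater

# MaxCacheTtl must be a REG_DWORD. New-ItemProperty without -PropertyType
# would store a REG_SZ string, which the DNS service does not read.
$existing = Get-ItemProperty -Path $key -Name MaxCacheTtl -ErrorAction SilentlyContinue
if ($existing -eq $null) {
    New-ItemProperty -Path $key -Name MaxCacheTtl -PropertyType DWord -Value $seconds | Out-Null
} else {
    Set-ItemProperty -Path $key -Name MaxCacheTtl -Value $seconds
}

# Equivalent without editing the registry yourself:
#   dnscmd /Config /MaxCacheTtl 172800
# The registry value is only read when the service starts.
Restart-Service -Name DNS -Force

# Read the setting back and show the service state.
$cfg = Get-ItemProperty -Path $key -Name MaxCacheTtl
'MaxCacheTtl = {0} seconds ({1} days); DNS service is {2}' -f $cfg.MaxCacheTtl, ($cfg.MaxCacheTtl / 86400), (Get-Service -Name DNS).Status
```

Restarting the DNS Server service drops the whole cache, so clients will see a short burst of slower lookups immediately afterwards; run it outside working hours if you can.
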
Another way around the issue, and the one I personally prefer, is to use forwarders instead of root hints:

1. Open DNS under Administrative Tools from the SBS server's Start menu.
2. Right-click the server name and select Properties.

(Screenshot: dns-console1)

3. Go to the Forwarders tab and click the Edit button.
4. Enter your ISP's primary DNS server address (mine was BT, so I used 194.72.0.98) and click OK.
5. The forwarders list will then attempt to resolve the FQDN for that IP automatically. (You can probably also enter your router's IP address as a forwarder, which makes the SBS server send its queries to the router instead.) Bear in mind that whichever resolver you forward to now answers every external lookup your server makes, so choose one you have a reason to trust.

(Screenshot: dns-console-properties)

6. Click OK to close the Properties window, then close the DNS console.
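
Setting the same forwarder from PowerShell through the MicrosoftDNS WMI provider, as an added example that is not from the original post. It assumes the script runs elevated on the SBS server and that 194.72.0.98, the BT resolver used above, is the address you want; substitute your own ISP's resolvers. It also leaves "Use root hints if no forwarders are available" switched on (IsSlave = $false), so name resolution survives a forwarder outage, with the caveat that the root-hints symptom described above can then reappear while the forwarders are down:

```powershell
# Added example, not from the original post. Configures DNS forwarders on the
# local Windows Server 2008 DNS Server via the MicrosoftDNS WMI provider and
# prints the setting before and after. Run elevated on the DNS server.
$forwarders = @('194.72.0.98')   # assumption: your ISP's resolver(s); replace as needed

function Get-DnsForwarders {
    # MicrosoftDNS_Server has exactly one instance: the local server.
    $srv = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server
    if ($srv.Forwarders) { return ($srv.Forwarders -join ', ') }
    return '<none: root hints in use>'
}

'Before: ' + (Get-DnsForwarders)

$server = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Server
$server.Forwarders = $forwarders
# IsSlave = $false keeps "Use root hints if no forwarders are available" enabled.
# Set it to $true if you never want this server to recurse on its own.
$server.IsSlave = $false
$server.Put() | Out-Null   # commits the change to the running service

'After:  ' + (Get-DnsForwarders)
```

The WMI route does not need a service restart; the forwarders take effect as soon as Put() returns, which you can confirm by re-opening the Forwarders tab in the DNS console.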


DNS lookups for the affected TLDs should now work again. If not, stop and start the DNS Server service, or reboot the server.
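
A quick check a practitioner will want after either change, added here as an example and not part of the original post: query the local DNS Server for a name in each of the TLDs mentioned above, and if any come back SERVFAIL, clear the server cache with dnscmd /ClearCache and retest, restarting the service only if that does not help. The test names are assumptions (any name with a public A record in those TLDs will do), and nslookup is used because Resolve-DnsName does not exist on Server 2008:

```powershell
# Added example, not from the original post. Detects the root-hints SERVFAIL
# symptom on the local DNS Server and recovers from it. Assumptions: runs on
# the DNS server, nslookup.exe and dnscmd.exe are on the PATH, and the test
# names below have public A records.
$dnsServer = '127.0.0.1'
$testNames = @('www.bbc.co.uk', 'www.baidu.cn', 'www.globo.com.br', 'www.microsoft.com')

function Test-Resolution([string]$name, [string]$server) {
    # Ask the named server directly; classify the nslookup output.
    $out = & nslookup.exe $name $server 2>&1 | Out-String
    if ($out -match 'Server failed') { return 'SERVFAIL' }   # the symptom from the post
    if ($out -match 'timed-out')     { return 'TIMEOUT' }
    if ($out -match 'can''t find')   { return 'NXDOMAIN' }
    return 'OK'
}

function Get-FailedNames($names, $server) {
    # Only SERVFAIL indicates the cache problem; NXDOMAIN/timeout are other faults.
    $names | Where-Object { (Test-Resolution $_ $server) -eq 'SERVFAIL' }
}

$failed = @(Get-FailedNames $testNames $dnsServer)
if ($failed.Count -eq 0) {
    "All test names resolve via $dnsServer"
} else {
    "SERVFAIL for: $($failed -join ', ') - clearing the DNS server cache"
    & dnscmd.exe /ClearCache | Out-Null

    $still = @(Get-FailedNames $failed $dnsServer)
    if ($still.Count -eq 0) {
        'Resolution restored after clearing the cache'
    } else {
        "Still failing after cache clear: $($still -join ', ') - restarting the DNS service"
        Restart-Service -Name DNS -Force
    }
}
```

Saved as a script (say C:\Scripts\Check-DnsTlds.ps1, an assumed path) it can run from a daily scheduled task as SYSTEM, for example with schtasks /Create /SC DAILY /ST 06:00 /RU SYSTEM /TN "Check-DnsTlds" /TR "powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\Check-DnsTlds.ps1", which automates the cache-clearing workaround without blindly flushing a healthy cache every day.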

12 Comments

  1. Extremely nice to know I’m not alone, but did you ever find a *solution*? These workarounds don’t help me. Having to monitor when the issue occurs so I can restart DNS is not an option. Using forwarders isn’t either because we use 2 internet lines, from different ISPs, and fail over and load balance on them. I thus cannot use the ISPs as the SBS server does not know which ISP’s line it will be using. Public DNS servers frequently have issues with RBLs, which we use heavily, so it kind of ends there.

    The root hints always worked like this on 2003 servers. What’s more disturbing is that it doesn’t go away once it occurs either. You actually need to restart the damned thing.

    Since this issue is a year old, that doesn’t seem very promising either… We have all updates installed.

  2. Hi Ferry,

    Sorry to hear you are also having this issue. I haven’t worked with SBS 2008 in over a year now, so haven’t really been able to monitor the situation. Did you ever try to change your MaxCacheTTL value in registry? Setting it to 5 days may work better for you. I found Microsoft’s response (KB968372) to this situation, which is obviously the “official” solution at this stage – they also recommend adjusting the MaxCacheTTL value…

    I also found a post that said using a setting of 4 days worked best for them. Here is the quote (source):

    The fix is to increase the maximum Time To Live (TTL) setting in the DNS server so that it recognises records older than 1 day. Experience has shown that setting the value to 4 days is usually enough, but the maximum setting is 30 days.

  3. I’ve also run into this problem using Windows Server 2008 and Windows Server 2008 R2. You normally just need to clear the DNS cache to get the DNS server to resolve TLDs again.

    I “resolved” this problem by creating a scheduled task to clear the DNS cache every day.

  4. Thanks for the comment Xavier. How exactly did you get the DNS cache to clear via a scheduled task? I’d be interested to know the solution you used.

    Cheers,
    Sean

  5. Sorry for the slow response Sean.

    I found a permanent fix for our DNS problem. Here’s a link to the Microsoft KB:
    http://support.microsoft.com/kb/968372

    I cleared the DNS cache using a VBScript:

    ' Clears the DNS server cache through the MicrosoftDNS WMI provider
    strComputer = "COMPUTERNAME"   ' use "." for the local machine
    Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\MicrosoftDNS")
    Set colItems = objWMIService.ExecQuery("Select * From MicrosoftDNS_Cache")
    For Each objItem in colItems
        objItem.ClearCache()
    Next

  6. LOL Sean – I think I made you aware of this issue a few years back and just had this problem again today on an SBS 2011 server. And as I have not worked on SBS for a few years I forgot all about this issue. Good thing you made a tech article and Google took me straight to your site. Nice one dude 😉

  7. Thanks for the post. While the registry edit that the MS KB provides does fix the issue, I am still looking for a reason why this is occurring on some systems and not others. Has anyone found the actual cause of this issue?

  8. Hi JorgeM,

    I have not found the actual cause myself. If I find myself dealing with an edition of SBS again in the future that still has this issue I will most certainly try to dissect it and figure it out. What version / edition of SBS are you running out of curiosity? I am interested to know if this is still an issue on later versions (after SBS 2008).

    Sean

  9. Hi Sean. As they said in the movie Apollo 13, “You sir, are a steely eyed missile man”. Thank you so much for this DNS fix. I was pulling my hair out for days because this problem was causing outgoing email to get stuck in my Exchange server’s outgoing queue for up to a day for some domains because the Windows Server 2008 DNS service would refuse to resolve those names. Sheesh! Didn’t have this problem with Windows Server 2003!

  10. Haha, great quote! The highest of compliments from NASA. Not so sure I deserve all the credit as I am just passing on the fix and my experiences in this post, but thank you none the less kind sir!
