By default, DNS queries are done over UDP. UDP is stateless - and therefore
there is no automatic reverse allow created by firewalls. So what's
happening is that you're probably failing the UDP request because the
response can't come back in to the DNS server, at which point your DNS
servers fail over to TCP and more often than not are able to complete the
lookups.

Now - I also know some people block all TCP traffic to their DNS servers so
if your DNS servers can't do UDP, you can't resolve from their servers.

--------
Roger Seielstad
E-mail Geek & MS-MVP  
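An added illustration of the UDP-first, TCP-fallback behaviour Roger describes (example code, not from the thread or from any of its posters). It builds a raw DNS query, sends it over UDP/53, and retries over TCP/53 when no UDP reply comes back or the reply has the TC bit set; the transports are passed in as callables so the fallback logic can be exercised offline with constructed replies. The server address, hostname and the `diagnose` helper are assumed inputs, not anything from the list.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """DNS A query in wire format (RFC 1035 header + question), recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def is_truncated(resp):
    """TC bit (0x0200) in the flags word: the answer did not fit in UDP, retry over TCP."""
    return bool(struct.unpack("!H", resp[2:4])[0] & 0x0200)

def query_udp(server, packet, timeout=2.0):
    """One UDP/53 exchange. If the reply never gets back in through the firewall,
    recv() times out and an OSError propagates, which is the symptom in the thread."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recv(4096)

def query_tcp(server, packet, timeout=5.0):
    """Same query over TCP/53; DNS-over-TCP prefixes each message with a 2-byte length."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(packet)) + packet)
        (length,) = struct.unpack("!H", s.recv(2))
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                raise OSError("peer closed before full TCP reply")
            data += chunk
        return data

def resolve_with_fallback(packet, udp, tcp):
    """Try UDP first and fall back to TCP when UDP gets no reply or a truncated one.
    Returns (transport_used, response) so a diagnostic can show which path worked."""
    try:
        resp = udp(packet)
        if not is_truncated(resp):
            return "udp", resp
        reason = "truncated"
    except OSError:
        reason = "no-udp-reply"
    return "tcp:" + reason, tcp(packet)

def diagnose(server, name):
    """Hypothetical helper: run the fallback against a real server (IP string, hostname)."""
    return resolve_with_fallback(build_query(name), lambda p: query_udp(server, p),
                                 lambda p: query_tcp(server, p))
```

A result of `tcp:no-udp-reply` from `diagnose` is the pattern described above: UDP replies are being dropped on the way back in while TCP, which the firewall tracks, still completes.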

> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Rimmerman, Russ
> Sent: Wednesday, November 17, 2004 5:53 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
> 
> 
> Our Win2k DNS servers are on our internal network.  I have a 
> rule allowing 53 tcp and 53 udp outbound to the Internet.  I don't have any 
> other rules for DNS.  Why do I need to create an inbound 
> rule?  Aren't the DNS servers doing all the lookups outbound? 
> What would initiate a connection inbound to our DNS servers 
> from the outside? 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Roger Seielstad
> Sent: Tuesday, November 16, 2004 11:32 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
> 
> TCP shouldn't be an issue - since most firewalls will do some 
> sort of state management for those connects.
> 
> My money's on the fact there ISN'T an inbound firewall rule allowing
> UDP/53 to his DNS servers and tangential to that the fact that 
> there is no static NAT enabled for the DNS servers internally.
> 
> In other words, create a static NAT rule for the DNS servers 
> with root hints enabled, and enable UDP/53 inbound to those 
> hosts. DNS starts working again
> - this time consistently.
> 
> The reason for inconsistency is most likely caused by the 
> fact some resolutions will fall over to TCP, due to response 
> size and some less regular occurrences.
> 
> --------
> Roger Seielstad
> E-mail Geek & MS-MVP  
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> > Sent: Tuesday, November 16, 2004 7:41 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DNS Issues
> > 
> > TCP or UDP through the firewall?
> > 
> > What have you done to troubleshoot?  Logs?  ?? 
> > 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, 
> > Russ
> > Sent: Tuesday, November 16, 2004 8:58 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DNS Issues
> > 
> > Yes, all DNS is working fine except for some rare instances of 
> > hostnames we've run into.  Last week we couldn't get to ftp.nai.com 
> > but now we can.
> > All our workstations are pointed to our child DCs for DNS.  
> > They are set to forward to our empty root DCs, and the 
> > empty root DCs have the root-hints, and the firewall allows them out port 53.
> > 
> > ________________________________
> > 
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Robert 
> > Rutherford
> > Sent: Tuesday, November 16, 2004 7:53 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] DNS Issues
> > 
> > 
> > 
> > I'd advise using forwarding for the functions you require.
> > 
> >  
> > 
> > It may seem stupid... but I take it the DNS server/s have 
> > appropriate rules in your firewall/s?
> > 
> >  
> > 
> > ________________________________
> > 
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, 
> > Russ
> > Sent: 16 November 2004 13:48
> > To: [EMAIL PROTECTED]
> > Subject: [ActiveDir] DNS Issues
> > 
> >  
> > 
> > Since changing our DNS design from forwarding to our old firewall 
> > which had root-hints built into it, to forwarding our DNS 
> > to our empty forest root domain controllers with the root-hints on them, 
> > we are not getting all our DNS lookups.
> > 
> >  
> > 
> > For example, http://www.volksbanksalzburg.at right now is not 
> > resolving for us.  Yet if we RDP into one of our home PCs, 
> > it resolves fine.  So my question is, is there anything weird about 
> > Windows 2000 root-hints or DNS servers that would cause us to not be 
> > able to look up some hostnames properly in DNS?
> > Or what would cause this issue?
> > 
> > 
> > List info   : http://www.activedir.org/mail_list.htm
> > List FAQ    : http://www.activedir.org/list_faq.htm
> > List archive: 
> > http://www.mail-archive.com/activedir%40mail.activedir.org/
