In my experience, I only witnessed & reproduced the issue versus Windows 2008 R2 servers. And they will resolve 99.999% of all queries, just a select few that present a problem. So far, none of the problem domain queries have been business-related.
On Wed, Dec 15, 2010 at 12:12 PM, Kennedy, Jim <kennedy...@elyriaschools.org > wrote: > Your results do indicate the EDNS issue. It is universal…it kills all > 2008 servers that I have seen using DNS. As for the 2K3 server, who is it’s > forwarder? I will bet it’s a 2K8 server. > > > > *From:* m b [mailto:midphan12...@gmail.com] > *Sent:* Wednesday, December 15, 2010 12:13 PM > > *To:* NT System Admin Issues > *Subject:* Re: 2K8R2 DNS anomaly > > > > This becomes more interesting. ORCA has set up a reply-size test server ( > https://www.dns-oarc.net/oarc/services/replysizetest). The results look > backwards to me, but follow the pattern of success/failure. An indication > that this does have to do with UDP packet size. > > > > I'm hesitant to start applying the workaround & turning off EDNS > capability. Contacting firewall team for their input. > > > > > > C:\Documents and Settings\me>nslookup -type=txt rs.dns-oarc.net. (our 2K8 > server) > > Server: (our 2K8 server) > > Address: (our 2K8 server) > > DNS request timed out. > timeout was 2 seconds. > *** Request to (our 2K8 server) timed-out > > > > C:\Documents and Settings\me>nslookup -type=txt rs.dns-oarc.net. (our 2k3 > server) > > Server: (our 2k3 server) > > Address: (our 2k3 server) > > DNS request timed out. > timeout was 2 seconds. > *** Request to (our 2k3 server) timed-out > > > > C:\Documents and Settings\me>nslookup -type=txt rs.dns-oarc.net. (our > 2k8r2 server) > > Server: (our 2k8r2 server) > > Address: (our 2k8r2 server) > > Non-authoritative answer: > rs.dns-oarc.net canonical name = rst.x3827.rs.dns-oarc.net > rst.x3827.rs.dns-oarc.net canonical name = > rst.x3837.x3827.rs.dns-oarc.net > > rst.x3837.x3827.rs.dns-oarc.net canonical name = > rst.x3843.x3837.x3827.rs.dns-oa > rc.net > rst.x3843.x3837.x3827.rs.dns-oarc.net text = > > "(our 2k8r2 server) DNS reply size limit is at least 3843" > rst.x3843.x3837.x3827.rs.dns-oarc.net text = > > "(our 2k8r2 server) sent EDNS buffer size 4000" > rst.x3843.x3837.x3827.rs.dns-oarc.net text = > > "Tested at 2010-12-15 16:55:15 UTC" > > > > > > > On Wed, Dec 15, 2010 at 10:23 AM, VIPCS <vi...@stny.rr.com> wrote: > > Jeffrey just tried an nslookup query (results below) on two WS2K8 servers > (one is R2) on two different networks and both resolved (both are DCs with > DNS installed): > > > > Non-authoritative answer: > > Name: www.insead.edu > > Address: 213.182.38.52 > > > > Is it possible an upstream DNS forwarder is blocking access? > > > > Sincerely, > > > > Jeffrey and Mary Jane Harris > > VIPCS > > > ------------------------------ > > *From:* m b [mailto:midphan12...@gmail.com] > *Sent:* Wednesday, December 15, 2010 11:15 AM > > > *To:* NT System Admin Issues > *Subject:* 2K8R2 DNS anomaly > > > > Within our forest, all domain controllers are DNS servers. We've been > working to upgrade from 2K3 to 2K8. Most of those that are upgraded are > 2K8R2, while a few are just 2K8. > > > > I have heard some reports from users that they were unable to access > certain websites that they were able to access from home. Today's example > is www.insead.edu. > > > > When I do an nslookup against any of our 2K8R2 DNS servers, the lookup > fails to resolve. If I do that same lookup against any 2K3 or 2K8 DNS > server, it is successful. > > > > I'm not seeing any common event log errors/warnings among the 2K8R2 DNS > servers. My only hunch is root hints. Anyone experienced something > similar? > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin > > > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin > > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ > > --- > To manage subscriptions click here: > http://lyris.sunbelt-software.com/read/my_forums/ > or send an email to listmana...@lyris.sunbeltsoftware.com > with the body: unsubscribe ntsysadmin > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~ --- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to listmana...@lyris.sunbeltsoftware.com with the body: unsubscribe ntsysadmin