The problem:
Lately I've noticed Chrome on my desktop stalling when it loads a new website, saying it's resolving the domain-name. Eventually it resolved, but it feels like DNS requests take up to 5 seconds to succeed, which isn't right.
The Set-up:
Windows Server 2012 R2 Active Directory domain controller.
- IPv4 address: 172.16.1.10 (name: server.my.ad.domain)
- Windows DNS Server is configured to use only Google's 8.8.8.8 and 8.8.4.4 as the only Forwarders.
- It is also configured to use Root hints if no forwarders are available.
- dcdiag passes all tests.
Windows 10 desktop computer, member of the domain.
- Name: desktop.my.ad.domain
- Network settings:
  - Bluetooth PAN: Disabled ("Not connected")
  - Ethernet: Connected (Domain network profile)
  - DHCP enabled.
  - Using only 172.16.1.10 as its DNS server.
nslookup Output:
I ran this from my desktop - I was surprised to see timeout errors but for the name to resolve eventually without needing a second invocation of nslookup:
C:\>nslookup stackoverflow.com
Server: server.my.ad.domain
Address: 172.16.1.10
DNS request timed out.
timeout was 2 seconds.
Non-authoritative answer:
DNS request timed out.
timeout was 2 seconds.
Name: stackoverflow.com
Addresses: 151.101.65.69
151.101.1.69
151.101.129.69
151.101.193.69
I can't seem to reliably reproduce the issue - even after running ipconfig /flushdns on both my desktop and the server, and removing the cached items from the Windows DNS Server's cache.
I tried again just now with nslookup and set debug and I got this:
> openra.net
Server: server.my.ad.domain
Address: 172.16.1.10
------------
Got answer:
HEADER:
opcode = QUERY, id = 16, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
openra.net.my.ad.domain, type = A, class = IN
AUTHORITY RECORDS:
-> my.ad.domain
ttl = 3600 (1 hour)
primary name server = server.my.ad.domain
responsible mail addr = hostmaster.my.ad.domain
serial = 8384
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 17, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
openra.net.my.ad.domain, type = AAAA, class = IN
AUTHORITY RECORDS:
-> my.ad.domain
ttl = 3600 (1 hour)
primary name server = server.my.ad.domain
responsible mail addr = hostmaster.my.ad.domain
serial = 8384
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 18, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
openra.net.ad.domain, type = A, class = IN
AUTHORITY RECORDS:
-> ad.domain
ttl = 298 (4 mins 58 secs)
primary name server = ns1.bdm.microsoftonline.com
responsible mail addr = azuredns-hostmaster.microsoft.com
serial = 1
refresh = 3600 (1 hour)
retry = 300 (5 mins)
expire = 2419200 (28 days)
default TTL = 300 (5 mins)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 19, rcode = NXDOMAIN
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
openra.net.ad.domain, type = AAAA, class = IN
AUTHORITY RECORDS:
-> ad.domain
ttl = 298 (4 mins 58 secs)
primary name server = ns1.bdm.microsoftonline.com
responsible mail addr = azuredns-hostmaster.microsoft.com
serial = 1
refresh = 3600 (1 hour)
retry = 300 (5 mins)
expire = 2419200 (28 days)
default TTL = 300 (5 mins)
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 20, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
openra.net, type = A, class = IN
ANSWERS:
-> openra.net
internet address = 194.63.248.52
ttl = 3599 (59 mins 59 secs)
------------
Non-authoritative answer:
DNS request timed out.
timeout was 2 seconds.
timeout (2 secs)
Name: openra.net
Address: 194.63.248.52
>
Unfortunately it still doesn't tell me exactly what timed-out...
Your local DNS server is resolving the recursive DNS query without any issue, but it's taking a little more time than expected. This can have many reasons. Check:
- Network connectivity from your desktop to the local DNS server. Most probably it should be > 2 ms when you ping from the desktop to the local DNS server.
- Network connectivity from the local DNS server to the internet, or connectivity from the local DNS server to the DNS forwarders' IPs, whichever is configured on the servers.
While checking the above connectivity, if you find any latency in the network then try to optimise the connectivity issue.