I'm having quite a weird issue. Had mail delivery issues to a specific domain. After looking closer, I realized that the DNS for that domain isn't resolving via the in-house Windows 2003 SP2 DNS server.
C:\>nslookup foodmix.net
Server: DC.DOMAIN.com
Address: 10.1.1.1
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to DC.DOMAIN.com timed-out
(DC.DOMAIN.com and 10.1.1.1 are generic values to replace the actual ones)
Even if I run this nslookup from the DC.DOMAIN.com server, I get the same result. However, all other requests are working as they should. I had a sysadmin friend try this DNS lookup on servers at several companies that he consults for (which are also Windows 2003 AD servers). The weird thing is some of these were having the same exact issue. However using public DNS servers work. I have tried clearing the DNS cache, restarting the server, restarting the services, etc. Nothing has worked.
One weird event I noticed in the DNS Server Event Logs that might be related is an event ID of 5504 with the following description:
The DNS server encountered an invalid domain name in a packet from 192.33.4.12. The packet will be rejected. The event data contains the DNS packet.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
In the data section below, I can see the following mentioned:
ns2.webhostingstar.com
Which happens to be the nameserver for the domain in question. Several discussion threads and a MS KB have pointed to disabling EDNS. I have done this via "dnscmd /config /enableednsprobes 0" and it has not fixed the issue.
More Info:
I've added a Wireshark excerpt (txt) which shows the DNS query. Just to clarify, the 2.0.0.0/22 network is the internal network (I didn't set it up, and it's stupid that it's set up this way). The internal DNS server is 2.0.0.10.
So as far as I can see, here's what's happening:
- The internal DNS server requests the A record for foodmix.net from its NS record (ns2.webhostingstar.com) and receives no response
- The internal DNS server sends another request under the same transaction ID. It requests the A record for foodmix.net from its other NS record (ns.webhostingstar.com) and receives no response
- The internal DNS server sends a request under a new transaction ID. It requests an A record for foodmix.net from the nameserver 192.31.80.30 (d.gtld-servers.net).
- It receives a response from 192.31.80.30 with no records, just listing the authoritative NS servers.
Ok, sorry to send you all on a goose chase. Ran a few more Wireshark sessions and realized that ns.webhostingstar.com and ns2.webhostingstar.com weren't sending any replies whatsoever. So I forced our DNS server to go out a different internet connection of ours and it worked. From what I can tell, the nameserver is blocking our requests coming from some of our IPs. I've contacted the people running the server and they're going to see if they can straighten it out on their end.
Update
After much testing, we realized the problem was that somehow traffic being sent to us from their network was being discarded. It turns out they had an outdated file from IANA somewhere that listed all the reserved networks, and they were blocking traffic to these networks. Our public IP addresses fell in one of these ranges, despite the fact that it had been allocated a while back; they were just using an outdated list.
Using the default root hints: if the IP/DNS information you are trying to use inside your Windows 2003 DNS infrastructure is the same as what the public internet uses, i.e. in your example "foodmix.net. 86399 IN A 204.x.y.z", then you shouldn't need to add a forwarder for the domain, so long as the domain foodmix.net is not used within the Active Directory forest itself.
Based on your Event log entries, I found http://support.microsoft.com/kb/920162 which states that the Windows 2003 DNS servers don't support the "DNAME" attribute.
So there are a couple of options, either install the hotfixes that are mentioned on the MS site, or work with your DNS provider/configuration and remove the DNAME record for the foodmix.net zone.
According to DavidB (http://blacka.com/david/2006/12/04/dns-dname-is-almost-useless/), DNAMEs are used to alias entire trees. This will likely be something along the lines of a @ foodmix.net record or *.foodmix.net.
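Since the event 5504 data in the question carries the rejected DNS packet and this answer points at KB 920162 (DNAME unsupported on Windows 2003 DNS), here is an added example, my own code and not from the question, the answers or Microsoft, that decodes a raw DNS packet and lists the record types it carries, flagging anything a Windows 2003 DNS server would reject. The sample response packet, the alias target name and the set of "unsupported" types are constructed assumptions for the demonstration; feed it the bytes from the event's data section to check a real packet.

```python
"""Decode a raw DNS packet and report record types, flagging DNAME (type 39).
Added example; the sample packet and the unsupported-type set are assumptions."""
import struct

# Record type numbers from the IANA DNS parameters registry.
RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
            16: "TXT", 28: "AAAA", 39: "DNAME", 41: "OPT"}

# Types a Windows Server 2003 DNS server rejects (KB 920162 covers DNAME).
# Assumption for this check: only DNAME is listed; extend as needed.
UNSUPPORTED_BY_WIN2003 = {39}


def read_name(data, offset):
    """Decode a possibly compressed domain name; return (name, next_offset)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = data[offset]
        if length == 0:                      # root label terminates the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # resume after the pointer, once
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels) + ".", (end if jumped else offset)


def read_rr(data, offset):
    """Decode one resource record from the answer/authority/additional sections."""
    name, offset = read_name(data, offset)
    rtype, _rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
    offset += 10
    rdata = data[offset:offset + rdlength]
    if rtype in (2, 5, 12, 39):              # name-valued types may be compressed
        target, _ = read_name(data, offset)
    elif rtype == 1 and rdlength == 4:
        target = ".".join(str(b) for b in rdata)
    else:
        target = rdata.hex()
    return {"name": name, "type": rtype, "type_name": RR_TYPES.get(rtype, f"TYPE{rtype}"),
            "ttl": ttl, "rdata": target}, offset + rdlength


def parse_dns_packet(data):
    """Parse header, question and all record sections of a DNS packet."""
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions, records = 12, [], []
    for _ in range(qd):
        qname, offset = read_name(data, offset)
        qtype = struct.unpack("!H", data[offset:offset + 2])[0]
        questions.append({"name": qname, "type": qtype})
        offset += 4                          # skip QTYPE and QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            rr, offset = read_rr(data, offset)
            rr["section"] = section
            records.append(rr)
    return {"id": tid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "records": records}


def unsupported_records(packet):
    """Records a Windows 2003 DNS server would log as invalid (event 5504)."""
    return [r for r in packet["records"] if r["type"] in UNSUPPORTED_BY_WIN2003]


def encode_name(name):
    """Wire-encode a domain name without compression."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_sample_response():
    """Constructed reply to 'foodmix.net A?': a DNAME answer plus an NS record
    in the authority section, both owner names compressed to offset 12 (0xC00C)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 1, 0)   # QR, RD, RA set
    question = encode_name("foodmix.net") + struct.pack("!HH", 1, 1)
    dname_rdata = encode_name("example-alias.test")                # assumed target
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 39, 1, 3600, len(dname_rdata)) + dname_rdata
    ns_rdata = encode_name("ns2.webhostingstar.com")
    authority = b"\xC0\x0C" + struct.pack("!HHIH", 2, 1, 86400, len(ns_rdata)) + ns_rdata
    return header + question + answer + authority


if __name__ == "__main__":
    pkt = parse_dns_packet(build_sample_response())
    for r in pkt["records"]:
        print(f"{r['section']:<10} {r['name']} {r['type_name']} -> {r['rdata']}")
    for r in unsupported_records(pkt):
        print("rejected by Windows 2003 DNS:", r["type_name"], "at", r["name"])
```

Running it prints the DNAME and NS records and then flags the DNAME; on a real event 5504 payload, pass the raw bytes from the data section to parse_dns_packet and compare the listed types against the record types your DNS server version supports.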
Download the BIND DNS server package from ISC: BIND 9.9.1-P1. Run BIND-Install.exe and do a tools-only install (uncheck the other boxes). This will let you use dig instead of nslookup. If you run
dig +trace foodmix.net
you will likely be able to glean what is going on.