I have an Active Directory Windows 2012 (R2 Standard, 6.3.9600) server that has been working for years with no issues. All of a sudden, I have the following failure mode. It should be obvious from the evidence below that the networking infrastructure -- packets, routing, firewall -- is not the problem. I've also tried restarting the DNS server several times, refreshing and reloading the zones, and sanity-checking them.
This is PowerShell on the server talking to its own physical network interface:
Server> Resolve-DNSName printer.example.com -Server 10.1.1.1 -DNSOnly -Type A
Resolve-DNSName : printer.example.com : This operation returned because the timeout period expired
At line:1 char:1
+ Resolve-DNSName printer.example.com -Server 10.1.1.1 -DNSOnly -Type A
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationTimeout: (printer.example.com:String) [Resolve-DnsName], Win32Exception
+ FullyQualifiedErrorId : ERROR_TIMEOUT,Microsoft.DnsClient.Commands.ResolveDnsName
What makes no sense is that when the request is initiated from anywhere else on the LAN or over the VPN, that exact query works fine.
Further, if we switch to type ALL it also works fine (MX records are good too, for 'example.com'):
Server> Resolve-DNSName printer.example.com -Server 10.1.1.1 -DNSOnly -Type ALL
Name Type TTL Section IPAddress
---- ---- --- ------- ---------
printer.example.com A 3600 Answer 10.1.1.202
And finally, switching to querying at localhost also works fine:
Server> Resolve-DNSName printer.example.com -Server 127.0.0.1 -DNSOnly -Type A
Name Type TTL Section IPAddress
---- ---- --- ------- ---------
printer.example.com A 3600 Answer 10.1.1.202
DNS PACKET CAPTURE
Enabling packet debugging, I see the following, which I mostly don't understand:
4/30/2018 2:27:41 PM 1D30 PACKET 000000764976A220 UDP Rcv 10.1.1.1 81ea Q [0001 D NOERROR] A (15)printer(7)example(3)com(0)
4/30/2018 2:27:41 PM 1D30 PACKET 000000764976A220 UDP Snd 10.1.1.1 81ea R Q [8085 A DR NOERROR] A (15)printer(7)example(3)com(0)
4/30/2018 2:27:42 PM 1D30 PACKET 000000764ACB60A0 UDP Rcv 10.1.1.1 81ea Q [0001 D NOERROR] A (15)printer(7)example(3)com(0)
4/30/2018 2:27:42 PM 1D30 PACKET 000000764ACB60A0 UDP Snd 10.1.1.1 81ea R Q [8085 A DR NOERROR] A (15)printer(7)example(3)com(0)
4/30/2018 2:27:43 PM 1D30 PACKET 00000076482420A0 UDP Rcv 10.1.1.1 81ea Q [0001 D NOERROR] A (15)printer(7)example(3)com(0)
4/30/2018 2:27:43 PM 1D30 PACKET 00000076482420A0 UDP Snd 10.1.1.1 81ea R Q [8085 A DR NOERROR] A (15)printer(7)example(3)com(0)
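One way to read that debug log, as an added example that is not part of the original post: pair every received query (Rcv) with the response dns.exe sent (Snd) by DNS transaction ID. The six PACKET lines above show one XID (81ea) arriving three times, one second apart, and being answered three times; that is the stub resolver on the server retrying because none of the answers ever reached it. The function and parameter names below are my own, the sample lines are constructed from the log format shown in the post, and 10.1.1.1 as the server's own address is an assumption taken from the post.

```powershell
# Added example (not from the original post). Parses Windows DNS server debug-log
# PACKET lines, groups them by transaction ID, and reports whether dns.exe answered
# every query it received. Function names and the default address are assumptions.
function ConvertFrom-DnsDebugLog {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        # Addresses the DNS server itself owns. A query whose peer is one of these is
        # the "self query" pattern. 10.1.1.1 is the server address used in the post.
        [string[]] $ServerAddress = @('10.1.1.1')
    )
    # Line layout: <date> <time> <AM|PM> <thread> PACKET <ptr> <UDP|TCP> <Rcv|Snd> <peer> <xid> [R] Q [<hdr>] <qtype> <qname>
    $pattern = '^(?<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) \S+ PACKET \S+ (?<proto>UDP|TCP) ' +
               '(?<dir>Rcv|Snd) (?<peer>\S+) (?<xid>[0-9a-fA-F]{4}) (?:(?<resp>R) )?Q ' +
               '\[(?<hdr>[^\]]+)\] (?<qtype>\S+) (?<qname>\S+)\s*$'
    $byXid = [ordered]@{}
    foreach ($line in $Lines) {
        $m = [regex]::Match($line, $pattern)
        if (-not $m.Success) { continue }   # skip anything that is not a PACKET line
        $xid = $m.Groups['xid'].Value.ToLower()
        # Wire-format name "(7)printer(7)example(3)com(0)" -> "printer.example.com"
        $name = ($m.Groups['qname'].Value -replace '\(\d+\)', '.').Trim('.')
        if (-not $byXid.Contains($xid)) {
            $byXid[$xid] = [pscustomobject]@{
                Xid = $xid; Name = $name; Type = $m.Groups['qtype'].Value
                Peer = $m.Groups['peer'].Value; Proto = $m.Groups['proto'].Value
                Received = 0; Answered = 0; Rcode = $null; SelfQuery = $false
            }
        }
        $rec = $byXid[$xid]
        switch ($m.Groups['dir'].Value) {
            'Rcv' { $rec.Received++ }
            'Snd' {
                $rec.Answered++
                # Header block is "<flags> <bits> <RCODE>", e.g. "8085 A DR NOERROR"
                $rec.Rcode = ($m.Groups['hdr'].Value -split ' ')[-1]
            }
        }
        $rec.SelfQuery = $ServerAddress -contains $rec.Peer
    }
    $byXid.Values
}

function Get-DnsSelfQueryVerdict {
    param([Parameter(Mandatory)] $Records)
    $records    = @($Records)
    $unanswered = @($records | Where-Object { $_.Answered -lt $_.Received })
    $selfXids   = @($records | Where-Object SelfQuery | ForEach-Object Xid)
    if ($unanswered.Count -eq 0) {
        $verdict = 'dns.exe answered every query it received. If the client still timed out, ' +
                   'the responses were dropped on the host after dns.exe sent them (host ' +
                   'firewall or anti-malware filter), not by the DNS service.'
    } else {
        $verdict = 'dns.exe received queries it never answered; look at the DNS service itself.'
    }
    [pscustomobject]@{
        Queries        = ($records | Measure-Object -Property Received -Sum).Sum
        Responses      = ($records | Measure-Object -Property Answered -Sum).Sum
        UnansweredXids = @($unanswered | ForEach-Object Xid)
        SelfQueryXids  = $selfXids
        Verdict        = $verdict
    }
}

# Constructed sample input: the six PACKET lines from the post (same XID three times,
# i.e. the stub resolver retrying) plus one non-PACKET line a real log would contain.
$sampleLog = @(
    '4/30/2018 2:27:41 PM 1D30 EVENT   The DNS server has started.',
    '4/30/2018 2:27:41 PM 1D30 PACKET 000000764976A220 UDP Rcv 10.1.1.1 81ea Q [0001 D NOERROR] A (15)printer(7)example(3)com(0)',
    '4/30/2018 2:27:41 PM 1D30 PACKET 000000764976A220 UDP Snd 10.1.1.1 81ea R Q [8085 A DR NOERROR] A (15)printer(7)example(3)com(0)',
    '4/30/2018 2:27:42 PM 1D30 PACKET 000000764ACB60A0 UDP Rcv 10.1.1.1 81ea Q [0001 D NOERROR] A (15)printer(7)example(3)com(0)',
    '4/30/2018 2:27:42 PM 1D30 PACKET 000000764ACB60A0 UDP Snd 10.1.1.1 81ea R Q [8085 A DR NOERROR] A (15)printer(7)example(3)com(0)',
    '4/30/2018 2:27:43 PM 1D30 PACKET 00000076482420A0 UDP Rcv 10.1.1.1 81ea Q [0001 D NOERROR] A (15)printer(7)example(3)com(0)',
    '4/30/2018 2:27:43 PM 1D30 PACKET 00000076482420A0 UDP Snd 10.1.1.1 81ea R Q [8085 A DR NOERROR] A (15)printer(7)example(3)com(0)'
)

$records = ConvertFrom-DnsDebugLog -Lines $sampleLog
$records | Format-Table Xid, Name, Type, Peer, Received, Answered, Rcode, SelfQuery -AutoSize
Get-DnsSelfQueryVerdict -Records $records | Format-List
```

On a real server, feed it the debug log instead of the sample: `ConvertFrom-DnsDebugLog -Lines (Get-Content C:\dns\dns.log) -ServerAddress (Get-NetIPAddress -AddressFamily IPv4).IPAddress`. With the lines from the post the verdict is "every query answered" with 81ea flagged as a self query: the DNS service did its job, so whatever eats the reply sits between dns.exe and the local resolver, which is exactly where a host-based anti-malware filter lives.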
So it turns out it's a big Don't Do That with consumer-grade Anti-Malware.
https://forums.malwarebytes.com/topic/200478-malwarebytes-breaks-dns-resolution/
Running the consumer MalwareBytes blocks self DNS queries because this is a botnet pattern?! It seems dns.exe is frequently a trojan on end-user machines.
WHAT HELPED ME SOLVE IT
This has happened before:
https://community.spiceworks.com/topic/357003-windows-dns-server-issue?page=2#entry-2345589