Score:1

Windows Server DNS Server Failure

br flag

I am having some issues with Windows Server 2022's DNS resolution and was hoping to get some insights. I have included some screenshots throughout the post

The server in question is running on HyperV, and is setup as an Active Directory Domain Controller with the DNS and DHCP roles installed. I have setup my DNS Forwarders as shown in this screenshot

I've noticed an event showing up in the event logs a fair amount saying The DNS server encountered an invalid domain name in a packet from 1.1.1.1. The packet will be rejected. The event data contains the DNS packet. Trying to run an nslookup on the domains shown in the packet will result in a failure, however pointing nslookup at my forwarders directly will resolve correctly.

It seems that there are some domains that fail more than others, however after a while the failed domains may begin to resolve correctly until I clear the DNS cache. The domain name I've been testing with is token.safebrowsing.apple as I've found it fails the most reliably, however I have seen this happening with all manner of domains, including www.icann.org. Just browsing the internet, I've found websites will fail to resolve maybe 5% of the time?

This is the error nslookup returns, however after a while it'll stop even trying to query the forwarders and simply return this error. As mentioned above, pointing nslookup directly at 1.1.1.1 will work correctly

I have run WireShark to try and get to the bottom of this, and you can see as the DNS Service tries to query each forwarder, getting a server failure from each one before returning to the client (in this case, 10.10.0.55) with servfail. The DC/DNS Server is configured on 10.100.0.30. Here's a screenshot of the packet view (packet 83 from previous screenshot)

So far I've tried using different forwarders (I've found that removing 1.1.1.1 and leaving just 8.8.8.8 stopped the error in the event viewer but not the actual resolution error). I've also tried playing with the DNSSec settings and trust points, removing all forwarders and just using root hints, disabling the server from listening on it's IPv6 address, and enabling/disabling various options under advanced properties, to no avail. I have also tried increasing the timeout times but still nothing.

Been scratching my head for a little while so any advice would be amazing! Please let me know if any more info is required.

Thanks!

cn flag
Serfail seems fairly self-explanatory. What does DNS Debug logging show? Also root hints should be disabled and the root hints file cleared out.
Score:0
in flag

Looks like the query is timing out due to not receiving an authoritative answer. I would look at what your dns forwarders are doing instead of your internal network. It seems whatever your forwarder is replying with to your client/server is not the SOA and being denied. Not exactly a fix but hopefully gets you in the right direction.

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.