DNS issue "server failed" Windows 2012 DNS

Started by Dieselboy, June 09, 2017, 12:49:22 AM


Dieselboy

A user reported he could not get to a web site from our office.
I did some checks and our internal DNS server is reporting:

Quote
> ipleak.net
Server:  localhost
Address:  127.0.0.1

*** localhost can't find ipleak.net: Server failed
> ipleak.net
Server:  localhost
Address:  127.0.0.1

Some more checks and packet captures confirm:

1. the traffic is not being blocked (2-way communication between internal and external DNS server)
2. the DNS server which is being queried on the internet is returning the result which is the same as the DNS server

To explain point 2, check my packet capture screenshot attached.
But basically, the internet DNS server IP (which is being queried) is the same as the DNS query result.

I checked event viewer and found:

Quote from: Internal DNS server
Event 5504
The DNS server encountered an invalid domain name in a packet from 95.85.16.212. The packet will be rejected. The event data contains the DNS packet.

I'm using root DNS servers (no forwarders). Google DNS is fine from nslookup:

Quote from: Google
> ipleak.net
Server:  [8.8.8.8]
Address:  8.8.8.8

Non-authoritative answer:
Name:    ipleak.net
Addresses:  2a03:b0c0:0:1010::509:d001
          95.85.16.212

I checked the packet capture but the only thing that stands out is that the DNS server and the result for the URL is the same IP address... does this fail a security check on the DNS server?

deanwebb

Is it just one user there, or many?

If many, is it just that location, or others?

If it's just one user, that box he's working with needs fixing, not your network issue.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

that is weird, but in theory there is nothing 'wrong' (as in non-compliant) with having DNS and web on the same IP address or even same server/VM/entity.

Could it be choking on the AAAA record coming back?

Dieselboy

...Possibly. I did a Google search and found some people having this same event "5504" error and the same log message giving them hell.

As a test, I put a forwarder on my DNS server to point to 8.8.8.8 instead of using root hints. After I did that I was able to ping the URL, but I didn't capture the traffic to compare the two.

I checked the list of root hints and I don't see the DNS server IP that my DNS servers are querying there. I was going to try and find out how the DNS server gets to that IP from the root hints.