(Software) OPNsense Ubiquiti UniFi UAP-AC-PRO
Random annoying Windows 2008 R2 DNS lookup issue

This has been driving me crazy. For the past month or so my home Windows 2008 R2 DNS server keeps having issues resolving www.twitch.tv and www.justin.tv (same company/service, just different targeted users). When I clear the cache it will work for a short time, but the problem just comes back and will stay like this for days unless I clear the cache again. The DNS server is set to query root servers, so no forwarders. nslookup with the debug option set; also a Wireshark capture attached.

> www.justin.tv.
Server: server2.napshome.local
Address: 10.0.1.2
------------
Got answer:
HEADER:
opcode = QUERY, id = 20, rcode = SERVFAIL
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
www.justin.tv, type = A, class = IN
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 21, rcode = SERVFAIL
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
www.justin.tv, type = AAAA, class = IN
------------
*** server2.napshome.local can't find www.justin.tv.: Server failed
> www.twitch.tv.
Server: server2.napshome.local
Address: 10.0.1.2
------------
Got answer:
HEADER:
opcode = QUERY, id = 22, rcode = SERVFAIL
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
www.twitch.tv, type = A, class = IN
------------
------------
Got answer:
HEADER:
opcode = QUERY, id = 23, rcode = SERVFAIL
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
www.twitch.tv, type = AAAA, class = IN
------------
*** server2.napshome.local can't find www.twitch.tv.: Server failed
Attachment: twitch-tv-any-servfail.pcapng.zip (1262 bytes), Wireshark cap from when the queries were run.
Any ideas where I should start looking?
Note these are the only domains I am having problems with.
HELLFIRE:

said by Napsterbater: The DNS server is set to query root servers, so no forwarders.

I'm no DNS "best practices" expert, but I thought querying the root servers for every URL was a No-No? Some thoughts off the top of my head:
- What's the TTL set for both those URLs?
- How long does it work for before you have to clear the cache? If you can, time this to the minute and see if it's constant.
- Set a static DNS / host entry for these URLs, possibly?

My 00000010bits
Regards
DarkLogix (Texan and Proud, Premium Member, join: 2008-10-23, Baytown, TX):

said by HELLFIRE: I'm no DNS "best practices" expert, but I thought querying the root servers for every URL was a No-No?

Querying for every DNS request would be, but thanks to TTL and DNS caching by the server it shouldn't have to, as it would hold on to the cached result till the TTL expires. The root servers are there to be queried; forwarders are for if you have another DNS server in your org that you want to forward queries for a given domain/set of domains to. Honestly the root servers are beasts and you just don't want client computers nagging them, but it should be fine for a DNS server to poll them; just use root hints, not forward to the roots. Then when you do a lookup your DNS server would ask the roots which server is authoritative for that TLD, then it'd ask that which is authoritative for the 2nd level domain, till it gets the IP.

So say you ask a DNS server for mail.google.com, then later ask that server for somethingelse.google.com. That 2nd time it wouldn't go to the roots, it'd go to the server that's authoritative for google.com (i.e. google's NS record should be cached, as would the NS record for the authoritative server for .com; the roots are authoritative for .). This makes it so, as long as the TTLs for all the NS records are right, the roots don't do much work after initial setup of a DNS server, as it'll cache the most used TLD NS records (like .com, .net, .org, etc.).
Napsterbater, to HELLFIRE:

said by HELLFIRE: I'm no DNS "best practices" expert, but I thought querying the root servers for every URL was a No-No?

I only use the root servers because I have 2 ISPs, an IPv4 and an IPv6 one, so the only way to get good CDN lookups for each IP version is to use root and let my server query the other DNS servers directly. As soon as I have 1 ISP for both I'll use forwarders of said ISP.

said by HELLFIRE: - What's the TTL set for both those URLs?

Here is a lookup from my dedicated server, since this one can't get any records for the domains and thus no TTL. Looks like the TTL for www.twitch.tv and the CNAME cdn.justin.tv.c.footprint.net are pretty low, although that is the TTL that is left from the caching server, not what it's set to on Twitch/Footprint's side. Now the NS servers seem to be set for about 24 hrs.

> www.twitch.tv.
Server:
Address: ***.***.96.2
------------
Got answer:
HEADER:
opcode = QUERY, id = 10, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 4, authority records = 4, additional = 4
QUESTIONS:
www.twitch.tv, type = A, class = IN
ANSWERS:
-> www.twitch.tv
canonical name = cdn.justin.tv.c.footprint.net
ttl = 698 (11 mins 38 secs)
-> cdn.justin.tv.c.footprint.net
internet address = 4.27.12.253
ttl = 178 (2 mins 58 secs)
-> cdn.justin.tv.c.footprint.net
internet address = 8.26.207.126
ttl = 178 (2 mins 58 secs)
-> cdn.justin.tv.c.footprint.net
internet address = 8.254.57.254
ttl = 178 (2 mins 58 secs)
AUTHORITY RECORDS:
-> c.footprint.net
nameserver = us-va-1.ns.c.footprint.net
ttl = 65084 (18 hours 4 mins 44 secs)
-> c.footprint.net
nameserver = us-fl-2.ns.c.footprint.net
ttl = 65084 (18 hours 4 mins 44 secs)
-> c.footprint.net
nameserver = us-ga-1.ns.c.footprint.net
ttl = 65084 (18 hours 4 mins 44 secs)
-> c.footprint.net
nameserver = us-ny-3.ns.c.footprint.net
ttl = 65084 (18 hours 4 mins 44 secs)
ADDITIONAL RECORDS:
-> us-fl-2.ns.c.footprint.net
internet address = 198.78.199.153
ttl = 65329 (18 hours 8 mins 49 secs)
-> us-ga-1.ns.c.footprint.net
internet address = 8.254.56.153
ttl = 65329 (18 hours 8 mins 49 secs)
-> us-ny-3.ns.c.footprint.net
internet address = 8.26.200.155
ttl = 65329 (18 hours 8 mins 49 secs)
-> us-va-1.ns.c.footprint.net
internet address = 205.128.73.155
ttl = 65329 (18 hours 8 mins 49 secs)
------------
Non-authoritative answer:
------------
Got answer:
HEADER:
opcode = QUERY, id = 11, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 1, additional = 0
QUESTIONS:
www.twitch.tv, type = AAAA, class = IN
ANSWERS:
-> www.twitch.tv
canonical name = cdn.justin.tv.c.footprint.net
ttl = 697 (11 mins 37 secs)
AUTHORITY RECORDS:
-> c.footprint.net
ttl = 327 (5 mins 27 secs)
primary name server = admin.nsatc.org
responsible mail addr = dl-cdn_infrastructure.level3.com
serial = 1390250842
refresh = 10800 (3 hours)
retry = 2700 (45 mins)
expire = 3600000 (41 days 16 hours)
default TTL = 900 (15 mins)
------------
Name: cdn.justin.tv.c.footprint.net
Addresses: 4.27.12.253
8.26.207.126
8.254.57.254
Aliases: www.twitch.tv
>
said by HELLFIRE: - How long does it work for before you have to clear the cache? If you can, time this to the minute and see if it's constant.

Not sure, anywhere from a few hours to a few days.

said by HELLFIRE: - Set a static DNS / host entry for these URLs, possibly?

That just hides the problem, and if they ever change anything it will break, and it is just not good practice.

DarkLogix:
Well, a caching server "shouldn't" change the TTL, as the TTL of the record is how long the admin for the given domain wanted it to cache up to. Some change this to be very short when they're planning to change the IP for the DNS record, so that the caches of the record will start to expire and their server will get asked, which lowers the convergence time for a DNS change; then they bump it up to a longer value to lower traffic to that server when no changes are planned.
Napsterbater:

You're kind of right, a caching server won't (shouldn't) change the TTL.
What it does though: say the domain has a TTL of 60 sec. The first time the cache server retrieves the record and sends it to the first person who asked for it, that system would receive the record with the 60 sec TTL. Now the next person to query the cache server for the same record within 60 secs gets the same record, except the TTL will be minus however long it has been since the cache server first retrieved it. It doesn't just hand out the cached records with a 60 sec TTL for everyone.
DarkLogix:

Yep, so you can safely assume the set TTL is greater than what you're seeing from the non-authoritative DNS server.
exocet_cm (Writing, Premium Member, join: 2003-03-23, Brooklyn, NY), to Napsterbater:

I know you mentioned that you're querying the root servers, but have you tried using something other than the root servers to determine if it resolves your issue?
Try using forwarders to OpenDNS or Level 3 or something: 208.67.222.222, 208.67.220.220, 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4
Weasel (Premium Member, join: 2001-12-03, Minnesota), 2014-Feb-6 9:29 am:

said by exocet_cm: I know you mentioned that you're querying the root servers, but have you tried using something other than the root servers to determine if it resolves your issue?
Try using forwarders to OpenDNS or Level 3 or something: 208.67.222.222, 208.67.220.220, 4.2.2.1, 4.2.2.2, 4.2.2.3, 4.2.2.4

I was going to suggest the same. Drop in a few forwarders and see what happens.
to Napsterbater:

I am embarrassed to ask this, but can someone explain where the root DNS servers are added? I have always used DHCP to assign a private IP address to all network devices (class C address), and at the DNS server I have always used forwarders: 1 from the ISP and 1 from Google or OpenDNS. I have never experienced any issues, which is why I have always done it this way.
DarkLogix:

On a Windows DNS server it's the Root Hints tab; it's auto-filled.
tomdlgns (Premium Member), 2014-Feb-6 4:28 pm:

Thanks. I have only run Windows DNS servers and, as stated, have always used forwarders. Thanks for pointing that out.
DarkLogix:

Here's the tab. I always leave forwarders blank.
tomdlgns (Premium Member), 2014-Feb-6 4:31 pm:

Yeah, I went to take a look after I saw your last reply. If I don't configure forwarders, those servers are what is used for DNS lookups?
DarkLogix:

It won't do a full lookup on them; they're just the ones that are authoritative for the . domain, thus they'll pass you to the next level down domain (i.e. com, net, org, etc.).
I.e. the roots won't tell you the IP of yahoo.com; instead they'll tell you the NS of com, which will then tell you the NS for yahoo.com, which will then tell you either the IP of yahoo.com or the NS for www.yahoo.com. Then each of those NS records will have a TTL (I'd bet the TTL for com is very long, so once you've made one blabla.com lookup you won't have to ask the roots again for a long while for the com NS).
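As an added illustration of the delegation walk DarkLogix describes here, plus the cached-TTL countdown Napsterbater explained earlier (example code, not from anyone in the thread): a small in-memory model of a root-hints resolver. The zone data, names and addresses are constructed and hypothetical, and the clock is injectable so the countdown can be observed without waiting.

```python
import time

# Constructed, hypothetical zone data standing in for the DNS tree (example
# names and addresses, not real records): zone -> {owner: [(type, rdata, ttl)]}
ZONES = {
    ".":          {"com.": [("NS", "a.gtld-servers.example.", 172800)]},
    "com.":       {"yahoo.com.": [("NS", "ns1.yahoo.example.", 86400)]},
    "yahoo.com.": {"www.yahoo.com.":  [("A", "203.0.113.10", 300)],
                   "mail.yahoo.com.": [("A", "203.0.113.25", 300)]},
}

class CachingResolver:
    """Model of a root-hints resolver: walks delegations, caches with TTLs."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}   # (name, type) -> (rdata list, absolute expiry time)
        self.asked = []   # (zone server asked, name) log, to show who got queried

    def cached(self, name, rtype):
        """Return (rdata, remaining TTL) or None; the remaining TTL counts down."""
        hit = self.cache.get((name, rtype))
        if hit and hit[1] > self.clock():
            return hit[0], int(hit[1] - self.clock())
        self.cache.pop((name, rtype), None)   # expired: evict so it is re-fetched
        return None

    def _store(self, name, rtype, rrs):
        self.cache[(name, rtype)] = ([r[1] for r in rrs], self.clock() + rrs[0][2])

    def resolve(self, name, rtype="A"):
        hit = self.cached(name, rtype)
        if hit:
            return hit
        labels = name.rstrip(".").split(".")
        # Enclosing zones, most specific first: www.yahoo.com., yahoo.com., com., .
        zones = [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]
        # Start at the deepest zone whose NS set is still cached; the roots are
        # asked only when nothing closer is known (the "com NS" point above).
        zone = next(z for z in zones if z == "." or self.cached(z, "NS"))
        while True:
            self.asked.append((zone, name))
            data = ZONES[zone]                  # that server only knows its own zone
            rrs = data.get(name)
            if rrs and rrs[0][0] == rtype:      # authoritative answer: cache, return
                self._store(name, rtype, rrs)
                return self.cached(name, rtype)
            child = next((z for z in zones if z != zone and z in data), None)
            if child is None:
                return None                     # no answer and no referral: fails
            self._store(child, "NS", data[child])  # cache the delegation's NS + TTL
            zone = child
```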
tomdlgns (Premium Member), 2014-Feb-6 6:57 pm:

Makes sense. Thanks for explaining that.
DarkLogix:

Ya, many forget about the . domain, to which all other domains are sub-domains.
exocet_cm, to Napsterbater:

Any update?
Napsterbater:

Not so far. I last cleared it at around midnight on the 6th; so far it has yet to fail again.
I wonder if I am randomly hitting a bad NS for the domain and my server is caching it? (just a random thought)
Wily_One (Premium Member, join: 2002-11-24, San Jose, CA), 2014-Feb-8 6:56 pm:

If all you're doing is caching, then the problem is most likely upstream and beyond your control. Yes, instability of the domain name servers would exhibit this kind of problem.