Tags: dns, domain controller, patch, windows server 2003

#1
MS Update Breaks External DNS again
Windows Server 2003: the most recent DNS patch and the previous DNS patch completely break my access to external (Internet) DNS servers. Once I remove the DNS patch (uninstall) and reboot I can again grab root hints and resolve Internet addresses. When I applied the DNS server update everything starts normally; however, doing an nslookup for an Internet address I get a timeout error. The DNS services are running and I can query the local DNS entries. Does anyone have any ideas on how I can successfully update DNS and not have external resolving issues? I am near the point of using something other than Microsoft DNS. Each time I reboot the two DNS servers, I must go into each DNS and manually grab root hints and restart the DNS service to be able to resolve external Internet addresses. This particular issue has been ongoing since I first installed Windows Server 2003 on the servers several years ago. If possible please reply via email as well as on the post here (email allen _ mvp @ msn . com).
|
#2
Sounds to me like you have a general DNS problem, not only patch related. We use all patches and it works fine. For starting please post an unedited ipconfig /all from the DNS servers. Are the DNS servers also domain controllers? If yes, do you use AD integrated zones?

I have to force root hint updates on both servers manually (I use 4.2.2.2 to pull the hints); the cache.dns does have the FQDN and IP for all of the root servers.

Do you use a forwarder to 4.2.2.2 or pull them really manually?

I don't use any forwarders (stand-alone DNS) and use the copy root hints in the DNS management to do it. No, not a firewall, we have Cisco router ACLs that prevent spoofing of our IP address space. Our two DNS servers are authoritative for the domains we host (about 262); these DNS servers also resolve for our mail server and our corporate LAN. My problem isn't connectivity, it is that when I apply the last two DNS patches from Windows Update I can no longer resolve external Internet addresses, thus my mail server doesn't work nor does resolving addresses when browsing from our private LAN.
|
#3
Re: MS Update Breaks External DNS again
Thanks for replying. Neither are domain controllers nor do they have AD on them. They are our authoritative (ns. and ns2.) Internet servers that also act as our internal resolving DNS; they also provide DNS for our external Internet mail server to resolve DNS. Note these are web servers/DNS servers combined. One also has the email server running on it. Both are Dell 4600's with 12 GB of RAM, dual Xeon, all RAID-mirrored Ultra 320 drives. All other patches we have put on these Windows 2003 server installations have been fine except the two DNS update patches. Other than this DNS quirkiness the servers run like champs without any problems. I appreciate your taking the time to work through this. I sincerely hope it is a simple misconfiguration. If you need anything else let me know.
|
#4
I've often wondered if having a 127.x.x.x reverse zone could cause problems. I am a bit wary of removing it because of unforeseen issues. We only use Class C IPs (74.43.13x.x) on the server so I don't think the 127 zone should be in there.

Hello Allen Harkleroad (allen _ mvp at msn dot com), 127.in-addr.arpa is automatically created during install, also with 0.in-addr.arpa and 255.in-addr.arpa, so they shouldn't be an issue. May I ask why you have your domain in a public IP range and also assigned that many IP addresses to the NIC?

These are web servers / DNS servers; each website is assigned its own IP in IIS. The web/DNS machines are ns.gmpservices.com and ns2.gmpservices.com. We have 262 forward lookup zones on each machine (identical zones on both). We use them for hosting primarily and thus must have public IP ranges.
|
#5
Re: MS Update Breaks External DNS again
Allen, since you are using these servers to host public zones for many domains, root hints should be disabled and recursion should also be disabled (Advanced tab). The only names this server should resolve are for the zones it actually hosts in its zones.

"FAIL Open DNS servers ERROR: One or more of your nameservers reports that it is an open DNS server. This usually means that anyone in the world can query it for domains it is not authoritative for (it is possible that the DNS server advertises that it does recursive lookups when it does not, but that shouldn't happen). This can cause an excessive load on your DNS server. Also, it is strongly discouraged to have a DNS server be both authoritative for your domain and be recursive (even if it is not open), due to the potential for cache poisoning (with no recursion, there is no cache, and it is impossible to poison it). Also, the bad guys could use your DNS server as part of an attack, by forging their IP address. Problem record(s) are:
Server 74.43.132.10 reports that it will do recursive lookups.
Server 74.43.133.10 reports that it will do recursive lookups.
See this page for info on closing open DNS servers."
|
#6
Re: MS Update Breaks External DNS again
Hi Allen, I'm assuming you are saying these two DNS servers are not DCs and do not host the AD zone for the internal corporate network, and are used to host public records, which you are also using as forwarders from the internal AD/DNS servers. I'm not sure what you mean about the Cisco ACLs preventing spoofing. However, I'm also assuming you mean it blocks requests that appear to be coming from external requests spoofing the source address as an internal IP; that is a standard config to stop this sort of attack by many routers, but it wouldn't apply to this issue.

One issue with a Cisco firewall (no matter which version) is the DNS fixup command being required with a Windows 2003 or newer DNS that resolves external queries. Did you set the DNS fixup command on the Cisco box in order for it to allow EDNS0 traffic (UDP DNS packets up to 1280 bytes instead of 512 bytes)? The set vc switch tells it to use TCP instead of UDP. If it works with the vc switch, and not without it, then it is an EDNS0 block. I provided hotmail.com as an example because its response is definitely greater than 512 bytes. You can also not set it to 'mx' and leave it default when you invoke nslookup, and then try aol.com, microsoft.com, yahoo.com, as some examples with large responses.

Which DNS patches are you referring to? Are you referring to MS08-037? If not, do you have the KB or MS08-xxx or MS09-xxx numbers?
|
#7
The Fixup DNS doesn't apply as this is a 2600 router and not a firewall; both tests you posted work. The only two patches that aren't installed on DNS are the last two supplied via WU, all others are there. In the interim I am using OpenDNS for forwarding. I may build a BIND box and see how complicated importing our MSFT DNS records into it is; if it goes smoothly I am going to switch to BIND and dispense with MS DNS (tired of the random breakage of DNS).

It is rather easy to go from Microsoft DNS to BIND by using a simple secondary, allow the transfer, then make it a primary. But this could be cumbersome if you have 100's of zones.

Do you have any more information on which updates you removed in order to fix your problem? I think I'm running into the same issue and I'd like to remove the updates to see if it fixes the problem for me as well. The KB numbers would be ideal.
|
#8
Re: MS Update Breaks External DNS again
I had to switch back from OpenDNS; yesterday it stopped responding to queries for us, so I am back to stand-alone mode and not using any forwarders. It worked for about a week. I went back to root hints (still have to manually update and restart to make DNS work). As simple as DNS is, you would think there would be zero issues with a simple stand-alone DNS implementation (no AD, etc.). I have less than 300 public DNS records and am using the resolver for our mail server and internal resolving. I hope there is a fix for DNS so I can fully patch it. In the meantime I am putting up a test server and installing BIND on it to learn BIND, just in case I have to resort to using BIND. If BIND had a decent GUI it would be better; unfortunately the few that I have found are expensive, and the one free BIND GUI I found on CodePlex only seems to have 2 features and neither of them helps with adding/deleting DNS records, etc. I may end up writing my own BIND GUI (asp.net 2.0 VB app) when I have time and if I decide to replace Microsoft DNS with BIND. Thanks for responding, I will try to keep an eye on this thread.
|
#9
As I pointed out, it's a best practice, as well as part of a security design, but I can quite understand your viewpoint. I guess it would depend on whose DNS you used as a forwarder. The one I gave earlier is reliable. It is one of the ones I use for all of my customers. If I hear of any hotfixes for this issue, I will post back. I'll keep this thread marked.

The fact that forwarders break also leads me to suspect either your DNS servers are corrupt or you have a firewall problem. To reinstall DNS, do the following: uninstall the DNS service, reboot into safe mode and delete the DNS folder from under Windows\system32. If your AV can run in safe mode (most can), do a complete scan of your system at this point. Reboot, do a complete AV scan, reinstall DNS, and reapply any security patches that MS has released. On your firewall, ensure your DNS server can send requests out through both UDP and TCP port 53. You should only need UDP, but I have run into situations where DNS servers use TCP.
|
#10
Re: MS Update Breaks External DNS again
I removed the last 3-4 DNS patches/updates to get the DNS back to where it would resolve external sites. I still have to manually pull root hints from another server though.