Slow DNS resolution

Similar Messages

• Slow DNS Resolution using Time Capsule

  Hello,
  I'm using a time capsule as my main internet router and wireless access point, and I've noticed a significant delay before web pages begin to download.  In trying to troubleshoot this, I came across a very helpful utilitity called the Netalyzr from Berkley.  Using this tool, I'm able to see that there is a significant delay in name lookups using the time capsule DNS proxy capability.  There's not a lot of documentation on this, but it appears that instead of handing clients the designated DNS servers configured in DHCP, it hands out its own address to the clients as the DNS server and makes the DNS request to the configured servers.  I've included the verbage from the Netalyzer tool below.
  Your ISP's DNS resolver requires 2200 msec to conduct an external lookup. It takes 81 msec for your ISP's DNS resolver to lookup a name on our server.
  This is particularly slow, and you may see significant performance degradation as a result. 
  As you can see, this causes almost a 2.5 second "pause" before the lookup is even returned.  However, if I hard code the designated DNS servers into this client (Macbook air running Lion), I get the following result.
  Your ISP's DNS resolver requires 110 msec to conduct an external lookup. It takes 81 msec for your ISP's DNS resolver to lookup a name on our server. 
  This is a significant improvement over the lookup using the proxy capabilities of the Time Capsule.  This leads me to believe that the DNS "proxying" that the time capsule is doing is really slow.
  I'm using opendns as my provider in both scenarios.
  Is this a known issue, and if so, is there an existing fix or a planned fix for this?
  Best,
  Eric

  Frankly I just don't believe those analysers.. not until I can prove it myself.
  Do a very simple test..
  Open terminal  and ping a website you have never opened before.
  You should do this from a PC or Mac on the network using ethernet. Just to keep crummy wireless responses out of it. And do it without internet activity going on.
  Do it a second time, and it should be instantaneous now having the address resolved and held in the cache.
  If you get a significant lag before the address is resolved to actual IP, there maybe something wrong. And the first test then would be to change the DNS server to your local ISP not opendns.. because the routing to opendns might also be an issue.
  You can also test by removing the TC from the network..plug a computer directly to the modem and just browse.. compare that to speed with the TC. I know it isn't exactly scientific but a 2.5sec delay in dns resolution you will notice it. It is important to connect to stuff that is outside your normal pattern. Otherwise it should just be in the cache.
  Otherwise it is unlikely to really exist.

• RV082 - Slow DNS Resolution

  Greetings Gang,
  Have an RV082 v1.1 FW 1.3.98-tm that has been rock solid for a couple of years and is now, suddenly, experiencing dead crawl DNS resolution.
  No changes in configuration prior to the behavior starting. Tried rebooting the unit, no changein behavior.
  There's an internal DNS server that resolves internal resources, but everything else gets pushed to the RV082.
  I've tried Comcast, Verizon and Google DNS servers at the router level, and the results are the same -- so that rules out the DNS servers themselves.
  Change the DNS servers at the NIC level on a wrokstation, and resolution occurs quickly and reliably.
  I'm looking to reset to Factory Default and reload the configuration and likely upgrade to FW 2.0.0.19-tm or 2.0.2.01-tm but I do see similar issues reported with those firmwares, and moreover, in a mixed Mac/PC environment.
  Was wondering if anyone else has experienced these issues, could identify a root cause and resolution.
  Thanks,
  Jorge

  Probably just corruption, which can happen every so often.  A couple of years in service rock-solid is really great.
  I experienced similar problems with my rv016s when my ISP changed their backend carrier equipment.  I was never able to fix the issue, so I had to reboot them every 8hrs.
  I wouldn't upgrade unless you HAVE to.  You'll more than likely run into other bugs that breaks your current configuration, even if it's just a site-to-site VPN (I've been there, done that).
  Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com

• Slow DNS web resolution

  I've noticed the DNS resolution for web services on our network has become a little slow.
  The log is showing the below (for example):
  success resolving 'www.jamesallenonf1.com/A' (in 'jamesallenonf1.com'?) after reducing the advertised EDNS UDP packet size to 512 octets
  Any ideas what this could be caused by and if it would explain the slowing of web page resolution?
  Thanks

  Thanks - that was useful as was the below quote:
  Quote by: MacTroll
  Your DNS server is attempting to use DNS-SEC, for validated DNS lookups. This requires a larger UDP packet size, >512 bytes, than your firewall seems to like. It then has to wait to both decide it needs to reduce packet size /and/ to get a negative result on the lookup.
  I would imagine that the DNS resolver on OS X client doesn't bother to do a DNS-SEC lookup, and hence no issue.
  This was evident in another line of the log:
  host unreachable resolving 'I.ROOT-SERVERS.NET/AAAA/IN': 198.41.0.0#53
  I created a rule in the hardware firewall to forward port 53 to the SLS and its running fine now with no errors.

• Primary DNS resolution slow if PDC role DC is down

  Hello,
  In my environment I'm running purely Windows Server 2012 in a two site environment.  I run a single domain infrastructure with my main site that has 2 domain controllers (one has all FSMO roles), and a second site which has a single domain controller.
   I've been looking all over the forums for a related topic, but haven't read something anything that fits my scenario.  Basically what happens is, if the DC that has FSMO roles (specifically PDC) goes offline, or if I were to turn the DNS service
  off, all devices would take forever for DNS resolution.  Another scenario (which is essentially the same) is if the VPN tunnel between the two sites goes down, all clients at site 2 would take awhile for DNS resolution.  If those clients launch their
  browser any website they go to takes 5-10 seconds to load.  They could reboot their PC, and do ipconfig /flushdns, and even though those clients DNS settings point to the DC at site 2 as primary DNS, it takes awhile.  As soon as the PDC server is
  restored everything is back to normal.  Quite frequently the VPN tunnel will go down leaving very slow responses at site 2.  Oddly enough is, if the tunnel were to go down, and I logged into the DC at site 2, if I were to ping various domains the
  response would take 5 or so seconds.  Is this normal to occur?  If not, how could I possibly remedy this?  My assumption is that, if the primary DNS were to go down, or in this case the PDC server goes down, one of the secondary servers would
  kick in.  I appreciate any light you can shed on this issue.
  Ken

  I agree with Meinolf. It's not always the DNS or PDC or whatever DC is in question's, fault. A lot of it is due to the client side resolver algorithm. Here's more specifics on how the whole process works - and note that this applies to all operating systems,
  Windows, Linux, Unix, BEOS..... because they all follow the RFCs defining how client side resolvers work.
  This blog discusses:
  WINS NetBIOS, Browser Service, Disabling NetBIOS, & Direct Hosted SMB (DirectSMB). Troubleshooting the browser service.
  Client side resolution process chart.
  The DNS Client Side Resolver algorithm.
  If one DC or DNS goes down, does a client logon to another DC or use the other DNS server in the NIC?
  DNS Forwarders Algorithm and multiple DNS addresses (if you've configured more than one forwarders or more than one IP in the NIC's DNS list)
  Client side resolution process chart
  Published by Ace Fekay, MCT, MVP DS on Nov 29, 2009 at 10:28 PM  1764  1
  http://msmvps.com/blogs/acefekay/archive/2009/11/29/dns-wins-netbios-amp-the-client-side-resolver-browser-service-disabling-netbios-direct-hosted-smb-directsmb-if-one-dc-is-down-does-a-client-logon-to-another-dc-and-dns-forwarders-algorithm.aspx
  DNS Clients and Timeouts (Part 1 & Part 2), karammasri [MSFT] Dec 2011 6:18 AM
  http://blogs.technet.com/b/stdqry/archive/2011/12/02/dns-clients-and-timeouts-part-1.aspx
  http://blogs.technet.com/b/stdqry/archive/2011/12/15/dns-clients-and-timeouts-part-2.aspx
  DOMAIN NAMES - CONCEPTS AND FACILITIES - Dicusses local resolvers.
  http://tools.ietf.org/html/rfc882
  =============
  To add on how the client resolver picks a nameserver, below is a link to a discussion that points out the following - and please note, the operative point in the first bullet point indicates "equivalent," meaning that all DNS servers you enter into a NIC,
  must all reference the same exact data, so you can't mix nameserver with different data and expect the client to try all of them.
  •by RFC, all nameservers in a zone's delegation are equivalent
  •they are indistinguishable to the client
  •clients are allowed to choose the NS to query with whichever policy they wish
  •if any picked server fails to respond (e.g. "ns3"), then the next server is picked among the remaining set (e.g. ns1 and ns2) according to the policy
  •often clients use sophisticated policies that "score" servers and pick more often the ones that replied faster
  •as a by-product, in practice this policy makes caches favor "nearest" servers
  That was quoted from:
  When is a secondary nameserver hit?
  http://serverfault.com/questions/130608/when-is-a-secondary-nameserver-hit
  ===============
  So you have to check when the first DNS goes down, not all directory enabled apps can handle it. opened.
  Another issue is the client has bounded to the logon server during the DC Locator process. That's difficult to mess with other than restarting the machine...
  Ace Fekay
  MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
  Microsoft Certified Trainer
  Microsoft MVP - Directory Services
  Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
  This posting is provided AS-IS with no warranties or guarantees and confers no rights.

• Problem: Slow Intranet Sites/Internal DNS Resolution for only AD Users

  Hello,
  We are experiencing a very odd problem.
  Any and All Active Directory users are experiencing very slow intranet sites.
  We are a school corporation, so this is affecting our Student Information System, as it is entirely web-based and locally hosted.
  All of our Domain Controllers are Windows Server 2012 R2, with all the latest critical updates.
  All client workstations are Windows 8.1 Professional.
  The problem occurs with ALL web browsers (IE, Chrome, FF, etc)
  All DNS queries respond in <1 ms (no matter whether we are logged in as AD User or local computer user).
  If we login as local computer user, we have blazing fast intranet sites/DNS resolution.
  If we login as AD user, everything crawls again... every click on the intranet site spins and says loading for up to 15 seconds.
  If we add the the intranet site to the local computer HOST file, it is blazing fast, just as if we logged on as local computer user.
  If we take it back out of the HOST file, it drags again.
  I am totally stumped!
  Any help is appreciated.
  Thanks!

  Hi,
  How are DNS settings configured?
  If there are any public DNS IP addresses in Preferred or Alternate field, please remove them, then input these DNS entries in the Advanced section. We should only configure Domain Controllers’ IP addresses on Preferred
  and Alternate DNS server section for domain-joined machines.
  More information for you:
  Active Directory’s Reliance on DNS, and using an ISP’s DNS address
  http://blogs.msmvps.com/acefekay/2009/08/17/ad-and-its-reliance-on-dns/
  Best Regards,
  Amy

• SBS 2011 DNS Resolution Slow

  I have a customer running SBS2011 Standard.  We've had problems with slow DNS resolute for a very long time.  When users on their workstations go to a web site in IE, it usually takes a couple of seconds to load the site.  The best example
  of the problem is on Yahoo!.  When users click a link there, IE will spin for a while and then time out.  If they click on the link again, it usually loads the second time.
  We recently switched internet providers and I was hoping that might resolve the issue, but it has not.  The server is up-to-date as of a month or so ago and I've run BPA and the only issue there is with WSUS Group Policy objects, which I don't care
  about.  I wouldn't think this would be related to that.  There are no errors in the DNS logs.  This server was originally a clean install of a new domain, not a migration.
  I have Forwarders configured and have tried using the DNS servers of the old ISP, the new ISP and OpenDNS.  No improvement with any of those changes.  On the Monitoring tab of the DNS server properites, "A simple query against this DNS server"
  and "A recursive query to other DNS server" both fail every time.  If I get rid of the Forwarders, those queries still fail and DNS resolute at the clients is still slow.
  I know there was a DNS issue that was reported by the BPA a while ago and I fixed that.  I think it was a registry setting that needed to be adjusted, but I can't recall the details right now.
  I ran DCDIAG last night and was receiving messages about running Chkdsk to fix errors.  I was hopeful that that would fix something, but I'm no longer getting that message.  Now, the only errors in DCDIAG are SystemLog errors about not being able
  to contact a machine that has been off the network for a while.
  Restarting the server or just the DNS server has never helped.
  My server has a PTR record in the reverse lookup zone and a static A record in the Forward Lookup Zone.
  When I run NSLookup, it only responds with
  Default Server:  UnKnown
  Address:  fe80::9fcf:d19d:a86e:46cd
  On another SBS server that I have, it has all of this information:
  x.x.2.0.3.x.8.6.x.x.x.2.0.d.f.d.0.0.0.0.0.0.0.0.0.0.0.0.0.8.x.x.ip6.arpa
          primary name server = localhost
          responsible mail addr = nobody.invalid
          serial  = 1
          refresh = 600 (10 mins)
          retry   = 1200 (20 mins)
          expire  = 604800 (7 days)
          default TTL = 10800 (3 hours)
  Default Server:  UnKnown
  Address:  fe80::dfd0:2dca:68f3:2cf
  Is that a helpful clue?  Where do I start with troubleshooting and/or checking settings?
  Any help would be appreciated.
  Thank,
  Mike

  I would certainly change the router, just to rule it out.
  Have you run the SBS BPA and fixed any issues it highlights?
  If pointing a client directly to an external DNS, improves, but does not fully resolve, i would be inclined to say the Server is 'ok' and that it may be the router at fault.
  It has been too long since i looked at a ProSafe router, but there may well be some firewall settings you can tweak.
  Robert Pearman SBS MVP
  itauthority.co.uk |
  Title(Required)
  Facebook |
  Twitter |
  Linked in |
  Google+

• Changes in DNS resolution in Mac OS X Snow Leopard

  Disclaimer: Apple does not necessarily endorse any suggestions, solutions, or third-party software products that may be mentioned in the topic below. Apple encourages you to first seek a solution at Apple Support. The following links are provided as is, with no guarantee of the effectiveness or reliability of the information. Apple does not guarantee that these links will be maintained or functional at any given time. Use the information below at your own discretion.
  There have been two major changes in DNS resolution in Mac OS X Snow Leopard as compared to Mac OS X Leopard and previous releases, and this tip is intended to explain them.
  1) User-specified DNS servers, if any, are now used to the exclusion of all others
  DNS server addresses may be manually-specified by users via the Networking preference pane by selecting the active interface (e.g. AirPort, Ethernet, etc.), the clicking the "Advanced…" button in the lower right hand corner of the window, and selecting the "DNS" tab.
  DNS server addresses may also be provided by a DHCP server.
  In Mac OS X Snow Leopard, if any DNS servers are manually specified, they will be the only DNS servers consulted; any DNS servers specified via DHCP will be ignored
  This differs from Mac OS X Leopard and previous releases of Mac OS X, as in those releases, if DNS servers were specified manually as well as provided via DHCP, the manually-specified server(s) would be queried first, and if those requests failed, requests would then be sent to any DNS server(s) specified via DHCP.
  This means that in Mac OS X Snow Leopard, if queries to manually-specified DNS servers fail, the request will be considered to have failed and no DHCP-specified DNS server will ever be queried.
  Users may encounter this because at some point a DNS server (which is no longer functioning or reachable) was manually set in a work or other environment and they had forgotten about it since the previous behavior was for failed requests to "fall through" to DHCP-specified servers.
  Because of the change in behavior, those same systems will fail to resolve any DNS requests in Mac OS X Snow Leopard.
  2) mDNSResponder does not honor DNS server ordering
  While not explicitly documented, in Mac OS X versions earlier than Snow Leopard, DNS servers, whether specified manually or via DHCP, were queried in the order they were provided. For manual specification, this means in the order shown in the appropriate Network preferences pane tab, and for DHCP users in the order specified by the DHCP server.
  This is no longer true in Mac OS X Snow Leopard; instead mDNSResponder now seems to occasionally change the order in which it queries DNS servers from that in which they were specified.
  This has caused some users issues when DNS servers are specified in a specific sequence.
  For example, say your network has two DNS servers, a main server at address 192.168.100.1, and a secondary server at 192.168.100.2, which is normally only to be used if the primary DNS server fails as it is slower and/or has a slower link to the Internet.
  If they were specified in that order, past versions of Mac OS X would query them in that order, and unless a failure occurred contacting the primary server, the second server specified would never be contacted.
  In Mac OS X Snow Leopard, under various conditions mDNSResponder will instead decide to route all DNS queries to the second DNS server specified, perhaps as a method of routing DNS queries in a round-robin fashion.
  Nevertheless, this behavior is unexpected to most users, and may cause issues if the previous behavior was expected.
  The only workaround is to realize that Mac OS X Snow Leopard treats all specified DNS servers as being equally capable and to specify DNS servers, either manually or via DHCP, accordingly.
  This is the 1st version of this tip. It was submitted on November 15, 2009 by William Kucharski.
  Do you want to provide feedback on this User Contributed Tip or contribute your own? If you have achieved Level 2 status, visit the User Tips Library Contributions forum for more information.

  This tip is now ready for publication.

• Intermittend DNS resolution, timeserver, group policy updates errors in client logs in Win 2012 R2 single server environement

  We recently switched hardware and server software Win SBS 2008 to 2012R2 for a small network roughly 40 clients (Win7 Pro / Win 8.1 Pro) about 16 running concurrently at a given time and one network printer with the printer queue residing on the DC as well.
  I read that a single server environment might not be ideal in particular no fail-over but that is an accepted risk in this particular network here.
  Errors:
  Error 1043: Timeout during name resolution request
  Error 1129: Group policy updates could not be processed due to DC not available
  Error 5719: Could not establish secure connection to DC, DC not available
  Occasionally but disappears after a while
  Error 134: As a result of a DNS resolution timeout could not reach time server
  Symptoms
  On Win 7 Clients
  Network shares added through Group Policy will not show sometimes
  Network shares disconnect (red X) and when accessed return access authorization error after one or two clicks on the share finally grant access again
  When the issue with accessing network shares occurs, it usually also affects Internet access meaning a 'server not responding' error appears in the browser windows when trying to open just any web page
  nslookup during the incident returns cannot resolve error
  ipconfig on client shows correct default router (VDSL Router) and DHCP / DNS Domain Controller
  Also, the Win system log shows the above errors during these incidents, however, the nuimber of incidents vary from 20-30
  On Win 8.1 Clients
  Same as above with the slight variation for network shares apparently due to Server 2012 and Win 8.1 clients managing drive shares differently. However, network share refresh does not work with this clients. In most cases only a gpupdate /force returns
  drive shares but usually only for the active session. After logoff / logon the shares are gone again.
  The issue does appear to be load related since it occurs even if there are only one or two workstations active.
  Server Configuration
  Dell R320 PowerEdge 16GB / 4TB 7200RPM RAID10 / GBitEthernet
  Zyxel 1910-48 Port Switch
  VDSL 50Mbps Down / 20Mbps Up
  Since the DC is the only local DNS and there are no plans to add another one or move DNS to another server, the DNS server is configured with this own address as preferred DNS with three DNS forwarders 1) VDSL Router 2) ISP DNS1 3) ISP DNS2
  Currently only one Network card is active for problem determination reasons.
  There appears to be no consensus concerning IPV6 enabled or disabled, I tried both with no apparent effect
  I have set all network cards server and client to Full Duplex and the same speed, also disabled Offload functions within the adapter settings. Some but no consistent improvements.
  Best Practice Analyzer Results
  DNS server scavening not enabled
  Root hint server XYZ must respond to NS queries for the root zone
  More than one forwarding server should be configured (although 3 are configured)
  NIC1 should be configured to use both a preferred and alternate DNS (there is only one DNS in this network)
  I have found some instructions to apply changes to the clients through a host file but I would rather like to understand whether this DNS response time issue can be resolved on the server for example timing setting perhaps. Currently the DNS forwarders are
  set to 3 second.
  Since a few people have reported issues with DNS but most are working with multi DNS, DC environment I could not really apply any suggestions made there. perhaps there is anyone like me who is running a single server who has overcome or experience the same
  issues. Any help would be appreciated

  Hello Milos thx for your reply.. my comments below
  1. What does it "switched"? You may mean migration or new installation. We do not know...
  >> Switched is probably the incorrect term, replaced would be the appropriate wording. Before, there was a HP Proliant Server with SBS 2008 with distinct domain and now there is a Dell Server with MS 2012 R2 with a distinct domain. Client were
  removed from one (SBS) domain and added to the new Server 2012 domain. Other components did not change for example same Network Switch or VDSL Router, Workstations and Printer
  2. Two DCs are better alternative. Or backup very frequently. There are two groups of administrators. Those who have lost DC and those who will experience this disaster in near future.
  >> Correct, and I am aware of that
  3. NIC settings in W 7 and W 8.1, namely DNS points to DC (...and NOTHING else. No public IP or that of router DNS.))
  >> Correct, this is how it's currently implemented. Clients point to DC for DHCP and DNS and Default Router, no public IP or DNS. The only references to ISP DNS exist on the VDSL Router itself as provided through ISP when establishing VDSL
  Link and the list of Forwarders in the DNS Server configuration. However, I have just recently added the ISPs DNS as forwarders for test purposes and will probably learn tomorrow morning whether this had any effect for better or worse.
  4. Do nslookup to RR on clients. RR branch is saying client basic info on LDAP parameters of AD.
  >> Will post as soon as available
  5. I do not use forwarders and the system works
  >> Ok, does this mean it works for you in a similar or the same infrastructure setup or are you saying it is not required at all and I can remove any forwarder in a scenario like mine? If not required can you explain a bit more why it is not
  required apart from that it does work for you that way?
  6. DHCP should sit on DC (DHCP on router is disabled)
  >> Correct, no other device is configured to provide DHCP service other than DC and DHCP is currently running on DC
  7. NIC settings in DC points to itself (loopback address 127.0.0.1)
  >> Are you sure this is still correct and does apply to Server 2012? I am reading articles stating that it should be the servers own IP but local loop or should this be added as alternate DNS in addition to the servers own IP?
  8. Use IPCONFIG /FLUSHDNS whenever you change DNS settings.
  >> OK, that was not done every time I changed some settings but I can do that next week. Reboot alone would not suffice, correct?
  9. Test your system with dcdiag.
  >> See result below
  10. Share your findings.
  Regards
  Milos
  Directory Server Diagnosis
  Performing initial setup:
     Trying to find home server...
    Home Server = GSERVER2
     * Identified AD Forest.
     Done gathering initial info.
  Doing initial required tests
  Testing server: Default-First-Site-Name\GSERVER2
        Starting test: Connectivity
           ......................... GSERVER2 passed test Connectivity
  Doing primary tests
     Testing server: Default-First-Site-Name\GSERVER2
        Starting test: Advertising
           ......................... GSERVER2 passed test Advertising
        Starting test: FrsEvent
           ......................... GSERVER2 passed test FrsEvent
        Starting test: DFSREvent
           ......................... GSERVER2 passed test DFSREvent
        Starting test: SysVolCheck
           ......................... GSERVER2 passed test SysVolCheck
        Starting test: KccEvent
           ......................... GSERVER2 passed test KccEvent
        Starting test: KnowsOfRoleHolders
           ......................... GSERVER2 passed test
           KnowsOfRoleHolders
        Starting test: MachineAccount
           ......................... GSERVER2 passed test MachineAccount
        Starting test: NCSecDesc
           ......................... GSERVER2 passed test NCSecDesc
        Starting test: NetLogons
           ......................... GSERVER2 passed test NetLogons
        Starting test: ObjectsReplicated
           ......................... GSERVER2 passed test
           ObjectsReplicated
        Starting test: Replications
           ......................... GSERVER2 passed test Replications
        Starting test: RidManager
           ......................... GSERVER2 passed test RidManager
        Starting test: Services
           ......................... GSERVER2 passed test Services
        Starting test: SystemLog
           ......................... GSERVER2 passed test SystemLog
        Starting test: VerifyReferences
           ......................... GSERVER2 passed test VerifyReferences  
     Running partition tests on : ForestDnsZones
        Starting test: CheckSDRefDom
           ......................... ForestDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... ForestDnsZones passed test
           CrossRefValidation
     Running partition tests on : DomainDnsZones
        Starting test: CheckSDRefDom
           ......................... DomainDnsZones passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... DomainDnsZones passed test
           CrossRefValidation
     Running partition tests on : Schema
        Starting test: CheckSDRefDom
           ......................... Schema passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Schema passed test CrossRefValidation
     Running partition tests on : Configuration
        Starting test: CheckSDRefDom
           ......................... Configuration passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... Configuration passed test CrossRefValidation
     Running partition tests on : GS2
        Starting test: CheckSDRefDom
           ......................... GS2 passed test CheckSDRefDom
        Starting test: CrossRefValidation
           ......................... GS2 passed test CrossRefValidation  
     Running enterprise tests on : GS2.intra
        Starting test: LocatorCheck
           ......................... GS2.intra passed test LocatorCheck
        Starting test: Intersite
           ......................... GS2.intra passed test Intersite
  Server:  gserver2.g2.intra
  Address:  192.168.240.6
  *** gserver2.g2.intra can't find g2: Non-existent domain
  > gserver2
  Server:  gserver2.g2.intra
  Address:  192.168.240.6
  g2.intra
          primary name server = gserver2.g2.intra
          responsible mail addr = hostmaster.g2.intra
          serial  = 443
          refresh = 900 (15 mins)
          retry   = 600 (10 mins)
          expire  = 86400 (1 day)
          default TTL = 3600 (1 hour)
  > wikipedia.org
  Server:  gserver2.g2.intra
  Address:  192.168.240.6
  Non-authoritative answer:
  wikipedia.org   MX preference = 10, mail exchanger = polonium.wikimedia.org
  wikipedia.org   MX preference = 50, mail exchanger = lead.wikimedia.org
  polonium.wikimedia.org  internet address = 208.80.154.90
  polonium.wikimedia.org  AAAA IPv6 address = 2620:0:861:3:208:80:154:90
  lead.wikimedia.org      internet address = 208.80.154.89
  lead.wikimedia.org      AAAA IPv6 address = 2620:0:861:3:208:80:154:89
  Final benchmark results, sorted by nameserver performance:
   (average cached name retrieval speed, fastest to slowest)
    192.168.240.  6 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    + Cached Name   | 0,001 | 0,002 | 0,003 | 0,001 | 100,0 |
    + Uncached Name | 0,027 | 0,076 | 0,298 | 0,069 | 100,0 |
    + DotCom Lookup | 0,041 | 0,048 | 0,079 | 0,009 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
               gserver2.g2.intra
                  Local Network Nameserver
    195.186.  4.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    - Cached Name   | 0,022 | 0,023 | 0,025 | 0,000 | 100,0 |
    - Uncached Name | 0,025 | 0,071 | 0,274 | 0,065 | 100,0 |
    - DotCom Lookup | 0,039 | 0,040 | 0,043 | 0,001 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
                       cns8.bluewin.ch
             BLUEWIN-AS Swisscom (Schweiz) AG,CH
    195.186.  1.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    - Cached Name   | 0,022 | 0,023 | 0,026 | 0,001 | 100,0 |
    - Uncached Name | 0,025 | 0,072 | 0,299 | 0,066 | 100,0 |
    - DotCom Lookup | 0,039 | 0,042 | 0,049 | 0,003 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
                       cns7.bluewin.ch
             BLUEWIN-AS Swisscom (Schweiz) AG,CH
      8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    - Cached Name   | 0,033 | 0,040 | 0,079 | 0,011 | 100,0 |
    - Uncached Name | 0,042 | 0,113 | 0,482 | 0,097 | 100,0 |
    - DotCom Lookup | 0,049 | 0,079 | 0,192 | 0,039 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
               google-public-dns-a.google.com
                   GOOGLE - Google Inc.,US
    UTC: 2014-11-03, from 14:33:12 to 14:33:29, for 00:17,648
  15: 40
  192.168.240.  6 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    + Cached Name   | 0,001 | 0,002 | 0,004 | 0,000 | 100,0 |
    + Uncached Name | 0,025 | 0,074 | 0,266 | 0,063 | 100,0 |
    + DotCom Lookup | 0,042 | 0,048 | 0,075 | 0,007 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
               gserver2.g2.intra
                  Local Network Nameserver
    195.186.  1.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    - Cached Name   | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
    - Uncached Name | 0,024 | 0,073 | 0,289 | 0,067 | 100,0 |
    - DotCom Lookup | 0,039 | 0,041 | 0,043 | 0,001 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
                       cns7.bluewin.ch
             BLUEWIN-AS Swisscom (Schweiz) AG,CH
    195.186.  4.162 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    - Cached Name   | 0,022 | 0,024 | 0,029 | 0,001 | 100,0 |
    - Uncached Name | 0,025 | 0,073 | 0,286 | 0,065 | 100,0 |
    - DotCom Lookup | 0,041 | 0,066 | 0,180 | 0,037 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
                       cns8.bluewin.ch
             BLUEWIN-AS Swisscom (Schweiz) AG,CH
      8.  8.  8.  8 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
    ----------------+-------+-------+-------+-------+-------+
    - Cached Name   | 0,033 | 0,038 | 0,077 | 0,009 | 100,0 |
    - Uncached Name | 0,042 | 0,105 | 0,398 | 0,091 | 100,0 |
    - DotCom Lookup | 0,049 | 0,066 | 0,141 | 0,025 | 100,0 |
    ---<-------->---+-------+-------+-------+-------+-------+
               google-public-dns-a.google.com
                   GOOGLE - Google Inc.,US
    UTC: 2014-11-03, from 14:39:59 to 14:40:12, for 00:13,363

• DNS-resolution doesn't work with VPN

  Hello,
  I setup a l2tp vpn connection in the iPhone and nearly all works perfectly. But the most important part doesn't work: The DNS-resolution after connecting to the VPN.
  It's possible to send pings over the 'ping'-App and I also can ping the iPhone from the network. Safari also works with IP-Adresses. But when I try to use a hostname the resolution fails. Equally for internal and external addresses.
  On my MacBook Pro the VPN works and Mac OS is able to resolv hostnames. So the server should be alright.
  So I think there is a bug in the resolver-part of iPhone OS. Please fix this Apple.
  Kind regards,
  lord-of-linux

  Thanks for your hint to send this as a bug report. But today I had time and continued testing and changed some settings of my l2tp-Server and now I's working fine. I don't know where I had the mistake, but it seems that it was my fault.
  Now the only problem I have to solve is access over NAT, but this is not iPhone specific.

• DNS Resolution Totally Dead in 10.6.7 (except dig)

  My problem, on a 2010 iMac running 10.6.7, is basically identical to Andreas's in this thread, but whereas he tracked it to "the VPN client SonicWall NetExtender" and solved it, I've never even heard of that. As with him, though, the only way I seem to have of connecting a URL to an IP address is with dig; Safari, ping and nslookup all fail when given URLs but succeed when I give them an IP address acquired through dig.
  This happened today while I was in the middle of browsing; I don't recall any network problems recently that could have caused it, and I have a MacBook also running 10.6.7 on the same network which has no such problems. The iMac has a history of being unable to see or be seen by the other machines on the LAN (to which it connects via wifi through a Tenda router) but nothing else. Further, the iMac and MacBook give identical results when I run scutil --dns on them. I'm pretty much at a loss. Any suggestions would be greatly appreciated!

  Safari gives the error message
  Safari can't open the page "[URL]" because your computer isn't connected to the Internet.
  on any attempt to access a page by URL. If I put in an IP address it loads fine (aside from not being able to resolve any links to images, etc. which are linked using a domain name).
  nslookup google.com on the command line gives the error:
  /SourceCache/bind9/bind9-31/bind9/lib/isc/unix/socket.c:4525: bind: No route to host
  nslookup: isc_socket_bind: unexpected error
  DNS resolution does not work on Firefox either.
  All checkboxes in the System Preferences>Network>Advanced>Proxies tab are unchecked. The box at the bottom ("Bypass proxy settings...") contains:
  *.local, 169.254/16
  Thanks for trying to help me out! I'm happy to provide any other information that might be useful to you.

• ISE ver 1.1.3.124 - DNS Resolution Errors.

  I am having a very strange issue with ISE version 1.1.3.124 running as a VM on UCS.
  When I login to ISE GUI using my browser I see a large number of Alarms:
  Alarm
  Occurred At:
  Mon Apr 15 19:45:01 UTC 2013
  Cause:
  DNS resolution failure on host device_name01.abc.xyz.com
  Details:
  DNS resolution failed for the hostname device_name01.abc.xyz.com
  against the currently configured name  servers. Ensure that you have configured a reachable name server using  the 'ip name-server <servername>' CLI. 
  I have the 'ip name-server x.y.z.1' command configured in ISE using the CLI.
  From the CLI I resolve any other device names by PINGing from ISE CLI to any of my other devices in the network. So DNS seems to be working fine.
  But why am I getting the Alarms in ISE?
  Thanks for any help or suggestion in advance.
  Regards.
  Adil.

  Can you confirm that you have an A record for the ISE node configured on your DNS Server?
  If there is only a CNAME record, then you may see the specified error message.

• Error NtpClient was unable to set a manual peer. DNS resolution error When using IP address.

  Hya,
  We have been migarting to some new DCs. one of the new DCs now has all the master roles call it DC01.
  when I try and sync/setup NTP on this server as the the authoritive NTP in the doamin I get:
  NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on '”10.*.*.*,0x1”'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
  I am using the following commands to set NTP up on the server.
  >net stop w32time
  >w32tm /config /syncfromflags:manual /manualpeerlist:"10.*.*.*,0x1"
  >w32tm /config /reliable:yes
  >net start w32time.
  Is anyone aware of what the issue could be?
  Ps one of the old dc can still sync to this site manually if tried.
  cheers Mike

  Hi,
  First make sure your DNS is working properly, then please try this article below:
  Event ID 134 — Manual Time Source Acquisition
  http://technet.microsoft.com/en-us/library/cc756393(v=ws.10).aspx
  Hope this helps.

• Slow name resolution

  hi all,
  My mac has been miss-behaving since I upgraded to Mountain Lion.
  name resolution takes 10 seconds or more, which is ridiculous!
  on my linux box sitting right next to my mac, takes less than a second.
  Anyone else having the same issue?
  #### On my mac ####
  # time nslookup google.com 8.8.8.8
  Server:                    8.8.8.8
  Address:          8.8.8.8#53
  Non-authoritative answer:
  Name:          google.com
  Address: 173.194.38.136
  Name:          google.com
  Address: 173.194.38.135
  Name:          google.com
  Address: 173.194.38.131
  Name:          google.com
  Address: 173.194.38.132
  Name:          google.com
  Address: 173.194.38.130
  Name:          google.com
  Address: 173.194.38.133
  Name:          google.com
  Address: 173.194.38.128
  Name:          google.com
  Address: 173.194.38.137
  Name:          google.com
  Address: 173.194.38.142
  Name:          google.com
  Address: 173.194.38.129
  Name:          google.com
  Address: 173.194.38.134
  real          0m10.278s
  user          0m0.004s
  sys          0m0.003s
  ####### on my linux box #######
  # time nslookup google.com 8.8.8.8
  Server:                    8.8.8.8
  Address:          8.8.8.8#53
  Non-authoritative answer:
  Name:          google.com
  Address: 173.194.38.136
  Name:          google.com
  Address: 173.194.38.135
  Name:          google.com
  Address: 173.194.38.131
  Name:          google.com
  Address: 173.194.38.132
  Name:          google.com
  Address: 173.194.38.130
  Name:          google.com
  Address: 173.194.38.133
  Name:          google.com
  Address: 173.194.38.128
  Name:          google.com
  Address: 173.194.38.137
  Name:          google.com
  Address: 173.194.38.142
  Name:          google.com
  Address: 173.194.38.129
  Name:          google.com
  Address: 173.194.38.134
  real          0m0.304s
  user          0m0.100s
  sys          0m0.100s

  Hi Fer!
  Thanks for your tip about trying a different user - it didn't work, but it got me thinking
  I tried my daughter's new MB Pro with ML, and it worked flawlessly. So, thoroughly ****** off, I wasn't going to give up easily - I got out my Wireshark and started digging. After a few hours I came up with several handy tips, a couple of which fixed my problems. Here they are, copied from the blog I keep (to remember stuff like this). With any luck, they will save others some of the time we wasted.
  Thanks again for your help and inspiration!
  I’ve been incredibly frustrated by how poorly DNS resolves since upgrading first to Lion, then later to Mountain Lion (on a new machine, but migrating my old files). The impact of this was particularly bad connecting to SMB/CIFS/Samba shares – some would mount after several minutes, others not at all.
  Early on it became clear the problems were related to my router (DDWRT) not supporting IPv6 but then neither does my ISP. Here are a few things to try:
  DNS Resolver Order
  Normally /etc/hosts is first in line for DNS resolution. But it seems improper line termination, presumably a carriage return/linefeed instead of just a linefeed, causes all sorts of problems. Many posts describe ways to force reloading of the hosts file, but the root cause seems to be improper line termination. Always make sure you use a Unix compatible editor.
  To check the order resolvers are called:
  scutil --dns
  /etc/hosts Entries
  These two were the main source of my problems:
  1. My host has multiple names – these must all be present, and fully qualified:
  127.0.0.1 hosta hosta.foo.com 127.0.0.1 hostb hostb.foo.com
  2. All localhost entries must have ::1 entries too, or OS X will send IPv6 requests to resolve them externally. And this despite IPv6 being disabled on the interface!
  ::1 hosta hosta.foo.com ::1 hostb hostb.foo.com
  Turn off IPv6 in Network Preferences
  Go to System Preferences -> Network -> Advanced -> TCP. In the Configure IPv6 list, you may have an “Off” option. If so, select it. If not, see next tip.
  Turn off IPv6 from Terminal
  List available network services:
  networksetup -listallnetworkservices
  Turn off IPv6 on chosen device (name from above list):
  networksetup -setv6off your_device_name (i.e. Wi-Fi, Ethernet)
  Now the Configure IPv6 list  for that device will show “Off”  (see previous tip).
  MobileMe Remnants
  Apparently older OS X installations migrated to newer releases may still have hooks to no-longer existant MobileMe servers. Many users report that removing these greatly speeds up SMB connection. The following removes those references if present and are harmless if not.
  defaults delete -g iToolsMemberDomain defaults delete -g iToolsMember

• Slow DNS Lookups after connecting via PPP VPN

  I have this very annoying problem and just can't seem to find a method to resolve it.
  When I connect to my work network via a PPP VPN connection, all internet connectivity thereafter takes forever to do a DNS lookup. So when I browse the internet it takes ages before the page is displayed back.
  If I also do a ping in finder for a random URL, www.google.com for example, it sits there for nearly a minute before I get a response. If I then immediately perform the ping again, I get a response straight away. So it seems once it's resolved the domain name, it gets stored in a cache somewhere. If I try another domain name, I get the same delay and then it eventually gets through.
  As soon as I close the VPN connection, service is resumed and DNS lookups work fast.
  I've also made sure I've unchecked the option to "Send all traffic over VPN connection".
  I've also set my 'Service Order' to have my wireless Airport connection in the No #1 position.
  The other thing I've tried is deleting the default route (via Terminal) and adding one manually that points to my wireless router, again without success.
  Does anyone have any other ideas I could try? I've also recently re-installed a fresh copy of Leopard in case something was stuffed up, but the problem is still there after installation.
  Hoping someone has an easy solution!
  Many thanks

  I seem to have found a work-around. There is probably a neater way of doing this but here goes.
  Here is my setup:
  Airport Wireless to my home router
  PPP VPN connection to my office windows network
  3G connection via mobile phone
  My aim was to be able to connect to my office network via wireless at home or via my cellular data connection, but continue to route all non-work traffic via the main connection (wireless/3G).
  The #1 problem I had once I connected to my office VPN on either wireless or 3G, was that DNS lookups to general internet sites took forever. So to get around this, I created TWO VPN connections to my office network in Network Preferences and in both connections I made sure the option to send all traffic over VPN was left UNCHECKED.
  The first connection I then designated for use when connecting wirelessly at home. Here I manually added the IP address of my home router as a DNS entry.
  The second connection I did the same by adding a new DNS entry, except here I used the DNS server of my cellular data connection, in this case T-Mobile UK.
  When connecting to my office network I just use either of the above connections depending on whether I am connecting wirelessly at home or via my mobile phone.
  It seems a bit long winded I grant you, but after literally months of trying to resolve this annoying problem, this appears to be the only fix that works.
  The downfall of this would be that DNS resolution to any servers on your office network might not work, but that isn't a problem for me since I manually add any servers I use at work to my local hosts file. This negates any need for DNS lookups and actually speeds up access to my work servers.
  In amongst this I did several reboots, so you give your machine a reboot once you've completed the above steps, just in case.
  The 3G connection won't work for you if your provider changes the DNS server every time you connect, but this is unlikely.
  If anyone's got any comments, I'd love to hear them.
  Cheers
  Phil