I have installed DNS Sever service on my win server 2003 DC (which is also the PDC emulator and the Global Catalog server).
When I try to test for a recursive query, it doesn't work. I have cinfigured forwarders to DNS server of my ISP. Also I have added these servers in root hints also.

When I try to nslookup for an external domain I get the foolowing error

C:\Documents and Settings\Administrator>nslookup www.microsoft.com
Server: beta1.test.sch.lk
Address: 192.168.1.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to beta1.test.sch.lk timed-out

DNS server is behind a firewall (ISA 2000)
Does this has something to do with ISA firewall?
Why does the recursive query fail?
Why cant I nslookup an external domain?

Help is greatly appreciated.
RGDS
lakmal

Recursive queries are not forwarded to other DNS servers.
With recursive queries the DNS server doesn't attempt to contact another DNS server to get the information a client is asking for.
Only iterative queries are forwarded to other DNS servers if the local DNS server doesn't have an answer.

Dear Royn,

Thank you very much for the advice. Correct me if Im wrong

1. The term recursion means that a DNS server contacting another DNS server when it cannot by itself answer a query on behalf of a client

2. Iteration refers to the process of a DNS client making repeated queries to different DNS servers.

I have configured forwarders and they work fine. (that means iterative queries are ok. My DNS server forwards queries)

When I try to test for a recursive query, I still get the time-out error (means my DNS server can't contact other DNS servers on behalf of a client)

Any suggestions..?
Thanks
lakmal

You’re wright, it was late last night.
With recursive queries the DNS server always answers requests from clients, either by providing the requested information or by providing an error message. (When there is no record found)
With iterative queries the DNS server will provide the client with a record that is closes to the request if the DNS server doesn’t have a record. If the DNS server isn’t authoritative for a domain namespace it will provide the client with a record of a DNS server that is closes to that specific domain namespace. (has the best answer)
Port 53 (TCP and UDP) is used for DNS, can you surf the web?
Can you resolve a name on the LAN with the Nslookup command?

Hi there again, did you try debugging on the DNS server.
Create a txt file on you’re hard drive en go to the properties of the DNS server.
On the debug logging tab enable debugging and fill in the pad to the text file below.
Did you also check the event viewer?

Royn,

Hi. Thanks for the follow up.
Yes, I can
Surf the web without a prob(all my clients in all the subnets can surf the net smoothly)
TCP and UDP ports (53) are ok in the firewall(ISA)
nslookup works perfectly and I can resolve names on the LAN without a prob.

I enabled debugging on the DNS server and am monitoring it right now.Im also checking the event viewer also.

I'll get back to u shortly.if u have a new suggestion, pleas elet me know.
Thanks
Lakmal

Hi There,

What happens when you remove the forwarders pointing to you’re ISP?

Dear Royn,
Forgive me for the late feed back...

Yes.it does work without forwarders..

I think the broblem is in the ISA server

I found that these ports have to be opened at the ISA

TCP and UDP port 53

and als0 these protocol rules

DNS query
DNS query server
DNS Zone transfer
DNS Zone Transfer server

But when I scan the ISA server for the open ports (using GFI Languard Network Scan), I couldnt fined the port 53.
So far im trying to resolve this issue

RGDS
Lakmal