Hi,
I am getting an incorrect DNS response for DNS queries to 199.85.162.20 and 199.85.127.20 for the name 'login.live.com'
I will try to provide the full technical details here to avoid confusion or the need for further questions.
Setup:
(Windows & Mac) PCs on the LAN resolve DNS from a local server on the LAN
This 'local server' is running Server 2008 R2 and the built-in Microsoft DNS server (this is AD integrated)
The 'local server' DNS server/service has 199.85.162.20 and 199.85.127.20 as the forwarders.
Thus queries for all zones NOT on the local DNS server will be resolved via the forwarder(s).
This is a 'normal' default server/lan setup. I have not tried to re-invent the wheel or do anything special.
The Problem:
Incorrect DNS responses from NortonDNS under some circumstances for lookups of 'login.live.com'
1/ When I use NortonDNS (199.85.162.20 and 199.85.127.20) as the DNS forwarders I get Invalid (incorrect) responses.
2/ When I use OpenDNS (208.67.222.222 and 208.67.220.220) as the DNS forwarders I get correct responses.
3/ If I directly query NortonDNS (199.85.162.20 and 199.85.127.20) using NSLOOKUP I get correct responses.
HELP!
Can anyone help resolve this for me, or am I destined not to be able to use NortonDNS anymore..
This used to work ok and stopped in the last day or so..
Diagnostic, trace and log details:
----------------------------------------------
If I query using NSLOOKUP from a PC on the LAN for 'login.live.com' I get:
C:\>nslookup -q=any login.live.com.
Server: LocalServer.local
Address: <local servers-ip>
Non-authoritative answer:
login.live.com canonical name = login.live.com.nsatc.net
login.live.com.nsatc.net internet address = 156.154.176.20
login.live.com.nsatc.net internet address = 156.154.176.20
This is VERY wrong!!!
If I do the same Query but use OpenDNS I get the correct answer:
C:\>nslookup -q=a login.live.com. 208.67.222.222
Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
Name: login.live.com.nsatc.net
Addresses: 131.253.61.98
131.253.61.82
131.253.61.80
131.253.61.96
Aliases: login.live.com
Now this looks correct..
If I query DIRECTLY to NortonDNS I get:
C:\>nslookup -q=a login.live.com. 199.85.126.20
Server: UnKnown
Address: 199.85.126.20
Non-authoritative answer:
Name: login.live.com.nsatc.net
Addresses: 65.55.163.80
131.253.61.84
65.55.163.76
131.253.61.80
Aliases: login.live.com
Again.. This looks CORRECT..!
So something is going amiss on the recursive query that the local DNS server is making of NortonDNS
If I check/trace the query via the localserver DNS server I see in the log the following:
24/04/2014 11:12:04 5928 PACKET 00000000034D4540 UDP Snd 199.85.126.20 9830 Q [0001 D NOERROR] ALL (5)login(4)live(3)com(0)
UDP question info at 00000000034D4540
Socket = 8088
Remote addr 199.85.126.20, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x0020 (32)
Message:
XID 0x9830
Flags 0x0100
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(5)login(4)live(3)com(0)"
QTYPE ALL (255)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty
24/04/2014 11:12:05 5928 PACKET 00000000185F7500 UDP Rcv 199.85.126.20 9830 R Q [8081 DR NOERROR] ALL (5)login(4)live(3)com(0)
UDP response info at 00000000185F7500
Socket = 8088
Remote addr 199.85.126.20, port 53
Time Query=1321251, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x0046 (70)
Message:
XID 0x9830
Flags 0x8180
QR 1 (RESPONSE)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 1
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 1
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(5)login(4)live(3)com(0)"
QTYPE ALL (255)
QCLASS 1
ANSWER SECTION:
Offset = 0x0020, RR count = 0
Name "[C00C](5)login(4)live(3)com(0)"
TYPE CNAME (5)
CLASS 1
TTL 1348
DLEN 26
DATA (5)login(4)live(3)com(5)nsatc(3)net(0)
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty
24/04/2014 11:12:05 5928 PACKET 00000000034D4540 UDP Snd 199.85.126.20 0560 Q [0001 D NOERROR] A (5)login(4)live(3)com(5)nsatc(3)net(0)
UDP question info at 00000000034D4540
Socket = 2132
Remote addr 199.85.126.20, port 53
Time Query=0, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x002a (42)
Message:
XID 0x0560
Flags 0x0100
QR 0 (QUESTION)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 0
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(5)login(4)live(3)com(5)nsatc(3)net(0)"
QTYPE A (1)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty
24/04/2014 11:12:05 5928 PACKET 00000000086817E0 UDP Rcv 199.85.126.20 0560 R Q [8081 DR NOERROR] A (5)login(4)live(3)com(5)nsatc(3)net(0)
UDP response info at 00000000086817E0
Socket = 2132
Remote addr 199.85.126.20, port 53
Time Query=1321251, Queued=0, Expire=0
Buf length = 0x0fa0 (4000)
Msg length = 0x007a (122)
Message:
XID 0x0560
Flags 0x8180
QR 1 (RESPONSE)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 1
Z 0
CD 0
AD 0
RCODE 0 (NOERROR)
QCOUNT 1
ACOUNT 2
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(5)login(4)live(3)com(5)nsatc(3)net(0)"
QTYPE A (1)
QCLASS 1
ANSWER SECTION:
Offset = 0x002a, RR count = 0
Name "(5)login(4)live(3)com(5)nsatc(3)net(0)"
TYPE A (1)
CLASS 1
TTL 600
DLEN 4
DATA 156.154.176.20
Offset = 0x0052, RR count = 1
Name "(5)login(4)live(3)com(5)nsatc(3)net(0)"
TYPE A (1)
CLASS 1
TTL 600
DLEN 4
DATA 156.154.175.20
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty
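Added example (not part of the original post): a small Python parser for Windows DNS debug-log entries in the layout quoted above. It pairs each query with its response by remote address and XID, so the question the local server actually sent to the forwarder (QTYPE and name) can be lined up against the nslookup tests. The names `decode_name` and `transactions` are hypothetical, and the sample is a trimmed excerpt of the log in the post.

```python
import re

# Summary line of a Windows DNS debug-log packet entry, as laid out in the post.
HEADER = re.compile(
    r"^\S+ \S+ \S+ PACKET \S+ (?:UDP|TCP) (?:Snd|Rcv) (?P<remote>\S+) "
    r"(?P<xid>[0-9a-fA-F]{4}) (?P<resp>R )?Q \[(?P<flags>[^\]]*)\] "
    r"(?P<qtype>\S+) (?P<qname>\S+)$")
LABEL = re.compile(r"\((\d+)\)([^()]*)")

def decode_name(field):
    """'(5)login(4)live(3)com(0)' -> 'login.live.com' (length-prefixed labels)."""
    field = re.sub(r"^\[[0-9A-Fa-f]+\]", "", field.strip().strip('"'))  # drop [C00C] pointer tag
    labels = []
    for length, text in LABEL.findall(field):
        if int(length) != len(text):
            raise ValueError(f"label length mismatch in {field!r}")
        if text:  # skip the terminating (0) root label
            labels.append(text)
    return ".".join(labels)

def transactions(log_text):
    """Pair queries with responses by (remote, XID); collect each response's DATA."""
    txs, current = {}, None
    for line in map(str.strip, log_text.splitlines()):
        m = HEADER.match(line)
        if m:
            tx = txs.setdefault((m["remote"], m["xid"].lower()), {
                "remote": m["remote"], "qtype": m["qtype"],
                "qname": decode_name(m["qname"]), "rcode": None, "answers": []})
            current = tx if m["resp"] else None  # only responses carry answer DATA
            if current:
                tx["rcode"] = m["flags"].split()[-1]
        elif current and line.startswith("DATA "):
            value = line[5:].strip()
            current["answers"].append(decode_name(value) if value.startswith("(") else value)
    return list(txs.values())

# Trimmed excerpt of the debug log quoted in the post (summary and DATA lines only).
SAMPLE = """\
24/04/2014 11:12:04 5928 PACKET 00000000034D4540 UDP Snd 199.85.126.20 9830 Q [0001 D NOERROR] ALL (5)login(4)live(3)com(0)
24/04/2014 11:12:05 5928 PACKET 00000000185F7500 UDP Rcv 199.85.126.20 9830 R Q [8081 DR NOERROR] ALL (5)login(4)live(3)com(0)
TYPE CNAME (5)
DATA (5)login(4)live(3)com(5)nsatc(3)net(0)
24/04/2014 11:12:05 5928 PACKET 00000000034D4540 UDP Snd 199.85.126.20 0560 Q [0001 D NOERROR] A (5)login(4)live(3)com(5)nsatc(3)net(0)
24/04/2014 11:12:05 5928 PACKET 00000000086817E0 UDP Rcv 199.85.126.20 0560 R Q [8081 DR NOERROR] A (5)login(4)live(3)com(5)nsatc(3)net(0)
DATA 156.154.176.20
DATA 156.154.175.20
"""
```

Calling `transactions(SAMPLE)` returns one record per XID, showing an ALL query for login.live.com followed by a separate A query for the CNAME target; the direct nslookup tests in the post used `-q=a` against login.live.com instead.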