Servers are Windows 2008 R2, VMware based.
The two (2) DNS servers are also our two agency domain controllers so it is DNS services running on the domain controllers.
We are a state agency and are a child domain in the state forest - a member of a greater forest. State/forest, our agency/domain.
In all examples below, I have removed our real name and state. This is us:
OurAgency(3)gov(5)state(2)AA(2)us(0)
Where this would be our FQDN - ouragencyname dot the forest level dot state dot state abbreviation dot US
I am part of our agency's IT staff (Network Security Administrator). I was being slowed down in my work and bugged by things that made no sense to me, so I ended up getting very determined and fishing out issues that have been issues for a long time. I am VERY new to Active Directory, DNS and such; 90% of it is still over my head. I've sort of fallen into it.
I'll try to explain the issue or problem.
Our clients are sending DNS queries to our DNS servers that appear to be nonsense, or invalid questions. In fact one of the state IT enterprise specialists looked at the logs and said "your computers have a problem, they should not be doing this".
The examples below come from the debug logs on the DNS servers/Domain Controllers - I enabled the debug logging on both.
Here is a query many of our computers send to DNS that gets a "no such thing" response:
(5)_ldap(4)_tcp(8)DNSServerName(4)ouragency(3)gov(5)state(2)AA(2)us(0)
_ldap._tcp.DNSServerName.ouragency.gov.state.AA.us
Where DNSServerName is the REAL name of our actual server.
There are actually quite a few of these in the DNS debug logs on both DNS servers. Some are even aimed at the forest level - one level up from us.
Here are some that work and get a valid response with the correct answer:
(5)_ldap(4)_tcp(3)pdc(6)_msdcs(4)ouragency(3)gov(5)state(2)AA(2)us(0)
(5)_ldap(4)_tcp(29)Our-Building(6)_sites(2)dc(6)_msdcs(4)ouragency(3)GOV(5)STATE(2)AA(2)US(0)
I am told I should never see a request that has the server's actual name in the "path" (for lack of a better term). And in fact, if I do, it's always a NXDOMAIN, but if it does not have a server name, it is a NOERROR response.
These are my concern where you see the NXDOMAIN response - here is an exchange between a single computer and our DNS:
3/18/2013 7:41:05 AM 0A24 PACKET 00000000030D0BE0 UDP Rcv 10.252.24.104 3ddc Q [0001 D NOERROR] SRV (5)_ldap(4)_tcp(29)OurBuilding(6)_sites(2)gc(6)_msdcs(3)gov(5)state(2)AA(2)us(0)
3/18/2013 7:41:05 AM 0A24 PACKET 00000000030D0BE0 UDP Snd 10.252.24.104 3ddc R Q [8081 DR NOERROR] SRV (5)_ldap(4)_tcp(29)OurBuilding(6)_sites(2)gc(6)_msdcs(3)gov(5)state(2)AA(2)us(0)
3/18/2013 7:41:05 AM 0A24 PACKET 0000000002E3D030 UDP Rcv 10.252.24.104 b4ba Q [0001 D NOERROR] SRV (5)_ldap(4)_tcp(29)OurBuilding(6)_sites(8)DNSServerName(4)OurAgency(3)gov(5)state(2)AA(2)us(0)
3/18/2013 7:41:05 AM 0A24 PACKET 0000000002E3D030 UDP Snd 10.252.24.104 b4ba R Q [8385 A DR NXDOMAIN] SRV (5)_ldap(4)_tcp(29)OurBuilding(6)_sites(8)DNSServerName(4)OurAgency(3)gov(5)state(2)AA(2)us(0)
3/18/2013 7:41:05 AM 0A24 PACKET 0000000003C0B8B0 UDP Rcv 10.252.24.104 d098 Q [0001 D NOERROR] SRV (5)_ldap(4)_tcp(8)DNSServerName(4)OurAgency(3)gov(5)state(2)AA(2)us(0)
3/18/2013 7:41:05 AM 0A24 PACKET 0000000003C0B8B0 UDP Snd 10.252.24.104 d098 R Q [8385 A DR NXDOMAIN] SRV (5)_ldap(4)_tcp(8)DNSServerName(4)OurAgency(3)gov(5)state(2)AA(2)us(0)
Originally I had found several of our computers were logging DNS client errors - such as failures or no domain controller responded, that sort of thing.
The DCs were really responding in most cases, as I noted in the debug logs, or they appeared to be, but in this process I noted the queries above and the apparent "mistakes" in them, which caused us to get our state enterprise IT shop involved.
The first thing one of them noted was these, as he called them, nonsense queries. He claims "none of my servers or clients make such requests". I have since proven him wrong, in that now and then their DNS server asks us for resolution to something in our domain, and their DNS is asking in similar fashion. Oddly, their DNS servers only end up asking that sort of thing when contacting OUR DNS servers. They never see it if their server queries other agencies' servers - he claims it's only us.
So the questions -
Why are clients and servers asking our DNS servers for things which include the DNS server name in the "path"?
A request for _ldap._tcp should not include the ACTUAL SERVER NAME, should it ever? Such as this example?
_ldap._tcp.OurDCName.OurAgencyName.gov.state.AA.us
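As an added example (not part of the original post, and not code from the poster or from Microsoft), the script below parses Windows DNS Server debug-log PACKET lines like the ones quoted above, decodes the (len)label wire-format names, pairs each received SRV query with the answer the server sent back, and checks the queried name against the only label shapes the AD DC Locator ever registers between the service prefix (_ldap._tcp, _gc._tcp, _kerberos._tcp/_udp, _kpasswd._tcp/_udp) and a zone: nothing, <site>._sites, dc|pdc|gc._msdcs, <site>._sites.dc|gc._msdcs, or <domain-guid>.domains._msdcs. A name with any other label directly under the zone, such as a host name, is reported as "unexpected". The sample log is the anonymized exchange from the post (the label lengths in it no longer match the anonymized labels, so the decoder trusts the label text and ignores the lengths); the zone list (our child domain and the forest root) is an assumption drawn from the post's naming.

```python
"""Parse Windows DNS Server debug-log PACKET lines and flag SRV lookups that do
not match any standard Active Directory DC Locator record form."""
import re
from collections import Counter

# One "PACKET" line of the Windows DNS debug log, fields as seen in the post:
#   date time TID PACKET ptr proto Rcv|Snd client xid [R] Q [flags rcode] qtype qname
PACKET_RE = re.compile(
    r"^(?P<ts>\S+ \S+ [AP]M) (?P<tid>[0-9A-Fa-f]+) PACKET (?P<ptr>[0-9A-Fa-f]+) "
    r"(?P<proto>UDP|TCP) (?P<dir>Rcv|Snd) (?P<ip>\S+) (?P<xid>[0-9A-Fa-f]+) "
    r"(?P<resp>R )?Q \[(?P<flags>[^\]]+)\] (?P<qtype>\S+) (?P<qname>\S+)$")
# Names are logged as (len)label(len)label...(0). The lengths in the post were
# altered by anonymization, so the label text is used and the lengths ignored.
LABEL_RE = re.compile(r"\((\d+)\)([^()]*)")

# Service prefixes the DC Locator registers SRV records under.
LOCATOR_SERVICES = {"_ldap._tcp", "_gc._tcp", "_kerberos._tcp", "_kerberos._udp",
                    "_kpasswd._tcp", "_kpasswd._udp"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def decode_name(wire):
    """'(5)_ldap(4)_tcp(2)AA(2)us(0)' -> '_ldap._tcp.aa.us' (lower-cased)."""
    return ".".join(lab for _, lab in LABEL_RE.findall(wire) if lab).lower()

def parse_line(line):
    """Return a dict of the PACKET line's fields, or None if it is not one."""
    m = PACKET_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["response"] = rec.pop("resp") is not None
    rec["rcode"] = rec["flags"].split()[-1]          # NOERROR, NXDOMAIN, ...
    rec["qname"] = decode_name(rec["qname"])
    return rec

def classify_srv(qname, zones):
    """Return (category, detail): 'locator' for a standard DC Locator name,
    'unexpected' for a locator prefix followed by labels no DC registers,
    'other' for anything that is not a locator lookup in one of our zones."""
    labels = qname.lower().split(".")
    svc = ".".join(labels[:2])
    if svc not in LOCATOR_SERVICES:
        return "other", "not a DC Locator service prefix"
    rest = labels[2:]
    for zone in sorted(zones, key=len, reverse=True):   # longest suffix wins
        zl = zone.lower().split(".")
        if len(rest) >= len(zl) and rest[-len(zl):] == zl:
            middle = rest[:-len(zl)]
            break
    else:
        return "other", "zone is not one we host"
    # The only label shapes the locator puts between <service> and <zone>:
    #   <empty> | <site>._sites | dc|pdc|gc._msdcs | <site>._sites.dc|gc._msdcs
    #   | <domain-guid>.domains._msdcs
    if not middle:
        return "locator", "%s for zone %s" % (svc, zone)
    if len(middle) == 2 and middle[1] == "_sites":
        return "locator", "site %s in zone %s" % (middle[0], zone)
    if len(middle) == 2 and middle[1] == "_msdcs" and middle[0] in ("dc", "pdc", "gc"):
        return "locator", "%s._msdcs in zone %s" % (middle[0], zone)
    if (len(middle) == 4 and middle[1] == "_sites" and middle[3] == "_msdcs"
            and middle[2] in ("dc", "gc")):
        return "locator", "site %s, %s._msdcs in zone %s" % (middle[0], middle[2], zone)
    if len(middle) == 3 and middle[1:] == ["domains", "_msdcs"] and GUID_RE.match(middle[0]):
        return "locator", "domain GUID %s in zone %s" % (middle[0], zone)
    return "unexpected", "label(s) '%s' directly under zone %s" % (".".join(middle), zone)

def audit(lines, zones):
    """Pair each received SRV query with the answer sent back and classify it."""
    pending, findings = {}, []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "SRV":
            continue
        key = (rec["ip"], rec["xid"].lower(), rec["qname"])
        if rec["dir"] == "Rcv" and not rec["response"]:
            pending[key] = rec
        elif rec["dir"] == "Snd" and rec["response"] and key in pending:
            q = pending.pop(key)
            cat, detail = classify_srv(q["qname"], zones)
            findings.append({"client": q["ip"], "qname": q["qname"],
                             "rcode": rec["rcode"], "category": cat, "detail": detail})
    return findings

def summarize(findings):
    """Count findings by (category, rcode), e.g. ('unexpected', 'NXDOMAIN')."""
    return Counter((f["category"], f["rcode"]) for f in findings)

# Assumed zones: the child domain and the forest root, as named in the post.
ZONES = ["OurAgency.gov.state.AA.us", "gov.state.AA.us"]
# Sample input: the anonymized exchange quoted in the post.
SAMPLE_LOG = """
3/18/2013 7:41:05 AM 0A24 PACKET 00000000030D0BE0 UDP Rcv 10.252.24.104 3ddc Q [0001 D NOERROR] SRV (5)_ldap(4)_tcp(29)OurBuilding(6)_sites(2)gc(6)_msdcs(3)gov(5)state(2)AA(2)us(0)
3/18/2013 7:41:05 AM 0A24 PACKET 00000000030D0BE0 UDP Snd 10.252.24.104 3ddc R Q [8081 DR NOERROR] SRV (5)_ldap(4)_tcp(29)OurBuilding(6)_sites(2)gc(6)_msdcs(3)gov(5)state(2)AA(2)us(0)
3/18/2013 7:41:05 AM 0A24 PACKET 0000000002E3D030 UDP Rcv 10.252.24.104 b4ba Q [0001 D NOERROR] SRV (5)_ldap(4)_tcp(29)OurBuilding(6)_sites(8)DNSServerName(4)OurAgency(3)gov(5)state(2)AA(2)us(0)
3/18/2013 7:41:05 AM 0A24 PACKET 0000000002E3D030 UDP Snd 10.252.24.104 b4ba R Q [8385 A DR NXDOMAIN] SRV (5)_ldap(4)_tcp(29)OurBuilding(6)_sites(8)DNSServerName(4)OurAgency(3)gov(5)state(2)AA(2)us(0)
3/18/2013 7:41:05 AM 0A24 PACKET 0000000003C0B8B0 UDP Rcv 10.252.24.104 d098 Q [0001 D NOERROR] SRV (5)_ldap(4)_tcp(8)DNSServerName(4)OurAgency(3)gov(5)state(2)AA(2)us(0)
3/18/2013 7:41:05 AM 0A24 PACKET 0000000003C0B8B0 UDP Snd 10.252.24.104 d098 R Q [8385 A DR NXDOMAIN] SRV (5)_ldap(4)_tcp(8)DNSServerName(4)OurAgency(3)gov(5)state(2)AA(2)us(0)
"""

if __name__ == "__main__":
    results = audit(SAMPLE_LOG.splitlines(), ZONES)
    for f in results:
        print("%-14s %-10s %-8s %s" % (f["client"], f["category"], f["rcode"], f["detail"]))
    print(dict(summarize(results)))
```

Run it against a full debug log (`audit(open(path, errors="replace"), ZONES)`) and sort the "unexpected" findings by client to see which machines send the host-name form and whether every one of them gets NXDOMAIN; the gc._msdcs lookup against the forest root is classified as a normal locator query, as it should be, so the report isolates exactly the names the post is asking about.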