Windows DNS Queries Failing

I was putting together a PoC late last year and ran into an issue I had not seen before, caused by some functionality in Windows Server 2008 that I did not know existed at the time. In fact, no one I've mentioned it to since knew about it either. It seemed sufficiently obscure that I thought I should write about it quickly.

In the PoC, I had created a Windows domain based on Server 2008 R2. Setting that up was simple enough and I'd done it many times before. What I began to notice though was that DNS queries forwarded outside of my PoC infrastructure were failing more often than not. This made Microsoft Updates impossible to install amongst other issues.

After fiddling with the DNS timeouts and talking with the hosting provider at the remote datacenter to no avail, I discovered this Microsoft KB article:

Some DNS name queries are unsuccessful after you deploy a Windows Server 2003 or Windows Server 2008 R2-based DNS server

After following the workaround instructions and issuing the following command on the Windows DNS server…

dnscmd /config /enableednsprobes 0

…external DNS queries were successfully resolved 100% of the time. Following up with the hosting provider, they confirmed that the larger UDP packets would have been dropped by their firewalls.
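The underlying mechanism is EDNS0 (RFC 6891): a query carrying an OPT pseudo-record in its additional section advertises that the sender can accept UDP replies larger than the classic 512-byte DNS limit, and a firewall that enforces the old limit silently drops those larger packets. Windows DNS probes upstream servers with such queries, which is what the dnscmd switch above turns off. The following script is an added example, not code from the original post, that lets you see the difference on the wire: it builds a plain query and an EDNS0 query for the same name, parses any reply for the TC bit and for the server's own OPT record, and classifies the outcome so a "plain works, EDNS times out" pattern stands out. The query name example.com, the address 192.0.2.1 and the advertised sizes 4096/1232 in the constructed sample reply are assumptions chosen for illustration; probe() needs a reachable resolver and is only exercised when a server address is passed on the command line.

```python
"""Build DNS queries with and without EDNS0 and diagnose dropped large replies.

Added illustration for the EDNS/firewall issue described above; not the
original post's code. Sample data below is constructed for offline use.
"""
import socket
import struct

DNS_CLASSIC_UDP_LIMIT = 512  # pre-EDNS maximum UDP DNS message size (RFC 1035)
OPT_TYPE = 41                # RR type of the EDNS0 OPT pseudo-record


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, edns=False, udp_payload=4096):
    """Return a wire-format query; with edns=True an OPT record is appended
    that advertises `udp_payload` bytes as the acceptable UDP reply size."""
    flags = 0x0100  # RD (recursion desired) only
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    msg = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL field carries extended RCODE/version/flags (all zero), no RDATA.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return msg


def _skip_name(data, off):
    """Advance past a possibly-compressed name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Pull out what matters for this diagnosis: TC bit, RCODE, answer count,
    total size, and the UDP payload size the server's OPT record advertises."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # QTYPE + QCLASS
    opt_payload = None
    for _ in range(an + ns + ar):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == OPT_TYPE:
            opt_payload = rclass  # for OPT, CLASS is the advertised UDP size
        off += 10 + rdlen
    return {"id": txid, "truncated": bool(flags & 0x0200), "rcode": flags & 0xF,
            "answers": an, "edns_udp_payload": opt_payload, "size": len(data)}


def build_sample_response(txid=0x1234):
    """Constructed reply: TC set, one A record (192.0.2.1), OPT advertising 1232."""
    header = struct.pack("!HHHHHH", txid, 0x8380, 1, 1, 0, 1)  # QR|TC|RD|RA
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0)
    return header + question + answer + opt


def classify(plain, edns):
    """Interpret the two probe outcomes (parse_response dicts, None on timeout)."""
    if plain is None and edns is None:
        return "no-response: resolver unreachable or UDP/53 blocked"
    if plain is not None and edns is None:
        return "edns-dropped: plain query answered, EDNS query lost (middlebox dropping EDNS)"
    if edns is not None and edns["edns_udp_payload"] is None:
        return "no-edns: server answered but ignored the OPT record"
    if edns is not None and edns["size"] > DNS_CLASSIC_UDP_LIMIT:
        return "large-udp-ok: a reply over 512 bytes made it through"
    return "edns-ok: EDNS negotiated, replies within the classic size"


def probe(server, name="example.com", timeout=3.0):
    """Send a plain and an EDNS0 query to `server` over UDP/53; None on timeout."""
    results = {}
    for label, query in (("plain", build_query(name)),
                         ("edns", build_query(name, edns=True))):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(4096)
            results[label] = parse_response(data)
        except socket.timeout:
            results[label] = None
        finally:
            sock.close()
    return results


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        res = probe(sys.argv[1])
        print(res)
        print(classify(res["plain"], res["edns"]))
    else:
        sample = parse_response(build_sample_response())
        print(sample)
        print(classify(sample, None))
```

Run it against the forwarder your Windows DNS server uses (`python edns_probe.py <resolver-ip>`); if the plain query is answered and the EDNS query times out, the path between the two is dropping EDNS traffic, which is the situation the dnscmd workaround papers over. A TC bit in the plain reply with no EDNS reply at all is the same symptom seen from the other side: the server wanted to send more than 512 bytes but the larger packet never arrived.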