
Troubleshooting "SERVFAIL, RCODE2" DNS lookup errors

Article was last updated on November 11, 2015.

Introduction

This article provides possible solutions to DNS-related problems that cause DNS lookups to fail with the error SERVFAIL, RCODE2 (Server failure: the name server was unable to process this query due to a problem with the name server). Frequent failures of this kind degrade filtering performance, because ORF's DNS-based tests cannot produce a result without an answer.

Is my system affected?

Occasional DNS lookup failures are normal: DNS queries are typically sent over UDP, which does not guarantee delivery, so an individual query or reply can simply be lost. If you see such errors logged only occasionally for the Reverse DNS and SPF tests, while the majority of DNS lookups succeed, there is nothing to worry about.

However, if this error is logged frequently for DNS Blacklist and SURBL lookups, we recommend trying the solutions below:

1. Use the built-in DNS resolver (ORF 5.4 and newer only)

Starting from version 5.4, ORF can access DNS using a built-in recursive DNS resolver, which is not affected by local DNS server problems. Consider switching to this resolver. Find more information on this in the related ORF help topic.

2. Make sure you are using a local DNS server with no public forwarders

In most cases, the problem is caused by public DNS servers (Google Public DNS, OpenDNS, your ISP's resolvers, etc.) being used for the queries, either directly or because the local DNS server forwards to them. Most DNS-based blacklist services (such as Spamhaus) do not accept queries from such shared resolvers: they return NXDOMAIN to every query, or do not reply at all so the query eventually times out. The NXDOMAIN case is the more dangerous one, because to the filter it is indistinguishable from "not listed": the blacklist test logs no error, it simply stops catching anything.

Make sure the DNS server configured in ORF meets all requirements.

3. Try disabling EDNS probes

If the local DNS server uses EDNS0, replies may exceed the 512-byte limit for UDP DNS messages that some firewalls still enforce, and such replies are dropped. A workaround is to stop the server from probing remote servers for EDNS support, using the following command:

dnscmd /config /EnableEDNSProbes 0

Note that this is a workaround rather than a fix: EDNS0 is also required for DNSSEC, so the better solution is to allow UDP DNS packets larger than 512 bytes (including fragments) through the firewall. For more information, please consult the related Microsoft TechNet article.
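The following script is an added example for solutions 2 and 3; it is not part of the ORF article or product. It hand-builds a DNS query for a blacklist test entry, with and without an EDNS0 OPT record, sends it to the resolver ORF is configured to use and reports the RCODE, so the three cases above can be told apart: RCODE 2 means the resolver itself failed; NXDOMAIN for an entry that every list is required to list (127.0.0.2, per RFC 5782) means the list is refusing this resolver; a reply that arrives without EDNS0 but not with it points at a firewall dropping large UDP DNS packets. The resolver address, the use of the Spamhaus ZEN zone as the list under test and the 3-second timeout are assumptions; substitute your own.

```python
"""DNS wire-level probe for the resolver ORF uses (added example, not ORF code)."""
import random
import socket
import struct
import sys

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# RFC 5782 test entry: every DNSBL lists 127.0.0.2, so a query for it must come
# back listed whenever the list accepts the resolver. Using the Spamhaus ZEN
# zone is an assumption; substitute the list you actually query.
TEST_ENTRY = "2.0.0.127.zen.spamhaus.org"


def build_query(name, qtype=1, edns_udp_size=None, qid=None):
    """Return (id, packet) for a recursive query; qtype 1 = A."""
    qid = random.randrange(0, 0x10000) if qid is None else qid
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD bit set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    packet = header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN
    if edns_udp_size:
        # OPT pseudo-RR (RFC 6891): root name, TYPE 41, CLASS field carries the
        # advertised UDP payload size, TTL field carries ext-RCODE/version/flags.
        packet += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return qid, packet


def _skip_name(data, off):
    """Return the offset just past a possibly compressed name at data[off]."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(data, expected_id):
    """Extract RCODE, the TC flag and A-record rdata from a DNS reply."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != expected_id:
        raise ValueError("reply ID does not match the query (stale or spoofed reply)")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    a_records = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            a_records.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    rcode = flags & 0x000F
    return {"rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, "RCODE%d" % rcode),
            "truncated": bool(flags & 0x0200), "a_records": a_records}


def classify(result, always_listed=False):
    """Map a parsed reply (None = no reply) to the failure modes discussed above."""
    if result is None:
        return "timeout"
    if result["rcode"] == 2:
        return "servfail"
    if result["rcode"] == 3:
        # For the always-listed test entry, NXDOMAIN means the list is refusing
        # this resolver (typically a public forwarder). A filter would read the
        # very same answer as "not listed", so spam passes with no error logged.
        return "blocked-resolver" if always_listed else "not-listed"
    if result["rcode"] == 0 and any(a.startswith("127.") for a in result["a_records"]):
        return "listed"
    return "unexpected"


def probe(resolver, name, edns_udp_size=None, timeout=3.0):
    """Send one query over UDP; return the parsed reply, or None on timeout."""
    qid, query = build_query(name, edns_udp_size=edns_udp_size)
    family = socket.AF_INET6 if ":" in resolver else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, qid)


if __name__ == "__main__":
    # Assumed: the resolver configured in ORF is passed as the first argument.
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for size in (None, 4096):
        reply = probe(resolver, TEST_ENTRY, edns_udp_size=size)
        label = "plain" if size is None else "EDNS0/%d" % size
        print(label, classify(reply, always_listed=True),
              reply and reply["rcode_name"], reply and reply["a_records"])
```

Run it against the local DNS server first and then against the forwarder it uses; "listed" from the local server but "blocked-resolver" when a public resolver is queried directly confirms the forwarder is the problem, and "listed" for the plain query but "timeout" for the EDNS0 one is the firewall case from solution 3.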

4. Increase the TTL value

When name resolution is provided by root hints, Windows Server 2008 and Windows Server 2008 R2 DNS Servers may fail to resolve queries for names in certain top-level domains. Once this happens, the problem persists until the DNS Server cache is cleared or the DNS Server service is restarted. Raising the server's maximum cache TTL (the MaxCacheTtl setting) to 2 days or higher and then flushing the DNS cache may solve the problem.

For more information, please consult the related Microsoft Knowledge Base article.

5. Install a hotfix to eliminate a bug in the Microsoft DNS Server service

Some versions of the Microsoft DNS Server service are affected by a bug: they cannot correctly handle expired or removed glue records, which causes SERVFAIL, RCODE2 errors. Installing the corresponding hotfix may solve the problem.

We also strongly recommend flushing the DNS Server cache (dnscmd /clearcache) after applying any of the above solutions, since a poisoned or stale cache entry will otherwise keep producing the error until it expires.

6. Verify IPv6 connectivity

If your DNS server believes it has Internet access over IPv6 when it has none, name resolution may fail with a timeout, which surfaces as a SERVFAIL error. This typically affects specific DNS zones, and the telltale symptom is name resolution working for a while, then suddenly ceasing to work until the DNS cache is cleared. The cause is the combination of the false IPv6 connectivity and a zone whose authoritative name servers have different Time-To-Live (TTL) values on their IPv4 (A) and IPv6 (AAAA) records. Because Microsoft DNS Server prefers IPv4 over IPv6, lookups work at first; once the A records expire from the cache while the AAAA records are still valid, the server falls back to IPv6, and the missing IPv6 connectivity manifests as a SERVFAIL error.

If you are seeing this, investigate why the server believes it has IPv6 connectivity (for example, a global IPv6 address obtained from router advertisements, or a transition tunnel such as 6to4, Teredo or ISATAP, without a working upstream route) and fix the cause accordingly.

Applies To

The article above is not specific to any ORF versions.
