T The Triage ManualTechnical Guides for IT Emergencies
P2 · Network Infrastructure

DNS Resolution Failures Across Segmented Networks — Missing Conditional Forwarders, Firewall Port 53 Blocks, and Zone Delegation Gaps

In VLAN-separated or micro-segmented environments, DNS resolution fails when client-facing resolvers lack conditional forwarders pointing to authoritative servers in remote segments, or when firewall ACLs block UDP/TCP port 53 between resolvers and those authoritative servers. Symptoms include hostname lookup failures (SERVFAIL, NXDOMAIN, timeout) while IP-based connectivity succeeds, and downstream failures in Kerberos authentication, LDAP, and SRV-dependent service discovery. Resolution requires adding correct conditional forwarders or stub zones on each segment's resolver, opening bidirectional port 53 (UDP and TCP) through intervening firewalls, and flushing DNS caches after changes. Caching can mask intermittent failures during diagnosis; both forward and reverse (PTR) zones must be accounted for across all segments.

Indicators

Likely causes

Diagnostic steps

  1. From an affected client in the failing segment, query the local resolver and then query the remote authoritative DNS server directly to isolate whether the fault is in forwarding or firewall policy: nslookup <target-hostname> <local-dns-server-ip> nslookup <target-hostname> <remote-authoritative-dns-ip>
    Determines whether the local resolver can answer the query itself and whether the remote authoritative server is reachable at the DNS protocol level; if the second query succeeds but the first fails, forwarding is the problem.
  2. Test TCP port 53 reachability from the local DNS resolver to the remote DNS server: Test-NetConnection -ComputerName <remote-dns-server-ip> -Port 53 Also test UDP/53 reachability using a targeted nslookup or by observing packet capture responses.
    Confirms whether firewall or ACL policy is blocking DNS traffic between segments — a TCP/53 failure with UDP/53 success explains large-response failures (DNSSEC, many SRV records).
  3. On the local DNS server, inspect configured forwarders and conditional forwarders: Get-DnsServerForwarder Get-DnsServerZone | Where-Object { $_.ZoneType -eq 'Forwarder' } | Select-Object ZoneName, MasterServers
    Identifies missing or incorrect conditional forwarder entries — if no forwarder zone exists for the target domain or it points to the wrong IP, this is the root cause.
  4. Run a trace-level DNS query using dig with the +trace flag from the resolver to observe the full delegation path: dig +trace <target-hostname> @<local-dns-server-ip>
    Reveals whether delegation referrals at any level point outside the expected segment path or return incorrect NS records, and shows exactly where resolution breaks down.
  5. Capture DNS query and response traffic on the local DNS server's interface facing the remote segment: tcpdump -i <interface> -n port 53 -w /tmp/dns-capture.pcap Open the capture in Wireshark for analysis.
    Provides wire-level ground truth — confirms whether queries leave the resolver, reach the remote server, and what error or response is returned; distinguishes dropped packets from SERVFAIL responses.
  6. Check DNS server event logs for forwarder timeout or zone delegation errors: Windows: Event Viewer → Applications and Services Logs → DNS Server Linux: /var/log/named/named.log or /var/log/syslog (grep for 'SERVFAIL', 'forwarder', 'transfer')
    Surfaces logged DNS server errors including forwarder unreachable events, SERVFAIL generation, and zone transfer failures that confirm the specific failure mode.

Resolution path

Prevention

Tools

References

dnsname-resolutionnetwork-segmentationfirewallconditional-forwarderstub-zonesplit-dnsvlankerberosldapport-53windows-dnsbindinfrastructureservfailnxdomainptrreverse-dnszone-delegationtcp-fallback