Hello,
Thank you for posting your question on the Microsoft Windows forum!
Based on your query, you are able to resolve records within ad.abc.com on the BIND secondary, but lb.ad.abc.com fails with **connection timed out; no servers could be reached**. This might indicate that the BIND secondary server is not able to successfully resolve the NS records for lb.ad.abc.com and then query those delegated name servers. Also, the phrase **Further many of these delegated zone ns servers are LB instances and do not listen to port 53** is a key piece of information, since DNS relies on UDP and TCP port 53. If your delegated NS servers are load balancers that don't pass port 53 traffic to the actual DNS servers behind them, or if the actual DNS servers are listening on port 53, then the BIND secondary server will indeed time out when trying to query them. The following are suggested troubleshooting steps for the issue.
1. Firewall Issues:
- Verify firewall rules on your BIND secondary server, on any network firewalls between the BIND secondary and the delegated NS servers, and on the delegated NS servers themselves. Ensure UDP and TCP port 53 are open for inbound queries on the delegated NS servers from your BIND secondary's IP.
- While you said AD DNS has no issues, it's worth double-checking that AD DNS can reach the delegated NS servers on port 53.
2. Delegated NS Servers Not Listening on Port 53:
- Verify the actual DNS servers: What are the actual DNS servers behind those load balancers? Ensure they are listening on port 53.
- Load Balancer Configuration: The load balancer (LB) needs to be configured to forward UDP and TCP port 53 traffic to the DNS servers. If it's performing health checks, those checks should be for the DNS service, not just a basic TCP connect.
3. Incorrect NS Records in the Parent Zone (ad.abc.com):
- While you said AD DNS works, it's worth verifying the NS records for lb.ad.abc.com within the ad.abc.com zone on your AD DNS.
- On your AD DNS, use nslookup or dig to query lb.ad.abc.com and see what NS records are returned. Ensure the IP addresses associated with those NS records are correct and correspond to your delegated name servers (or their load balancer VIPs). Pay close attention to glue records if the NS servers for lb.ad.abc.com are within lb.ad.abc.com itself, for example ns1.lb.ad.abc.com.
4. BIND Secondary Server Configuration for Recursion/Forwarders:
- Your BIND secondary server needs to be able to resolve names recursively or use forwarders to find the authoritative servers for lb.ad.abc.com.
- Recursion: Ensure `recursion yes;` is set in your named.conf.options or named.conf file on the BIND secondary server. Also, `allow-recursion` should permit your clients (or the BIND server itself when performing recursion) to query.
- Forwarders: If you're using forwarders on your BIND secondary, ensure they are configured correctly and that these forwarders can resolve lb.ad.abc.com. Ideally, your BIND secondary should be able to resolve these directly by following the delegation chain.
Hope the above information is helpful!
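The checks in steps 2 and 3 above (which NS records the parent hands out, and whether each one actually answers on UDP and TCP port 53) can be scripted with `dig`. The script below is an added example, not part of the answer above; it assumes `dig` from bind-utils/dnsutils is installed, and the parent server address `10.0.0.10` and zone `lb.ad.abc.com` in the usage line are placeholders to replace with your own values.

```shell
#!/bin/sh
# Added example (not from the original answer): walk the delegation for a
# child zone. Ask the parent's DNS for the NS records, then query each NS
# directly over UDP and TCP port 53 and report which ones time out.
# Assumes `dig` is installed; hostnames/addresses below are placeholders.

# classify_answer: reduce dig's output (on stdin) to a one-word verdict.
# Prints one of: TIMEOUT, OK, REFUSED, SERVFAIL, NXDOMAIN, OTHER
classify_answer() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*|*"no servers could be reached"*) echo TIMEOUT ;;
        *"status: NOERROR"*)  echo OK ;;
        *"status: REFUSED"*)  echo REFUSED ;;
        *"status: SERVFAIL"*) echo SERVFAIL ;;
        *"status: NXDOMAIN"*) echo NXDOMAIN ;;
        *)                    echo OTHER ;;
    esac
}

# probe_ns: ask one name server for the child zone's SOA over UDP, then TCP.
# A load balancer VIP that does not pass port 53 shows TIMEOUT on both;
# a firewall that only allows UDP shows OK on UDP and TIMEOUT on TCP.
#   $1 = name server host or IP, $2 = child zone
probe_ns() {
    ns=$1; zone=$2
    udp=$(dig +time=2 +tries=1 "@$ns" "$zone" SOA 2>&1 | classify_answer)
    tcp=$(dig +tcp +time=2 +tries=1 "@$ns" "$zone" SOA 2>&1 | classify_answer)
    printf '%-30s UDP/53=%-8s TCP/53=%s\n' "$ns" "$udp" "$tcp"
}

# check_delegation: list the NS records the parent DNS returns for the child
# zone (what the BIND secondary will follow), then probe each of them.
#   $1 = parent DNS server (e.g. the AD DNS IP), $2 = child zone
check_delegation() {
    parent=$1; zone=$2
    echo "NS records for $zone as returned by $parent:"
    nslist=$(dig +short "@$parent" "$zone" NS 2>/dev/null || true)
    if [ -z "$nslist" ]; then
        echo "  (none returned: check the delegation/glue in the parent zone)"
        return 1
    fi
    echo "$nslist" | sed 's/^/  /'
    for ns in $nslist; do
        probe_ns "${ns%.}" "$zone"    # strip trailing dot from the NS name
    done
}

# Usage (placeholder values):
#   check_delegation 10.0.0.10 lb.ad.abc.com
```

Run it from the BIND secondary itself so the probes traverse the same firewalls and load balancers that BIND's recursion does; an NS that shows `TIMEOUT` for both UDP and TCP is the one to take to the load balancer or firewall team, and an empty NS list points back at the parent zone's delegation records.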