Cannot resolve names in certain top level domains like


[Today's post comes to us courtesy of Chris Puckett] 

After one day, you may find your Windows 2008 DNS Server is unable to resolve names in certain top level domains (TLDs) such as .cn and .br when it is configured to use root hints; other TLDs may be affected as well. A network monitor trace shows the DNS server does not send any DNS traffic out to the internet, and the Windows 2008 DNS server returns SERVFAIL to the client (or to nslookup).

Workarounds include restarting the DNS service, clearing the DNS cache, setting MaxCacheTtl to 2 days or greater, and using DNS forwarders instead of root hints.

If you want to use root hints, you can set the maxcachettl registry value on the Windows 2008 DNS Server as follows:

1. Start Registry Editor (Regedit.exe).

2. Locate the following registry key:


3. On the Edit menu, click New, click DWORD (32-bit) Value, and then add the following value:

Value: MaxCacheTtl
Data Type: DWORD
Data value: 0x2A300  (172800 in decimal = 2 days)

4. Click OK.

5. Quit Registry Editor.

6. Restart the DNS server.

Data type:     REG_DWORD
Range:         0x0 | 0x1 - 0xFFFFFFFF seconds
Default value: 0x15180 (86,400 seconds = 1 day)
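The same change as the six Regedit steps above, scripted so it can be audited and applied consistently across servers. This is an added example, not code from the original post or from Microsoft; it assumes the MaxCacheTtl value lives under the DNS service's Parameters key (the post leaves the key path out, so that path is stated here from general knowledge), and it prints the decimal and hex forms side by side so the value typed into Regedit can be checked.

```powershell
# Added example (not from the original post): audit and, if needed, raise
# MaxCacheTtl on a Windows DNS server, then restart the DNS service.
# ASSUMPTION: the value is stored under the DNS service Parameters key below;
# the post omits the key path, so it is supplied here, not taken from the page.
$paramsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$valueName      = 'MaxCacheTtl'
$defaultSeconds = 86400    # 0x15180, one day: the documented default
$desiredSeconds = 172800   # 0x2A300, two days: the value the post recommends

function Get-MaxCacheTtl {
    # Returns the configured value in seconds, or the default when the value is absent.
    $item = Get-ItemProperty -Path $paramsKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $defaultSeconds }
    return [int]$item.$valueName
}

function Show-TtlConversion {
    param([int]$Seconds)
    # Decimal and hex side by side. Regedit's DWORD editor in "Hexadecimal" mode
    # expects 2A300 without the 0x prefix; entering the prefix gives a different number.
    '{0} seconds = 0x{0:X} hex = {1} day(s)' -f $Seconds, ($Seconds / 86400)
}

$current = Get-MaxCacheTtl
Write-Output ('Current MaxCacheTtl: ' + (Show-TtlConversion -Seconds $current))

if ($current -lt $desiredSeconds) {
    if (-not (Test-Path $paramsKey)) {
        throw 'DNS Parameters key not found; is the DNS Server role installed on this host?'
    }
    Write-Output ('Raising MaxCacheTtl to ' + (Show-TtlConversion -Seconds $desiredSeconds))
    Set-ItemProperty -Path $paramsKey -Name $valueName -Value $desiredSeconds -Type DWord
    # The DNS service reads MaxCacheTtl at start-up, so a restart is required (step 6 above).
    Restart-Service -Name DNS
    Write-Output ('New MaxCacheTtl: ' + (Show-TtlConversion -Seconds (Get-MaxCacheTtl)))
}
else {
    Write-Output 'No change needed: MaxCacheTtl is already two days or more.'
}
```

Run it from an elevated PowerShell session on the DNS server. The script only raises the value, never lowers it, so a server already set above two days is left alone; the restart briefly interrupts name resolution for clients pointed at this server, so schedule it accordingly.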

You may see this behavior in Windows 2008, SBS 2008 and EBS 2008.

UPDATE: KB Published. 

KB 968372: Windows Server 2008 DNS Servers may fail to resolve queries for some top-level domains

  • Are you able to give the circumstances when this happens, I work for a TLD and am also a Windows Admin (we've had tickets from customers on this) so would really like to re-create it in my lab.



  • Hurrah! I was beginning to think it was just me! I've seen this behaviour since day 1 testing Server 2008 all the way through to our now live clients' production environments. We always use root hints where possible as we find many providers' own DNS servers to be unreliable.

    Thank you for this great post - at least I know what to do about it - but do you know what's the cause and long term resolution?



  • Ok... but WHY would I want to make this registry change on my server?  What's the root cause of the problem?  Why would I want to set MaxCacheTtl to 2 days instead of 1 day or 10 days?


  • Cause: When the DNS server saves the NS records to the cache, the TTL for the A (glue) record gets changed to be 1 day. The TTL for the NS record stays at 2 days. When the A records expire, the DNS server starts returning a "Server Failure" response to the client that issues the DNS query.

  • Data value: 0x2A300  (172800 in decimal = 2 days)

    0x2A300 resolves to 68330240 decimal

    2A300 resolves to 172800 decimal

    Or it does in my regedt32 anyway.

    But thanks for the fix, this DNS bug has really been annoying me.

  • That's odd.  In calculator, 172800 decimal translates to 2A300 in hex and 68330240 decimal translates to 412A300 in hex.

  • I've encountered this issue in Windows 2012 R2 as well when using root-hints only.