

DNS Hell !!

Posted on 2002-04-22
Medium Priority
Last Modified: 2012-05-04
Here's my dilemma..
Win2K DNS server, internal with AD integrated, trying to get forwarders to work.
I have added my External DNS server, running linux, ip address to my Internal DNS server in the forwarders option tab. My intention is for my Internal DNS to reply to queries for FQDN out on the Internet. DNS services have been stopped and restarted.
I do not have a root zone in my Internal DNS server (the . zone).
I can ping my External DNS server from the Internal DNS server, so the firewall is set up properly for the Internal DNS to access the External DNS and vice versa.
When I use NSLOOKUP from Internal DNS server and change the SERVER option to point to External DNS server (or any external DNS server)...I can resolve Internet FQDNs just fine; however, if I change this setting back to Internal DNS server... I can no longer resolve Internet domains.
I've installed NetMon and I cannot see any packets trying to access any External DNS server from the Internal DNS; I can see all DNS traffic directed to the Internal DNS from my clients...

I'm at a loss here...any help will be greatly appreciated.
Question by:edgonz99

Expert Comment

ID: 6960791
a few things to look at:

- what is the forward time-out setting? 1 second is good.
- under advanced tab, make sure the name checking is set to All names.
- Make sure the server is listening on the proper IP address. I would set it to all addresses just to be safe.
- do you have any forward lookup zones?

hope this helps.

Author Comment

ID: 6960859

- what is the forward time-out setting? 1 second is good.
****Ok, I made this change...I had it set to 0..I set it to 1.

- under advanced tab, make sure the name checking is set to All names.
*****Ok, I made this change also.

- Make sure the server is listening on the proper IP address. I would set it to all addresses just to be safe.
*****Yes, server is listening to all IP addresses

- do you have any forward lookup zones?
*****Yes, I only have the one for my AD Domain..(Internal)
Do I need a separate one?

Thanks for the pointers.


Expert Comment

ID: 6961087
Nope, I'm sure you already know this, but just be aware that it will try to resolve all requests for yourdomain.com locally and won't forward requests for that particular domain.

Let me know if it works.


Author Comment

ID: 6961187

Hmmm...Ok, correct me if I'm wrong. I, probably, am wrong.
I have a forward lookup zone...mycompany.com (internal dns)... that's all I have for my Internal DNS.
External DNS however defines the zone for my company's FQDN for the Internet. It sounds as if I'm missing something in my Internal DNS.
Oh, btw, I'm also able to telnet externaldnsip 53 and I'm able to see connection logs on my firewall from the Inside DNS to the External DNS, so I'm positive it's not a connection/firewall issue.


Expert Comment

ID: 6961224
to resolve your company domain you will need to do one of two:

- set your internal DNS server as a secondary and pull from the external DNS. Which you can't do because you need it to be primary or integrated for active directory to work.

- recreate the entries manually on the internal DNS server. This means that every time you make a change to your external domain, you will also need to do it for your internal DNS server.

Well, if you can do an NSlookup from the internal DNS server to the external one and it works, then the problem is probably not with the firewall, just be sure that you have both UDP and TCP port 53 open. Did you try an nslookup after you did the changes?

Author Comment

ID: 6962492
I had opened those ports previously. As a matter of fact, that was the very first thing I did before I even added the external IP address to the internal DNS server, forwarders tab.
Yes, Nslookup works ONLY if I manually change the 'server' to the external DNS server. If I use the defaults, the internal server, it won't work.

Expert Comment

ID: 6962809
Ya got IP chains running on the box? Did you re-configure to allow for the new 2k server? Seems to me the linux box is blocking the win2k box..but then again, what do I know anyway...I haven't learned even half of what I am reading about in this post...I just wanted to post something so I would get the email and I could learn something from THIS post...

Thanks guys....but check the chains.

Expert Comment

ID: 6963147
check your root hints.  If the root servers specified in your root hints are your internal DNS servers, remove them and add the Internet root servers.


Expert Comment

ID: 6965032
You should have root hint servers for your DNS server to work as a caching DNS server (the default dns.cache file when you install the DNS service).

Usually when you don't have this root hint information, AD at installation time will assume it hosts the root and will not go anywhere else to query other domains. If this is the case, you will see a "." primary zone along with your company domain zone in your DNS server. To add hint servers back, remove this "com" zone and "." zone if one exists, refresh the DNS management console, open DNS's properties and manually add root hint servers into the Root Hints tab. These root hints can be found in the dns.cache file. At this point your DNS server should work if the firewall does not block DNS traffic from the Internet.

Then you can set the external DNS server as forwarder for your internal DNS server. To make sure the internal server does not contact any other DNS servers but the external one, you can check the "Do not use recursion" option.

Expert Comment

ID: 6971113
edgonz99, you might have missed a very important point in one of ymash's answers (at least it never showed up in any one of the later posts), so I want to repeat it here:
- your internal DNS server does resolve names belonging to
  the mycompany.com zone
- your external DNS server does also resolve names belonging
  to the mycompany.com zone

So, if your client is set to use your internal DNS server and then tries to resolve a name from mycompany.com that only exists in your external DNS server, this name will never be resolved! Your internal DNS server is authoritative for the zone mycompany.com, so if it cannot resolve a name from mycompany.com it will never forward it to your external DNS server (as your internal DNS server is authoritative it will never ask anybody else, assuming that it knows itself everything that is to know about mycompany.com). It will only forward queries asking for any other zone, e.g. anothercompany.com.
Therefore, if you want to use the same zone for your internal and your external DNS you will have to (as stated before by ymash) manually insert all DNS entries from your external DNS server into your internal DNS server.
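The split-zone behaviour described in this comment and in ymash's earlier post (authoritative zone answered locally and never forwarded; external entries to be mirrored by hand), as an added model that is not part of the thread. All zone data, hostnames and addresses below are constructed for illustration.

```python
# Added example (not from the thread): a model of how the internal server,
# authoritative for mycompany.com, answers queries, plus a check that lists
# external records the internal zone lacks. All data below is constructed.

INTERNAL_ZONES = {
    "mycompany.com": {  # AD-integrated zone on the Win2K server
        "dc1.mycompany.com": "10.0.0.10",
        "intranet.mycompany.com": "10.0.0.20",
    },
}

# Records served by the Linux external server configured as forwarder.
EXTERNAL_ZONES = {
    "mycompany.com": {"www.mycompany.com": "203.0.113.10", "mail.mycompany.com": "203.0.113.25"},
    "anothercompany.com": {"www.anothercompany.com": "198.51.100.7"},
}

def _norm(name):
    return name.lower().rstrip(".")

def authoritative_zone(name, zones):
    """Longest zone in `zones` that contains `name`, or None."""
    labels = _norm(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def resolve(name, internal=INTERNAL_ZONES, forwarder=EXTERNAL_ZONES):
    """Answer as the internal server does: a local zone is final (own data
    or NXDOMAIN, never forwarded); only other names go to the forwarder."""
    zone = authoritative_zone(name, internal)
    if zone is not None:
        return internal[zone].get(_norm(name), "NXDOMAIN")
    fwd_zone = authoritative_zone(name, forwarder)
    if fwd_zone is None:
        return "NXDOMAIN"
    return forwarder[fwd_zone].get(_norm(name), "NXDOMAIN")

def missing_internal_records(internal=INTERNAL_ZONES, forwarder=EXTERNAL_ZONES):
    """External records in a zone the internal server owns: these must be
    copied into the internal zone by hand, or clients get NXDOMAIN."""
    return {n: a for zone, recs in internal.items()
            for n, a in forwarder.get(zone, {}).items() if n not in recs}

if __name__ == "__main__":
    for host in ("intranet.mycompany.com", "www.mycompany.com", "www.anothercompany.com"):
        print(host, "->", resolve(host))
    print("mirror these:", missing_internal_records())
```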

Expert Comment

ID: 7139953
andyp2912, welcome to EE! Please be respectful of other experts and please do not propose an answer until you are absolutely sure that this will fix the user's problem. I have personally already posted step by step instructions as to the creation of a mirror. Whilst you have proposed an answer you have also locked the question so that no other experts may comment. Please post comments and if the user sees that it will fix their problems then they can accept it as an answer.

Accepted Solution

SpideyMod earned 0 total points
ID: 8277015
I am unlocking this question in preparation for cleanup.  I will return in 7 days to finalize this question.  Please leave any recommendations for the final state of this question, I will take all recommendations into consideration.  Failing any feedback, I may decide in 7 days to delete or PAQ this question with no refund.  Thanks.

Community Support Moderator @Experts Exchange
