DNS Hell !!

Posted on 2002-04-22
Last Modified: 2012-05-04
Here's my dilemma..
Win2K DNS server, internal with AD integrated, trying to get forwarders to work.
I have added my External DNS server, running linux, ip address to my Internal DNS server in the forwarders option tab. My intention is for my Internal DNS to reply to queries for FQDN out on the Internet. DNS services have been stopped and restarted.
I do not have a root zone in my Internal DNS server (the . zone).
I can ping my External DNS server from the Internal DNS server, so the firewall is set up properly for Internal DNS to access External DNS and vice versa.
When I use NSLOOKUP from Internal DNS server and change the SERVER option to point to External DNS server (or any external DNS server)...I can resolve Internet FQDNs just fine; however, if I change this setting back to Internal DNS server... I can no longer resolve Internet domains.
I've installed NetMon and I cannot see any packets trying to access any External DNS server from the Internal DNS; I can see all DNS traffic directed to the Internal DNS from my clients...

I'm at a loss here...any help will be greatly appreciated.
Question by: edgonz99

Expert Comment

ID: 6960791
a few things to look at:

- what is the forward time-out setting? 1 second is good.
- under advanced tab, make sure the name checking is set to All names.
- Make sure the server is listening on the proper IP address. I would set it to all addresses just to be safe.
- do you have any forward lookup zones?

hope this helps.

Author Comment

ID: 6960859

- what is the forward time-out setting? 1 second is good.
****Ok, I made this change...I had it set to 0..I set it to 1.

- under advanced tab, make sure the name checking is set to All names.
*****Ok, I made this change also.

- Make sure the server is listening on the proper IP address. I would set it to all addresses just to be safe.
*****Yes, server is listening to all IP addresses

- do you have any forward lookup zones?
*****Yes, I only have the one for my AD Domain..(Internal)
Do I need a separate one?

Thanks for the pointers.


Expert Comment

ID: 6961087
Nope, I'm sure you already know this, but just be aware that it will try to resolve all requests for locally and won't forward requests for that particular domain.

Let me know if it works.

Author Comment

ID: 6961187

Hmmm...Ok, correct me if I'm wrong. I , probably, am wrong.
I have a forward lookup (internal dns)... that's all I have for my Internal DNS.
External DNS however defines the zone for my company's FQDN for the Internet. It sounds as if I'm missing something in my Internal DNS.
Oh, btw, I'm also able to telnet externaldnsip 53 and I'm able to see connection logs on my firewall from the Inside DNS to the External DNS, so I'm positive is not a connection/firewall issue.


Expert Comment

ID: 6961224
To resolve your company domain you will need to do one of two things:

- Set your internal DNS server as a secondary and pull from the external DNS. Which you can't do because you need it to be primary or integrated for Active Directory to work.

- Recreate the entries manually on the internal DNS server. This means that every time you make a change to your external domain, you will also need to do it for your internal DNS server.

Well, if you can do an nslookup from the internal DNS server to the external one and it works, then the problem is probably not with the firewall; just be sure that you have both UDP and TCP port 53 open. Did you try an nslookup after you made the changes?

Author Comment

ID: 6962492
I had opened those ports previously. As a matter of fact, that was the very first thing I did before I even added the external IP address to the internal DNS server, forwarders tab.
Yes, nslookup works ONLY if I manually change the 'server' to the external DNS server. If I use the default, the internal server, it won't work.

Expert Comment

ID: 6962809
Ya got ipchains running on the box? Did you re-configure it to allow for the new 2K server? Seems to me the Linux box is blocking the Win2K box...but then again, what do I know anyway...I haven't learned even half of what I am reading about in this post...I just wanted to post something so I would get the email and I could learn something from THIS post...

Thanks guys....but check the chains.

Expert Comment

ID: 6963147
Check your root hints. If the root servers specified in your root hints are your internal DNS servers, remove them and add the Internet root servers.


Expert Comment

ID: 6965032
You should have root hint servers for your DNS server to work as a caching DNS server (the default dns.cache file when you install the DNS service).

Usually when you don't have this root hint information, AD at installation time will assume it hosts the root and will not go anywhere else to query other domains. If this is the case, you will see a "." primary zone along with your company domain zone in your DNS server. To add hint servers back, remove this "com" zone and the "." zone if one exists, refresh the DNS management console, open the DNS server's properties and manually add root hint servers in the Root Hints tab. These root hints can be found in the dns.cache file. At this point your DNS server should work if the firewall does not block DNS traffic from the Internet.

Then you can set the external DNS server as forwarder for your internal DNS server. To make sure the internal server does not contact any other DNS servers but the external one, you can check the "Do not use recursion" option.

Expert Comment

ID: 6971113
edgonz99, you might have missed a very important point in one of ymash's answers (at least it never showed up in any one of the later posts), so I want to repeat it here:
- your internal DNS server does resolve names belonging to
  the zone
- your external DNS server does also resolve names belonging
  to the zone

So, if your client is set to use your internal DNS server and then tries to resolve a name from that only exists in your external DNS server, this name will never be resolved! Your internal DNS server is authoritative for the zone, so if it cannot resolve a name from it will never forward it to your external DNS server (as your internal DNS server is authoritative it will never ask anybody else, assuming that it knows itself everything that is to know about It will only forward queries asking for any other zone, e.g.
Therefore, if you want to use the same zone for your internal and your external DNS you will have to (as stated before by ymash) manually insert all DNS entries from your external DNS server into your internal DNS server.
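The two failure modes explained in the last few comments (a "." root zone that swallows every query before the forwarder is consulted, and an internal server that is authoritative for the same zone as the external one and therefore answers NXDOMAIN instead of forwarding) can be modelled in a few lines. This is an added illustration, not code from the thread or from Windows DNS; the zone name example.com, the host names and all addresses are constructed placeholders from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass, field

# Constructed addresses from the RFC 5737 documentation ranges (not from the thread).
EXTERNAL_DNS = "198.51.100.53"   # the Linux server configured as forwarder
UPSTREAM = {                     # names each upstream server can answer
    EXTERNAL_DNS: {"www.example.com": "198.51.100.80", "www.example.net": "203.0.113.7"},
}
INTERNET = {"www.example.net": "203.0.113.7"}   # what iterating from root hints reaches

@dataclass
class DnsServer:
    zones: dict                  # zone name -> {fqdn: IPv4}; a "." key is a root zone
    forwarders: list = field(default_factory=list)
    root_hints: list = field(default_factory=list)
    no_recursion: bool = False   # the "Do not use recursion" forwarder option

    def authoritative_zone(self, name):
        """Longest local zone containing `name`; a '.' zone contains every name."""
        hits = [z for z in self.zones if z == "." or name == z or name.endswith("." + z)]
        return max(hits, key=len) if hits else None

    def resolve(self, name):
        """Return (address or None for NXDOMAIN, how the server decided)."""
        zone = self.authoritative_zone(name)
        if zone is not None:
            # Authoritative: answer only from zone data, never ask anyone else.
            return self.zones[zone].get(name), f"authoritative for '{zone}'"
        for fwd in self.forwarders:
            if name in UPSTREAM.get(fwd, {}):
                return UPSTREAM[fwd][name], f"forwarded to {fwd}"
        if self.root_hints and not self.no_recursion:
            return INTERNET.get(name), "recursed from root hints"
        return None, "no forwarder answered and recursion unavailable"

# The AD-integrated zone holds only internal hosts; www lives on the external server.
INTERNAL_ZONE = {"example.com": {"dc1.example.com": "192.0.2.10"}}

def broken_server():
    """Internal server that also hosts a '.' zone: the forwarder is never consulted."""
    return DnsServer({**INTERNAL_ZONE, ".": {}}, forwarders=[EXTERNAL_DNS])

def fixed_server():
    """'.' zone removed, root hints restored, external server set as forwarder."""
    return DnsServer(dict(INTERNAL_ZONE), forwarders=[EXTERNAL_DNS], root_hints=["a.root-servers.net"])

if __name__ == "__main__":
    for srv in (broken_server(), fixed_server()):
        for q in ("www.example.net", "www.example.com", "dc1.example.com"):
            print(q, srv.resolve(q))
```

Even the fixed server still returns NXDOMAIN for www.example.com, which is exactly why the external zone's records have to be copied into the internal zone by hand.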

Expert Comment

ID: 7139953
andyp2912, welcome to EE! Please be respectful of other experts and please do not propose an answer until you are absolutely sure that this will fix the user's problem. I have personally already posted step-by-step instructions as to the creation of a mirror. Whilst you have proposed an answer you have also locked the question so that no other experts may comment. Please post comments and if the user sees that it will fix their problems then they can accept it as an answer.

Accepted Solution

SpideyMod earned 0 total points
ID: 8277015
I am unlocking this question in preparation for cleanup.  I will return in 7 days to finalize this question.  Please leave any recommendations for the final state of this question, I will take all recommendations into consideration.  Failing any feedback, I may decide in 7 days to delete or PAQ this question with no refund.  Thanks.

Community Support Moderator @Experts Exchange
