DNS Hell !!

Here's my dilemma..
Win2K DNS server, internal with AD integrated, trying to get forwarders to work.
I have added my External DNS server, running linux, ip address to my Internal DNS server in the forwarders option tab. My intention is for my Internal DNS to reply to queries for FQDN out on the Internet. DNS services have been stopped and restarted.
I do not have a root zone in my Internal DNS server (the . zone).
I can ping my External DNS server from the Internal DNS server, so the firewall is set up properly for Internal DNS to access External DNS and vice versa.
When I use NSLOOKUP from Internal DNS server and change the SERVER option to point to External DNS server (or any external DNS server)...I can resolve Internet FQDNs just fine; however, if I change this setting back to Internal DNS server... I can no longer resolve Internet domains.
I've installed NetMon and I cannot see any packets trying to access any External DNS server from the Internal DNS; I can see all DNS traffic directed to the Internal DNS from my clients...

I'm at a loss here...any help will be greatly appreciated.
SpideyMod Commented:
I am unlocking this question in preparation for cleanup.  I will return in 7 days to finalize this question.  Please leave any recommendations for the final state of this question, I will take all recommendations into consideration.  Failing any feedback, I may decide in 7 days to delete or PAQ this question with no refund.  Thanks.

Community Support Moderator @Experts Exchange
a few things to look at:

- what is the forward time-out setting? 1 second is good.
- under advanced tab, make sure the name checking is set to All names.
- Make sure the server is listening on the proper IP address. I would set it to all addresses just to be safe.
- do you have any forward lookup zones?

hope this helps.
edgonz99Author Commented:

- what is the forward time-out setting? 1 second is good.
****Ok, I made this change...I had it set to 0..I set it to 1.

- under advanced tab, make sure the name checking is set to All names.
*****Ok, I made this change also.

- Make sure the server is listening on the proper IP address. I would set it to all addresses just to be safe.
*****Yes, server is listening to all IP addresses

- do you have any forward lookup zones?
*****Yes, I only have the one for my AD Domain..(Internal)
Do I need a separate one?

Thanks for the pointers.


Nope, I'm sure you already know this, but just be aware that it will try to resolve all requests for yourdomain.com locally and won't forward requests for that particular domain.

Let me know if it works.
edgonz99Author Commented:

Hmmm...Ok, correct me if I'm wrong. I, probably, am wrong.
I have a forward lookup zone...mycompany.com (internal dns)... that's all I have for my Internal DNS.
External DNS however defines the zone for my company's FQDN for the Internet. It sounds as if I'm missing something in my Internal DNS.
Oh, btw, I'm also able to telnet externaldnsip 53 and I'm able to see connection logs on my firewall from the Inside DNS to the External DNS, so I'm positive it's not a connection/firewall issue.

To resolve your company domain you will need to do one of two things:

- Set your internal DNS server as a secondary and pull from the external DNS. Which you can't do because you need it to be primary or integrated for Active Directory to work.

- Recreate the entries manually on the internal DNS server. This means that every time you make a change to your external domain, you will also need to do it for your internal DNS server.

Well, if you can do an NSlookup from the internal DNS server to the external one and it works, then the problem is probably not with the firewall, just be sure that you have both UDP and TCP port 53 open. Did you try an nslookup after you did the changes?
edgonz99Author Commented:
I had opened those ports previously. As a matter of fact, that was the very first thing I did before I even added the external IP address to the internal DNS server, forwarders tab.
Yes, Nslookup works ONLY if I manually change the 'server' to the external DNS server. If I use the defaults, the internal server, it won't work.
Ya got ipchains running on the box? Did you re-configure to allow for the new 2k server? Seems to me the linux box is blocking the win2k box...but then again, what do I know anyway...I haven't learned even half of what I am reading about in this post...I just wanted to post something so I would get the email and I could learn something from THIS post...

Thanks guys....but check the chains.
Check your root hints. If the root servers specified in your root hints are your internal DNS servers, remove them and add the Internet root servers.

You should have root hint servers for your DNS server to work as caching DNS server (the default dns.cache file when you install DNS service).

Usually when you don't have this root hint information, AD at installation time will assume it hosts the root and will not go anywhere else to query other domains. If this is the case, you will see a "." primary zone along with your company domain zone in your DNS server. To add hint servers back, remove this "com" zone and "." zone if one exists, refresh the DNS management console, open the DNS server's properties and manually add root hint servers in the Root Hints tab. These root hints can be found in the dns.cache file. At this point your DNS server should work if the firewall does not block DNS traffic from the Internet.

Then you can set the external DNS server as forwarder for your internal DNS server. To make sure the internal server does not contact any other DNS servers but the external one, you can check the "Do not use recursion" option.
edgonz99, you might have missed a very important point in one of ymash's answers (at least it never showed up in any one of the later posts), so I want to repeat it here:
- your internal DNS server does resolve names belonging to
  the mycompany.com zone
- your external DNS server does also resolve names belonging
  to the mycompany.com zone

So, if your client is set to use your internal DNS server and then tries to resolve a name from mycompany.com that only exists in your external DNS server, this name will never be resolved! Your internal DNS server is authoritative for the zone mycompany.com, so if it cannot resolve a name from mycompany.com it will never forward it to your external DNS server (as your internal DNS server is authoritative it will never ask anybody else, assuming that it knows itself everything there is to know about mycompany.com). It will only forward queries asking for any other zone, e.g. anothercompany.com.
Therefore, if you want to use the same zone for your internal and your external DNS you will have to (as stated before by ymash) manually insert all DNS entries from your external DNS server into your internal DNS server.
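As an added illustration (not code from the thread or from Windows DNS), here is a small Python model of the decision the internal server makes for one query, built from the points above and from the earlier answer about root hints and the "." zone: answer from a hosted zone, NXDOMAIN for a missing name in a zone it is authoritative for (never forwarded), or forward / root hints for everything else. Zone contents, host names and the forwarder address 203.0.113.5 are constructed samples.

```python
# Constructed sample zones: what each server hosts for the same domain name.
INTERNAL_ZONES = {"mycompany.com": {"dc1.mycompany.com", "fileserver.mycompany.com"}}
EXTERNAL_ZONES = {"mycompany.com": {"www.mycompany.com", "mail.mycompany.com"}}
FORWARDER = "203.0.113.5"  # constructed address standing in for the external server


def resolve(qname, zones, forwarders=(), root_hints=True):
    """Model of one query's fate on a server hosting `zones`.

    Returns ('answer', name), ('nxdomain', zone), ('forward', server),
    ('root-hints', None) or ('fail', reason).
    """
    qname = qname.rstrip(".").lower()
    labels = qname.split(".")
    # Walk from the full name up to the TLD: the first hosted zone that is a
    # suffix of the name is the one the server is authoritative for.
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in zones:
            if qname in zones[zone]:
                return ("answer", qname)
            # Authoritative but no such record: the server answers NXDOMAIN
            # itself and never consults a forwarder (the split-brain trap).
            return ("nxdomain", zone)
    # A "." zone makes the server believe it is the root: nothing is forwarded.
    if "." in zones:
        return ("nxdomain", ".")
    if forwarders:
        return ("forward", forwarders[0])
    if root_hints:
        return ("root-hints", None)
    return ("fail", "no forwarders and no root hints")


def mirror_external(internal, external):
    """The fix from the thread: copy the external zone's records into the
    internal copy of the same zone so the internal server can answer them."""
    merged = {zone: set(records) for zone, records in internal.items()}
    for zone, records in external.items():
        merged.setdefault(zone, set()).update(records)
    return merged


if __name__ == "__main__":
    for name in ("dc1.mycompany.com", "www.mycompany.com", "www.example.org"):
        print(name, "->", resolve(name, INTERNAL_ZONES, forwarders=(FORWARDER,)))
    print("after mirroring ->", resolve("www.mycompany.com",
                                        mirror_external(INTERNAL_ZONES, EXTERNAL_ZONES)))
```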
andyp2912, welcome to EE! Please be respectful of other experts and please do not propose an answer until you are absolutely sure that this will fix the user's problem. I have personally already posted step by step instructions as to the creation of a mirror. Whilst you have proposed an answer you have also locked the question so that no other experts may comment. Please post comments and if the user sees that it will fix their problems then they can accept it as an answer.