Solved

DNS Hell !!

Posted on 2002-04-22
219 Views
Last Modified: 2012-05-04
Here's my dilemma..
Win2K DNS server, internal with AD integrated, trying to get forwarders to work.
I have added my External DNS server, running linux, ip address to my Internal DNS server in the forwarders option tab. My intention is for my Internal DNS to reply to queries for FQDN out on the Internet. DNS services have been stopped and restarted.
I do not have a root zone in my Internal DNS server (the . zone).
I can ping my External DNS server from the Internal DNS server, so the firewall is set up properly for Internal DNS to access External DNS and vice versa.
When I use NSLOOKUP from Internal DNS server and change the SERVER option to point to External DNS server (or any external DNS server)...I can resolve Internet FQDNs just fine; however, if I change this setting back to Internal DNS server... I can no longer resolve Internet domains.
I've installed NetMon and I cannot see any packets trying to access any External DNS server from the Internal DNS; I can see all DNS traffic directed to the Internal DNS from my clients...

I'm at a loss here...any help will be greatly appreciated.
0
Question by:edgonz99
12 Comments
 
LVL 1

Expert Comment

by:ymash
ID: 6960791
a few things to look at:

- what is the forward time-out setting? 1 second is good.
- under advanced tab, make sure the name checking is set to All names.
- Make sure the server is listening on the proper IP address. I would set it to all addresses just to be safe.
- do you have any forward lookup zones?

hope this helps.
0
 

Author Comment

by:edgonz99
ID: 6960859
Ymash,

- what is the forward time-out setting? 1 second is good.
****Ok, I made this change...I had it set to 0..I set it to 1.

- under advanced tab, make sure the name checking is set to All names.
*****Ok, I made this change also.

- Make sure the server is listening on the proper IP address. I would set it to all addresses just to be safe.
*****Yes, server is listening to all IP addresses

- do you have any forward lookup zones?
*****Yes, I only have the one for my AD Domain..(Internal)
Do I need a separate one?

Thanks for the pointers.


Edward
0
 
LVL 1

Expert Comment

by:ymash
ID: 6961087
Nope, I'm sure you already know this, but just be aware that it will try to resolve all requests for yourdomain.com locally and won't forward requests for that particular domain.

Let me know if it works.
0

 

Author Comment

by:edgonz99
ID: 6961187
Ymash,

Hmmm...Ok, correct me if I'm wrong. I, probably, am wrong.
I have a forward lookup zone...mycompany.com (internal dns)... that's all I have for my Internal DNS.
External DNS however defines the zone for my company's FQDN for the Internet. It sounds as if I'm missing something in my Internal DNS.
Oh, btw, I'm also able to telnet externaldnsip 53 and I'm able to see connection logs on my firewall from the Inside DNS to the External DNS, so I'm positive it's not a connection/firewall issue.

Thanks
0
 
LVL 1

Expert Comment

by:ymash
ID: 6961224
To resolve your company domain you will need to do one of two things:

- Set your internal DNS server as a secondary and pull from the external DNS. Which you can't do because you need it to be primary or integrated for Active Directory to work.

- Recreate the entries manually on the internal DNS server. This means that every time you make a change to your external domain, you will also need to do it on your internal DNS server.

Well, if you can do an NSlookup from the internal DNS server to the external one and it works, then the problem is probably not with the firewall, just be sure that you have both UDP and TCP port 53 open. Did you try an nslookup after you did the changes?
0
 

Author Comment

by:edgonz99
ID: 6962492
I had opened those ports previously. As a matter of fact, that was the very first thing I did before I even added the external IP address to the internal DNS server, forwarders tab.
Yes, Nslookup works ONLY if I manually change the 'server' to the external DNS server. If I use the defaults, the internal server, it won't work.
0
 
LVL 7

Expert Comment

by:jatcan
ID: 6962809
Ya got IP chains running on the box? Did you re-configure to allow for the new 2k server? Seems to me the linux box is blocking the win2k box..but then again, what do I know anyway...I haven't learned even half of what I am reading about in this post...I just wanted to post something so I would get the email and I could learn something from THIS post...

Thanks guys....but check the chains.
0
 
LVL 5

Expert Comment

by:matt023
ID: 6963147
Check your root hints. If the root servers specified in your root hints are your internal DNS servers, remove them and add the Internet root servers.

0
 
LVL 3

Expert Comment

by:hnminh
ID: 6965032
You should have root hint servers for your DNS server to work as a caching DNS server (the default dns.cache file when you install the DNS service).

Usually when you don't have this root hint information, AD at installation time will assume it hosts the root and will not go anywhere else to query other domains. If this is the case, you will see a "." primary zone along with your company domain zone in your DNS server. To add hint servers back, remove this "com" zone and "." zone if one exists, refresh the DNS management console, open the DNS server's properties and manually add root hint servers into the Root Hints tab. These root hints can be found in the dns.cache file. At this point your DNS server should work if the firewall does not block DNS traffic from the Internet.

Then you can set the external DNS server as forwarder for your internal DNS server. To make sure the internal server does not contact any other DNS servers but the external one, you can check the "Do not use recursion" option.
0
 

Expert Comment

by:andyp2912
ID: 6971113
edgonz99, you might have missed a very important point in one of ymash's answers (at least it never showed up in any one of the later posts), so I want to repeat it here:
- your internal DNS server does resolve names belonging to the mycompany.com zone
- your external DNS server does also resolve names belonging to the mycompany.com zone

So, if your client is set to use your internal DNS server and then tries to resolve a name from mycompany.com that only exists in your external DNS server, this name will never be resolved! Your internal DNS server is authoritative for the zone mycompany.com, so if it cannot resolve a name from mycompany.com it will never forward it to your external DNS server (as your internal DNS server is authoritative it will never ask anybody else, assuming that it knows itself everything that is to know about mycompany.com). It will only forward queries asking for any other zone, e.g. anothercompany.com.
Therefore, if you want to use the same zone for your internal and your external DNS you will have to (as stated before by ymash) manually insert all DNS entries from your external DNS server into your internal DNS server.
0
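The two behaviours discussed in this thread (hnminh's point that a stray "." zone makes the server believe it is the root and never forward anything, and andyp2912's point that a server authoritative for mycompany.com answers NXDOMAIN for names it does not hold instead of forwarding them) are easier to see in a small model. The following is an added example written for this page, not code from any poster or from Microsoft's DNS server; it is a toy decision model with constructed names and addresses (`mycompany.com`, `example.net`, `192.0.2.x`, `198.51.100.x`, `10.0.0.5`) and the class and function names are my own. It also models the "Do not use recursion" checkbox and the manual mirroring of external records that ymash suggested.

```python
# Toy model (added example, not a real resolver) of the decision a Windows 2000
# DNS server makes for each query: answer from a zone it hosts, hand the query
# to a forwarder, or recurse from root hints. All names/addresses are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Stand-in for "the Internet" reached via root hints (constructed data).
PUBLIC_INTERNET: Dict[str, str] = {
    "www.example.net": "192.0.2.10",
    "www.mycompany.com": "198.51.100.7",   # same public record the external box hosts
}

Answer = Tuple[str, str, str]  # (how it was answered, which server answered, result)


@dataclass
class DnsServer:
    name: str
    # zone name -> {fqdn: address}. A zone named "." models the root zone that
    # an AD install can create, which makes the server think it *is* the root.
    zones: Dict[str, Dict[str, str]]
    forwarders: List["DnsServer"] = field(default_factory=list)
    do_not_use_recursion: bool = False   # the Win2K forwarders-tab checkbox
    has_root_hints: bool = True          # contents of the Root Hints tab / cache file

    def hosted_zone_for(self, qname: str) -> Optional[str]:
        """Longest-suffix match of qname against the zones this server hosts."""
        labels = qname.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.zones:
                return candidate
        return "." if "." in self.zones else None

    def resolve(self, qname: str) -> Answer:
        qname = qname.rstrip(".").lower()
        zone = self.hosted_zone_for(qname)
        if zone is not None:
            # Authoritative for this zone: answer from local data only. A miss is
            # NXDOMAIN and the query is never forwarded (the split-brain trap);
            # with a "." zone present this branch swallows every query.
            return ("authoritative", self.name, self.zones[zone].get(qname, "NXDOMAIN"))
        for fwd in self.forwarders:
            how, who, result = fwd.resolve(qname)
            if how != "failed":
                return ("forwarded", who, result)
        if self.do_not_use_recursion:
            return ("failed", self.name, "forwarders unreachable, recursion disabled")
        if self.has_root_hints:
            return ("recursed", self.name, PUBLIC_INTERNET.get(qname, "NXDOMAIN"))
        return ("failed", self.name, "no forwarders answered and no root hints")


def build_lab(internal_has_root_zone: bool, mirror_external_records: bool):
    """Internal AD-integrated server forwarding to the external Linux server."""
    external = DnsServer(
        name="external-linux",
        zones={"mycompany.com": {"www.mycompany.com": "198.51.100.7",
                                 "mail.mycompany.com": "198.51.100.25"}},
    )
    internal_zone = {"dc1.mycompany.com": "10.0.0.5"}   # only the AD records
    if mirror_external_records:
        internal_zone.update(external.zones["mycompany.com"])  # ymash's manual copy
    zones = {"mycompany.com": internal_zone}
    if internal_has_root_zone:
        zones["."] = {}   # the stray root zone hnminh describes
    internal = DnsServer(name="internal-win2k", zones=zones, forwarders=[external])
    return internal, external


if __name__ == "__main__":
    for root_zone, mirrored in [(True, False), (False, False), (False, True)]:
        internal, _ = build_lab(root_zone, mirrored)
        print(f"root zone={root_zone} mirrored={mirrored}")
        for q in ("www.example.net", "www.mycompany.com", "dc1.mycompany.com"):
            print("   ", q, "->", internal.resolve(q))
```

Running it shows the three states from the thread: with the "." zone every query, Internet names included, comes back NXDOMAIN from the internal server; without it, `www.example.net` is forwarded and answered by the external server, but `www.mycompany.com` is still NXDOMAIN because the internal server is authoritative for that zone; only after the external records are copied into the internal zone does it resolve.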
 
LVL 7

Expert Comment

by:jmiller47
ID: 7139953
andyp2912, welcome to EE! Please be respectful of other experts and please do not propose an answer until you are absolutely sure that this will fix the user's problem. I have personally already posted step by step instructions as to the creation of a mirror. Whilst you have proposed an answer you have also locked the question so that no other experts may comment. Please post comments and if the user sees that it will fix their problems then they can accept it as an answer.
0
 

Accepted Solution

by:
SpideyMod earned 0 total points
ID: 8277015
All,
I am unlocking this question in preparation for cleanup.  I will return in 7 days to finalize this question.  Please leave any recommendations for the final state of this question, I will take all recommendations into consideration.  Failing any feedback, I may decide in 7 days to delete or PAQ this question with no refund.  Thanks.

SpideyMod
Community Support Moderator @Experts Exchange
0
