DNS Hell !!

Posted on 2002-04-22
Medium Priority
Last Modified: 2012-05-04
Here's my dilemma..
Win2K DNS server, internal with AD integrated, trying to get forwarders to work.
I have added my External DNS server, running linux, ip address to my Internal DNS server in the forwarders option tab. My intention is for my Internal DNS to reply to queries for FQDN out on the Internet. DNS services have been stopped and restarted.
I do not have a root zone in my Internal DNS server (the . zone).
I can ping my External DNS server from the Internal DNS server, so the firewall is set up properly for Internal DNS to access External DNS and vice versa.
When I use NSLOOKUP from Internal DNS server and change the SERVER option to point to External DNS server (or any external DNS server)...I can resolve Internet FQDNs just fine; however, if I change this setting back to Internal DNS server... I can no longer resolve Internet domains.
I've installed NetMon and I cannot see any packets trying to access any External DNS server from the Internal DNS; I can see all DNS traffic directed to the Internal DNS from my clients...

I'm at a loss here...any help will be greatly appreciated.
Question by:edgonz99

Expert Comment

ID: 6960791
a few things to look at:

- what is the forward time-out setting? 1 second is good.
- under advanced tab, make sure the name checking is set to All names.
- Make sure the server is listening on the proper IP address. I would set it to all addresses just to be safe.
- do you have any forward lookup zones?

hope this helps.

Author Comment

ID: 6960859

- what is the forward time-out setting? 1 second is good.
****Ok, I made this change...I had it set to 0..I set it to 1.

- under advanced tab, make sure the name checking is set to All names.
*****Ok, I made this change also.

- Make sure the server is listening on the proper IP address. I would set it to all addresses just to be safe.
*****Yes, server is listening to all IP addresses

- do you have any forward lookup zones?
*****Yes, I only have the one for my AD Domain..(Internal)
Do I need a separate one?

Thanks for the pointers.


Expert Comment

ID: 6961087
Nope, I'm sure you already know this, but just be aware that it will try to resolve all requests for yourdomain.com locally and won't forward requests for that particular domain.

Let me know if it works.


Author Comment

ID: 6961187

Hmmm...Ok, correct me if I'm wrong. I, probably, am wrong.
I have a forward lookup zone...mycompany.com (internal dns)... that's all I have for my Internal DNS.
External DNS however defines the zone for my company's FQDN for the Internet. It sounds as if I'm missing something in my Internal DNS.
Oh, btw, I'm also able to telnet externaldnsip 53 and I'm able to see connection logs on my firewall from the Inside DNS to the External DNS, so I'm positive it's not a connection/firewall issue.


Expert Comment

ID: 6961224
To resolve your company domain you will need to do one of two things:

- set your internal DNS server as a secondary and pull from the external DNS. Which you can't do because you need it to be primary or integrated for Active Directory to work.

- recreate the entries manually on the internal DNS server. This means that every time you make a change to your external domain, you will also need to do it for your internal DNS server.

Well, if you can do an NSlookup from the internal DNS server to the external one and it works, then the problem is probably not with the firewall, just be sure that you have both UDP and TCP port 53 open. Did you try an nslookup after you did the changes?

Author Comment

ID: 6962492
I had opened those ports previously. As a matter of fact, that was the very first thing I did before I even added the external IP address to the internal DNS server, forwarders tab.
Yes, Nslookup works ONLY if I manually change the 'server' to the external DNS server. If I use the defaults, the internal server, it won't work.

Expert Comment

ID: 6962809
Ya got IP chains running on the box? Did you re-configure to allow for the new 2k server? Seems to me the linux box is blocking the win2k box..but then again, what do I know anyway...I haven't learned even half of what I am reading about in this post...I just wanted to post something so I would get the email and I could learn something from THIS post...

Thanks guys....but check the chains.

Expert Comment

ID: 6963147
Check your root hints. If the root servers specified in your root hints are your internal DNS servers, remove them and add the Internet root servers.


Expert Comment

ID: 6965032
You should have root hint servers for your DNS server to work as caching DNS server (the default dns.cache file when you install DNS service).

Usually when you don't have this root hint information, AD at installation time will assume it hosts the root and will not go anywhere else to query other domains. If this is the case, you will see a "." primary zone along with your company domain zone in your DNS server. To add hint servers back, remove this "com" zone and "." zone if one exists, refresh the DNS management console, open the DNS server's properties and manually add root hint servers in the Root Hints tab. These root hints can be found in the dns.cache file. At this point your DNS server should work if the firewall does not block DNS traffic from the Internet.

Then you can set the external DNS server as forwarder for your internal DNS server. To make sure the internal server does not contact any other DNS servers but the external one, you can check the "Do not use recursion" option.

Expert Comment

ID: 6971113
edgonz99, you might have missed a very important point in one of ymash's answers (at least it never showed up in any one of the later posts), so I want to repeat it here:
- your internal DNS server does resolve names belonging to
  the mycompany.com zone
- your external DNS server does also resolve names belonging
  to the mycompany.com zone

So, if your client is set to use your internal DNS server and then tries to resolve a name from mycompany.com that only exists in your external DNS server, this name will never be resolved! Your internal DNS server is authoritative for the zone mycompany.com, so if it cannot resolve a name from mycompany.com it will never forward it to your external DNS server (as your internal DNS server is authoritative it will never ask anybody else, assuming that it knows itself everything that is to know about mycompany.com). It will only forward queries asking for any other zone, e.g. anothercompany.com.
Therefore, if you want to use the same zone for your internal and your external DNS you will have to (as stated before by ymash) manually insert all DNS entries from your external DNS server into your internal DNS server.
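
The two failure modes the thread describes (a stray "." root zone that makes the server answer everything itself, and an authoritative mycompany.com zone that shadows the external records and never forwards them) can be modelled with a small toy resolver. The following is an added example for this thread, not code from any poster or from Microsoft's DNS service; the zone names, host names and addresses are constructed, and `anothercompany.com` on the external server stands in for the rest of the Internet.

```python
"""Toy model of a DNS server deciding between answering from its own
zones and forwarding to a configured forwarder. Added example for this
thread, not Microsoft's DNS code. Zone names, hosts and IPs are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DnsServer:
    # zone name -> {fully qualified host name: address}
    zones: Dict[str, Dict[str, str]]
    forwarder: Optional["DnsServer"] = None
    log: List[str] = field(default_factory=list)

    def authoritative_zone_for(self, name: str) -> Optional[str]:
        """Longest-suffix match. A "." zone matches every name, which is
        why a stray root zone silences all forwarding."""
        best = None
        for zone in self.zones:
            if zone == "." or name == zone or name.endswith("." + zone):
                if best is None or len(zone) > len(best):
                    best = zone
        return best

    def resolve(self, name: str) -> Optional[str]:
        name = name.rstrip(".").lower()
        zone = self.authoritative_zone_for(name)
        if zone is not None:
            # Authoritative: answer from the zone or say NXDOMAIN; never forward.
            addr = self.zones[zone].get(name)
            self.log.append(f"{name}: authoritative for {zone!r} -> "
                            f"{addr or 'NXDOMAIN'}")
            return addr
        if self.forwarder is None:
            self.log.append(f"{name}: no zone and no forwarder -> fail")
            return None
        self.log.append(f"{name}: not authoritative -> forwarded")
        return self.forwarder.resolve(name)


def run_demo() -> Dict[str, Dict[str, Optional[str]]]:
    """Three internal-server configurations from the thread, queried for
    the same names. Returns {scenario: {name: address or None}}."""
    # External (Internet-facing) server; constructed data.
    external = DnsServer(zones={
        "mycompany.com": {"www.mycompany.com": "203.0.113.10",
                          "mail.mycompany.com": "203.0.113.20"},
        "anothercompany.com": {"www.anothercompany.com": "198.51.100.5"},
    })
    internal_zone = {"dc1.mycompany.com": "10.0.0.5"}
    scenarios = {
        # Stray "." zone: the server believes it is the root.
        "root-zone": DnsServer(zones={".": {}, "mycompany.com": dict(internal_zone)},
                               forwarder=external),
        # Root zone removed, forwarder set: other domains forward, but
        # mycompany.com names that only exist externally still fail.
        "forwarder-only": DnsServer(zones={"mycompany.com": dict(internal_zone)},
                                    forwarder=external),
        # External records mirrored into the internal zone by hand.
        "mirrored": DnsServer(zones={"mycompany.com": {**internal_zone,
                                                       **external.zones["mycompany.com"]}},
                              forwarder=external),
    }
    names = ["dc1.mycompany.com", "www.mycompany.com", "www.anothercompany.com"]
    return {label: {n: srv.resolve(n) for n in names}
            for label, srv in scenarios.items()}


if __name__ == "__main__":
    for label, answers in run_demo().items():
        print(label, answers)
```

Running it shows the progression the thread walks through: with the "." zone present nothing outside the internal zone resolves; with only a forwarder configured, `www.anothercompany.com` is forwarded and answered while `www.mycompany.com` still comes back empty because the internal server is authoritative for that zone; only after mirroring the external records does the last name resolve. Checking `srv.log` after each scenario shows which branch each query took, which is the same distinction NetMon was making visible (no packets toward the external server means the query never left the authoritative branch).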

Expert Comment

ID: 7139953
andyp2912, welcome to EE! Please be respectful of other experts and please do not propose an answer until you are absolutely sure that this will fix the user's problem. I have personally already posted step by step instructions as to the creation of a mirror. Whilst you have proposed an answer you have also locked the question so that no other experts may comment. Please post comments and if the user sees that it will fix their problems then they can accept it as an answer.

Accepted Solution

SpideyMod earned 0 total points
ID: 8277015
I am unlocking this question in preparation for cleanup.  I will return in 7 days to finalize this question.  Please leave any recommendations for the final state of this question, I will take all recommendations into consideration.  Failing any feedback, I may decide in 7 days to delete or PAQ this question with no refund.  Thanks.

Community Support Moderator @Experts Exchange
