mbu10 asked:
dns in a multihomed, 2000 server

OK, will explain. Have a 2000 server with 4 NICs in, with IP addresses of
192.168.1.1
192.168.2.1
192.168.3.1
192.168.4.1
with DNS and WINS running.
Now on each of the NICs is a VPN router which over ADSL connects all the time to different offices
with these IP address ranges:
192.168.5.1-10
192.168.6.1-10
192.168.7.1-10
192.168.8.1-10

Now on the remote sites the machines there get their IP address from the local router, i.e. 192.168.5.x,
so all that is working fine.
So their settings would be:
ip  192.168.5.2
mask   255.255.255.0
gateway of 192.168.5.1
dns is 192.168.1.1

So when I do an nslookup on the server from the external machines it brings back no errors and shows that the server has four IP addresses and lists them,
i.e.
192.168.1.1
192.168.2.1
192.168.3.1
192.168.4.1
so no problem here.
When I ping the server via the IP address, i.e. for instance this time
192.168.1.1, it returns quickly, no drop outs, and works fine.
Now if I ping the "server name" it comes back and tries to ping the wrong IP address, this time say 192.168.3.1, which of course it cannot do as that is not on the same (as it goes through the VPN) (now this is one of the server's IPs but it has not returned the correct one for that PC on that subnet).
So it returns the wrong IP address for the query and then is unable to ping the server,
but I check and ping the correct IP address, which connects and works fine.
Have a list of how the IPs relate.
Have also put routes in which tell it where to send traffic,
i.e.
192.168.5.1 gateway

internal IP address   gateway to other range    remote gateway    IP address of
of server             (going through router)                      remote site
192.168.1.1 --------- 192.168.1.4 ------------ 192.168.5.4 -------> 192.168.5.1
192.168.2.1 --------- 192.168.2.1 -----------> 192.168.6.4 -------> 192.168.6.4
192.168.3.1 --------- 192.168.3.1 -----------> 192.168.7.4 -------> 192.168.7.4
192.168.4.1 --------- 192.168.4.1 -----------> 192.168.8.4 -------> 192.168.8.4



Need any more, get back to me.
Probably something simple, just cannot see it.
Thanks


dankennedy replied:

Sounds like the DNS server is returning the IPs using round robin. The DNS server won't return IPs based on subnet the request comes from (as far as I know). You could try using a different server name for each subnet like ServerA, ServerB, ServerC. That way each subnet will always get the correct IP address for the server.

Read the following Microsoft Article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;168321

mbu10 (asker):

Yes, that's what I had thought of to start with, and I had turned off round robin.
Problem is, it could be solved by adding other names to IP addresses for the server,
but since the system is up and running and has been for quite a while,
the mapped drives which they use would be harder to implement as it would need separate scripts etc.
There has to be another way of making sure the IP address, i.e. 192.168.4.1, returns itself for lookups and does not return one of the other 3 it has.

dankennedy replied:

Sounds simple, but DNS is a fairly strict standard and as far as I know, you can't make it change which A record it uses based on the interface the request comes in on.

Is there any way you can change your IP scheme so that the server only has one NIC card? It would solve all your problems and make your configuration a lot easier if you added another router so that the server only had one IP address.

Server --> Router --> |----> VPN Router 1 ---> Client 1
                      |----> VPN Router 2 ---> Client 2
                      |----> VPN Router 3 ---> Client 3
                      |----> VPN Router 4 ---> Client 4


mbu10 (asker):

Unfortunately I cannot,
as we are using 4 cable modems, which each router uses one of for itself,
basically a cheap way of getting more bandwidth by using 4 cable modems,
as the managers are cheap and have to have it set up like it is.
Just an idea: if I joined all the VPNs into a switch, then the switch into each of the NICs in the PC,
so if a client does get an IP address that is not on the correct one, i.e. gets 192.168.1.1 instead of 192.168.4.1 for example,
it could still get to 1.1 through the switch, and the return is just a matter of it getting a regular route through the switch.

dankennedy replied:

Yah, that's the idea I was getting at, except that you'd need a router to route the packets to the correct location.

If you did just plug all the VPN routers into a switch, you'd have to change the subnet mask on the server to something like 255.255.0.0. Then I think it should work without the extra router.

This is what I'd recommend if you don't have the budget for another router. Change all the subnet masks on all the server NICs and all the VPN router interfaces to 255.255.0.0, then plug all the NICs and all the VPN routers into one switch, then turn round robin DNS back on (otherwise all the traffic will go through one VPN router).

I think that should work, if I understand your situation correctly.

mbu10 (asker):

OK, that much I have figured out, and I guess in a way it would work, but by putting a hub in instead of a switch the broadcast when the hub transfers data would be picked up by the correct VPN and would move the right information across,
which I had a feeling is one way of doing it.
Would like a server way of doing it though,
so the server always returns the correct IP addresses for the right subnet from which it has been asked.
I know it is a tall one, but hey, nothing is that easy.

Eric:

I run a multihomed DNS server using DDNS and integrated with WINS (albeit only two interfaces and no VPN), but it does complicate the issue, or at least uniquely twist the environment.  DNS is assumed to be simple; however, I disagree, DNS can be complex depending on the requirements.

This is your problem, at least with the macro view I have.

With round robin (see RFC 1794) it will return all address for the HOST, but the client will always use the first one.  By default (with "SubNet when the query is received on a specific standard subnet it will automatically reorder the "A" records for the response.  Based on this...

IP Config:
ip  192.168.5.2
mask   255.255.255.0
gate way of 192.168.5.1
dns is 192.168.1.1

will not work, because the DNS server will order the DNS response per the subnet that the query was received on (i.e. the subnet that the router's internal interface is on).
So that is why it is failing...

You are going to either need to change your subnetting (maybe the safest option) or hack at your DNS server (if it is working fine, I prefer not to touch DNS, but that is just me).  This will help.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/standard/sag_DNS_imp_LocalSubnetPriority.asp

Hope this helps and keep us posted!  

-Eric

mbu10 (asker):

OK, I see where you are coming from.
As the guy above said, change the whole subnets to a 255.255.0.0, which is easy enough to do as I can access everything and all are on DHCP,
but
when doing an nslookup it would still return the 4 DNS server IP addresses
and would use the first one available as they are all on the same subnet,
but I could cut the 3rd octet into different subnets, which might work.
Just wondering about the option of fastening a hub to all ports then all VPNs to that hub,
so that say it comes in via say the 192.168.5.10 machine, which gets routed through 192.168.5.4 (across the net here) to the router at 192.168.1.4, which then moves it on to the network; now if I put a hub in here so all the NICs are tied into one hub and the VPNs are all tied,
so a 192.168.2.1 ping request could be got to.
Might need to add a route to all the remote routers so that 192.168.X.X is always sent down the VPN.

Eric:

Errr....
With round robin (see RFC 1794) it will return all address for the HOST, but the client will always use the first one.  By default (with "SubNet when the query is recieved on a specific standard subnet it will automatically reorder the "A" records for the response.  Based on this...
---CORRECTION---
With round robin (see RFC 1794) it will return all addresses for the HOST, but the client will always use the first one.  By default (with "SubNet Ordering" enabled) when the query is received on a specific standard subnet it will automatically reorder the "A" records for the response, making the subnet that received the query the first in the list.  Based on this...

IP Config:
ip  192.168.5.2
mask   255.255.255.0
gate way of 192.168.5.1
dns is 192.168.1.1

will not work, because the DNS server will order the DNS response per the subnet that the query was received on (i.e. the subnet that the router's internal interface is on).  But this also depends on how it is subnetted.
Either DNS receives the queries as from the 192.168.0.0/16 source network, then decides no network prioritization is needed, OR sees them from a remote network (i.e. 192.168.5.x/24) and again, no prioritization is done.  I believe in your case, it is the second.  Therefore all queries are handled via round robin ordering.
So that is why it is failing...

you can try running this:
ipconfig /flushdns
ping <hostname>
ipconfig /flushdns
ping <hostname>
ipconfig /flushdns
ping <hostname>
ipconfig /flushdns
ping <hostname>

This will test round robin, as long as this is the only query being made on that interface.  One of them should resolve to the correct interface and return.

-Eric

mbu10 (asker):

OK, just done this.
Left round robin off.
Now did a ping server; it came back with 192.168.1.1.
Now flushed DNS and did it again, and it came back with the same IP address.
Did it again, same answer.
Now did it at another site and it did exactly the same thing again.
Via the length of time to login (60 sec about)
I presume when it does not get an answer it tries the other ones, one by one, and then goes in and maps drives via server name correctly when it gets a response from one of the IP addresses.

mbu10 (asker):

So it's not doing any sort of prioritization; it's just giving the first DNS server IP address every time.

Eric:

With round robin disabled it will return the list as is, in that order.  It will not rotate first to last with the order.  With round robin disabled, with netmask ordering enabled, it should return the address on the interface it was received on IF the source address is within THAT subnet.  Since the source is x.x.5.x it is just returning the address in the default order.

The resolution is subnetting.
Force the address range to that of a B and subnet the class B into C's, or subnet the class C's.  Assuming the capabilities of your switch/router, this will provide network isolation, maintaining broadcast domains, and DNS subnet prioritization should reorder correctly.

-Eric

Eric:

You may want to convert to a 172.16.x.x - 172.31.x.x design.  This gives more flexibility and more freedom in regards to making your DHCP redundant and is less limiting with host ranges when subnetting.  This will also resolve the issue.

Remember DNS WITH round robin and subnet prioritization enabled prioritizes RRs in this order; once a method is chosen it does not recurse to other methods for THAT query:
<default preference> Subnet Prioritization
Source address' network ID is compared to the RR's network ID; if it is the same, the order of RRs is subnet prioritized.
- IF multiple RRs have the same network ID and the query source network ID is the same, the order is subnet prioritized; however the order of all qualifying RRs is then ordered by round robin.
- IF the source network ID is a remote network, the order method is defaulted to round robin and all RRs are rotated in a first to last succession.
- IF Round Robin is disabled, the above behavior will return the order as they are listed within DNS.
- IF subnet prioritization is disabled, all ordering will default to the round robin method.
- IF both are disabled, ordering will always default to the listing order in DNS.  (i.e. the first A record for the host will ALWAYS be at the top of the order)

-Eric
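The ordering rules Eric lists above are easy to model, and the model shows why the asker's flushdns/ping loop kept returning 192.168.1.1. The Python below is an added example written for this thread, not Windows DNS server code and not something either participant posted. It assumes netmask ordering compares the query's source address and each A record under a class C (/24) mask and represents round robin as a per-interface rotation counter; nothing in it reproduces the real server's internals.

```python
"""Model of DNS response ordering: netmask ordering plus round robin.

Added example for this thread. Assumption: netmask ordering compares the
source address and each record under a /24 (class C) mask, as the thread
describes for the default setting; the real Windows server is not reproduced.
"""
import ipaddress

# The four A records the asker's server holds, in the order they are listed in DNS.
SERVER_RECORDS = ["192.168.1.1", "192.168.2.1", "192.168.3.1", "192.168.4.1"]


def network_id(ip, prefix=24):
    """Network ID of `ip` under a /prefix mask (default /24, a class C)."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def rotate(records, n):
    """Round robin: move the first n records to the end (first-to-last rotation)."""
    if not records:
        return []
    n %= len(records)
    return records[n:] + records[:n]


def order_records(records, source_ip, *, netmask_ordering=True,
                  round_robin=True, rotation=0, prefix=24):
    """Return `records` in the order handed to a client at `source_ip`.

    rotation: how many queries this interface has already answered; it only
    matters when round robin is on.  Rules as described in the thread:
      - netmask ordering puts records whose network ID equals the source's first;
      - within that local group (and the remainder) the order rotates if round
        robin is on;
      - a source on a remote network gets plain round robin, or the listed
        order when round robin is disabled.
    """
    recs = list(records)
    if netmask_ordering:
        src_net = network_id(source_ip, prefix)
        local = [r for r in recs if network_id(r, prefix) == src_net]
        remote = [r for r in recs if network_id(r, prefix) != src_net]
        if local:
            if round_robin:
                local, remote = rotate(local, rotation), rotate(remote, rotation)
            return local + remote
    # No subnet match (or netmask ordering off): round robin or the listed order.
    return rotate(recs, rotation) if round_robin else recs


def first_answers(records, source_ip, attempts, **flags):
    """Address a client would try first on each of `attempts` successive
    queries; this is what the ipconfig /flushdns + ping loop exercises."""
    return [order_records(records, source_ip, rotation=i, **flags)[0]
            for i in range(attempts)]


if __name__ == "__main__":
    # Remote client 192.168.5.2, round robin off: the same answer every time.
    print(first_answers(SERVER_RECORDS, "192.168.5.2", 4,
                        netmask_ordering=True, round_robin=False))
    # Same client, round robin on: the four addresses rotate.
    print(first_answers(SERVER_RECORDS, "192.168.5.2", 4,
                        netmask_ordering=True, round_robin=True))
    # A client on the 192.168.3.0/24 segment: netmask ordering puts 192.168.3.1 first.
    print(order_records(SERVER_RECORDS, "192.168.3.7", round_robin=False))
```

With the remote client on 192.168.5.x none of the four records share its /24, so the local group is empty and the server falls through to round robin or the listed order, which is exactly the symptom reported: 192.168.1.1 every time with round robin off. Only a client whose source address matches one of the server's own subnets gets the matching interface first, which is why the thread moves on to re-subnetting.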

mbu10 (asker):

OK, yeah, I agree then to split the 255.255.255.0 class C into 4 separate parts.
So providing I have a max of only 10 hosts in any one subnet and need a minimum of 4 subnets, what would be the subnet masks then?
Sorry, hate subnetting, always get lost even though I can do it; just want to make sure I am going to get it right.

Eric:

Well....you always want to give yourself some room.  So for an even 4 way: 255.255.255.192
gives you 62 hosts.

-Eric

Eric:

Class C IP range: 192.168.x.x/26
Subnet: 255.255.255.192
                     Hosts
Network ID           From   -  To       Broadcast
192.168.x.0          .1     -  .62      .63
192.168.x.64         .65    -  .126     .127
192.168.x.128        .129   -  .190     .191
192.168.x.192        .193   -  .254     .255

Larger networks are more forgiving.  The larger numbers look more menacing than they are.  Thanks to Pythagoras, we eventually learned exponential notation to deal with these numbers.  A larger mask (the private class B for example) is more flexible, and from there you can subnet all the way down to a /30 if you wish.

just my opinions...  Hope this helps.

-Eric

mbu10 (asker):

OK, sorry for the late reply, as I've been so damn busy today racing after other things.
OK, just to summarize, is this correct:
all gateways are the first IP address in any range
(1)
192.168.1.(1-62)
255.255.192.0

(2)
192.168.2.(65-126)
255.255.192.0

(3)
192.168.3.(129-190)
255.255.192.0

(4)
192.168.4.(193-254)
255.255.192.0

with gateways set accordingly.
Now with the remote sites, of which there are 5, I do not need to count these as there is a routing table anyway and they are getting routed to the correct one, i.e. 192.168.5.1 --> 192.168.1.1.
Is this correct in my assumption?
Thanks
P.S. Eric, the points are yours or will be shortly, as you have helped the most.



mbu10 (asker):

Yeah yeah, I know, worked that out wrong there; the 1,2,3,4 are all 0, OK,
I think.
Now with this configuration, with every say on the say 192.168.2.x (according to the subnet host bit 1,65,129,193 for instance for the router address),
when doing a DNS query it will return using the correct IP address info.
Is that what I have just confirmed there?
Thanks again,
Martin

Eric:

OK...
You are now subnetting a class "B".  You can force a class B using class C "ranges".  It is actually good that you thought that, as you are mentally playing with bits in the right way.  If you want to switch to a class B I would suggest using the established class B ranges (172.16.0.0 - 172.31.0.0).

Ohh my bad...I just looked at what I typed....was in a hurry...

192.168.x.0          .1     - .62         .63
192.168.x.64        .65   - .126       .127
192.168.x.128      .129  - .190       .191
192.168.x.192      .193  - .254       .255

x=Class C/24 (in this case you are only using 1 class C address space,

Here is an example of subnetting a class C:
192.168.100.0/26 (i.e. a mask of 255.255.255.192)

192.168.100.0          .1-.62         .63
192.168.100.64         .65-.126       .127
192.168.100.128        .129-.190      .191
192.168.100.192        .193-.254      .255

So what is going on in the above example is a Class C/24 (i.e. 192.168.100.0-192.168.100.255), masked to create 4 separate networks with 62 avail. hosts per net.
These are your four networks:
192.168.100.0/26
192.168.100.64/26
192.168.100.128/26
192.168.100.192/26

Each subnet within a class reduces the available hosts by 2.  One for the network ID and one for the broadcast.

See what I am sayin?

-Eric

mbu10 (asker):

OK, it's late and my mind is messed up from today and I'm tired, but I've been tearing my hair out as subnets just always have done my head in. OK, figured this:
based on 27 bit
MAXIMUM AMOUNT OF SUBNETS IS 8
Subnet           Mask               Subnet Size    Host Range                          Broadcast
192.168.0.0      255.255.255.224    30             192.168.0.1   to  192.168.0.30      192.168.0.31
192.168.0.32     255.255.255.224    30             192.168.0.33  to  192.168.0.62      192.168.0.63
192.168.0.64     255.255.255.224    30             192.168.0.65  to  192.168.0.94      192.168.0.95
192.168.0.96     255.255.255.224    30             192.168.0.97  to  192.168.0.126     192.168.0.127
192.168.0.128    255.255.255.224    30             192.168.0.129 to  192.168.0.158     192.168.0.159
192.168.0.160    255.255.255.224    30             192.168.0.161 to  192.168.0.190     192.168.0.191
192.168.0.192    255.255.255.224    30             192.168.0.193 to  192.168.0.222     192.168.0.223
192.168.0.224    255.255.255.224    30             192.168.0.225 to  192.168.0.254     192.168.0.255

So on the NIC card the settings would be as follows (correct me if I am wrong here):
NIC1
ip       192.168.0.1
netmask  255.255.224.0
gateway  192.168.0.4 (THE VPN CONNECTION)

NIC2
ip       192.168.1.33
netmask  255.255.224.0
gateway  192.168.0.37 (THE VPN CONNECTION)

NIC3
ip       192.168.0.65
netmask  255.255.224.0
gateway  192.168.0.68 (THE VPN CONNECTION)

NIC4
ip       192.168.0.97
netmask  255.255.224.0
gateway  192.168.0.100 (THE VPN CONNECTION)

Now the remote sites I am not taking into account here, as the remote addresses can stay the same I guess, as 192.168.(5,6,7,8,9,10,11).(X, this provided by the remote DHCP).
In the settings for the VPN it says:
Remote IP Network   ...  x.x.x.x
Remote IP Netmask   ...  x.x.x.x

So I presume it will just move it so it can be accessed by the appropriate NIC card.
Now when the card responds to the DNS query from the remote site,
so say 192.168.0.1 --VPN HERE--> 192.168.5.1,
when 102.168.5.x queries DNS at 192.168.0.1, the DNS will respond with its own address only, for its own name on that subnet, 192.168.0.1.

Is this correct?
Please tell me if I have this all right,
as I need to make sure.
Thanks for all your help.

Sorry, just got an e-mail saying someone replied,
so if this is wasted, I hope not.




mbu10 (asker):

Sorry, small mistake there: none of them have gateways on bar one,
which is the way to the internet.
All I have to do is add routes according to the existing IP/subnet.

Eric:

Again....the mask of 255.255.224.0 is for a class B.  So based on that mask the network is 192.168.0.0/19

CIDR Notation (x.x.x.x/n) in the above example:
255.255.224.0
11111111.11111111.11100000.00000000
Again....class B.  This is wrong; however, as any good math professor would do, your logic and methods are correct.  Just an incorrect mental point of start...and "GI-GO" the equalizer overrides the solution.

So you are correct that this will give you 8 subnets, with 8190 host addresses each:
192.168.0.0         192.168.0.1   - 192.168.31.254     192.168.31.255
192.168.32.0        192.168.32.1  - 192.168.63.254     192.168.63.255
192.168.64.0        192.168.64.1  - 192.168.95.254     192.168.95.255
192.168.96.0        192.168.96.1  - 192.168.127.254    192.168.127.255
192.168.128.0       192.168.128.1 - 192.168.159.254    192.168.159.255
192.168.160.0       192.168.160.1 - 192.168.191.254    192.168.191.255
192.168.192.0       192.168.192.1 - 192.168.223.254    192.168.223.255
192.168.224.0       192.168.224.1 - 192.168.255.254    192.168.255.255


So you see the relationship between the mask and the network ID?

-Eric

Eric:

Do you use any IM software?...I gotta run, but I should be back in a couple hours.
MSNIM: tNoOtSePnAtManz@hotmail.com (use only the lowercase letters) and do not email that address it is largely unmonitored and frequently the inbox gets dumped

-Eric
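Eric's two tables (the /26 split of a class C, and the /19 that 255.255.224.0 actually produces on a class B) and the asker's /27 table can all be generated from one small calculator. The Python below is an added example for this thread, not code from either participant; it uses only the standard `ipaddress` module, the thread's own 192.168.x.x addresses, and the asker's stated requirement of at most 10 hosts per subnet and at least 4 subnets. The `subnet_of` check at the end is an added illustration of Eric's point: under the 255.255.224.0 mask all four NIC addresses the asker listed fall into the same 192.168.0.0/19 network rather than four separate /27s.

```python
"""Subnet calculator for the /26, /27 and /19 tables in this thread.

Added example; uses only Python's standard ipaddress module.  Addresses
are the thread's own (192.168.x.x).
"""
import ipaddress


def mask_to_prefix(mask):
    """'255.255.255.224' -> 27, '255.255.224.0' -> 19 (Eric's class B point)."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def prefix_to_mask(prefix):
    """26 -> '255.255.255.192'."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def subnet_table(block, new_prefix):
    """Split `block` (e.g. '192.168.100.0/24') into /new_prefix subnets.

    Returns one dict per subnet: network ID, first and last usable host,
    broadcast, and usable host count (size minus network ID and broadcast).
    """
    rows = []
    for sub in ipaddress.ip_network(block).subnets(new_prefix=new_prefix):
        rows.append({
            "network": str(sub.network_address),
            "first_host": str(sub.network_address + 1),
            "last_host": str(sub.broadcast_address - 1),
            "broadcast": str(sub.broadcast_address),
            "hosts": sub.num_addresses - 2,
        })
    return rows


def subnet_of(ip, mask):
    """The subnet an interface with this IP and mask actually sits in."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))


def prefix_options(block, max_hosts, min_subnets):
    """Prefix lengths that split `block` into at least `min_subnets` subnets
    while leaving at least `max_hosts` usable hosts in each."""
    net = ipaddress.ip_network(block)
    return [p for p in range(net.prefixlen + 1, 31)
            if 2 ** (32 - p) - 2 >= max_hosts
            and 2 ** (p - net.prefixlen) >= min_subnets]


def print_table(block, new_prefix):
    """Print a table in the same layout Eric used."""
    print(f"{block} split with {prefix_to_mask(new_prefix)} (/{new_prefix})")
    print(f"{'Network ID':<16}{'From':<16}{'To':<16}{'Broadcast':<16}Hosts")
    for r in subnet_table(block, new_prefix):
        print(f"{r['network']:<16}{r['first_host']:<16}{r['last_host']:<16}"
              f"{r['broadcast']:<16}{r['hosts']}")


if __name__ == "__main__":
    print_table("192.168.100.0/24", 26)   # Eric's four /26 networks
    print_table("192.168.0.0/24", 27)     # the asker's eight /27 networks
    print_table("192.168.0.0/16", 19)     # what 255.255.224.0 really gives
    # The mask typed into the NICs puts all four addresses in one /19:
    for ip in ("192.168.0.1", "192.168.0.33", "192.168.0.65", "192.168.0.97"):
        print(ip, "/ 255.255.224.0 ->", subnet_of(ip, "255.255.224.0"))
    # Masks that satisfy "max 10 hosts per subnet, at least 4 subnets":
    print(prefix_options("192.168.0.0/24", max_hosts=10, min_subnets=4))
```

For the asker's requirement the calculator returns /26, /27 and /28 as workable splits of one class C, which covers both Eric's "give yourself room" choice of 255.255.255.192 and the asker's own 255.255.255.224 table; the point of `subnet_of` is that the mask on the NIC, not the host range you had in mind, decides which network the interface is in.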
ASKER CERTIFIED SOLUTION by NetwerkMerc (solution text available only to Experts Exchange members)

mbu10 (asker):

Yeah, I use MSN Messenger
with my mail as
m.underdown@ntlworld.com
Just thinking it through now, so
now all this is so users login quicker; at the moment they login but it takes a little time, 1.3 min, but with this sorted it should take very much less. The internet is provided by their remote router.


So on the NIC card the settings would be as follows (correct me if I am wrong here):

local NIC1
ip       192.168.1.xx
netmask  255.255.224.0
gateway  192.168.0.4 internet connection for the main office

remote office 1
ip       192.168.2.xx
netmask  255.255.224.0
(has its own gateway to the net which will also automatically transfer any IP address traffic listed in the VPN to the correct remote subnet) (but is the IP address of the router/VPN on the remote side) (this also gives clients on this side of the VPN DHCP addresses)

local NIC2
ip       192.168.33.xx
netmask  255.255.224.0

remote office 2
ip       192.168.34.xx
netmask  255.255.224.0
(has its own gateway to the net which will also automatically transfer any IP address traffic listed in the VPN to the correct remote subnet) (but is the IP address of the router/VPN on the remote side) (this also gives clients on this side of the VPN DHCP addresses)

local NIC3
ip       192.168.65.xx
netmask  255.255.224.0

remote office 3
ip       192.168.66.xx
netmask  255.255.224.0
(has its own gateway to the net which will also automatically transfer any IP address traffic listed in the VPN to the correct remote subnet) (but is the IP address of the router/VPN on the remote side) (this also gives clients on this side of the VPN DHCP addresses)

local NIC4
ip       192.168.97.xx
netmask  255.255.224.0

remote office 4
ip       192.168.98.xx
netmask  255.255.224.0
(has its own gateway to the net which will also automatically transfer any IP address traffic listed in the VPN to the correct remote subnet) (but is the IP address of the router/VPN on the remote side) (this also gives clients on this side of the VPN DHCP addresses)

This would be it, I think, so that all the remote offices are on the same subnet as the local subnet to which they physically connect via the VPN.
Also, if I am right, it would be possible to add further subnets,
i.e. if I wanted to add another VPN at local 4 I could just add 192.168.99.xx.
Is that correct?

Sorry, dropped my laptop yesterday so it took longer to answer you.
Thanks

mbu10 (asker):

WOW
NetwerkMerc gets the lot.
So much help, unbelievable.
Even let me phone him and we had a good old natter about the problem and other things.
Good bloke.
All points awarded to him.
Eric, great one man.
Thanks so much,
Martin

Eric:

Too kind mate!  Been MIA for a while, but I'm back!!!  With a striped vol of 3 18GB Ultrastar drives :D   and a loaded PowerEdge 2300 that I got for 140 bucks...Well...hope to see everyone around and help out where I can.

-Eric
Security and Virus forum moderator:
www.computerrepair.com 
http://members.cox.net/eapelton/index.html