What are the business impacts of how well businesses communicate during an IT incident? Targeting, speed, and transparency all matter. Find out more in this infographic.
Course Of The Month
5 days, 4 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
DNS on WIndows 2003 Web Edition
Posted on 2004-08-08
I am having trouble with DNS using Windows 2003 Web Edition on a small SOHO LAN.
Configuration:
Internet: SBC DSL via a Cayman Netopia 3546 router (does not support NAT U-turns). Five static IP’s mapped to private IP’s using the 3546’s IP Mapping. 67.122.187.65 -> 192.168.0.65 … 67.122.187.69 -> 192.168.0.69
Mewtow running Windows 2003 Web edition, private IP 192.168.0.66, visible to the outside world as 67.122.187.66. Running IIS hosting a couple of websites.
Various WIndowsXP machines on the LAN.
I need to run local DNS on some machine because the Cayman router does not support NTA U-turns which means I cannot reach my own websites via the public addressed. Example; motorcycle.johnocooper.com
DNS setup:
Two zones;
Cooper.pri (all local machines and devices)
Johnocooper.com (with CNAMES www and motorcycle and mail).
In the “Forwarders” setup of the server I have three DNS server addresses provided by SBC (206.13.28.12, 206.13.29.12, 206.13.30.12).
Workgroup name is: cooper.pri. for all machines on the LAN
Cooper.pri is also set as the DNS suffix so the fullname of the local computer is Mewtwo.cooper.pri.
This setup seems to work for a while then stops working. Basically local machines get proper DNS information for a few minutes then it appears that the DNS server stops forwarding to the SBC DNS servers for names it cannot resolve
Example: nslookup yahoo.com
Server: mewtwo.cooper.pri
Address: 192.168.0.66
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to mewtwo.cooper.pri timed-out.
HELP!
Configuration:
Internet: SBC DSL via a Cayman Netopia 3546 router (does not support NAT U-turns). Five static IP’s mapped to private IP’s using the 3546’s IP Mapping. 67.122.187.65 -> 192.168.0.65 … 67.122.187.69 -> 192.168.0.69
Mewtow running Windows 2003 Web edition, private IP 192.168.0.66, visible to the outside world as 67.122.187.66. Running IIS hosting a couple of websites.
Various WIndowsXP machines on the LAN.
I need to run local DNS on some machine because the Cayman router does not support NTA U-turns which means I cannot reach my own websites via the public addressed. Example; motorcycle.johnocooper.com
DNS setup:
Two zones;
Cooper.pri (all local machines and devices)
Johnocooper.com (with CNAMES www and motorcycle and mail).
In the “Forwarders” setup of the server I have three DNS server addresses provided by SBC (206.13.28.12, 206.13.29.12, 206.13.30.12).
Workgroup name is: cooper.pri. for all machines on the LAN
Cooper.pri is also set as the DNS suffix so the fullname of the local computer is Mewtwo.cooper.pri.
This setup seems to work for a while then stops working. Basically local machines get proper DNS information for a few minutes then it appears that the DNS server stops forwarding to the SBC DNS servers for names it cannot resolve
Example: nslookup yahoo.com
Server: mewtwo.cooper.pri
Address: 192.168.0.66
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to mewtwo.cooper.pri timed-out.
HELP!
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
5 Comments
Windows 2003 uses by default eDNS (extended DNS). My Cisco Pix 501 does not support eDNS by default. I had to manually "fixup" my DNS protocol packets to be >512 bytes. (the other solution is to dummy down 2k3 to use only dns). Just so you know.
Typical network configurations I use in the past, I have 2 machines running DNS. 1 Machine is low CPU machine running just 2003, and DNS for the outside world. The second machine is a more powerful (because its usually running exchange, sql server, sometimes its a SBS server) running DNS for internal users (along with DHCP). The reason I do this is because I don't see a way to serve the outside world and the internal users with the same DNS, because if the DNS points to inside IPs they are not accessable by the outside, and if they serve outside IPs, most firewalls do not support double NATing packets.
Typical network configurations I use in the past, I have 2 machines running DNS. 1 Machine is low CPU machine running just 2003, and DNS for the outside world. The second machine is a more powerful (because its usually running exchange, sql server, sometimes its a SBS server) running DNS for internal users (along with DHCP). The reason I do this is because I don't see a way to serve the outside world and the internal users with the same DNS, because if the DNS points to inside IPs they are not accessable by the outside, and if they serve outside IPs, most firewalls do not support double NATing packets.
Agreed I cannot serve bith the indie LAN and the outside WAN but I do not need to do so. My sites are DNS for the public on a DNS service (DYNDNS.com). ALl I need is internal DNS w/o resorting to host files
As I mentioned it works and then stops working then starts working. It always works for its own sites but outside sites (mocrosoft.com for example) will fail then for no apparent reason start working again.
As I mentioned it works and then stops working then starts working. It always works for its own sites but outside sites (mocrosoft.com for example) will fail then for no apparent reason start working again.
Since you have gone thru the trouble of setting up your own DNS server, why dont you just point your Domain host to your DNS server. What device do you have Natting your network. If you have some device that supports DNS "fixup" then you can support both inside and outside requests from the same DNS server rather than having 2 servers.
ErkiPhilips, since you have a PIX 501, you can do something like this
static (inside, outside) GLOBALIP INSIDEIP dns
where global ip is the IP address you want the outside world to see. The inside IP is the actual IP of the inside DNS/WEB/Whatever server.
now the DNS keyword at the end of the static will basically do the "fixup" on the DNS packets. What this means is when a packet comes on the outside for GLOBALIP, it will convert the IP address to the INSIDEIP on the inside. Similarly when a packet goes out, it will convert it to an outside IP. It will also change the IP address in the payload (data). An example will make this clear.
For example lets consider this scenario
client -----internet-------PIX --------dnserver-------web
X.Y.Z.W 192.168.1.11 192.168.1.12 192.168.1.13
The intermediate device could be anything that supports DNS fixup, not necessarily a PIX.
lets say the webserver is www.mydomain.com
also
192.168.1.11 is natted to X.Y.Z.A with dns fixup
192.168.1.12 is natted to X.Y.Z.B with dns fixup
192.168.1.13 is natted to X.Y.Z.C with dns fixup
Now when
client X.Y.Z.W asks for www.mydomain.com, the packet should eventually get to X.Y.Z.A which is the natted IP of the DNS server. The DNS server will reply saying the requested IP address is 192.168.1.12. The PIX or intermediate device will look into the DNS packet payload and change IP address 192.168.1.12 to the outside natted IP which is X.Y.Z.B and hence the outside client will be able to reach the webserver since this IP is internet routable.
Similarly when inside host 192.168.1.13 tries to reach www.mydomain.com, the DNS server will say its IP is 192.168.1.12. Since the PIX doesnt come into the picture now, the inside host will be able to reach 192.168.1.13 without a problem.
Both inside and outside will work.
Hope this help you all
Hit me back if you got questions.
ErkiPhilips, since you have a PIX 501, you can do something like this
static (inside, outside) GLOBALIP INSIDEIP dns
where global ip is the IP address you want the outside world to see. The inside IP is the actual IP of the inside DNS/WEB/Whatever server.
now the DNS keyword at the end of the static will basically do the "fixup" on the DNS packets. What this means is when a packet comes on the outside for GLOBALIP, it will convert the IP address to the INSIDEIP on the inside. Similarly when a packet goes out, it will convert it to an outside IP. It will also change the IP address in the payload (data). An example will make this clear.
For example lets consider this scenario
client -----internet-------PIX --------dnserver-------web
X.Y.Z.W 192.168.1.11 192.168.1.12 192.168.1.13
The intermediate device could be anything that supports DNS fixup, not necessarily a PIX.
lets say the webserver is www.mydomain.com
also
192.168.1.11 is natted to X.Y.Z.A with dns fixup
192.168.1.12 is natted to X.Y.Z.B with dns fixup
192.168.1.13 is natted to X.Y.Z.C with dns fixup
Now when
client X.Y.Z.W asks for www.mydomain.com, the packet should eventually get to X.Y.Z.A which is the natted IP of the DNS server. The DNS server will reply saying the requested IP address is 192.168.1.12. The PIX or intermediate device will look into the DNS packet payload and change IP address 192.168.1.12 to the outside natted IP which is X.Y.Z.B and hence the outside client will be able to reach the webserver since this IP is internet routable.
Similarly when inside host 192.168.1.13 tries to reach www.mydomain.com, the DNS server will say its IP is 192.168.1.12. Since the PIX doesnt come into the picture now, the inside host will be able to reach 192.168.1.13 without a problem.
Both inside and outside will work.
Hope this help you all
Hit me back if you got questions.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
I had an issue with InstallShield not being able to use Computer Browser service on Windows Server 2012. Here is the solution I found.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail. The methods are covered in more detail in o…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses
Course of the Month5 days, 4 hours left to enroll
Earn Certification
Cisco CCNA R&S: ICND2 v3
$197.00$177.30
Earn Certification
Cisco CCNA Data Center: DCICT
$197.00$177.30
688 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.