Solved

FQDN can not be resolved

Posted on 2004-09-21
Last Modified: 2010-08-05
Hi,

I am currently running MS SBS2000 with IIS.  From any web browser inside the network, I can type in the IP address for the server and it pulls up the internal web site.  However, if I try to type the FQDN of the server, it will not work.

Currently, I have a Smoothwall Firewall running that acts as a web proxy.  However, I have ensured that each client within the system has the Primary DNS set for the server and not set to obtain the DHCP.  The current DHCP is the Smoothwall.  I'm not exactly sure how to make sure that all name requests are bounced off the SBS instead of the firewall.

Regards,
Adrian
Question by:jerle
 
LVL 15

Expert Comment

by:scampgb
Hi jerle,

We'll need to establish whether the problem is with the client or the server in this case.

If you do "ipconfig /all", what does it show as your DNS IP?

Are the PCs and the server on the same network, in the same IP range?

Go to a command prompt and type "nslookup".  You'll get a response like

Default Server:  server.mydomain.com
Address:  192.168.1.2

>

Make sure that the address it shows is that of your server.

Type the FQDN (with a full-stop/period at the end) in the line > and see what it returns.  

Check that the DNS service is running on your server and that the Zones are set up correctly.
Do the same "nslookup" test on the server itself.  That'll eliminate any network problems.

Sorry that the above is so brief, but let me know if you need any clarification once you've done those tests.
0
 

Author Comment

by:jerle
hi scamp,

ok, the ipconfig command shows the correct DNS IP address.

nslookup returns:

*** Can't find server name for address 192.XXX.XXX.XXX: Non-existent domain
*** Default servers are not available
Default Server:  UnKnown
Address:  192.XXX.XXX.XXX

The IP addresses above are correct as well.

Typing in the FQDN returns:

Server: Unknown
Address:  192.XXX.XXX.XXX

Name: mydomain.local
Address: 192.XXX.XXX.XXX

I have no idea how to correct this error.

Regards,
jerle
0
 

Author Comment

by:jerle
BTW...

on the server end, nslookup returns:

Server: localhost
address: 127.0.0.1

Name: osisecurity.local
Address: 192.XXX.XXX.XXX

R- jerle
0
 

Author Comment

by:jerle
All the PCs are on the same network and within the same range:  

192.XXX.XXX.0 to 192.XXX.XXX.200

I've verified that DNS is running on the server.  Whether it's configured correctly or not, I'm not certain.  There's only one forward lookup zone and it's mydomain.local.  It has the correct IP address and FQDN in its properties.
0
 
LVL 2

Assisted Solution

by:jasperomalley
jasperomalley earned 200 total points
One problem is that you don't have a reverse zone for your network, which is why you get this error:

*** Can't find server name for address 192.XXX.XXX.XXX: Non-existent domain
*** Default servers are not available

Create the reverse zone and put a PTR record for the IP address of the DNS server in it.

This error shouldn't be causing forward lookups to fail, however.
0
 
LVL 15

Expert Comment

by:scampgb
jerle,
Jasperomalley is right about the reverse lookup zone not being configured, but that's not the cause of the problem.
You ought to configure this though - instructions at http://www.stamey.nu/DNS/DNS-MSReverseLookups.asp

Reverse DNS lookup is what converts the IP address to a name.  It's the opposite of a DNS lookup :-)

You need a forward lookup zone for the domain itself.  For example, assume that your webserver is "internalserver.mydomain.org"
You will need to configure a forward lookup zone for "mydomain.org"
That zone will need to contain an "A" record for "internalserver" that points to the IP address of the server.

Also, check what your PCs are using as their "domain search suffix".  
Go to Control Panel
Networks
Right click on the network interface
Properties
Choose TCP/IP
Click Advanced
DNS tab
Check what it shows for the DNS suffixes.  Are these correct?
0
 

Author Comment

by:jerle
ok,

thanks for the tip on the reverse lookup, Jasper.  That works good now.

The forward lookup zone is set up correctly, Scamp.  According to what you've written, everything seems to check out ok.  As far as the "domain search suffix", I'm not completely sure where that is.  There doesn't appear to be anything that says "search", however there are a few resolution settings.  Right now, it is set as follows:

"Append primary and connection specific DNS suffixes"
"Append parent suffixes of the primary DNS suffix." is enabled.

DNS suffix for this connection is set to mydomain.local

"Register this connection's address in DNS" is enabled.

From what I can tell, it appears that despite what I have set on the client, the browser seems to want to query the Squid DNS server on the firewall.  I went ahead and set the proxy connection settings to not use the proxy server for the local domain and it started working, but if I understand things correctly, it should have been resolved by the DNS server before it even got to the proxy.  Am I wrong on that understanding?

-jerle
0
 
LVL 15

Expert Comment

by:scampgb
Different versions of Windows display the "suffix" information differently.
What this means is that if you do a DNS lookup for "myserver" and your suffix is "mydomain.local", it'll actually do a lookup for "myserver.mydomain.local."

The DNS lookup should be happening on your SBS server, if that's the IP address that's defined as the DNS server on the client.
However, it's possible that the MS DNS server is forwarding the request to the sonicwall DNS.  That's quite likely if it can't resolve the name itself (and the server can't resolve *all* domains!).

Can you please do the nslookup test again on both the server and workstation?
Please can you post the full 192.168 addresses (there's no security issue here as you're NATing the address through your firewall)?

0
 

Author Comment

by:jerle
U:\>nslookup
Default Server:  perseus.osisecurity.local
Address:  192.168.135.1

> osisecurity.local
Server:  perseus.osisecurity.local
Address:  192.168.135.1

Name:    osisecurity.local
Address:  192.168.135.1

DNS is set to 192.168.135.1
0
 

Author Comment

by:jerle
BTW... the clients are W2K Pro SP4.

-jerle
0
 
LVL 15

Expert Comment

by:scampgb
Sorry, I'm getting a little confused now.  From the nslookup, it looks OK.
I'm probably missing something though.

Let me know which bit is wrong here:
You go to "http://osisecurity.local/" on your web browser and encounter a DNS error
The IP address of the webserver you're trying to access (osisecurity) is 192.168.165.1



0
 

Author Comment

by:jerle
Oh...... the nslookup returns the same for both server and client now.
0
 

Author Comment

by:jerle
Hey scamp,

Sorry about all the confusion.  Here's the exact error my browser returns.  It's clearly coming from the Smoothwall, but it should be checking the names off the SBS and NOT the Smoothwall.  That's what I'm trying to make sure happens here:  -jerle


The requested URL could not be retrieved

While trying to retrieve the URL: http://osisecurity.local/

The following error was encountered:

Unable to determine IP address from host name for osisecurity.local
The dnsserver returned:

Name Error: The domain name does not exist.
This means that:

 The cache was not able to resolve the hostname presented in the URL.
 Check if the address is correct.
Your cache administrator is webmaster.

Generated Thu, 23 Sep 2004 14:53:42 GMT by swxprs-osi (squid/2.5.STABLE4)
0
 
LVL 15

Expert Comment

by:scampgb
Well, that's very interesting!

Try this test:
Go to a command prompt and type:
telnet osisecurity.local 80                 (you should get a blank screen)
GET /


(the two blank lines are important)
You should get a bunch of HTML code from your internal webserver

If that's what's happening, then you're correct that the full URL is being forwarded straight to the sonicwall, which then doesn't know how to resolve it.

Couple of questions:
In Internet Explorer, go to Tools > Internet Options > Connections tab > LAN settings
Can you tell me what options are supplied in there?

Also, is there any client software for the SonicWall installed on the machine?
For example - ISA server has a firewall client that can forward network requests straight to the ISA server.  I'm wondering if SonicWall has something similar.


0
 

Author Comment

by:jerle
ok...

The telnet worked fine.  I didn't have any problems with that.  The IE settings are set to use the proxy.  The proxy points to the firewall with the option to bypass proxy for local addresses enabled.  As I mentioned, by default there are no exceptions in the advanced tab.  When I add the internal site to the exceptions, everything works fine, but why should I have to?

Perhaps I should just figure out a way to configure the proxy server to use the SBS as a NS and just push the IE settings through the registry on the logon script.  At this point, I think it would just be easier.

R-
jerle
0
 
LVL 15

Accepted Solution

by:
scampgb earned 300 total points
jerle,
> the option to bypass proxy for local addresses enabled.
I've found this to be a bit flaky - sometimes it can't identify "local" addresses properly, so sends it to the proxy anyway.

> Perhaps I should just figure out a way to configure the proxy server to use the SBS as a NS and just push the IE settings through the registry on the logon script

That's what I'd do.  You'd then have control over the DNS (it'll be on SBS) and how IE behaves.
If you're in an AD domain, you can do this as part of the group policy.


0
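Added example (not part of the original thread): a simplified JavaScript model of Internet Explorer's proxy-bypass decision, showing why `osisecurity.local` was handed to the Squid proxy, and so resolved by the Smoothwall's DNS rather than the SBS server, until it was added to the exceptions list. It assumes the documented behaviour that the "bypass proxy server for local addresses" option (`<local>`) matches only host names containing no dot; the function names are hypothetical and scheme/port matching is ignored.

```javascript
// Simplified model (an assumption, not Microsoft's code) of how IE decides
// whether a host bypasses the configured proxy. `override` mirrors the
// semicolon-separated exceptions list (registry value ProxyOverride).
function wildcardToRegExp(pattern) {
  // Escape regex metacharacters, then turn '*' into '.*'; match whole host.
  var escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$', 'i');
}

function bypassesProxy(host, override) {
  var entries = override.split(';');
  for (var i = 0; i < entries.length; i++) {
    var entry = entries[i].replace(/^\s+|\s+$/g, '');
    if (entry === '') continue;
    if (entry.toLowerCase() === '<local>') {
      // "Bypass proxy server for local addresses": only names with no dot.
      if (host.indexOf('.') === -1) return true;
    } else if (wildcardToRegExp(entry).test(host)) {
      return true;
    }
  }
  return false;
}

// Who resolves the name: the client's DNS server (the SBS box) on a direct
// connection, or the proxy's own resolver when the URL is handed to Squid.
function resolver(host, override) {
  return bypassesProxy(host, override) ? 'client DNS (SBS)' : 'proxy DNS (Smoothwall)';
}

// Constructed checks using the host names from the thread.
var checks = [
  ['perseus', '<local>'],
  ['osisecurity.local', '<local>'],
  ['osisecurity.local', '<local>;osisecurity.local;*.osisecurity.local'],
  ['perseus.osisecurity.local', '<local>;*.osisecurity.local'],
  ['www.example.com', '<local>;*.osisecurity.local']
];
for (var j = 0; j < checks.length; j++) {
  console.log(checks[j][0], '|', checks[j][1], '->', resolver(checks[j][0], checks[j][1]));
}
```

Note that `*.osisecurity.local` alone does not cover the bare zone name `osisecurity.local`, so both forms go in the exceptions list.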
 

Author Comment

by:jerle
scamp,

It's funny you mention the GPO.  I've tried using the GPO before and THAT is REALLY flaky!!  Half the computers take it and the other half don't care.  What's worse is that sometimes the GPO will assign the SBS as the proxy server INSTEAD of the settings I put in the GPO.  I think it all has to do with the "sbsclnt.exe" that runs first.  If you've never used Small Business Server, you prolly have never seen that program.  It sux.  I hate it, but it's useful when installing apps on all the machines.  Aside from that, it's the flakiest program I've ever seen.  It used to hang up half the machines that were on the Novell network here.

Anyway, all that aside, I'm just gonna use the logon script.  Thanks for everyone's help!  I'm gonna post another question about Exchange 2000 in the OS portion now.

Regards,
~jerle~
0
 
LVL 15

Expert Comment

by:scampgb
jerle,
I've never had the "pleasure" of using SBS.  I tend to stick to the real thing ;-)

I've found that GPOs work very well - as long as you plan it all well in advance!

Good luck :-)
0
 

Author Comment

by:jerle

"Pleasure" was exactly the word I was looking for.  Hehe.....  Thanks again for your help.  SBS is fine for this company.  It's screwy, but I can only work with what I have.  ttyl

jerle
0
