Solved

DNS does not escalate for its own domain name

Posted on 2004-10-16
10
343 Views
Last Modified: 2010-04-10
Situation:
an inhouse net with AD domain "mydomain.com".
outside ISP with web server: www.mydomain.com and some more subdomains as: x.mydomain.com, y.mydomain.com,...
The ISP provides 2 DNS server: NS1 and NS2
My inhouse DNS server has all inhouse ip mapped to names.

I could access by IE6 all inhouse of mydomain and all other (not my domain)  targets outside (usual web access)
>>> I could not access my (outside) www and subdomains!
Obviously my DNS does not resolve the outside domains when it has to look for inhouse domain names outside (escalating to the ISP provided 2 DNS server).

The outside domains has 2 DNS server (provided by the ISP) which are listed as 2nd and 3rd when listing with ipconfig /all
First DNS server is my inhouse DNS server.

I made a test by moving one of the outside DNS server to position 1 in my list.
Now I have access to all outside and "www.mydomain.com" too. but i.e. Outlook doesn't resolve to my (local /inhouse) Exchange2003 server. It says the server maybe down. But the problem the local server is not found as its name is not resolved. (MY! inhouse DNS server doesn't obviously resolve it as it is not asked or not asked early enough when it is a timing problem.)

Internet access is by DSL and an dynamic IP for the DSL-Router

Whats wrong?
Could it be that timing plays a role. How should I over came that?
How could I make my DNS server escalating an unresolved name to DNS 2 and DNS3? As it obviously does for all foreign domains but not for the AD (inhouse) domain?

Any help would be really appreciated.
Juergen Loewner
0
Comment
Question by:JLoewner
10 Comments
 
LVL 15

Expert Comment

by:scampgb
Comment Utility
Hi JLoewner,
If the DNS server is configured to be authoritative for "mydomain.com" (which is is) then it won't refer to another DNS server if it doesn't have a record that matches the request.
Instead it'll just return that the record can't be found.
This is correct behaviour.

What you'll have to do is add "A" records to your Internal DNS zone on your server that points to the external IPs.  For example "www.mydomain.com" A 1.2.3.4

Does that help?
0
 

Author Comment

by:JLoewner
Comment Utility
This I have done already. It works.

But I don't want to care about the mappings locally as it is intended to have lots of subdomains as some diferent other domains..
As everything is on the ISPs NS1 and NS2 why can't it work this way: if it is not resolved here lets look as usual in the listed DNS server?

Or is there a workaround gain this?

0
 
LVL 3

Expert Comment

by:_Jochen_
Comment Utility
tell your internal DNS server the IP of the external DNS Servers for a Forwarding Lookup Zone.
All unkown names will be forewarded to the external Servers.
Something general: Dont use the same DNS Name for internal net, as you use for external net.
0
 

Author Comment

by:JLoewner
Comment Utility
>>tell your internal DNS server the IP of the external DNS Servers for a Forwarding Lookup Zone

I guess I have already done that:
in DNS admin I added an record i.e.: nameserver (NS) ns27.1and1.com

That hasn't worked.

Or do you mean someting different?
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 

Author Comment

by:JLoewner
Comment Utility
>>tell your internal DNS server the IP of the external DNS Servers for a Forwarding Lookup Zone

some additional info to this:

When I tied this I had the following effect:
nslookup found my external name.
But I couldn't ping it.
And I couldn't reach it by IE6
0
 
LVL 15

Expert Comment

by:scampgb
Comment Utility
_Jochen_:
> tell your internal DNS server the IP of the external DNS Servers for
> a Forwarding Lookup Zone.
> All unkown names will be forewarded to the external Servers.

That's not quite the whole story.  Any request for a domain for which the DNS server doesn't have a cached response will be sent on to the forwarders UNLESS the DNS server itself is authoritative for that zone.

If the Internal domain zone is the same as one hosted elsewhere you will need to duplicate your "external" entries on your Internal DNS server.

LJowner: you could consider subdomain delegation for handling the subdomains, but the "mydomain.com" Internal zone will still need to have entries from your External one.
0
 

Author Comment

by:JLoewner
Comment Utility
So I have to stick with my 1st comment:
All external xyz.mydomain.com (varying xyz) have to be entered manually at my local DNS server!?

This is not very satisfying.
It is ok for 1 or 2 servers outside.

But if you have to care for a bunch of it with changing entries on a nearly weekly basis this is an foreseeable error prone work.

No workaround?
No flash of inspiration folks?
0
 
LVL 15

Expert Comment

by:scampgb
Comment Utility
JLoewner:
Sorry - the only "solution" is for you to be using a different DNS zone for your Internal network.
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 100 total points
Comment Utility

Split Brain DNS (mutliple "Start of Authority" Servers for a single Domain) is a far from ideal set-up (aka high maintainance).

You could always rename your Private Domain, then requests would be handled as you want by your Internal DNS.

http://www.microsoft.com/windowsserver2003/downloads/domainrename.mspx
0

Featured Post

Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

Join & Write a Comment

Suggested Solutions

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now