
SBS 2003 w/ Sonicwall TZ 170 - Unable to resolve domain names

kbayer asked
Last Modified: 2008-02-01
I'm sure there's an easy answer to this one, but it has me scratching my head. I'm setting up a network with SBS 2003 and a Sonicwall TZ 170 behind our ISP's router. The problem is, I can't get the Sonicwall to allow me to resolve domain names.

Here's my setup:

Sonicwall:
Wan IP - xx.xxx.xxx.162
Subnet - 255.255.255.224
Wan Router: xx.xxx.xxx.161
LAN IP Address - 192.168.1.1
LAN Subnet - 255.255.255.0

SBS 2003 NIC 1(Internal Network):
IP - 192.168.0.2
Subnet - 255.255.255.0
Default Gateway: Blank
Preferred DNS: 192.168.0.2 (forwarder set to 192.168.1.1)

SBS 2003 NIC 2(External to Sonicwall):
IP - 192.168.1.10
Subnet - 255.255.255.0
Default Gateway: 192.168.1.1
Preferred DNS: 192.168.0.2

Using the DNS Name Lookup utility on the Sonicwall I can resolve any domain I pick. The problem occurs trying to access a webpage from the server - the request times out looking for the DNS server.

The Sonicwall log shows:
UDP Packet from LAN dropped
Source: 192.168.1.10, 1068, LAN
Destination: 192.168.1.1, 53, LAN
Notes: Name Service (DNS)

I've tried creating a number of different rules such as (format is Source-Destination-Service-Action):
1) LAN-LAN-Name Service(DNS)-Allow
2) LAN-WAN-Name Service(DNS)-Allow
3) LAN-192.168.1.1(LAN)-Name Service(DNS)-Allow

Please tell me it's just something stupid on my part and let me be done with it!

Thanks!!

It's something stupid on your part.  There.  I told you.  But seriously, it probably is.  Have you tried making a rule opening ALL PORTS in both directions as a test?  This sometimes helps.  

And is the request really timing out looking for DNS?  How do you know this?  Can you manually type the IP address and it works?  If it doesn't work maybe your Port 80 is blocked.  Something to think about.  

Also your preferred DNS for external is pointing to the internal NIC's IP on a different network.  Does this machine have DNS?  If so try changing the IP to the 1.10 IP since it is the same machine anyway and this will be on the same network.

Tell me what you are trying to accomplish with this set up.  Because it is very confusing...  Are you just trying to use the SBS 2003 as a bridge for the two networks?

Mark

Author

Commented:
Alright, now that we know it's something stupid, we've gotten that out of the way!

I can access sites manually typing in their IP addresses from the browser so I know that isn't the problem.

Opening all ports (rule was set up: Source: *, Destination: *, Service: Any, Action: Allow) didn't work. I guess I'm just assuming it times out because it can never find the servers - I don't know for sure.

I know the preferred DNS points to the other NIC and it does have DNS running on it (with a DNS forwarder to the Sonicwall). The setup is actually the suggested setup for a multihomed server with a firewall/router on Smallbizserver.net (http://www.smallbizserver.net/Articles/tabid/266/articleType/ArticleView/articleId/76/Two-Nics-a-static-IP-address-ISA-router.aspx)

The log continues to list the DNS request as being dropped:
UDP Packet from LAN dropped
Source: 192.168.1.10, 1068, LAN
Destination: 192.168.1.1, 53, LAN
Notes: Name Service (DNS)

(Note that the source is from the external NIC's IP)

Thanks.

What is the purpose of this server?  What are you trying to do with it?  A webserver, mailserver?  And why the 2 internal IP ranges on different NICs?  Explain to me what it is you are trying to do.  

Mark

Author

Commented:
It's a file and Exchange server for a small company network.

The first NIC (internal network) connects to a hub for the networked computers, the second (external) connects to the firewall to segregate the rest of the network from the Internet.

Does your server have Microsoft's ISA Server installed?  Because that's necessary for the documents you referenced earlier.

So the Internal Network NIC and clients attached there to you do not want to allow internet access and the External NIC that connects to the firewall you do want connected to the network?  

Mark

Author

Commented:
I've actually read a number of posts with the same configuration and SBS 2003 Standard (no ISA) and everything worked fine.

The networked computers will access the DNS and Internet through the SBS server, which will do so by using the external card to the firewall.

How would you suggest I set the network up, Mark?

I am not sure I know what you want to do but here goes..

You have 2 LANs.  One you want to be restricted from accessing the internet but have full access to the exchange server and file sharing.  The other LAN you want to give full access to the internet and to the file server and exchange server.

Is this correct?


Mark

What is the IP address of the DNS server?

Mark

Commented:
The SBS is using the SonicWALL as DNS server? IIRC this is an option that has to be enabled on the SonicWALL.

Personally, I have bad experiences using static DNS forwarders. Windows Server 2003 can use root hints to find its DNS Servers!

If you have a '.' (dot) domain in the DNS console, remove it (seriously). Restart the DNS console, it should be gone.

Make sure that the use of forwarders is disabled on the properties tab of the DNS server.

Now, try accessing a web site again. The server should now look for nameservers by itself, caching the TLD's so root servers don't get burdened.
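
Added example (not part of the thread, and not SonicWALL tooling): a small Python parser for dropped-packet entries in the layout pasted in the question. It separates DNS queries addressed to the firewall's own LAN IP, the case the reply above points at, from DNS blocked on its way out. The second log entry, the verdict strings and the function names are constructed for illustration.

```python
import ipaddress
import re

# First entry is the one pasted in the question; the second is constructed
# here for contrast (198.51.100.53 is a documentation address).
SAMPLE_LOG = """\
UDP Packet from LAN dropped
Source: 192.168.1.10, 1068, LAN
Destination: 192.168.1.1, 53, LAN
Notes: Name Service (DNS)

UDP Packet from LAN dropped
Source: 192.168.1.10, 1070, LAN
Destination: 198.51.100.53, 53, WAN
Notes: Name Service (DNS)
"""

ENTRY_RE = re.compile(
    r"^(?P<proto>\w+) Packet from \w+ dropped\s*\n"
    r"Source:\s*(?P<src>[\d.]+),\s*(?P<sport>\d+),\s*(?P<szone>\w+)\s*\n"
    r"Destination:\s*(?P<dst>[\d.]+),\s*(?P<dport>\d+),\s*(?P<dzone>\w+)",
    re.MULTILINE,
)

def parse_drops(text):
    """Return one dict per dropped-packet entry found in the pasted text."""
    drops = []
    for match in ENTRY_RE.finditer(text):
        entry = match.groupdict()
        entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
        drops.append(entry)
    return drops

def diagnose(drop, firewall_lan_ip, lan_net):
    """Label a drop; the verdict strings are this example's own names."""
    if drop["dport"] != 53:
        return "not-dns"
    src = ipaddress.ip_address(drop["src"])
    if drop["dst"] == firewall_lan_ip and src in ipaddress.ip_network(lan_net):
        # Query is addressed to the firewall itself, not routed through it.
        return "dns-query-to-firewall-itself"
    if drop["dzone"] == "WAN":
        return "outbound-dns-blocked"
    return "other-dns-drop"

def summarize(text, firewall_lan_ip="192.168.1.1", lan_net="192.168.1.0/24"):
    """Return (source, destination, verdict) for every drop in the text."""
    return [(d["src"], d["dst"], diagnose(d, firewall_lan_ip, lan_net))
            for d in parse_drops(text)]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(*row)
```

A `dns-query-to-firewall-itself` verdict matches the thread's case: the server's forwarder points at 192.168.1.1, so the query ends at the firewall's LAN interface instead of passing through it.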


Author

Commented:
Thanks guys, I think I got it figured out.