Problems with DNS

Hello All...
We’ve been having problems lately when the vpn connection goes down and I really would appreciate some help to see where the problem is.

We have 3 DCs, which are also our DNS servers in an AD domain. All DCs are W2K3 SP1. We have a VPN connection to our root domain which replicates AD and DNS traffic. On our DNS servers we have the forwarders set as 3 DNS servers in the root domain and 2 DNS servers from the local ISP.

The problem is that when the VPN tunnel connection (an RRAS connection on our ISA server) goes down, which usually happens a couple of times a week, no clients can browse the internet because domain names aren't being resolved; if the IP address is entered in the browser then there's no problem. Also the SMTP queue in our email server (Exchange 2003) is backed up with mail. Obviously this seems like a DNS problem to me, but I don't understand why the local ISP DNS servers aren't allowing the resolution. I tested them and they are pingable and they resolve domain names through the internet if I connect a PC directly to the external WAN switch, bypassing our ISA server.

I ran a dcdiag /dnsall and /fix and our DNS servers pass without problems.

How can I make sure that when the VPN connection goes down we can rely on the local ISP DNS servers for our internet browsing and SMTP routing? Could this be a rule in ISA that should be created for this traffic?

Thanks Guys,

feptias Commented:
You should *not* include the three other root domain DNS servers in your list of forwarders for "All other DNS domains". You should only have the two ISP DNS servers. That will be the reason why DNS fails for external names whenever the VPN is down.

However, you will probably need to use conditional forwarding to resolve names in local Windows domains hosted on remote DCs connected via VPN. Conditional forwarding just means that instead of using "All other DNS domains", you specify a particular domain name for which any name resolution requests should be forwarded to another DNS server.

For example, suppose you have the following:
Remote domain controller, DC1, hosts mydomain.local
Local domain controller, DC2, hosts child.mydomain.localdomain

Forwarders on DC2 should be set to:
"mydomain.local" -> forward to DC1
"All other DNS domains" -> forward to local ISP DNS servers

To add a conditional forwarder, click the New... button just to the right of the box containing the item "All other DNS domains". Each domain you add will have its own list of IP addresses in the section called "Selected domain's forwarder IP address list", and these are not the same as the list of IP addresses for "All other DNS domains".

I think your last sentence is correct. It sounds like ISA is not allowing DNS queries (or responses) to your ISP. Perhaps the rule is set so that DNS traffic is only allowed to your other internal network? An easy way to test that is to enable ISA monitoring and watch it when this problem occurs.
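The same forwarder layout expressed with dnscmd, the command-line DNS tool that ships with W2K3, as an added example that is not from the original thread. The domain name mydomain.local and all IP addresses are placeholders (the ISP addresses in the 192.0.2.0/24 documentation range), and the GUI box "Do not use recursion for this domain" is assumed to map to dnscmd's /Slave setting.

```batch
@echo off
REM Added example (not from the thread): apply the forwarder layout above on a
REM W2K3 DNS server (DC2) with the built-in dnscmd tool. Placeholders:
REM   mydomain.local  = parent (root) domain hosted on the remote DC1
REM   192.0.2.53/54   = the two local ISP DNS servers (constructed addresses)
REM   10.10.0.10/11   = DNS servers in the root domain, reachable only over the VPN
SET ISP_DNS1=192.0.2.53
SET ISP_DNS2=192.0.2.54
SET ROOT_DNS1=10.10.0.10
SET ROOT_DNS2=10.10.0.11

REM 1. "All other DNS domains": ISP servers only. Nothing in this list sits
REM    behind the VPN, so internet names keep resolving when the tunnel drops.
REM    /NoSlave clears "Do not use recursion for this domain" (the server may
REM    fall back to root hints if both forwarders fail); /TimeOut 3 cuts the
REM    per-forwarder wait from the 5-second default.
dnscmd . /ResetForwarders %ISP_DNS1% %ISP_DNS2% /NoSlave /TimeOut 3

REM 2. Conditional forwarder: only queries for the parent domain cross the VPN.
REM    dnscmd stores it as a zone of type "forwarder"; remove any existing one
REM    first (dnscmd . /ZoneDelete mydomain.local /f) before re-creating it.
dnscmd . /ZoneAdd mydomain.local /Forwarder %ROOT_DNS1% %ROOT_DNS2% /TimeOut 3

REM 3. Check the result: /Info prints the server settings, including the
REM    server-wide forwarder list; /EnumZones should list mydomain.local with
REM    type Forwarder.
dnscmd . /Info
dnscmd . /EnumZones

REM 4. Quick test against this server; repeat it while the VPN is down.
nslookup www.example.com 127.0.0.1
```

If the ISP forwarders ever fail and the server falls back to root hints, the ISA access rule still has to allow outbound DNS from the DNS servers themselves, which is the point raised in the last paragraph above.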

tolinrome (Author) Commented:
I've tried again with new ISA access rules allowing the DNS protocol inbound/outbound to external/internal and local host and our DNS servers. I've tried every DNS rule I can think of and still we can't resolve domain names when pinging, no internet browsing, and the SMTP mail queue is frozen with mail building up. We can ping the local ISP's DNS server IP addresses with no problem from any PC in the domain; it's the resolution of domain names that's not working. From our ISA server or any DNS server on our domain, if I run an nslookup and type in a URL ( for example, the connection times out to our DNS servers, but as soon as the VPN connection to our AD domain is reconnected everything works fine.

I want to make sure that when the VPN connection between our AD domain and the root domain is down, at least we can still have our SMTP mail and internet web browsing working. I'm stuck here. Any suggestions???

Please can you post more details about how the forwarders are set on your DNS servers. Are you using conditional forwarding to the other domain based DNS servers? If so, this would normally be because you have more than one Windows domain - is that the case?

What does the list of forwarders look like when "All other DNS domains" is selected? Is the box ticked that says "Do not use recursion for this domain"?

Which DNS server do workstations use as their preferred DNS server? Is it always the one on the nearest domain controller (i.e. one that can be reached even when VPN is down)?
tolinrome (Author) Commented:
Thanks so much for replying. We are a child domain of the parent (root) domain that we have the VPN connection with. On our 3 DNS servers the list of forwarders looks like this when "All other DNS domains" is selected:

x.x.x.x (root domain DNS server IP)
x.x.x.x (root domain DNS server IP)
x.x.x.x (root domain DNS server IP)
x.x.x.x (local ISP DNS server IP)
x.x.x.x (local ISP DNS server IP)

Yes, the box is ticked for "Do not use recursion for this domain" (although I'm not sure what that means).
I don't know much about DNS, so I don't know if conditional forwarding is being used to the other domain, but I will investigate that.

Yes, the clients use the 3 internal DNS servers on our domain as the preferred DNS servers, but when the VPN goes down there is no name resolution for internet browsing or SMTP mail.
tolinrome (Author) Commented:
Even after I've read up on conditional forwarding, I still can't understand why there was no resolution via the ISP IPs, since they were still in the list on the DNS Forwarders tab?
Yes, good point. I would guess that resolution failed because the client application timed out before the local DNS server had worked its way through the list of forwarders.

Your list had three internal servers first, then the two ISP servers. It would try them one at a time in the order given. If it has to wait for 5 seconds on each before trying the next one, then you've got at least 15s before it tries the first ISP server. That is probably too long for the client app to wait so it reports that the name cannot be resolved.

As an aside, did you know that Exchange 2003 can be configured to use its own list of DNS servers for SMTP delivery?
tolinrome (Author) Commented:
That makes sense about the timeouts. Yes, I saw that about Exchange using its own list of DNS servers. We have ours set up to forward all of our SMTP mail through a smart host. Thanks a lot for all your help on this, I've learned some good points. I would now like to read up on how I can strategically set up our DNS servers in the most secure and sensible way. I read somewhere about having only one DNS server point to the internet as a forwarder and having the rest point to that one, instead of exposing all of them to the internet through the forwarder IPs.

Thanks a lot.
Glad to be of help.

I learnt most of what I know about DNS from the book 'Mastering Windows Server 2003' by Mark Minasi. It's a great book and certainly covers the DNS setup that you just mentioned. The only drawback with that book is its size: he tends to repeat himself, gives tons of examples and explains every little detail, so using it as a quick reference is hard simply because of the difficulty in finding the right pages. On the other hand, reading it from cover to cover would be a lifetime's work!
tolinrome (Author) Commented:
I just ordered the book, I'll let you know in a couple of years how it went! 6.5 pounds!
Thanks again.