tolinrome (United States) asked:
Problems with DNS

Hello All,
We’ve been having problems lately when the vpn connection goes down and I really would appreciate some help to see where the problem is.

We have 3 DCs, which are also our DNS servers in an AD domain. All DCs are W2K3 SP1. We have a VPN connection to our root domain which replicates AD and DNS traffic. On our DNS servers we have the forwarders set to 3 DNS servers in the root domain and 2 DNS servers for the local ISP.

The problem is that when the VPN tunnel connection in RRAS on our ISA server goes down, which usually happens a couple of times a week, no clients can browse the internet because domain names aren't being resolved; if the IP address is entered in the browser then there's no problem. Also the SMTP queue in our email (Exchange 2003) is backed up with mail. Obviously this seems like a DNS problem to me, but I don't understand why the local ISP DNS servers aren't allowing the resolution. I tested them and they are pingable and they resolve domain names through the internet if I connect a PC directly to the external WAN switch, bypassing our ISA server.

I ran a dcdiag /dnsall and /fix and our DNS servers pass without problems.

How can I make sure that when the vpn connection goes down that we can rely on the local ISP DNS servers for our internet browsing and SMTP routing? Could this be a rule in ISA that should be created for this traffic?

Thanks Guys,
Tolinrome!
technologyworks:

I think your last sentence is correct. It sounds like ISA is not allowing DNS queries (or responses) to your ISP. Perhaps the rule is set so that traffic (DNS) is only allowed to your other internal network? An easy way to test that is to enable ISA monitoring and watch it when this problem occurs.

tolinrome (asker):

I've tried again with new ISA access rules allowing the DNS protocol inbound/outbound to external/internal and local host and our DNS servers. I've tried every DNS rule I can think of and still we can't resolve domain names when pinging, no internet browsing, and the SMTP mail queue is frozen with mail building up. We can ping the local ISP's DNS server IP addresses no problem from any PC in the domain; it's the resolution of domain names that's not working. From our ISA server or any DNS server on our domain, if I run an nslookup and type in a URL (www.yahoo.com for example), the connection times out to our DNS servers, but as soon as the VPN connection to our AD domain is reconnected everything works fine.

I want to make sure that when the VPN connection from our AD domain to the root domain is down, at least we can still have our SMTP mail and internet web browsing working. I'm stuck here. Any suggestions?
Thanks!
Member_2_1968385:
Please can you post more details about how the forwarders are set on your DNS servers. Are you using conditional forwarding to the other domain based DNS servers? If so, this would normally be because you have more than one Windows domain - is that the case?

What does the list of forwarders look like when "All other DNS domains" is selected? Is the box ticked that says "Do not use recursion for this domain"?

Which DNS server do workstations use as their preferred DNS server? Is it always the one on the nearest domain controller (i.e. one that can be reached even when the VPN is down)?

tolinrome (asker):
Thanks so much for replying. We are a child domain of the parent (root) domain that we have the VPN connection with. On our 3 DNS servers the list of forwarders looks like this when "All other DNS domains" is selected:

x.x.x.x (root domain DNS server IP)
x.x.x.x (root domain DNS server IP)
x.x.x.x (root domain DNS server IP)
x.x.x.x (local ISP DNS server IP)
x.x.x.x (local ISP DNS server IP)

Yes, the box is ticked for "Do not use recursion for this domain" (although I'm not sure what that means).
I don't know much about DNS, so I don't know if conditional forwarding is being used to the other domain, but I will investigate that.

Yes, the clients use the 3 internal DNS servers on our domain as the preferred DNS servers, but when the VPN goes down there is no name resolution for internet browsing or SMTP mail.
ASKER CERTIFIED SOLUTION by Member_2_1968385 (United Kingdom)
tolinrome (asker):
fepitas,
Even after I've read up on conditional forwarding, I still can't understand why there was no resolution via the ISP IPs, since they were still in the list on the DNS Forwarders tab?
Member_2_1968385:
Yes, good point. I would guess that resolution failed because the client application timed out before the local DNS server had worked its way through the list of forwarders.

Your list had three internal servers first, then the two ISP servers. It would try them one at a time in the order given. If it has to wait for 5 seconds on each before trying the next one, then you've got at least 15s before it tries the first ISP server. That is probably too long for the client app to wait so it reports that the name cannot be resolved.

As an aside, did you know that Exchange 2003 can be configured to use its own list of DNS servers for SMTP delivery?
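To make the timing argument above concrete, here is a small model of how the DNS server walks its forwarder list in order; it is added here and is not code from the thread. The 5-second per-forwarder timeout is the figure quoted in the answer; the client timeout, the answer time of a reachable forwarder and the root-hints cost are assumptions.

```python
# Added model of the forwarder walk described above; not code from the thread.
# Forwarders are tried in configured order, each dead one costs the forward
# timeout, and "Do not use recursion" means no root-hint fallback afterwards.
from dataclasses import dataclass
from typing import List, Optional, Tuple

FORWARD_TIMEOUT = 5.0   # seconds per forwarder, the figure quoted in the answer
CLIENT_TIMEOUT = 8.0    # assumed: how long the browser or SMTP resolver waits


@dataclass(frozen=True)
class Forwarder:
    name: str          # label only; the thread showed the real IPs as x.x.x.x
    reachable: bool    # False for root-domain servers while the VPN is down
    rtt: float = 0.5   # assumed seconds for a reachable forwarder to answer


def resolve(forwarders: List[Forwarder], use_recursion: bool = False,
            forward_timeout: float = FORWARD_TIMEOUT) -> Tuple[bool, float, Optional[str]]:
    """Walk the list in order; return (answered, seconds spent, who answered)."""
    elapsed = 0.0
    for fwd in forwarders:
        if fwd.reachable:
            return True, elapsed + fwd.rtt, fwd.name
        elapsed += forward_timeout      # wait out the dead forwarder, then move on
    if use_recursion:                   # box unticked: recurse from root hints (assumed 1s)
        return True, elapsed + 1.0, "root hints"
    return False, elapsed, None         # box ticked: query fails once the list is exhausted


def client_sees(forwarders: List[Forwarder], client_timeout: float = CLIENT_TIMEOUT,
                **kwargs) -> str:
    """The client's view: the server's answer only counts if it arrives before it gives up."""
    answered, elapsed, who = resolve(forwarders, **kwargs)
    if answered and elapsed <= client_timeout:
        return f"resolved by {who} after {elapsed:.1f}s"
    return f"failed: client gave up at {client_timeout:.0f}s, server needed {elapsed:.1f}s"


# Constructed scenario from the thread: three root-domain forwarders listed
# first, then two ISP forwarders; with the VPN down only the ISP ones answer.
VPN_DOWN = [Forwarder("root-dc1", False), Forwarder("root-dc2", False),
            Forwarder("root-dc3", False), Forwarder("isp1", True), Forwarder("isp2", True)]
ISP_FIRST = VPN_DOWN[3:] + VPN_DOWN[:3]     # same servers, ISP forwarders first

if __name__ == "__main__":
    print("original order: ", client_sees(VPN_DOWN))
    print("ISP first:      ", client_sees(ISP_FIRST))
    print("2s timeout:     ", client_sees(VPN_DOWN, forward_timeout=2.0))
```

The third run shows that lowering the per-forwarder timeout is the other lever besides reordering: three dead forwarders at 2 seconds each still leave the ISP answer inside the client's wait.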
tolinrome (asker):
That makes sense about the timeouts. Yes, I saw that about Exchange using its own list of DNS servers. We have ours set up to forward all of our SMTP mail through a smart host. Thanks a lot for all your help on this, I've learned some good points. I would now like to read up on how I can strategically set up our DNS servers in the most secure and sensible way. I read somewhere about having only one DNS server point to the internet as a forwarder and having the rest point to that one, instead of exposing all of them to the internet via the forwarder IPs.

Thanks a lot.
Member_2_1968385:
Glad to be of help.

I learnt most of what I know about DNS from the book 'Mastering Windows Server 2003' by Mark Minasi. It's a great book and certainly covers the DNS setup that you just mentioned. The only drawback with that book is its size: he tends to repeat himself, gives tons of examples and explains every little detail, so using it as a quick reference is hard simply because of the difficulty in finding the right pages. On the other hand, reading it from cover to cover would be a lifetime's work!
tolinrome (asker):
I just ordered the book, I'll let you know in a couple of years how it went! 6.5 pounds!
Thanks again.