• Status: Solved
  • Priority: Medium
  • Security: Public

Internal DNS servers not resolving external addresses

2003 Enterprise DCs.

Internal DNS servers not resolving external addresses, e.g. www.msn.com. The internal DNS servers do have forwarder entries which forward to the DMZ, listed in the Forwarders tab. The DMZ servers are 2000 Server.
Asked by: handymanaly
9 Solutions
 
QBRad commented:
Why do you think your internal DNS servers should resolve addresses such as MSN.com?

This should be handled by external DNS servers hosted on the internet. Your ISP should provide you with DNS servers which they host for you to use for external websites. If your servers were to resolve that address you would need to have DNS entries for every website on the internet... MILLIONS. You need to set the forwarders to your ISP's DNS servers.

Sounds like you're getting confused on internal and external DNS. If you host your own external DNS that means that you resolve the name to IP address for servers which you broadcast to the outside world such as your web servers (websites) or email (Outlook Web Access), etc. This doesn't mean that you resolve names such as msn.com or yahoo.com.
 
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
Can your DMZ DNS servers resolve Internet hosts like msn.com and google.com? Do they forward to your ISP or another's DNS servers or do they use the root hints?

QBRad, I don't think I agree with your definition of "Resolve". Resolving a DNS record is the process of finding out what that record says. DNS clients resolve DNS records.
http://technet.microsoft.com/en-us/library/bb727005.aspx
 
QBRad commented:
Yes, you are right, DNS resolves the name, but why would their internal DNS servers or whatever servers (I'm guessing DNS) they have in their DMZ resolve msn.com? My point was simply that msn.com would not be resolved on your own DNS server.
 
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
If the internal DNS server doesn't resolve msn.com, how could it pass that information on to the client? (Remember that workstations do recursive queries, not iterative.)
 
handymanaly (Author) commented:
The internal does not resolve outside addresses, it forwards them to the DMZ... if an nslookup is done on an internal DNS server for an outside address such as www.msn.com it returns a non-authoritative answer, as it should... But the internal server was unable to give out non-authoritative answers; I restarted the service, which solved the problem... I am curious as to why this might happen?
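A packet-level view of what handymanaly's nslookup prints as a "Non-authoritative answer", added here as an example and not code from any poster in this thread: it decodes the DNS header flags that separate a forwarded or cached answer (AA clear, RA set) from the SERVFAIL a forwarder hands back when it cannot reach the server it forwards to. Both responses are constructed inline for www.msn.com; the address is a constructed RFC 5737 documentation value.

```python
import struct
# Constructed sample (not a capture): a forwarder's reply to "www.msn.com A".
# Flags 0x8180 = QR=1 RD=1 RA=1 AA=0 RCODE=0, which nslookup prints as a
# "Non-authoritative answer". The address is a constructed RFC 5737 value.
QUESTION = b"\x03www\x03msn\x03com\x00" + struct.pack("!HH", 1, 1)   # www.msn.com A IN
NONAUTH_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)   # name ptr to offset 12, A IN TTL 300
    + bytes([203, 0, 113, 10])
)
# Constructed SERVFAIL (flags 0x8182, no answers): what a forwarder hands back
# when it cannot reach the server it forwards to.
SERVFAIL_RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + QUESTION

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def read_name(data, off):
    """Decode a DNS name at off (whole-name compression pointers are followed); returns (name, next_off)."""
    if data[off] & 0xC0 == 0xC0:
        return read_name(data, ((data[off] & 0x3F) << 8) | data[off + 1])[0], off + 2
    labels = []
    while data[off]:
        labels.append(data[off + 1:off + 1 + data[off]].decode("ascii"))
        off += 1 + data[off]
    return ".".join(labels), off + 1

def parse_response(data):
    """Pull out the header bits and A records a DNS troubleshooter looks at."""
    _ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        off = read_name(data, off)[1] + 4     # +4 for QTYPE and QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        rdata, off = data[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:         # A record: IPv4 address
            answers.append((name, ".".join(map(str, rdata)), ttl))
    return {"authoritative": bool(flags & 0x0400),       # AA bit
            "recursion_available": bool(flags & 0x0080), # RA bit
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "answers": answers}

def describe(data):
    r = parse_response(data)
    if r["rcode"] != "NOERROR":
        return f"{r['rcode']}: no answer (check the forwarders and the DNS event log)"
    kind = "Authoritative" if r["authoritative"] else "Non-authoritative"
    return f"{kind} answer: " + ", ".join(f"{n} -> {ip} (TTL {ttl}s)" for n, ip, ttl in r["answers"])
```

The same parser can be run over a real reply read from a UDP socket; a healthy forwarder returns the first shape, while the symptom described in this thread typically shows up as the second.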
 
QBRad commented:
It doesn't resolve msn.com, it FORWARDS it to an internet DNS server. This server, which eventually can resolve msn.com, then replies to the client in question with the name to IP mapping and therefore provides the answer to the client.

The client PC sends a request to the DNS server configured in its setup asking what the IP address is for msn.com. The local (internal) DNS server checks its data and says "I don't know msn.com"; if it is configured with forwarders then it passes it to the internet DNS server in the configuration. The internet DNS server says "I know MSN.com" and replies back to the client PC. The internal DNS server didn't do any resolution, it simply passed the request to the next DNS server.
 
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
handymanaly, the event log may give you some clues as to why it stopped forwarding. It's kinda hard to find out when things are working.


QBRad, I think we're dealing with semantics.
Last thing before I just let this drop: when a server performs a query, it will cache that info for subsequent queries until the TTL expires. So in your scenario, when another client requests that same record it gives it straight out of its cache without having to query any other server. So is that also called forwarding?
 
QBRad commented:
No, you are correct, in that case if you have it set up to cache then yes it can supply for the TTL time. But I'm looking at the bigger picture: if it can't even resolve the first time around, who cares about caching? It has nothing to cache if it was never resolved in the first place.

Not trying to argue or be an A$$, just hate when you can't get a point across without typing; it's not the same as explaining in your own words.
 
Jeremy Weisinger (Senior Network Consultant / Engineer) commented:
Well you obviously have a good grasp of DNS and I think we're just arguing (discussing) over terminology.

I know when you're wanting to explain it in your own words. =)
 
handymanaly (Author) commented:
This is a case where the internal DNS would not forward its request to the DMZ? Because a non-authoritative answer was not given. I restarted the DNS service and it was then able to give a non-authoritative answer. I will check the event log... just checking for any other issues that might cause this. Thanks.
 
The--Captain commented:
>If your servers were to resolve that address you would need to have dns entries
>for every website on the internet.........MILLIONS.  You need to set the forwarders
>to your ISPs dns servers.

That is just patently false.   I run my own internal DNS servers, and they resolve external DNS just fine without millions of entries - I simply have my resolvers ask the roots, and then recurse it from there - this ISP's nameservers never get involved (sorry, my resolvers run the one true resolving service [BIND on unix], so I can't help you with specific microsoft weirdness - however, I *know* that the behaviour of my DNS servers is not specific to linux - you can do it with windows).

Yeah, I may be wasting some of my own bandwidth rather than letting my ISP do it, but when something goes wrong, I can fix it immediately (unlike my ISP).

Cheers,
-Jon
