
DNS Server resolving internal IPs as external addresses

Posted on 2007-10-02
Last Modified: 2011-10-05
Hi,

We have just put in a new Windows 2003 R2 domain controller (the 2nd 2003 DC in a Win2k server environment) but are having issues with the DNS server. The DNS has been configured pretty much as a default install and has replicated from the existing Windows 2000 DNS server ok. Although the IP scope is now a public scope (this was put in a long time before I was here!) it all works 100% fine on the existing internal 2000 DNS server (89.0.0.0/255.255.255.0)(yep, I know the subnet is wrong too!).
The new 2003 server's NIC has a static IP and the DNS points to itself. It also has secondary DNS addresses of our ISP.
NIC TCP/IP Advanced > DNS:
Append primary and connection specific DNS suffixes - Yes
Append parent suffixes - Yes
DNS suffix for the connection: ourlocal.domain
Register this connections address in DNS - Yes
Use the connection's DNS suffix in DNS registration - Yes

All root-hints are populated in the DNS server settings correctly. The IP forwarders are set to the ISP DNS server for all other domain queries. It is AD Integrated, and is set for non-secure and secure updates.
From this server, CMD > NSLOOKUP returns the following:
Default Server:  89.0.0.45.dynamic.barak-online.net
Address:  89.0.0.45
...which obviously is correct if it is resolving an external IP, which it shouldn't be! Running the same from the existing Windows 2000 server returns the following:
Default Server:  dc.localdomain.co.uk
Address:  89.0.0.56
From the new Win2k3 server, pinging a computer by hostname returns the correct IP, pinging the computer by IP responds ok too, but pinging an IP using a -a switch to resolve returns the following:
J:\>ping -a 89.0.0.168
Pinging 89.0.0.168.dynamic.barak-online.net [89.0.0.168] with 32 bytes of data:
Reply from 89.0.0.168: bytes=32 time<1ms TTL=128
Reply from 89.0.0.168: bytes=32 time<1ms TTL=128
Ping statistics for 89.0.0.168:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),

...which again has resolved externally.
Can anybody shed any light on why the DNS server does not see resolved IPs as internal and instead looks externally for a resolution?!

Lee
Question by:fishcake999

Expert Comment

by:Chris Dent
ID: 19997068

Hi Lee,

It should all boil down to this:

> It also has secondary DNS addresses of our ISP.

This is incorrect.

You should only ever use DNS Servers in TCP/IP configuration that can answer questions about the local AD Domain.

As ISPs' DNS Servers cannot, they shouldn't be there at all on any domain member / domain controller.

You have Forwarders or Root Hints for resolving External Requests, and you seem to have those configured perfectly well.

That makes this bit:

> CMD > NSLOOKUP returns the following:
> Default Server:  89.0.0.45.dynamic.barak-online.net
> Address:  89.0.0.45

Less than helpful; your server should query a local DNS Server, never anything outside except through the internal DNS Service.

HTH

Chris

Author Comment

by:fishcake999
ID: 19997084
Hi Chris,

I completely agree! However, only this morning I had added the external DNS addresses to the TCP/IP properties as I was duplicating the existing server details as a last resort. Previously I had configured this without using the external addresses (which I did presume was correct) and still the same results were occurring.

Lee

Author Comment

by:fishcake999
ID: 19997086
Sorry, just as an additional note, the existing Windows 2000 server seems to work all ok with the external DNS server addresses listed as previously mentioned, which just adds to the confusion!

Lee

Accepted Solution

by:Chris Dent (earned 500 total points)
ID: 19997178

Hi Lee,

You need to make it as simple as possible again first.

Get rid of the ISP's DNS Server from TCP/IP Configuration, it won't do you any favours at all in the long run. Having it there results in chance-based Name Resolution: the DNS Resolver *might* pick the right internal server and everything could be fine. However, it may also pick the External one and everything will fail.

Once done, a few more experiments with NSLookup are in order.

From the above it seems like you have a Reverse Lookup Zone configured, is that 89.0.0.x (0.0.89.in-addr.arpa)?

If so, can you run an NSLookup for the IP Address against the Internal DNS Server? i.e.:

NSLookup
> 89.0.0.168

And verify that the 168 PTR Record exists within the Reverse Lookup Zone?

Bear in mind that if you're mixing Private and Public DNS Servers you have a DNS Cache to contend with on the Client (DNS Client, rather than Network Client). NSLookup won't show results from anything but the Name Servers Cache, but Ping -a will show results from the Client Cache.

To see what's in that do "ipconfig /displaydns" on the command line. If you have an entry there resolving 89.0.0.168 to 89.0.0.168.dynamic.barak-online.net your server will use that rather than sending the query off to the DNS Server.

Chris
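The accepted answer's last step (inspect the DNS Client cache with `ipconfig /displaydns` for an entry that maps 89.0.0.168 to the ISP's generic name) can be made repeatable. The Python below is an added example, not code from the thread or from Experts Exchange: it builds the in-addr.arpa name a PTR lookup uses, parses `ipconfig /displaydns` output, and flags cached PTR answers for the internal 89.0.0.0/24 range whose target is not under the AD suffix localdomain.co.uk (taken from the question's nslookup output). The cache output is constructed to match the displaydns layout, not captured from the poster's server.

```python
import ipaddress

# Constructed sample of "ipconfig /displaydns" output (not captured from the poster's
# server): one PTR answer learned from an outside server, one from the internal zone.
SAMPLE_DISPLAYDNS = """
Windows IP Configuration
    168.0.0.89.in-addr.arpa
    ----------------------------------------
    Record Name . . . . . : 168.0.0.89.in-addr.arpa
    Record Type . . . . . : 12
    PTR Record  . . . . . : 89.0.0.168.dynamic.barak-online.net

    56.0.0.89.in-addr.arpa
    ----------------------------------------
    Record Name . . . . . : 56.0.0.89.in-addr.arpa
    Record Type . . . . . : 12
    PTR Record  . . . . . : dc.localdomain.co.uk
"""

def reverse_name(ip):
    """Owner name a PTR lookup uses, e.g. 89.0.0.168 -> 168.0.0.89.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer

def parse_displaydns(text):
    """Parse displaydns output into dicts of name / type / data (lower-cased)."""
    records, current = [], None
    for line in text.splitlines():
        label, sep, value = line.partition(":")          # "Record Name . . . : x"
        label, value = label.strip(" ."), value.strip().rstrip(".").lower()
        if label == "Record Name":
            current = {"name": value, "type": None, "data": None}
            records.append(current)
        elif current and label == "Record Type":
            current["type"] = int(value)                 # 12 = PTR, 1 = A
        elif current and label.endswith("Record"):       # "PTR Record", "A (Host) Record"
            current["data"] = value
    return records

def stale_ptr_entries(records, zone_cidr, internal_suffix):
    """Cached PTR answers for addresses in zone_cidr that do not point under internal_suffix."""
    zone, suffix = ipaddress.ip_network(zone_cidr), "." + internal_suffix.lower().lstrip(".")
    stale = []
    for r in records:
        if r["type"] == 12 and r["name"].endswith(".in-addr.arpa"):
            octets = r["name"][:-len(".in-addr.arpa")].split(".")
            if len(octets) != 4:
                continue                                 # not a full IPv4 PTR name
            ip = ipaddress.ip_address(".".join(reversed(octets)))
            if ip in zone and not (r["data"] or "").endswith(suffix):
                stale.append((str(ip), r["data"]))       # learned from an outside server
    return stale
```

Running `stale_ptr_entries(parse_displaydns(output), "89.0.0.0/24", "localdomain.co.uk")` on real output lists the entries to clear with `ipconfig /flushdns` after the missing PTR record has been added.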

Author Comment

by:fishcake999
ID: 19997385
That's solved it! A missing PTR record for the 2003 server! I can't believe I missed that, but at least it was an easy cure!

This is going to be the main DNS server by this week so the external DNSs will stay out and have it all configured correctly from the start! If only it wasn't such a task to change the IP scope!

Thanks very much Chris.

Expert Comment

by:Chris Dent
ID: 19997390

You're welcome, I'm glad you found it :)

Chris