Solved

Undeliverable email & ping could not find an external host

Posted on 2007-11-20
757 Views
Last Modified: 2013-11-30
What would cause SMTP outbound traffic and pinging any external web/IP address to fail? (i.e. ping www.google.com returns "Ping request could not find host www.google.com.")

Several gremlins and changes have happened in our system over the last 5 days.  
1. We have changed our domain web host. The MX record has been verified to point to our external IP address. We are receiving e-mail.
2. Our firewall device has failed, been worked on, and is working properly now. The SPAM filter is working much better than before all these problems.
3. Over the weekend (while the firewall was down) I explored several areas of the server - DNS, DHCP, Routing and Remote Access, Services - trying to get us up and running again. To my knowledge I don't remember changing anything significant that would affect the problems we are having, BUT I wouldn't rule it out.

I just don't know where to go with this problem.  I've tried numerous things on my own - but I'm just not smart enough for this problem.

PS. What is strange about the whole thing is that 1. we can receive e-mail, 2. we can surf the internet through the proxy/firewall, and Active Directory roles are working just fine.
Question by:cfscsm
25 Comments
 
LVL 3

Expert Comment

by:notfuzzi
ID: 20322010
Sounds to me like it's definitely a DNS issue. You may want to check the DNS forwarders for your server by going to the DNS MMC snap-in in Control Panel -> Administrative Tools. Right-click your server name and go to Properties. Check the "Forwarders" tab. Also, verify that your router is handing out correct DNS entries through DHCP, and make sure the server has the correct DNS server addresses. Let us know if you find anything either way.
 
LVL 1

Expert Comment

by:cipher42
ID: 20322012
Are your DNS forwarders setup properly?  You can find them in dnsmgmt, right click on the server, choose properties and check the "Forwarders" tab.
 

Author Comment

by:cfscsm
ID: 20322215
I've been in the DNS forwarders. I assumed the same. Everything is the same as it always has been except for one host (A) record that I keep adding and deleting = "www". I know this one is strange to have, but it has allowed our intranet to see our external website in the past. If it is not there, our workstations just time out on that particular website.

I'll be honest, this area is not my specialty - I'm a database man. So if there were something wrong in this area I might not catch it. What I do see is that everything that has to do with our Exchange/DNS/DHCP server is pointed to the correct IP address within our domain. For my lack of understanding, I don't know why there are 2 zones (the confusing one is "_msdcs.ourdomainname.com").

What specific things in the DNS forwarders do I need to have there other than the host (A) records for all the computers in the domain?

 
LVL 6

Expert Comment

by:mickeyfan
ID: 20322239
Forwarders do not have to be used. You need to check if you have the root hints in your DNS management. These are your external forward lookup servers out on the internet. If they are not there then you may need to manually enter them. I have had this happen several times.

http://support.microsoft.com/kb/816567
 
LVL 1

Expert Comment

by:cipher42
ID: 20322240
When you are in the DNS Forwarders tab you should see "All other DNS domains" in the "DNS Domain" list box, then below that should be another list box labeled "Selected domain's forwarder IP address list."  In there should be a list of DNS servers from your ISP.

Cheers,
 
LVL 1

Expert Comment

by:cipher42
ID: 20322272
Root hints would work as well, but using forwarders offloads the work to your ISP's server. Not that handling DNS requests is all that resource intensive, but I always forward them.

Does your firewall that was reconfigured allow all outbound connections to go through?  What kind of firewall is it?
 
LVL 6

Expert Comment

by:mickeyfan
ID: 20322322
If the root hints are not in the DNS configuration then the DNS server is not getting out. It may offload the requests to the ISP, but it also adds to the load on the external bandwidth. Why not let the DNS server do what it was designed for: resolution. It can cache all requests, making resolution faster the more it is used.

Make sure port 53 is not being blocked on the outbound.
 
LVL 1

Expert Comment

by:cipher42
ID: 20322429
It's six of one, half a dozen of the other; in the long run it really doesn't matter, but using root hints would increase the bandwidth usage, not forwarders...

Using root hints, the internal DNS server would make multiple DNS requests to multiple DNS servers trying to find the address for the host you're looking for.  Using forwarders, the internal DNS server makes one request to your ISP's DNS server. Both ways result in a cached DNS entry...
 
LVL 3

Expert Comment

by:notfuzzi
ID: 20322538
Chris-Dent has an awesome, easy-to-understand explanation of forwarders vs. root hints here:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21558360.html

Hopefully that will calm the debate so we can get back on topic to helping out cfscsm.  You shouldn't have A records listed in the Forwarders tab.  You should have the two or so DNS server addresses given to you by your ISP.  You may even want to try some other common DNS addresses.  I used to use 4.2.2.2 and 4.2.2.3 for testing purposes, but I'm not 100% sure that one is still around.  Comcast uses 68.87.68.162 and 68.87.74.162.  Also check out the link above, it's a great intro for a database man.  DNS is essentially linked databases anyway.
 

Author Comment

by:cfscsm
ID: 20322901
For all of you who mentioned the root hints (especially notfuzzi - I read through your supplied link), if I were to delete all of the root hints... is that a disaster for me? The reason I ask is that there are root hints for (a - m).root-servers.net, all going to IP addresses that I've never seen before. Furthermore, most of them look like internal IPs that are not at all in our structure (i.e. 198s & 192s), nor have I ever seen them before. We use a 172.

PS. I called my ISP and I have changed the forwarders to some possibly better IPs. He thought I was crazy and we had a long talk about why I needed them. Anyway - if I delete the root hints, is that a bad thing - especially if I don't have a clue where any of those addresses are going?
 
LVL 3

Expert Comment

by:notfuzzi
ID: 20323071
As far as I understand, you only use root hints if you don't have forwarders enabled.
 

Author Comment

by:cfscsm
ID: 20323334
Well... I wrote the root hints down before I deleted them. I tried pinging again - still doesn't work. I looked at the queues on Exchange... they are still not going anywhere. The FTP traffic still doesn't go anywhere. Our "CA" antivirus on the workstations still comes back with "The server name could not be resolved." I even added the Comcast forwarder 67.50.135.146 to the list and still no go.

Firewall: answer for cipher42 - in talking with the tech guys who manage our firewall, they say that they are not blocking any outbound traffic that is related to this issue (I trust them) - the device is from a company called aimconnect.com. This problem sure is acting like a firewall problem though.

Any other suggestions anyone?

 
LVL 1

Expert Comment

by:cipher42
ID: 20325168
I'm not familiar with aimconnect firewalls... a quick (very quick) perusal of their web site says they run FreeBSD. Have the firewall guys make sure they are allowing DNS REPLIES through the firewall (port 53, UDP.)

I just got to thinking...  Make sure you can ping your forwarder IP addresses.  Then, open up a command port and type:

nslookup www.google.com

and paste the response here.

then, type:

nslookup www.google.com server IPADDRESSOFFORWARDER

and paste the results here, where IPADDRESSOFFORWARDER is the IP address of one of your ISP's DNS servers, or the 4.2.2.2 IP address previously suggested by notfuzzi.

This should hopefully return something, if it times out it's most likely a firewall problem.  Either at the perimeter of your network, or the software firewall on your server.


 
LVL 1

Expert Comment

by:cipher42
ID: 20325177
Sorry, that should read "open up a command prompt" not port, it's been a long day.
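
Added example (not code from any post in this thread): a small Python probe that does what cipher42's nslookup procedure above does, but with a raw DNS query so the outcome is unambiguous. It queries the internal server first and then the external resolvers directly, and turns the pattern of answers and timeouts into the verdict the thread keeps circling: if the external resolvers answer but the internal server times out, the fault is in that server's forwarders/root hints; if everything times out, outbound UDP/53 or its replies are being dropped at the perimeter, which is what mickeyfan's "port 53" remark and cipher42's "DNS REPLIES" remark are both getting at. It also settles cfscsm's worry about the 198.x and 192.x root-hint addresses: an RFC 1918 check shows those are public (a.root-servers.net really is 198.41.0.4) while 172.16.0.10 is private. The server addresses, the hostname and the sample reply are constructed assumptions taken from the thread; the parser handles only A records and basic name compression.

```python
"""Added DNS probe (example code, not from the thread). Builds a raw A query,
parses the reply, and classifies internal-vs-external resolver results.
Server addresses below are constructed assumptions taken from the thread."""
import ipaddress
import socket
import struct

INTERNAL_DNS = "172.16.0.10"                      # the thread's DC/DNS server (assumed)
EXTERNAL_RESOLVERS = ["4.2.2.2", "66.133.170.2"]  # forwarders the thread tried
ROOT_SERVER_A = "198.41.0.4"                      # a.root-servers.net: public, not RFC 1918
TXID = 0x1234
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def build_query(name, txid=TXID):
    """Encode a recursion-desired A/IN query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)      # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)                 # QTYPE=A, QCLASS=IN

def make_reply(name, addrs, rcode=0, txid=TXID):
    """Constructed sample reply for offline use; answer names are 0xC00C pointers."""
    query = build_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)  # QR RD RA
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
                   for a in addrs)
    return header + query[12:] + rrs

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                                        # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)

def parse_response(msg, txid=TXID):
    """Return (rcode, [A records]); reject packets that are not a reply to our txid."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a reply to our query (stray or spoofed packet)")
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                                     # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

RCODES = {0: "ok", 2: "servfail", 3: "nxdomain", 5: "refused"}

def probe(server, name="www.google.com", timeout=2.0):
    """One UDP/53 round trip to `server`; returns (status, addresses)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout", []                                     # the symptom nslookup showed
    rcode, addrs = parse_response(data)
    return RCODES.get(rcode, "rcode%d" % rcode), addrs

def diagnose(statuses):
    """Map {server: status} to a verdict; the internal server is judged against the external ones."""
    internal = statuses.get(INTERNAL_DNS)
    external = [v for k, v in statuses.items() if k != INTERNAL_DNS]
    if internal == "ok":
        return "internal resolution works; the fault is elsewhere (proxy, SMTP, routing)"
    if external and all(v == "timeout" for v in external):
        return "outbound UDP/53 or its replies are filtered at the perimeter"
    if any(v == "ok" for v in external):
        return "perimeter passes DNS; fix the internal server's forwarders/root hints"
    return "inconclusive; capture traffic on the DNS server's uplink"

def is_rfc1918(addr):
    """True only for 10/8, 172.16/12, 192.168/16; root-hint 192.x/198.x addresses are public."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

if __name__ == "__main__":
    results = {}
    for server in [INTERNAL_DNS] + EXTERNAL_RESOLVERS + [ROOT_SERVER_A]:
        results[server], addrs = probe(server)
        print(server, "private" if is_rfc1918(server) else "public", results[server], addrs)
    print(diagnose(results))
```

Run it on the DNS server itself, since that is the host whose outbound UDP/53 is in question. A reply from the root server counts as "ok" even though it only returns a referral (no A records), because what matters for the verdict is that a packet came back through the firewall at all. A timeout from every external resolver while the firewall team insists nothing is blocked is exactly the moment to capture on the firewall's outside interface rather than keep editing forwarders.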
 

Author Comment

by:cfscsm
ID: 20358765
Hey all, just got back from the holidays.

cipher42 - just tried your suggestion and here are the results. Not sure if I typed what you asked correctly. Double-check my work.

C:\Documents and Settings\Administrator>ping www.google.com
Ping request could not find host www.google.com. Please check the name and try again.

C:\Documents and Settings\Administrator>nslookup www.google.com
Server:  something.ourdomain.com
Address:  172.16.0.10

DNS request timed out.
    timeout was 2 seconds.
*** Request to something.ourdomain.com timed-out

C:\Documents and Settings\Administrator>nslookup www.google.com server 172.16.0.10
Usage:
   nslookup [-opt ...]             # interactive mode using default server
   nslookup [-opt ...] - server    # interactive mode using 'server'
   nslookup [-opt ...] host        # just look up 'host' using default server
   nslookup [-opt ...] host server # just look up 'host' using 'server'

C:\Documents and Settings\Administrator>nslookup www.google.com server 4.2.2.2
Usage:
   nslookup [-opt ...]             # interactive mode using default server
   nslookup [-opt ...] - server    # interactive mode using 'server'
   nslookup [-opt ...] host        # just look up 'host' using default server
   nslookup [-opt ...] host server # just look up 'host' using 'server'

--- I also went back and added "4.2.2.2" to the forward pointer list and placed it first. Unfortunately, same results. You're saying then that this is firewall related?
I went to the Exchange server on a hunch and tried to go to the Windows Firewall through the Control Panel and received this error message:
 "Windows Firewall cannot run because another program or service is running that might use the network address translation component (ipnat.sys)." Could this all be related?
 
LVL 1

Expert Comment

by:cipher42
ID: 20358981
Good morning,

Sorry those aren't the results I was hoping for, my mistake though.  Let's try this:

-type: nslookup
--You'll then get the nslookup interactive prompt.
-Then type: server IPADDRESSOFFORWARDER
-Then type: www.google.com

Repeat for the 4.2.2.2 DNS server.

Just out of curiosity, the 172.16.0.10 is your ISP's DNS server IP address?  Are you sure?

 

Author Comment

by:cfscsm
ID: 20359303
cipher42 - I misread the ISP's DNS IP address - below are the results. As you can see, I couldn't get to the point of entering a website (i.e. google) because each time it would time out.

C:\Documents and Settings\Administrator>nslookup
Default Server:  something.ourdomain.com
Address:  172.16.0.10

> 67.50.135.146
Server:  something.ourdomain.com
Address:  172.16.0.10

DNS request timed out.
    timeout was 2 seconds.
*** Request to something.ourdomain.com  timed-out
> 66.133.170.2
Server:  something.ourdomain.com
Address:  172.16.0.10

DNS request timed out.
    timeout was 2 seconds.
*** Request to something.ourdomain.com  timed-out
> 68.87.68.162
Server:  something.ourdomain.com
Address:  172.16.0.10

DNS request timed out.
    timeout was 2 seconds.
*** Request to something.ourdomain.com  timed-out
> 4.2.2.2
Server:  something.ourdomain.com
Address:  172.16.0.10

DNS request timed out.
    timeout was 2 seconds.
*** Request to something.ourdomain.com  timed-out
 
LVL 1

Expert Comment

by:cipher42
ID: 20359882
Ok, we'll deal with the timeouts in a sec... Make sure the DNS service is running on your DNS server. I'm sure it is, but double check...

After you start nslookup, where you're typing in the ISP's DNS servers, make sure you're typing in "server" first, it doesn't look like you are...  So the command you will type is "server 66.133.170.2" (without the quotes.)

What this does is use the ISP's DNS server for name resolution; then when you type in "www.google.com" it will bypass your internal DNS server. This way we will see if it is a firewall problem at the perimeter...
 

Author Comment

by:cfscsm
ID: 20359947
Can you tell I'm new to this :)? OK, one more time. PS. Did you see my comment about the "Windows Firewall cannot run because another program or service is running that might use the network address translation component (ipnat.sys)." Could this all be related?

C:\Documents and Settings\Administrator>nslookup
Default Server:  something.ourdomain.com
Address:  172.16.0.10

> server 66.133.170.2
DNS request timed out.
    timeout was 2 seconds.
Default Server:  [66.133.170.2]
Address:  66.133.170.2

> www.google.com
Server:  [66.133.170.2]
Address:  66.133.170.2

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [66.133.170.2] timed-out
> server 4.2.2.2
DNS request timed out.
    timeout was 2 seconds.
Default Server:  [4.2.2.2]
Address:  4.2.2.2

> www.google.com
Server:  [4.2.2.2]
Address:  4.2.2.2

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [4.2.2.2] timed-out
>
 

Author Comment

by:cfscsm
ID: 20361410
cipher42 - I'm looking back through the post and revisiting other areas on the server. I went to the root hints and all the [a-m].root-servers.net addresses that I deleted are back again. I deleted them again and restarted the server and they are back again. Does this info help in our problem solving?
 
LVL 1

Expert Comment

by:cipher42
ID: 20361474
What is this server's function?  DNS obviously, it's not your perimeter firewall is it?  How about VPN server?
 

Author Comment

by:cfscsm
ID: 20361563
This server is only DNS, DHCP, Exchange (which has a CA antivirus for Exchange - no firewall), Active Directory/Domain Controller. There is a backup domain controller with no Exchange on it. I used to remote in to this server, but after we made some website hosting changes a while back I could never get that working again, so I abandoned it. Today I have disabled Routing and Remote Access (my mistake... I thought I was just stopping the service... now all those settings are gone). I think that is it.
 

Accepted Solution

by:
cfscsm earned 0 total points
ID: 20369244
Problem solved!

After many hours of tech support through many different sources, I solved the problem myself.

The issue was the firewall, but here is the catch that no one understands why it worked.  We simply unplugged and bypassed the firewall straight to the internet (made the appropriate gateway changes), got it working, then re-plugged into the firewall and everything started working again.  After all that work - unplug and replug was the solution.  Sorry for wasting everyone's time.

Thanks all for the attempted help.
 

Author Comment

by:cfscsm
ID: 23394556
Our ISP is just terrible to work with - they were the cause of the original problem. They change settings without telling the customer.