Secondary DNS will not answer

Posted on 2007-12-05
Medium Priority
Last Modified: 2012-06-22
I have set up two servers, as primary and as secondary. I get no errors on any of my tests, but once I take the primary DNS server offline, I cannot surf the web, nor do any of the test hosted sites (through IIS on come up. I have connectivity only when the primary name server is up. Isn't everything supposed to fall back on the secondary name server?

(DNSReports shows everything perfect, except that I have open DNS servers, and that they will do recursive lookups. But I cannot lock them down, since if I do I can't get on the Net from that machine. All my updates fail, etc.)

But anyway, any ideas on where to look or how to fix this secondary DNS not doing its share of the work will be greatly appreciated.

Thank you
Question by:mikec101

Assisted Solution

darkeryu earned 400 total points
ID: 20409794

You can use DHCP to give two DNS settings in the scope options.

Assisted Solution

KCTS earned 400 total points
ID: 20409803
1. have you set up the client with the preferred and alternate DNS server IPs (either on the DNS option in the TCP/IP Properties or via DHCP options)?

2. Have you set up both DNS servers to forward external resolution to your ISP's servers? See http://www.petri.co.il/configure_dns_forwarding.htm

Assisted Solution

ChiefIT earned 400 total points
ID: 20409984
Does the router have a manually entered list of primary and secondary DNS in the list of LAN DNS servers?

Does the server have the default gateway entered into the IP stack?

Author Comment

ID: 20410307
Maybe I should have mentioned that these name servers are on two separate networks? So correctly I should say NS1 is on and NS2 is on Sorry, I didn't think of that.

I've had SBC delegate reverse DNS to me, so there is no other ISP.

In the Forwarders tab of NS1 I have "All Other domains" and in the "Select domain's forwarder IP address list" I have the IP of NS2 (

In the Forwarders tab of NS2 I have "All Other domains" and in the "Select domain's forwarder IP address list" I have the IP of NS1 (

"Do not use recursion for this domain" is checked on both servers.

There is no "router", just a DSL modem with 6 static IPs.

NS1 has the Default Gateway on its own network,
Prim. DNS: (itself)
Sec. DNS: (NS2)

NS2 has the Default Gateway on its own network,
Prim. DNS: (itself)
Sec. DNS: (NS1)

Before the delegation, SBC asked me what the name servers will be. So maybe I should point my primary DNS to itself (or maybe my OWN other name server) and the secondary DNS to SBC's DNS server?

I'm confused. If I still point to SBC, then what's the point in setting up my own DNS?


Author Comment

ID: 20410331
If I try to do nslookup on any domains on my network, like test_site1.com, I get this:

Default server: ns2.domain.com
Name: test_site1.com

(the sites are hosted on NS1, on a different IP)

If I do nslookup google.com, I get this:

Default server: ns2.domain.com
DNS request timed out.
        timeout was 2 seconds.
*** Request to ns2.type3.net timed-out.



Accepted Solution

lavazzza earned 800 total points
ID: 20412863
First off, I would change the forwarders on your DNS servers to external sources. That said, I am not totally convinced that the issue is DNS related.

First: to answer your question regarding why SBC is delegating DNS resolution to your servers: it is so that you can add, remove, and modify A, CNAME, MX records, etc. for your domain.

How is your network laid out? What kind of router do you have, and are you using NAT to both the 192.168.10 and the 10.0.0 networks? If so, do you have the proper translations (port 53 to the IP of the DNS servers)? If the 10.0.0 network is a subnet within the network (a double NAT situation), do you have the appropriate routes loaded in the NAT router? Go to www.DNSstuff.com and do a domain lookup and see first if it can see any of your DNS servers. From the inside, make sure that the two servers can be pinged from your host.

Are the DNS servers Active Directory integrated? If not, are they set to replicate to one another, or are you just making host entries on each machine? If you are using these boxes for external DNS resolution of your domain, I would not recommend AD integration because it will expose all the PCs in your network. Additionally, you will essentially need 2 different DNS zones: one with the public IPs so that people on the Internet who are trying to resolve machines you are making public can reach them (you will not point to these from machines on the inside), and one which Active Directory uses and all your internal machines point to as the primary.

Could you provide a network layout of how the 2 dns servers are connected to the network and then the way the inside communicates with the outside network.
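Both KCTS's suggestion above (forward external resolution to the ISP's servers) and the accepted answer (change the forwarders to external sources) target the same dependency the poster described: each server's "All other domains" forwarder list contains only the other server, and "Do not use recursion for this domain" is checked on both, so neither server has any path to the Internet that does not run through its twin. The client's alternate-DNS fallback only helps if the alternate can resolve on its own. The Python below is an added example, not code from the thread or from Microsoft: a small model of Windows DNS Server forwarding behaviour that reproduces the symptom (NS2 can answer for the hosted zones via NS1 but times out on google.com, as in the nslookup output posted earlier) and shows that forwarding to two external resolvers with recursion left enabled has no single point of failure. It assumes that a server allowed to recurse always succeeds via root hints while online, treats a forwarding loop as a failure (in practice, the timeouts nslookup showed), and uses placeholder server names and zones.

```python
"""
Added example, not from the thread: model of how a Windows DNS Server answers a
query given its "Forwarders" settings, used to compare the poster's setup
(mutual forwarding, "Do not use recursion" checked) with forwarding to external
resolvers.  Simplifications (assumptions): a server that may recurse is taken to
always succeed via root hints while online; a forwarding loop is a failure.
All names are placeholders.
"""
import copy
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

EXTERNAL_NAME = "www.google.com."   # a name none of our servers is authoritative for


@dataclass
class DnsServer:
    name: str
    zones: Set[str]               # zones served locally; "." means "answers anything" (ISP resolver)
    forwarders: List[str]         # "All other domains" forwarder list, tried in order
    forward_only: bool = False    # True == "Do not use recursion for this domain" checked
    online: bool = True


def is_authoritative(server: DnsServer, qname: str) -> bool:
    return any(z == "." or qname == z or qname.endswith("." + z) for z in server.zones)


def resolve(servers: Dict[str, DnsServer], start: str, qname: str,
            _chain: Optional[Set[str]] = None) -> Optional[List[str]]:
    """Return the chain of servers through which `start` answers `qname`, or None
    if the query fails (server down, query looped back, or forward-only with no
    working forwarder)."""
    chain = set() if _chain is None else _chain
    srv = servers[start]
    if not srv.online or start in chain:          # dead server, or the query looped back to us
        return None
    chain = chain | {start}
    if is_authoritative(srv, qname):
        return [start]
    for fwd in srv.forwarders:                     # forwarders are tried first, in list order
        path = resolve(servers, fwd, qname, chain)
        if path:
            return [start] + path
    if srv.forward_only:                           # recursion disabled: nothing else to try
        return None
    return [start, "root-hints"]                   # recursion allowed: fall back to root hints


def with_offline(servers: Dict[str, DnsServer], down: List[str]) -> Dict[str, DnsServer]:
    """Copy of the topology with the named servers taken offline."""
    copied = copy.deepcopy(servers)
    for name in down:
        copied[name].online = False
    return copied


def single_points_of_failure(servers: Dict[str, DnsServer],
                             qname: str = EXTERNAL_NAME) -> Dict[str, List[str]]:
    """For each server, which other single server's outage stops it resolving `qname`."""
    return {
        name: [other for other in servers
               if other != name and resolve(with_offline(servers, [other]), name, qname) is None]
        for name in servers
    }


def thread_config() -> Dict[str, DnsServer]:
    """The setup described in the thread: each NS forwards only to the other, no recursion."""
    return {
        "ns1": DnsServer("ns1", {"domain.com.", "test_site1.com."}, ["ns2"], forward_only=True),
        "ns2": DnsServer("ns2", {"domain.com."}, ["ns1"], forward_only=True),
    }


def fixed_config() -> Dict[str, DnsServer]:
    """Forwarders pointed at two external resolvers, recursion (root hints) left enabled."""
    return {
        "ns1": DnsServer("ns1", {"domain.com.", "test_site1.com."}, ["isp1", "isp2"]),
        "ns2": DnsServer("ns2", {"domain.com."}, ["isp1", "isp2"]),
        "isp1": DnsServer("isp1", {"."}, []),   # placeholder ISP/public resolvers
        "isp2": DnsServer("isp2", {"."}, []),
    }


if __name__ == "__main__":
    for label, cfg in (("as posted", thread_config()), ("fixed", fixed_config())):
        print(f"[{label}] ns2 -> test_site1.com.:", resolve(cfg, "ns2", "test_site1.com."))
        print(f"[{label}] ns2 -> {EXTERNAL_NAME}:", resolve(cfg, "ns2", EXTERNAL_NAME))
        print(f"[{label}] ns2 with ns1 down -> {EXTERNAL_NAME}:",
              resolve(with_offline(cfg, ["ns1"]), "ns2", EXTERNAL_NAME))
        print(f"[{label}] single points of failure:", single_points_of_failure(cfg))
```

In the "as posted" topology the model returns None for the external name even with both servers up, because the query simply bounces between NS1 and NS2 until it is dropped, and taking either server down also kills the other's hosted-zone lookups that were being forwarded. In the fixed topology every server survives any single outage, and if both external resolvers are unreachable the server falls back to root hints. When the forwarders are moved to external resolvers, the open-recursion finding from DNSReports is the remaining item to address on an Internet-facing authoritative server: recursion should be limited to the hosts that are meant to use the server as their resolver.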

Author Comment

ID: 20413560
NS1 (all IPs bound to one NIC)   DNS   IIS   MX2

NS2 (both IPs bound to one NIC)   DNS   MX1

On 10.0.0.x there are two servers: (NS2) and another box with WMCE 2005, on WMCE cannot join a domain (well, it _can_ but it stops being a media server, so I don't care about it being inside the domain). So there isn't much of a "network" - just one server at one location and a server and a workstation at another location.

Like I said, I am not using NAT - I have enough IPs to do what I want. It's that damn NS2 doesn't take over NS1's job as a name server once I take NS1 offline.

I do have Active Directory, but I can dump that. I just put it on to try it out. There are no other computers on 192.160.10.x, so I don't think it's a NAT issue. Since there is only one server at that location, it's NS1 itself that can't access the Net once I stop the DNS service. I thought it should fall back to NS2, since NS2 is set as its secondary DNS server.


Expert Comment

ID: 20415445
Are these two servers at two separate locations?  If so are they connected via VPN? How does the 192 network physically communicate with the 10 network?

Author Comment

ID: 20416064
192 has 10 as its primary DNS, and 10 has 192 as _its_ primary DNS. NS2 is part of the DOMAIN.COM domain. I have set up a computer account in AD for NS2 on NS1, and I just joined that domain.

As DNS servers, DOMAIN.COM has NS1.domain.com and NS2.domain.com. I can ping and nslookup NS1 from NS2 and vice-versa, over the Net.

From NS1
Reply from bytes=32 time=16ms TTL=124
Packets: Sent = 4, Lost = 0 (0% loss)

From NS2
Reply from bytes=32 time=17ms TTL=124
Packets: Sent = 4, Lost = 0 (0% loss)

I'm not using DHCP. I have static IPs, so the servers are live all the time. I have opened the proper ports on both, and I can ping mail, "telnet main_mail.domain.com 25" from NS1, and "telnet mail_bk.domain.com 25" from NS2, etc.

On NS2 I also have ( mapped to the NIC, and on the WMCE box I have mapped to _its_ NIC. So I mount and  share drives/folders between NS2 and WMCE box through those non-routable IPs, since they are both connected to the same 5 port hub. I can then "tail -f" my DNS logs from NS2 on the WMCE box through a network share of NS2\\DNS_LOG.


Author Comment

ID: 20416180

On NS1, Forwarders tab, remove from "Selected domain's forwarder IP address list"

On NS2, Forwarders tab, remove from "Selected domain's forwarder IP address list"

Thanks for all your help. It was the VPN and DHCP that triggered it.

Thanks a million!
