Problems with DNS resolving external addresses for internal computers

So what we have set up is AD, Exchange, and DNS... all has been working great for the past two years (why it stopped now, who knows?) but I've tried setting it up two different ways. The first is having the DNS servers on the DNS server only point to itself ( and have the DNS configured with forwarders... this one seemed to work great for a very long time, but then randomly we would lose internet (because the DNS wouldn't resolve like

So we kept the forwarders and just added one of our ISP DNS servers as the secondary on the DNS server so that it had itself ( and our ISP DNS ( This worked great also; if our local DNS forwarders for some reason didn't return anything, it would just hit the ISP DNS directly.

Our problem now comes in where, if our DNS server doesn't respond, it naturally goes to the next one in the list, which is our ISP DNS... which gives an incorrect address for our internal machines (obviously). I can't find anything in the event logs... I'm totally lost.

Is it a problem with our DNS? Too many requests?

I am assuming you are forwarding to because that is a Verizon top-level DNS server.

Your DNS server should have a forward lookup zone named after your domain. You should only forward other domain lookups to the ISP, not yours.
ryanj1987 (Author) commented:
Hmm, I may have explained things wrong (I'm SO far from knowing anything about DNS). We aren't forwarding to (I don't think?)... I can't remember where I read it, but they said to put that instead of putting the server's IP address ( in the primary DNS on the actual adapter on the DNS server.

So here is how things are setup now...

DNS Server

Domain Forwarders: <<ISP DNS>>

Even with that setup, it's still acting the same as it was with the in DNS1; it doesn't happen a lot, but when it gets an internal address from an external DNS server it pulls a completely wrong address (naturally, because it's not our DNS server).
Brian Pierce (Photographer) commented:
Your ISP's servers should NOT appear in any of the Preferred or Alternate DNS settings on ANY machines, including servers. Clients should point to your own internal DNS server ONLY, and the DNS servers at themselves for the preferred DNS server.

Your ISP's DNS servers should ONLY appear on the Forwarders tab.

If you have multiple DNS servers, then make sure forwarders are configured on them all.

Madison Perkins (Consultant) commented:
Active Directory DNS on Server 2003.

Assume you have two DCs with Active Directory-integrated DNS, AD01 and AD02. The DNS settings for AD01 would be the IP address of AD02 listed first and AD01 listed second in the NIC configuration. If you want to use forwarders, place them in the Forwarders tab with all other DNS domains. If you don't want to use forwarders, make sure that you allow DNS traffic through your firewall. If you want to understand why it's not working, look at the Debug Logging tab and turn on logging.
ryanj1987 (Author) commented:

That is how we had it configured the first time around, but then the client would request a page (i.e. and it wouldn't get resolved... I'm assuming it's a problem with the DNS responding in a timely manner, because it wouldn't happen 100% of the time, maybe 5% at best, but when it did happen it would basically kill the internet for the client unless they were connecting using an IP address... That's the only reason why we put the ISP DNS in the secondary on our DNS server. Once we remove it, it starts happening again.
Madison Perkins (Consultant) commented:
Extending the number of seconds before forwarded queries time out may help. Make sure "Do not use recursion for this domain" is NOT checked. Use multiple forwarders. Clear the DNS cache. Make sure root hints are being updated.
If you use an external DNS server in your preferred DNS settings, it will cause local DNS resolution problems and/or AD problems.

I have had a similar problem in an AD dns domain where there was only one DNS server and i was using forwarders.   removing all forwarders resolved the problem for me.  

DNS server

In DNS I added as a forwarder, as the customer was using SWBell for their ISP. It worked for a very long time, and then some pages would not display properly and others would.
ryanj1987 (Author) commented:
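The rules stated in the last few comments (ISP resolvers only on the Forwarders tab, the server's own NIC pointing at itself and its partner DC, recursion left enabled, the AD zone hosted locally, a sane forwarder timeout) can be checked in one pass. The script below is an added example and is not from the thread or from any of the posters; it assumes Windows Server 2012 or later with the DnsServer and DnsClient PowerShell modules (on Server 2003, the same settings are in the DNS console and in dnscmd.exe). The addresses in $InternalDns are hypothetical placeholders; replace them with your own DCs.

```powershell
# Added example, not the thread's own code. Run elevated on the DNS server.
# Assumes Windows Server 2012+ (DnsServer / DnsClient modules).
$InternalDns = @('10.0.0.10', '10.0.0.11')   # hypothetical: this DC and its partner DC

$problems = @()

# 1. NIC bindings: only internal DNS servers (self and partner) may appear here.
#    An ISP address listed as Preferred/Alternate is exactly what returns wrong
#    answers for internal names when the local service is slow to respond.
$bound = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object { $_.ServerAddresses }
foreach ($addr in $bound) {
    if ($InternalDns -notcontains $addr) {
        $problems += "NIC lists non-internal DNS server $addr; move it to the Forwarders tab"
    }
}

# 2. Forwarders: the ISP resolvers belong here and nowhere else.
$fwd = Get-DnsServerForwarder
if (-not $fwd.IPAddress) {
    $problems += 'No forwarders configured; the server will rely on root hints for external names'
}
foreach ($ip in $fwd.IPAddress) {
    if ($InternalDns -contains $ip.IPAddressToString) {
        $problems += "Forwarder $ip is an internal server; forwarders should be the ISP resolvers only"
    }
}
if ($fwd.Timeout -lt 5) {
    $problems += "Forwarder timeout is $($fwd.Timeout)s; the thread raised it from 5 to 15"
}

# 3. Recursion must stay enabled, or external names will not resolve at all.
if (-not (Get-DnsServerRecursion).Enable) {
    $problems += 'Recursion is disabled on this server'
}

# 4. The AD domain zone must be hosted locally. If it is not, every query for
#    vs1.domain.local is forwarded and answered by the ISP, which is the symptom
#    described in the thread.
$domain = $env:USERDNSDOMAIN
if ($domain) {
    $zone = Get-DnsServerZone -Name $domain -ErrorAction SilentlyContinue
    if (-not $zone) {
        $problems += "No forward lookup zone for $domain on this server"
    } elseif (-not $zone.IsDsIntegrated) {
        $problems += "Zone $domain is not AD-integrated; consider converting it on a DC"
    }
}

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output 'DNS layout matches the recommendations in this thread'
}
```

Run it on each DNS server, since (as Brian Pierce noted) a single server with an ISP address on its NIC is enough to produce the wrong-answer behaviour for the whole site.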
Here is how we have it setup...


DNS Service
Forwarders: (ISP DNS1), (ISP DNS2)
Forward Timeout: 15 (It was 5)
Do Not Use Recursion: NOT checked

Here is the problem we had with this setup: Inside network would connect to local server (For Example VS1) and the DNS query would get forwarded for some reason, even though there is an entry in our local DNS for VS1.

Does that make any sense?
Madison Perkins (Consultant) commented:
When the DNS resolution problem occurs, are all machines affected? i.e., resolving vs1, vs2, vs3, etc. will fail over to a forwarder from anywhere.

When the DNS request is made from a client, are all clients affected? i.e., workstation1, workstation2 and memberserver1 try to resolve vs1 and they all fall over to a forwarder?

Can you verify that nslookup from a client defaults to the internal server, and if so, can the internal server resolve vs1.domain.local but not vs1? (Could be a domain search suffix problem.)

Can you run dnsdiag against the DNS server when the problem occurs and post the results? dnsdiag is found in the Server 2003 Resource Kit.

ryanj1987 (Author) commented:
Yes, it affects all machines when the problem happens.

All workstations get the same results; it's almost like the DNS service just starts forwarding all queries instead of checking itself first. Then once the problem is over, the DNS cache needs to be cleared on the machines before they will get the real address (because they just get it from the cache for another hour).

I'll check both of those when I get in tomorrow, I may not be able to do a dnsdiag because generally the problem only happens for maybe 2 minutes tops and by the time I get made aware of it, i've got about a 30 second window to do anything before it just starts working again.
Madison Perkins (Consultant) commented:
Do a dnsdiag as well as a dcdiag /test:DNS before the problem occurs as well as when it occurs (if possible), to have a before and after view of your DNS.
Change the list of DNS servers on your router to the internal DNS servers.

What will happen is the client will make a DNS query. The query will be sent through the router to the server; if the server doesn't have the DNS record, it will forward it out to the DNS servers you forward to (the ISP).

The router is the middle man between server and client. If your router has an outside DNS, your clients will go to an outside DNS for their queries and skip your server.
ryanj1987 (Author) commented:
ChiefIT -

The only problem with that is it won't be able to download virus, antispyware, filtering updates, etc.
Not true:

If you put your DNS servers in the router's list, the DNS query from the client will go through the router to your DNS server first. If your DNS server doesn't have a DNS record to resolve the query, it will "forward" the request to the outside DNS servers you have listed under the DNS Forwarders tab. Or it could do a recursive lookup of outside DNS servers. In either case an outside DNS server will answer the DNS query for the programs you want from the outside.

So, you want the clients to go through your router to the local DNS server, then let your DNS server decide if it needs to be forwarded out to an outside DNS server.
ryanj1987 (Author) commented:
Hmm... we tried to do that back in the day, and it couldn't reach outside the network. It might have been before forwarders were set up correctly on our DNS (it makes sense how it should work like that). Let me try it tonight and I'll let you know :)
Also, follow what KCTS wrote:

Outside DNS should only be in the Forwarders tab of your DNS server. Not on any network bindings or on the router. This includes not having an outside DNS on the server's bindings. ONLY in Forwarders.

Some clients may still hold onto that outside DNS server as a cached setting. So, you may need to flush the DNS on the client and do an ipconfig /all on the client to make sure it goes only to the server for DNS. Let the server make the determination of when it should go to an outside DNS.

Furthermore, some clients may not have a DNS record on the server. A quick ipconfig /registerdns will resolve that.

Change the router's list of DNS servers to your DNS servers.
Go to the client and type ipconfig /flushdns in the command prompt, if necessary.
Also on the client, ipconfig /registerdns.
Check your work by going to the client and typing ipconfig /all.
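The client-side steps just listed, plus the nslookup and search-suffix checks Madison Perkins asked for earlier, can be scripted so the comparison is done in one go rather than eyeballed. The script below is an added example and not from the thread or from any poster; it assumes Windows 8 / Server 2012 or later (DnsClient module, Resolve-DnsName). The addresses, the host name vs1 and the suffix domain.local are the thread's placeholders or hypothetical values; substitute your own. It asks your internal server and your ISP's resolver the same question, which makes the "completely wrong address" described above visible directly.

```powershell
# Added example, not the thread's own code. Run on a domain-joined client.
# Assumes Windows 8 / Server 2012+ (DnsClient module).
$InternalDns  = @('10.0.0.10', '10.0.0.11')   # hypothetical internal DNS servers
$IspDns       = '203.0.113.53'                # hypothetical ISP resolver (documentation range)
$InternalHost = 'vs1'                         # short name used in the thread
$AdSuffix     = 'domain.local'                # AD DNS suffix used in the thread

# Steps from the thread: drop any cached wrong answer, then re-register this
# client's own A record with the internal server.
ipconfig /flushdns    | Out-Null
ipconfig /registerdns | Out-Null

# 1. Which resolvers is this client actually using? Only internal ones are allowed.
#    If an ISP address shows up here, the DHCP scope or the router is handing it out.
$nics = Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }
foreach ($nic in $nics) {
    foreach ($s in $nic.ServerAddresses) {
        if ($InternalDns -notcontains $s) {
            Write-Warning "$($nic.InterfaceAlias) uses $s for DNS; it should list only internal servers"
        }
    }
}

# 2. Search suffix check: a bare 'vs1' only resolves if the AD suffix is appended.
$suffixes = (Get-DnsClientGlobalSetting).SuffixSearchList
$conn     = (Get-DnsClient | Where-Object { $_.ConnectionSpecificSuffix }).ConnectionSpecificSuffix
if (($suffixes -notcontains $AdSuffix) -and ($conn -notcontains $AdSuffix)) {
    Write-Warning "Neither the suffix search list nor a connection suffix contains $AdSuffix; '$InternalHost' alone may not resolve"
}

# 3. Ask the internal server and the ISP resolver the same question and compare.
#    -DnsOnly skips the hosts file and cache so each answer is the server's own.
$fqdn = "$InternalHost.$AdSuffix"
$fromInternal = (Resolve-DnsName -Name $fqdn -Type A -Server $InternalDns[0] -DnsOnly -ErrorAction SilentlyContinue).IPAddress
$fromIsp      = (Resolve-DnsName -Name $fqdn -Type A -Server $IspDns        -DnsOnly -ErrorAction SilentlyContinue).IPAddress

'{0,-28} internal server -> {1,-16} ISP resolver -> {2}' -f $fqdn,
    ($(if ($fromInternal) { $fromInternal -join ',' } else { 'no answer' })),
    ($(if ($fromIsp)      { $fromIsp -join ',' }      else { 'no answer' }))

if (-not $fromInternal) {
    Write-Warning "Internal server gave no answer for $fqdn; check the zone and the host's A record"
}
if ($fromIsp -and (Compare-Object $fromInternal $fromIsp)) {
    Write-Warning "ISP resolver returns a different address for $fqdn; any client that reaches it will get the wrong host"
}
```

If step 1 prints nothing and step 3 shows the internal server answering, the remaining failure mode is the one the author describes: the internal service not answering within the client's timeout. In that case the forwarder timeout and debug logging on the server, rather than the client, are where to look next.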

