Solved

DNS Forwards no longer working

Posted on 2008-10-08
447 Views
Last Modified: 2012-05-05
Hey Guys,
   Weird one here, nothing huge I'm sure, but I'm swamped and wanted to give you guys a crack at it first...

   We have a Windows 2003 Domain with our Domain Controller as our primary DNS server. The DNS handles our domain DNS and forwards requests for external domains to our ISP's DNS servers (in the same datacenter). This has been working fine for months, but last night DNS forwarding stopped working mysteriously. I look at the DNS server and everything internally is resolving properly, but external domains don't work. I tried to ping the DNS server from the machine and get a response:

Reply from [IP OF ROUTER]: Destination host unreachable.

I telnet into our Cisco router and ping the DNS server and it works perfectly... I can also ping external IP addresses (i.e. the public IP address of google.com). However, when I try to ping them from the server behind the router I get the same result.

I can't reboot the router until tonight, because incoming traffic through that router is still working properly (ie, email, OWA, etc) so taking those down would make matters horrible, and the DNS servers there aren't in use by our company at our office so no users are screaming...

Our routing scheme consists of a default route 0.0.0.0 [route of ISP gateway], so it's not really all that complex, and no changes have been made to the configuration of the router overnight. Any way to narrow down the problem to make my troubleshooting tonight easier?  

As a side note, I DO have Remote Desktop Access into the servers in the datacenter, so I CAN change configs on both them and the router if need be...

Thanks EE.
Question by:hypknight

21 Comments

LVL 2

Assisted Solution

by:Shecky919
Shecky919 earned 200 total points
Hmmm... The fact that you cannot ping out to an IP address from the server says to me that it is not just a DNS issue. I would honestly check to make sure that the router is allowing traffic outbound. A reboot of the router might not hurt, but double check the routing tables first.

LVL 2

Author Comment

by:hypknight
I can ping out of the router, and I've currently got VPN connections that are actively working attached to the same router. There's only 1 route and that's the default that's for all traffic to pass to the gateway.... quite strange...

LVL 38

Expert Comment

by:ChiefIT
Your ISP took their DNS servers off line. You can go to the forwarders tab and disable recursive lookups. That will default you to Root Hints servers.

LVL 59

Expert Comment

by:Darius Ghassem
Make sure you update your root hints if you are going to use them for now. Go to Windows Update to update them.

LVL 2

Author Comment

by:hypknight
I see your point, but if I go to the router (my gateway) and ping 69.54.32.13 or 69.54.32.14 (my ISP's DNS server IPs), I get ping replies. If I ping those, or I ping Google's IP address from the server itself, I get Destination host unreachable errors. This is the same from any server behind that router. I think the problem is with routing through the router, but I don't understand why it would crop up with no change to the configuration...

Assisted Solution

by:rob_geiger
rob_geiger earned 200 total points
Your DNS server is working fine.
C:\Documents and Settings>nslookup google.com 69.54.32.14
Server:  cns2.implex.net
Address:  69.54.32.14

Non-authoritative answer:
Name:    google.com
Addresses:  209.85.171.99, 72.14.207.99, 64.233.187.99

It is possible that your ISP is having a routing problem, or that your router is having an issue. Cisco routers sometimes exhibit what you are seeing. A reboot will usually fix it.

LVL 3

Assisted Solution

by:tismetoo
tismetoo earned 100 total points
What do tracert and pathping on the IP addresses which work from the router show for the server behind it? Does the traffic stop at the router?

LVL 2

Author Comment

by:hypknight
tismetoo:

Yes, the traffic stops at the router.

Expert Comment

by:rob_geiger
Can you ping the OpenDNS routers at 208.67.222.222 and 208.67.220.220? If you can, you may want to try using those addresses until your routing problem is resolved.

LVL 2

Author Comment

by:hypknight
I can ping them from my router, but I can't ping them from the server... I'm probably going to have to reboot the router, but I can't do it until close of business... I'd like to know for sure before the reboot that it will fix the problem however... if there's any way to know for sure that'd be fantastic. If not, I'll wait and see what the reboot does and let you know...

Expert Comment

by:rob_geiger
It is also possible that pings are being blocked and you have another problem. Try this command:
nslookup google.com 69.54.32.14
which is using your secondary router.
Then try
nslookup google.com 208.67.222.222
which will resolve the name using the OpenDNS DNS server.
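The two nslookup commands above each ask one specific server directly, bypassing the DC's forwarder list. As an added example (not part of the thread, and not anyone's production code), here is a small Python probe that does the same thing on the wire: it builds a DNS A query, sends it to one chosen server with nslookup's 2-second timeout, and parses the reply, so each forwarder can be tested in turn from the affected server. The server IPs are the ones named in this thread; the reply used for the offline demonstration is constructed here to match the three addresses cns2.implex.net returned for google.com above, not captured traffic.

```python
"""Minimal DNS A-record probe: ask one specific server, time out like nslookup."""
import random
import socket
import struct

TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Turn "google.com" into length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=None):
    """Return (txid, packet). A random txid is the minimum defence against
    stray or spoofed answers; parse_response() refuses replies that do not match."""
    if txid is None:
        txid = random.randrange(65536)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    return txid, header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def read_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        labels.append(data[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_response(data, expected_txid):
    """Return {"rcode": n, "addresses": [...]} for the A records in the answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    off = 12
    for _ in range(qd):                                # skip the echoed question
        _, off = read_name(data, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return {"rcode": flags & 0x0F, "addresses": addrs}


def resolve(name, server, timeout=2.0):
    """Ask `server` directly over UDP/53. Returns the parsed answer, or None
    when nothing arrives within `timeout` (nslookup's "DNS request timed out")."""
    txid, packet = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data, txid)


def build_sample_response(txid, name, addresses, ttl=300):
    """Constructed reply (not captured traffic): a recursive server's answer to
    an A query, each RR pointing back to the question name with 0xC00C."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    answers = b"".join(
        b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
        + bytes(int(o) for o in a.split("."))
        for a in addresses)
    return header + question + answers


# The three addresses cns2.implex.net returned for google.com in the thread.
SAMPLE_ADDRESSES = ["209.85.171.99", "72.14.207.99", "64.233.187.99"]


def demo_offline():
    """Round-trip a constructed reply through the parser without any network."""
    txid, _ = build_query("google.com", txid=0x1234)
    reply = build_sample_response(txid, "google.com", SAMPLE_ADDRESSES)
    return parse_response(reply, txid)


if __name__ == "__main__":
    print(demo_offline())
    for server in ("69.54.32.14", "208.67.222.222"):   # ISP forwarder, OpenDNS
        print(server, resolve("google.com", server))
```

Run it on the server behind the router: a None for every server, while the same probe from another network gets answers, points at the path rather than at the forwarders, which is the distinction this thread is trying to make.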

Expert Comment

by:rob_geiger
Also from the command line of the server you can look at your routes by typing:
route print

LVL 2

Author Comment

by:hypknight
The request is timing out; it can't reach the DNS server.

LVL 2

Author Comment

by:hypknight
>nslookup google.com 69.54.32.14
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 69.54.32.14: Timed out
Server:  UnKnown
Address:  69.54.32.14

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 11 43 fe 0c af ...... Intel(R) PRO/1000 MB Dual Port Server Connection
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.7.1      10.10.7.200     10
     10.1.101.136  255.255.255.255        10.10.7.1      10.10.7.200     10
        10.10.7.0    255.255.255.0      10.10.7.200      10.10.7.200     10
      10.10.7.200  255.255.255.255        127.0.0.1        127.0.0.1     10
   10.255.255.255  255.255.255.255      10.10.7.200      10.10.7.200     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
        224.0.0.0        240.0.0.0      10.10.7.200      10.10.7.200     10
  255.255.255.255  255.255.255.255      10.10.7.200      10.10.7.200      1
Default Gateway:         10.10.7.1
===========================================================================
Persistent Routes:
  None


10.10.7.200 is the IP of the Domain Controller
10.10.7.1 is the gateway

Expert Comment

by:rob_geiger
The error indicates that the DNS server does not know a route back to your internal network. If you have Internet-addressable addresses on your network, it is probably a routing problem with the ISP. If you are NATing, it is possible that NAT is not working correctly. Try pinging 64.233.187.99 (google.com).
You may also try putting that IP address into your browser's URL bar, http://64.233.187.99, to see if Google's page loads.

Expert Comment

by:rob_geiger
Your routing on your server looks fine
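The verdict above was reached by reading the table by eye. As an added example (not part of the thread, and not rob_geiger's or anyone's production code), here is a Python script that makes the same check mechanically: it parses the Active Routes section of `route print`, finds the default route, and confirms its gateway sits on a directly connected subnet, because a default gateway that is not on-link is accepted by Windows but can never be reached. The first sample is the asker's own table copied in as constructed input; the second and third samples are hypothetical variations constructed here to show the two ways the check fails.

```python
"""Parse Windows `route print` output and sanity-check the default route."""
import ipaddress
import re
from collections import namedtuple

# Constructed sample input: the Active Routes table posted in the thread.
ROUTE_PRINT_OK = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.7.1      10.10.7.200     10
     10.1.101.136  255.255.255.255        10.10.7.1      10.10.7.200     10
        10.10.7.0    255.255.255.0      10.10.7.200      10.10.7.200     10
      10.10.7.200  255.255.255.255        127.0.0.1        127.0.0.1     10
   10.255.255.255  255.255.255.255      10.10.7.200      10.10.7.200     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
        224.0.0.0        240.0.0.0      10.10.7.200      10.10.7.200     10
  255.255.255.255  255.255.255.255      10.10.7.200      10.10.7.200      1
Default Gateway:         10.10.7.1
"""

# Hypothetical counter-examples (constructed, not from the thread): a gateway
# outside every connected subnet, and a table with no default route at all.
ROUTE_PRINT_BAD_GW = ROUTE_PRINT_OK.replace("10.10.7.1 ", "10.10.8.1 ")
ROUTE_PRINT_NO_DEFAULT = "\n".join(
    line for line in ROUTE_PRINT_OK.splitlines()
    if not line.lstrip().startswith("0.0.0.0"))

Route = namedtuple("Route", "network gateway interface metric")

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
ROUTE_RE = re.compile(rf"^\s*{IPV4}\s+{IPV4}\s+{IPV4}\s+{IPV4}\s+(\d+)\s*$")


def parse_routes(text):
    """Return one Route per data row; header, separator and footer lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue
        dest, mask, gw, iface, metric = m.groups()
        routes.append(Route(
            ipaddress.ip_network(f"{dest}/{mask}", strict=False),
            ipaddress.ip_address(gw),
            ipaddress.ip_address(iface),
            int(metric),
        ))
    return routes


def check_default_route(routes):
    """Say whether off-subnet traffic can leave this host at all.

    The default route is usable only when its gateway falls inside a directly
    connected network, i.e. a non-host route whose gateway equals the interface
    address (that is how Windows marks on-link routes in `route print`).
    """
    defaults = [r for r in routes if r.network.prefixlen == 0]
    if not defaults:
        return {"ok": False, "reason": "no default route", "gateway": None}
    best = min(defaults, key=lambda r: r.metric)
    on_link = [r for r in routes
               if r.gateway == r.interface
               and r.network.prefixlen < 32
               and best.gateway in r.network]
    if not on_link:
        return {"ok": False,
                "reason": f"gateway {best.gateway} is not on a connected subnet",
                "gateway": str(best.gateway)}
    return {"ok": True,
            "reason": f"default via {best.gateway} on {best.interface} ({on_link[0].network})",
            "gateway": str(best.gateway)}


if __name__ == "__main__":
    import sys
    # Usage: route print > routes.txt, then: python check_routes.py routes.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else ROUTE_PRINT_OK
    print(check_default_route(parse_routes(text)))
```

When the host's own table passes this check but tracert still stops at the gateway, the fault is past the host: in the router's NAT, access lists or routes, or further upstream, which is where this thread ends up.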

Expert Comment

by:rob_geiger
Are you accessing the servers through a VPN?

LVL 38

Expert Comment

by:ChiefIT
I am not sure if I have this straight:

You can't contact by IP or FQDN:

If so, this is a common problem that can be fixed while the router is enabled. Cisco has a quirk in it that makes you choose the exact same mode of operation on switches and servers in order to communicate between them. You might think that a switch set to AUTOMATIC would communicate with a 100 Mb/full duplex router. They don't. You may experience intermittent comms between the switches and router as a result.

Both switches and routers for Cisco products have to be on the exact same mode of operation. I set all mine to AUTO.

LVL 2

Author Comment

by:hypknight
rob:
    Yes, I'm connecting to the servers over a VPN tunnel that is currently up between our office and the datacenter. This VPN tunnel is terminated between the router in question, and a router in our office.

ChiefIT:
   We have all of the link modes explicitly defined. The solution has been working for well over 9 months. It just up and stopped passing traffic outbound last night. I can reboot the router, but not until the close of business...

LVL 3

Expert Comment

by:tismetoo
hypknight

I think you have come to the conclusion that you have a problem with the router. If a reboot of the router doesn't fix it, then restoring a recent config might, if you have a backup. Failing that, you need to look at the config and understand why traffic is not being allowed out to the internet when traffic for a VPN (which also goes via the internet) is fine and dandy.

LVL 2

Accepted Solution

by:hypknight
hypknight earned 0 total points
Hi Guys,
    The target of the post was to confirm my suspicions about the router and to see if there was a known method of restoring functionality that didn't require service disruption. I rebooted the router and everything works perfectly. I'm going to do a points split here, for all people with related solution recommendations.

Thanks EE!