  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 467

DNS Forwards no longer working

Hey Guys,
   Weird one here, nothing huge I'm sure, but I'm swamped and wanted to give you guys a crack at it first...

   We have a Windows 2003 Domain with our Domain Controller as our primary DNS server. The DNS handles our domain DNS and forwards requests for external domains to our ISP's DNS servers (in the same datacenter). This has been working fine for months, but last night DNS forwarding stopped working mysteriously. I look at the DNS server and everything internally is resolving properly, but external domains don't work. I tried to ping the DNS server from the machine and get a response:

Reply  [IP OF ROUTER]: Destination host unreachable.

I telnet into our Cisco router and ping the DNS server and it works perfectly... I can also ping external IP addresses (i.e. the public IP address of google.com). However, when I try to ping them from the server behind the router I get the same result.

I can't reboot the router until tonight, because incoming traffic through that router is still working properly (i.e. email, OWA, etc.), so taking those down would make matters horrible, and the DNS servers there aren't in use by our company at our office so no users are screaming...

Our routing scheme consists of a default route 0.0.0.0 [route of ISP gateway], so it's not really all that complex, and no changes have been made to the configuration of the router overnight. Any way to narrow down the problem to make my troubleshooting tonight easier?

As a side note, I DO have Remote Desktop Access into the servers in the datacenter, so I CAN change configs on both them and the router if need be...

Thanks EE.
0
hypknight
Asked:
hypknight
4 Solutions
 
Shecky919 Commented:
Hmmm... With the idea that you cannot ping out to an IP address from the server says to me that it is not just a DNS issue. I would honestly check to make sure that the router is allowing traffic outbound. A reboot of the router might not hurt, but double check the routing tables first.
0
 
hypknight (Author) Commented:
I can ping out of the router, and I've currently got VPN connections that are actively working attached to the same router. There's only 1 route and that's the default that's for all traffic to pass to the gateway.... quite strange...
0
 
ChiefIT Commented:
Your ISP took their DNS servers offline. You can go to the forwarders tab and disable recursive lookups. That will default you to Root Hints servers.
0
 
Darius Ghassem Commented:
Make sure you update your root hints if you are going to use them for now. Go to Windows Update to update them.
0
 
hypknight (Author) Commented:
I see your point, but if I go to the router (my gateway) and ping 69.54.32.13 or 69.54.32.14 (my ISP's DNS server IPs), I get ping replies. If I ping those, or I ping Google's IP address from the server itself, I get Destination host unreachable errors. This is the same from any server behind that router. I think the problem is with routing through the router, but I don't understand why it would crop up with no change to the configuration...
0
 
rob_geiger Commented:
Your DNS server is working fine.
C:\Documents and Settings>nslookup google.com 69.54.32.14
Server:  cns2.implex.net
Address:  69.54.32.14

Non-authoritative answer:
Name:    google.com
Addresses:  209.85.171.99, 72.14.207.99, 64.233.187.99

It is possible that your ISP is having a routing problem, or that your router is having an issue. Cisco routers sometimes exhibit what you are seeing. A reboot will usually fix it.
0
 
tismetoo Commented:
What do tracert and pathping on the IP addresses which work from the router show for the server behind it? Does the traffic stop at the router?
0
 
hypknight (Author) Commented:
tismetoo:

Yes, the traffic stops at the router.
0
 
rob_geiger Commented:
Can you ping the OpenDNS resolvers at 208.67.222.222 and 208.67.220.220? If you can, you may want to try using those addresses until your routing problem is resolved.
0
 
hypknight (Author) Commented:
I can ping them from my router, but I can't ping them from the server... I'm probably going to have to reboot the router, but I can't do it until close of business... I'd like to know for sure before the reboot that it will fix the problem however... if there's any way to know for sure that'd be fantastic. If not, I'll wait and see what the reboot does and let you know...
0
 
rob_geiger Commented:
It is also possible that pings are being blocked and you have another problem. Try this command:
nslookup google.com 69.54.32.14
which is using your secondary router.
Then try
nslookup google.com 208.67.222.222
which will resolve the name using the OpenDNS DNS server.
0
 
rob_geiger Commented:
Also from the command line of the server you can look at your routes by typing:
route print
0
 
hypknight (Author) Commented:
The request is timing out; can't reach the DNS server.
0
 
hypknight (Author) Commented:
>nslookup google.com 69.54.32.14
DNS request timed out.
    timeout was 2 seconds.
*** Can't find server name for address 69.54.32.14: Timed out
Server:  UnKnown
Address:  69.54.32.14

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

>route print

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 11 43 fe 0c af ...... Intel(R) PRO/1000 MB Dual Port Server Connec
tion
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.7.1      10.10.7.200     10
     10.1.101.136  255.255.255.255        10.10.7.1      10.10.7.200     10
        10.10.7.0    255.255.255.0      10.10.7.200      10.10.7.200     10
      10.10.7.200  255.255.255.255        127.0.0.1        127.0.0.1     10
   10.255.255.255  255.255.255.255      10.10.7.200      10.10.7.200     10
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
        224.0.0.0        240.0.0.0      10.10.7.200      10.10.7.200     10
  255.255.255.255  255.255.255.255      10.10.7.200      10.10.7.200      1
Default Gateway:         10.10.7.1
===========================================================================
Persistent Routes:
  None


10.10.7.200 is the IP of the Domain Controller
10.10.7.1 is the gateway
0
 
rob_geiger Commented:
The error indicates that the DNS server does not know a route back to your internal network. If you have Internet-addressable addresses on your network, it is probably a routing problem with the ISP. If you are NATting, it is possible that NAT is not working correctly. Try pinging 64.233.187.99 (google.com).
You may also try putting that IP address into your browser's URL bar, http://64.233.187.99, to see if Google's page loads.
0
 
rob_geiger Commented:
Your routing on your server looks fine.
0
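To make the check rob_geiger did by eye concrete (does the default gateway sit in a directly connected subnet of the same interface?), here is an added Python script that is not from the thread. It parses a Windows `route print` dump; the sample table below is constructed to mirror the one hypknight posted, and the function names are my own.

```python
"""Sanity-check a Windows 'route print' dump: is the default gateway on-link?"""
import ipaddress
import re

# Constructed sample, shaped like the Active Routes block posted in the thread.
SAMPLE_ROUTE_PRINT = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0        10.10.7.1      10.10.7.200     10
     10.1.101.136  255.255.255.255        10.10.7.1      10.10.7.200     10
        10.10.7.0    255.255.255.0      10.10.7.200      10.10.7.200     10
      10.10.7.200  255.255.255.255        127.0.0.1        127.0.0.1     10
Default Gateway:         10.10.7.1
"""

# One data row: destination, netmask, gateway, interface, numeric metric.
ROW = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return (network, gateway, interface, metric) tuples from the dump."""
    routes = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or 'Default Gateway:' line
        dest, mask, gw, iface, metric = m.groups()
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
            routes.append((net, ipaddress.ip_address(gw),
                           ipaddress.ip_address(iface), int(metric)))
        except ValueError:
            continue  # not an IPv4 row
    return routes


def check_default_gateway(text):
    """'ok' if the lowest-metric default route's gateway lies inside an
    on-link subnet of the same interface, otherwise a reason string."""
    routes = parse_routes(text)
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if not defaults:
        return "no default route"
    _, gw, iface, _ = min(defaults, key=lambda r: r[3])
    for net, net_gw, net_if, _ in routes:
        # Windows lists a directly connected subnet with gateway == interface.
        if net.prefixlen > 0 and net_gw == net_if == iface and gw in net:
            return "ok"
    return f"default gateway {gw} is not on-link for interface {iface}"
```

A result of "ok" means the host side is sane and, as in this thread, the next hop to test is the router itself.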
 
rob_geiger Commented:
Are you accessing the servers through a VPN?
0
 
ChiefIT Commented:
I am not sure if I have this straight:

You can't contact by IP or FQDN:

If so, this is a common problem that can be fixed while the router is enabled. Cisco has a quirk in it that makes you choose the exact same mode of operation with switches and servers in order to communicate between them. You might think that a switch set to AUTOMATIC would communicate with a 100 Mb / full duplex router. They don't. You may experience intermittent comms with the switches and router as a result.

Both switches and routers for Cisco products have to be on the exact same mode of operation. I set all mine to AUTO.
0
 
hypknight (Author) Commented:
rob:
    Yes, I'm connecting to the servers over a VPN tunnel that is currently up between our office and the datacenter. This VPN tunnel is terminated between the router in question, and a router in our office.

ChiefIT:
   We have all of the link modes explicitly defined. The solution has been working for well over 9 months. It just up and stopped passing traffic outbound last night. I can reboot the router, but not until the close of business...
0
 
tismetoo Commented:
hypknight

I think you have come to the conclusion that you have a problem with the router. If a reboot of the router didn't fix it then restoring a recent config might, if you have a backup. Failing that, you need to look at the config and understand why traffic is not being allowed out to the internet when traffic for a VPN (which also goes via the internet) is fine and dandy.
0
 
hypknight (Author) Commented:
Hi Guys,
    The target of the post was to confirm my suspicions about the router and to see if there was a known method of restoring functionality that didn't require service disruption. I rebooted the router and everything works perfectly. I'm going to do a points split here, for all people with related solution recommendations.

Thanks EE!
0