How do I configure DNS so my computers can access the internet?

I have a Windows 2003 Server running AD and DNS. I don't understand what forward or reverse lookup zones are though. How do I tell the DNS server to look to my router to get Internet DNS information?

Maybe that's a bad way to put it. I want to be able to browse the web from my server and workstations. Right now, I can't, but I do have Internet access. I can ping out of the building, for example.
1 Solution
 
JayPeeASCommented:
All you have to do is install the DNS server from Add/Remove Programs, Add Windows Components, and then point your server's DNS to itself and all the workstations to point their DNS server to the server's IP address.

You shouldn't need DNS forwarders.

Let me know if you need any specifics or if you need detailed instructions on how to do this.
fekdepAuthor Commented:
The DNS is installed.  It was working.  I ran a Windows Update and restarted.  Now nothing.

Not long ago I discovered that the server was using the router as its DNS. I changed the DNS to itself. I didn't restart. This is the first restart since then.

Basically my question is this: If DNS is set up on my server and the server looks to itself to resolve names and all of the workstations look to the server to resolve names, how does that DNS server know where google.com is, for example? Where does the DNS server get that information from?
Darius GhassemCommented:
The server will look at root hints to resolve external names if the server doesn't have forwarders set up. Forwarders will forward all external namespace resolution to your ISP's DNS servers, which is the better solution than root hints. You will get better performance. Also, using root hints is a security risk. If you want to use root hints you need to download the most updated hints from MS Update. Make sure your clients point to your internal DNS server and the server points to itself.


http://technet.microsoft.com/en-us/library/cc782142.aspx

http://technet.microsoft.com/en-us/library/cc773370.aspx
fekdepAuthor Commented:
I followed those instructions. My router doesn't have a FQDN, I made one up and used its IP. Still nothing.

I'm asking here because what I have found on google isn't helping.

Any chance of a step by step?
Darius GhassemCommented:
You don't want the router to handle DNS for you. You want DNS to do that and you want forwarders to forward the requests.

Go to DNS then right-click your zone

Go to Properties

Select the Forwarders Tab.

Add your ISP DNS servers.
sensored2008Commented:
1. You need to configure the router of the network, meaning connect it directly to a laptop or some PC and ensure you are getting Internet.
2. On the DC server, recheck the IP settings to ensure that the router IP is your gateway.
3. Now you should have Internet, unless you are using any internal (e.g. ISA) or external proxy (ISP proxy) server to access the Internet.
4. If you are using any proxy, ensure you set it up on any machine to gain Internet access.
5. After that, use GPO to configure the proxy setting for the whole network.
ChiefITCommented:
I think you are getting bits and pieces and not the big picture. So, for your reference you can see where a DNS query goes using this info. It helps massively in troubleshooting.

The client sends out a DNS query:
The client has a couple of records that it will try to resolve the query with by itself:
1) The first place a client looks is a cached entry. (You can flush the DNS cache by going to the command prompt and typing ipconfig /flushdns.)
2) Then, if your client doesn't have the cached entry, it will look at the client's C:\Windows\system32\drivers\etc\hosts file for resolution. (You can look at and edit the hosts file with WordPad. Check and see that there are no entries, except 1.0.0.127 localhost, in that file. Manually configured hosts files can mess up DNS resolution.)

After the client can't determine its own DNS query, it will look at the preferred DNS server. (To determine the preferred DNS server, it will be the first one on the list in an ipconfig /all of the client. The preferred DNS server for all your nodes on that network should be your internal DNS server, **not the router or an outside server**.)

1) The first place the server looks for DNS records is its own DNS cache. (You can flush the cache by again going to the command prompt and typing ipconfig /flushdns.)
2) Then the server will look at its own C:\Windows\system32\drivers\etc\hosts file for resolution.
3) Then, the DNS server will have a list of Host A records for internal LAN queries. (It looks and sounds like you have a list of Host A records.)
4) If the DNS server can't find the Host A record, it will make an attempt to contact an outside server. There are two types of contacts. One is a recursive query and the other is an iterative query. There are also two types of lists to contact the outside server. One is called forwarders and the other is called root hints.
---Brief explanation of each:
---Recursive lookup: A recursive lookup is handled by the server. It will go out to a distant server and try to resolve DNS queries that it can't resolve on its own for the client. In other words, if the DNS server can't find an internal address, it will go out to other servers and ask them to look for it. If a resolution is provided, the resolution will be passed down to the client from the server. It is recommended to turn off recursive lookups for security reasons and performance reasons.
---Iteration: Iteration is done when the server can't resolve the query and tells the client, "I can't do it, ask another DNS server." The resolution comes from the remote server, not the local server. So, this is basically passing the buck.
---Forwarders: Forwarders are manually configured DNS servers that your server will forward queries to if your server can't make the resolution. (Most folks configure the ISP's DNS server as the forwarders.)
---Root hints: Root hints are a list of public DNS servers that your server forwards DNS queries to if your server can't resolve the DNS query.

Forwarders use recursive lookups and are usually configured to either your router or to your ISP for outside resolution. (The reason you can use a router for forwarders is because the router will get your ISP's DNS address to look outside your domain for DNS queries automatically)

Root hints use iterative lookups and are a list of public servers that the query goes out to for resolution.

_______________________________________________________________________________
To answer your question on how to get outside resolution:

You will have to enable root hints or configure forwarders. Also, each node has to have a single gateway configured to show your computer the path to the outside. Most likely that is the path to your router.

So, Darius is absolutely right. You can configure root hints.


sensored2008Commented:
@ChiefIT:
Whole picture!!! Don't you mean the whole book?
fekdepAuthor Commented:
Ok. I reinstalled DNS so I would have a clean start. The Internet worked right away. Then, I set up the forwarder and it continued to work.... for a couple of hours.

Now, nothing.
Darius GhassemCommented:
Do an nslookup and post.
fekdepAuthor Commented:
I redid the forwarders and flushed the DNS. Right now it seems to be working.

nslookup:

DNS request timed out.
      timeout was 2 seconds.
***Can't find server name for address 192.168.4.200: Timed Out
Default Server: UnKnown
Address: 192.168.4.200
JayPeeASCommented:
If you create a PTR record in the reverse lookup zone you'll get a proper nslookup result (without the DNS request timeouts).

Is the internet working now?
fekdepAuthor Commented:
I don't know what a PTR record is or how to make one.

The Internet is working now. That said, it worked this morning for a couple of hours.
ChiefITCommented:
Sounds like you have an IP on a client computer that is the same as your gateway.

Go to the command prompt and type:

ping -a xxx.xxx.xxx.xxx

Where xxx.xxx.xxx.xxx is the IP of your gateway. That should resolve the DNS name of the computer. Go to that computer, and change its IP.

@sensored2008:
"Whole picture!!! Don't you mean the whole book?"
LOL
fekdepAuthor Commented:
Did that, no name came up.

My DHCP scope starts at xxx....201; my gateway is .1.
fekdepAuthor Commented:
And the Internet stopped working again, by the way.

I remove the forwarder and then it works.
Darius GhassemCommented:
Update your root hints through Windows Update. Let's see if the root hints fail.
fekdepAuthor Commented:
I just did a Windows Update. That's how I got into this mess. Prior to doing that on Saturday everything worked just fine.
Darius GhassemCommented:
Did you install this update KB 958644?
fekdepAuthor Commented:
I did all available updates.

I'd check now, but naturally I can't do that without an Internet connection.
Darius GhassemCommented:
If you look through your Add/Remove Programs, do you see this update installed? What AV are you running? This update has been causing network connectivity issues.
fekdepAuthor Commented:
Yes, that update is there.

I'm using McAfee AV with the firewall disabled.
Darius GhassemCommented:
There hasn't been a fix posted yet, but you can get free tech support from MS if you are having a problem with an update.

How to obtain help and support for this security update
For home users, no-charge support is available by calling 1-866-PCSAFETY in the United States and Canada or by contacting your local Microsoft subsidiary. For more information about how to contact your local Microsoft subsidiary for support issues with security updates, visit the Microsoft International Support Web site:
http://support.microsoft.com/common/international.aspx?rdpath=4
North American customers can also obtain instant access to unlimited no-charge e-mail support or to unlimited individual chat support by visiting the following Microsoft Web site:
http://support.microsoft.com/oas/default.aspx?&prid=7552
For enterprise customers, support for security updates is available through your usual support contacts.
fekdepAuthor Commented:
I don't want to hire someone.  

I've uninstalled that update and restarted the server. As of now, I have Internet access. For a temporary fix on the workstations I've added the ISP's DNS to the DHCP. Hopefully that update was the issue. I'll know soon enough, I suppose.
Darius GhassemCommented:
Even with the update removed users still had issues, but hopefully you will be one of the ones that won't. You should remove the Internet DNS server from your TCP\IP settings because of domain problems that will come about if you have an external DNS server listed in your internal network's TCP\IP properties. The update problems are free if you call MS.
ChiefITCommented:
Go to Start>>Run>>services.msc and see if the Windows Firewall service is on Automatic and Started.

I just noticed that even though Control Panel said my firewall was off, the service applet was actually ON. Maybe you are having the same issue.

I disabled Windows Firewall in services with no fix to the KB problem. My issue started with updates as well. Maybe disabling the firewall will work for you. Of course I can't recommend you disable all firewalls in lieu of another firewall. So, the decision is up to you.
sensored2008Commented:
Are both your router and server acting as DHCP servers?
sensored2008Commented:
Make sure your router is acting as gateway only, not DHCP; if DHCP is enabled there, disable it.
fekdepAuthor Commented:
Ok, I'm still having problems with this. I followed all of the instructions and it worked for a while.

I removed DNS and reinstalled.
I removed my DHCP scope and reconfigured.
My router is not acting as a DHCP server.

My DNS forwards all unknown lookups to my ISP's DNS.

Is there a way to trace from the client side where DNS lookups are going? DNS seems pretty simple:
COMPUTER asks SERVER "Where is John?"
SERVER responds "John is over there --->"
COMPUTER asks "Where is Google? --->"
SERVER responds "I don't know, ask ISP"
ISP responds to COMPUTER "Google is over there ---->"

Case closed. What is wrong with my setup?
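For the client-side trace asked about above, and for the resolution path ChiefIT walked through earlier (client cache and hosts file, then the preferred server, then forwarders or root hints), here is an added example that is not code from this thread: it sends one A query straight from the client to a chosen DNS server and decodes the response header, so a timeout, a server that refuses recursion (unusable as a forwarder), and a real recursive answer can be told apart. The server IP 192.168.4.200 is taken from the nslookup output in the thread; the ISP forwarder address and the sample responses in the comments are placeholders/constructed.

```python
import socket
import struct

# Added example (not from the thread). One hand-built DNS A query is sent
# directly to a chosen server and the 12-byte response header is decoded,
# which shows whether that server answers at all, and whether it recurses.

def build_query(name, qid=0x1234, recursion_desired=True):
    """Return the raw bytes of a DNS query for the A record of `name`."""
    flags = 0x0100 if recursion_desired else 0x0000            # RD bit only
    header = struct.pack(">HHHHHH", qid, flags, 1, 0, 0, 0)     # QDCOUNT = 1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def parse_flags(resp):
    """Decode the DNS header of a response into the fields that matter here."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "id": qid,
        "is_response": bool(flags & 0x8000),          # QR bit
        "recursion_available": bool(flags & 0x0080),  # RA bit
        "rcode": flags & 0x000F,                      # 0 = NOERROR, 3 = NXDOMAIN
        "answers": an,
    }

def diagnose(flags):
    """Turn parsed header flags (or None for a timeout) into a one-line verdict."""
    if flags is None:
        return "timeout: no reply (wrong IP, UDP/53 blocked, or server down)"
    if not flags["is_response"]:
        return "malformed: packet is not a DNS response"
    if not flags["recursion_available"]:
        return "server replied but will not recurse: unusable as a forwarder"
    if flags["rcode"] == 0 and flags["answers"] > 0:
        return "ok: recursive answer received"
    return "server replied with RCODE %d and %d answers" % (flags["rcode"], flags["answers"])

def query_server(server_ip, name, timeout=2.0):
    """Send the query over UDP/53 and return parsed flags, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_flags(data)

if __name__ == "__main__":
    # 192.168.4.200 is the internal server from the thread; append the ISP
    # forwarder's IP (placeholder, not given on the page) to compare both hops.
    for server in ["192.168.4.200"]:
        print(server, "->", diagnose(query_server(server, "google.com")))
```

Run it once against the internal server and once against the forwarder address configured in the DNS console; if the forwarder times out or reports no recursion, the server-side forwarding path is the broken hop.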
Darius GhassemCommented:
Ok. So, your local DNS only points to itself. The clients point to the server for DNS only. You have forwarders set up in DNS. What is happening right now that isn't working?
fekdepAuthor Commented:
Yes.... and no.

As an interim solution I have added the ISP's DNS to the DHCP scope. These people need a couple of hours to check their mail, etc...

However, when it is set up correctly (to the best of my knowledge), the server points to itself for DNS. The clients point to the server. The server has a forwarder set up to the ISP's DNS.

What doesn't work is browsing. All the clients can ping outside of the building but cannot resolve names. So, I can ping my mail server, for example, but not if I ping mail.company.com.

Another problem that coincides with this is internal data corruption.  They run a program that connects to the server that is constantly corrupting itself.

Right now, I'm waiting for a call back from Microsoft.  I followed up on your advice there.

Thanks for everything so far.  It has been a lot of help.
ChiefITCommented:
There are only a couple of possibilities this could be:

1) Please download and install SP2.

SP1 has a bug in it that chokes the MTU (maximum transfer unit) channels and causes a NIC flood. The flood can result on any of the ports that do the most traffic. You can test this by going in and doing an MTU ping.

http://help.expedient.com/broadband/mtu_ping_test.shtml
http://www.dslreports.com/faq/5793

2) Check your corporate Firewall for a blockage on port 80.

3) Change from forwarders to root hints to make sure the DNS forwarding server is not the problem. You may have a forwarder configured for a server that doesn't exist or is down for maintenance. You can test this by going back to root hints servers. To do this, disable recursive lookups. You can also try to ping your ISP's DNS server to see if it is online. You may/may not get a reply. This will depend upon whether your ISP has ICMP reply enabled on that server.

4) You may have configured IPv6 on your LAN. A super quick test is to go into the command prompt and type: ipconfig /all. If you see some funky IPs and a line that says Teredo tunnel, you are running IPv6. Now, IPv6 can work with DNS, but has to be configured right.

Here is an example of IPv6 on an improperly configured network:
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_23604907.html
fekdepAuthor Commented:
I'm already running SP2.

The ISP DNS server is online. If I enter it manually on a machine, I have Internet. I also support another customer in this building using the same provider. No problems there.

I disabled recursion and renewed a client IP.  I'm dead again.  What is recursion?

No IPv6
ChiefITCommented:
---Recursive lookup: A recursive lookup is handled by the server. It will go out to a distant server and try to resolve DNS queries that it can't resolve on its own for the client. In other words, if the DNS server can't find an internal address, it will go out to other servers and ask them to look for it. If a resolution is provided, the resolution will be passed down to the client from the server. It is recommended to turn off recursive lookups for security reasons and performance reasons.
---Iteration: Iteration is done when the server can't resolve the query and tells the client, "I can't do it, ask another DNS server." The resolution comes from the remote server, not the local server. So, this is basically passing the buck.
---Forwarders: Forwarders are manually configured DNS servers that your server will forward queries to if your server can't make the resolution. (Most folks configure the ISP's DNS server as the forwarders.)
---Root hints: Root hints are a list of public DNS servers that your server forwards DNS queries to if your server can't resolve the DNS query.

Forwarders use recursive lookups and are usually configured to either your router or to your ISP for outside resolution. (The reason you can use a router for forwarders is because the router will get your ISP's DNS address to look outside your domain for DNS queries automatically)

Root hints use iterative lookups and are a list of public servers that the query goes out to for resolution.
ChiefITCommented:
One thing we haven't tried is to reset the Winsock:
netsh winsock reset

I also know that ZoneAlarm has a problem with DNS on some service packs.
fekdepAuthor Commented:
I've got nothing in the way of a firewall at the moment. First thing I went for.

MS is in to the machine doing that voodoo that they doo to screw you.

After I explained that the problem was that I had no Internet access they asked me to go to support.microsoft.com/ea, so I don't have much faith that they will help.
ChiefITCommented:
Doing some further research... Was just on a site where:

AVG
Ad-Aware
Winsock
and ZoneAlarm

were causing the issues.

Also some DLLs were not registered correctly. (Lots of potential fixes here.)
http://en.kioskea.net/forum/affich-5044-can-t-browse-but-can-ping?page=4
fekdepAuthor Commented:
In the end there was some kind of corruption due to an update gone wrong. Microsoft took care of the problem.
fekdepAuthor Commented:
Thanks for all the help and tutorials.  Ultimately, you were right and I should have called MS earlier.