Solved

DNS Configuration Issue

Posted on 2008-10-27
Last Modified: 2012-05-05
Hi Experts,

We have a DNS problem with our SBS 2003 box. We have a single domain and single server which runs DHCP, Exchange and a variety of other things for about 8 PCs. The server has 2 NICs, one of which points internally to the network and the other which hooks into our router/firewall.

In the last 3 - 4 months we have had ever more frequent periods where the internet appears to drop out. This seems to happen randomly and, more often than not, is only brief (2-3 minutes) before access appears to be restored. When this has happened I have logged onto the router and the WAN interface is still up. What alerted me to it being a DNS issue was last week, when this happened again: I manually changed the DNS settings on my laptop to be those of our ISP (as taken from our router) and had internet access while the other PCs did not.

Yesterday we had a proper internet outage which required a reset of all the hardware, and since then the only way the PCs on the network can browse the internet is by them having the ISP's DNS servers manually added in the LAN connection. Also, on the server we cannot send or receive email now unless the ISP's DNS servers are added to the external NIC connection. Previously they were never there and this may be the problem?

Basically what I would like to achieve is to have our server running DNS correctly so that PCs on our network do not require DNS settings to be manually added.

Any help is greatly appreciated.
0
Question by:timetracer
17 Comments
 
LVL 70

Expert Comment

by:Chris Dent

Hey,

Is your DNS server running with Forwarders configured? You'll find that if you open the DNS Console, the properties for the server and the Forwarders tab.

The most common cause of a problem like this is Forwarders failing to respond in a timely fashion (even if those Forwarders appear to answer requests when used in TCP/IP configuration). So, to test this, if you have any configured try removing them.

Without Forwarders the server will use Root Hints to resolve public name requests. If we find the forwarders to be at fault we can either continue with Root Hints or attempt to find new servers to forward to.

Chris
0
 
LVL 38

Expert Comment

by:ChiefIT
Why two nics???????????

Multihomed domains are always problematic.
0
 
LVL 38

Expert Comment

by:ChiefIT
Hey Chris:

Ready to knock another one out?
0
 
LVL 70

Expert Comment

by:Chris Dent

Last few before I go on holiday for a month at the end of the week :) I must remember to stick to those unlikely to be too serious.

Chris
0
 
LVL 38

Expert Comment

by:ChiefIT
So, do you think we should recommend one single NIC for 8 PCs, one SBS and a router/firewall, then straighten out DNS records afterwards?
0
 
LVL 70

Expert Comment

by:Chris Dent

Unless it's running ISA server, yes. I suspect it's just that the forwarders are throttling requests to reduce load, but that's not certain and any other avenue is worth exploring :)

Chris
0
 

Author Comment

by:timetracer
Hi Chris,

The DNS is running with forwarders configured and this was done not so long ago as a solution to this problem we previously had:

http://www.experts-exchange.com/Networking/Protocols/DNS/Q_23770492.html

The issue I have with removing the forwarders is not being able to access certain websites (as in above issue).

We have 2 NICs as we use a hardware firewall and at the time of implementing that, using 2 NICs seemed the more secure way to go.

Also we are not running ISA.

Cheers
0
 
LVL 70

Accepted Solution

by:
Chris Dent earned 200 total points

Okay, I see you're running RRAS on there, so all clients route through the server for internet access? I can't see that giving you any additional security over having clients talk directly to the Firewall. However, that should be put aside, it shouldn't have any impact on name resolution.

Can you try assigning 4.2.2.4 as a Forwarder and see if the problem still occurs? That server belongs to Verizon and should allow forwarding.

Is the problem with root hints restricted to www.firebirdsql.org? I also have a few issues resolving that domain because some of the authoritative name servers are slow to respond.

Chris
0
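The forwarder test discussed in this thread, as an added example that is not part of the original posts: it sends repeated UDP queries to each candidate forwarder and records per-attempt latency, so a resolver that answers most lookups but intermittently times out shows up as failures. The 2-second timeout, five attempts and the `192.0.2.53` placeholder for the ISP resolver are assumptions; `4.2.2.4` and `www.firebirdsql.org` are taken from the thread.

```python
import secrets
import socket
import struct
import time

def build_query(name, qid):
    """Minimal DNS query: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_header(packet, qid):
    """Return (rcode, answer_count); reject anything that is not our reply."""
    if len(packet) < 12:
        raise ValueError("short packet")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if rid != qid or not flags & 0x8000:
        raise ValueError("not a response to this query")
    return flags & 0x000F, an

def probe(server, name, tries=5, timeout=2.0):
    """Latency in ms per attempt; None for a timeout or a non-zero RCODE."""
    results = []
    for _ in range(tries):
        qid = secrets.randbits(16)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            start = time.monotonic()
            try:
                s.sendto(build_query(name, qid), (server, 53))
                data, _ = s.recvfrom(512)
                rcode, _ = parse_header(data, qid)
                elapsed = (time.monotonic() - start) * 1000
                results.append(elapsed if rcode == 0 else None)
            except (ValueError, OSError):  # OSError covers socket timeouts
                results.append(None)
    return results

def summarize(latencies):
    ok = [x for x in latencies if x is not None]
    return {"sent": len(latencies), "failed": len(latencies) - len(ok),
            "worst_ms": round(max(ok), 1) if ok else None}

if __name__ == "__main__":
    # 4.2.2.4 and www.firebirdsql.org come from the thread;
    # 192.0.2.53 is a placeholder for the ISP resolver under test.
    for forwarder in ("4.2.2.4", "192.0.2.53"):
        print(forwarder, summarize(probe(forwarder, "www.firebirdsql.org")))
```

Run it during one of the dropouts as well as when things look healthy; a forwarder that only fails under load will look fine in a single quiet test.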

Author Comment

by:timetracer
Yes we have RRAS routing our internet and VPN access. The main reason for the two NICs was to have physical separation of PCs from the internet.

I can try the Verizon servers, my only issue with that is that we are in Australia and I had configured the forwarders to Telstra (our ISP and biggest ISP in Oz) and we still had the issue so am unsure how far I would get with Verizon.

One question I do have regarding the NICs: what DNS should be in the TCP/IP config of the external NIC? To date it has just had the internal NIC as the DNS. Is this correct?

Cheers
0
 

Author Comment

by:timetracer
Also to add, www.firebirdsql.org was the only site we had issues with.

Further to all this, I noticed yesterday that if the external NIC did not have our ISP in the DNS config we would not send or receive external email (we are using a POP3 connector).
0
 

Author Comment

by:timetracer
Another update.

This morning we were having real issues with internet and as such could not even browse the Microsoft site.

As you suggested I tried the Verizon DNS first on my laptop. Was able to browse all sites with no issue. Then I removed the forwarders for Telstra and put in the Verizon DNS on the server. Changed my LAN setting to obtain auto and flushed the DNS cache. Again I had no issue browsing all sites.

So what concerns me is why can I not use our ISP as a forwarder?

Cheers
0
 
LVL 38

Expert Comment

by:ChiefIT
So, your network topology looks like this?

WWW>>Router/Firewall natted to>>WAN side of server-RRAS- to LAN side of server>>LAN

If so, you may consider putting your Forwarders as your inner Router IP. The reason I say that is because, let's say your ISP changes a DNS server or brings it off line. The dynamic change will have to be done manually in Forwarders, but it is passed down to the router. So, using the router will not require you to change forwarders in the event your ISP changes a few things.

0
 

Author Comment

by:timetracer
Yes our topology is basically as you listed:

modem ==> router/FW (192.168.1.1) ==> External NIC (192.168.1.5) ==> RRAS ==> Internal NIC (192.168.16.2) ==> Nodes (192.168.16.x)

I just tried adding the router as a forwarder and was unable to browse any websites. I have put it back to Verizon. As I mentioned I found it odd that our own ISP's DNS servers were not working correctly. Should this be something I take up with them?

Cheers
0
 
LVL 38

Expert Comment

by:ChiefIT
You're on the same subnet as your internal LAN. I thought you were double natting.

@Chris:
He mentioned that the reason for RRAS was to segregate the clients from the WWW. The router/firewall will do that for him, yah?

It would be much easier to break the RRAS connection and use one NIC. Otherwise, I think he will have to change the subnet between the inner router and outer server. Then, go into DNS and make sure both SRV records are not on the server.

What say you, Chris?
0
 

Author Comment

by:timetracer
Update:

Chief and Chris, have been running Verizon's DNS for about a week now and don't seem to have had any issues. Is this solution then sustainable? Or should we be looking at a different config as per what you are alluding to in the above post?

Cheers
0
 
LVL 38

Assisted Solution

by:ChiefIT
ChiefIT earned 150 total points
I think Chris went on vacation for about a month.

This is my personal opinion, some may disagree:

Dual NICs on a server are usually problematic. Let me explain why:

For DNS, 2003 server has a quirk that registers both SRV records within DNS. SRV (Service) records will show the way to the Authentication server (AD server).

For DHCP, unless told not to in DHCP configuration, your server could try and provide DHCP for both NIC bindings.

For Netbios and SMB shares: More often than not the bindings seem to be messed up in a dual nic configuration. This means you can have browser election problems or be bound to the wrong NIC for file and print sharing.

For internet: Let's say you have two gateways configured. You could end up with intermittent Web access. Also, consider the fact that you might have two Host A records in DNS, (one for each nic). So, you may have intermittent DNS.

Routing over the server is OK if you don't have a hardware router. With a hardware router/firewall in place, routing over the server is just extra, unnecessary traffic over the server.


You are probably good to go, but you might want to consider breaking away from routing over the server. Most of my EE solutions come from folks that haven't configured multihomed servers correctly.
0
 

Author Comment

by:timetracer
Chief, many thanks for your help with this. We don't seem to have had any issues for about 2 weeks now. I understand what you have mentioned above and it is something I will probably look into in the new year when we have some downtime here.

Cheers
0
