timetracer

asked on

DNS Configuration Issue

Hi Experts,

We have a DNS problem with our SBS 2003 box. We have a single domain and single server which runs DHCP, Exchange and a variety of other things for about 8 PCs. The server has 2 NICs, one which points internally to the network and the other which hooks into our router/firewall.

In the last 3-4 months we have had ever more frequent periods where the internet appears to drop out. This seems to happen randomly and more often than not is only brief, 2-3 minutes, before access appears to be restored. When this has happened I have logged onto the router and the WAN interface is still up. What alerted me to it being a DNS issue is that last week, when this happened again, I manually changed the DNS settings on my laptop to be those of our ISP (as taken from our router) and had internet access while the other PCs did not.

Yesterday we had a proper internet outage which required a reset of all the hardware and since then the only way the PCs on the network can browse the internet is by them having the ISPs DNS servers manually added in the LAN connection. Also on the server we cannot send or receive email now unless the ISPs DNS servers are added to the external NIC connection. Previously they were never there and this may be the problem?

Basically what I would like to achieve is to have our server running DNS correctly so that PCs on our network do not require DNS settings to be manually added.

Any help is greatly appreciated.
Chris Dent

Hey,

Is your DNS server running with Forwarders configured? You'll find that if you open the DNS Console, then the properties for the server, and the Forwarders tab.

The most common cause of a problem like this is Forwarders failing to respond in a timely fashion (even if those Forwarders appear to answer requests when used in TCP/IP configuration). So, to test this, if you have any configured try removing them.

Without Forwarders the server will use Root Hints to resolve public name requests. If we find the forwarders to be at fault we can either continue with Root Hints or attempt to find new servers to forward to.

Chris
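The forwarder test described above (do the configured forwarders answer, and do they answer in a timely fashion?) can be checked independently of the Windows DNS service. The script below is an added example written for this page, not code from the thread or from Microsoft. It sends an A query for www.firebirdsql.org (the site named later in the thread) straight to each forwarder address given on the command line, times the reply, and flags timeouts, error rcodes and slow answers. The 2-second timeout and the 1000 ms "slow" threshold are this example's own choices, not Windows DNS defaults, and the sample response used for offline checking is constructed.

```python
"""Probe DNS forwarders directly over UDP and time their answers (added example)."""
import random
import socket
import struct
import time


def build_query(name, qid=None):
    """Build a minimal A query with RD set, as a forwarding DNS server would send."""
    if qid is None:
        qid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    qname = b""
    for label in name.rstrip(".").split("."):
        qname += bytes([len(label)]) + label.encode("ascii")
    qname += b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(buf, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(buf, expected_id):
    """Parse a DNS response; return rcode, truncation flag and A records."""
    if len(buf) < 12:
        raise ValueError("response shorter than a DNS header")
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", buf[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("packet is not a response")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(buf, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        _, offset = _read_name(buf, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[offset:offset + 10])
        offset += 10
        rdata = buf[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0x000F, "truncated": bool(flags & 0x0200), "answers": answers}


def probe_forwarder(server, name, timeout=2.0):
    """Send one query straight to `server` (port 53/udp) and time the answer."""
    qid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
        result = parse_response(data, qid)
    except (socket.timeout, OSError, ValueError) as exc:
        result = {"rcode": None, "truncated": False, "answers": [], "error": type(exc).__name__}
    finally:
        sock.close()
    result["server"] = server
    result["ms"] = round((time.monotonic() - start) * 1000)
    return result


def classify(result, slow_ms=1000):
    """Label a probe result the way a forwarder health check would."""
    if result.get("error"):
        return "no answer (%s)" % result["error"]
    if result["rcode"] != 0:
        return "error rcode %d" % result["rcode"]
    if result["ms"] > slow_ms:
        return "slow (%d ms)" % result["ms"]
    return "ok (%d ms)" % result["ms"]


def build_sample_response(qid, name, ip, ttl=300):
    """Constructed NOERROR reply with one A record, for offline checking only.
    The answer name is a pointer (0xC00C) back to the question name at offset 12."""
    question = build_query(name, qid)[12:]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


if __name__ == "__main__":
    import sys
    # Usage: python probe_forwarders.py 203.0.113.1 203.0.113.2  (placeholder forwarder IPs)
    for server in sys.argv[1:]:
        print(server, classify(probe_forwarder(server, "www.firebirdsql.org")))
```

Run it from the SBS box itself so the query leaves through the same interface the DNS service uses, and repeat it a few times during one of the drop-outs: a forwarder that answers quickly from a client via nslookup but times out or returns an error rcode here is the one the DNS service is waiting on.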
Why two nics???????????

Multihomed domains are always problematic.
Hey Chris:

Ready to knock another one out?

Last few before I go on holiday for a month at the end of the week :) I must remember to stick to those unlikely to be too serious.

Chris
So, do you think we should recommend one single NIC for 8 PCs, one SBS and a router/firewall, then straighten out DNS records afterwards?

Unless it's running ISA server, yes. I suspect it's just that the forwarders are throttling requests to reduce load, but that's not certain and any other avenue is worth exploring :)

Chris
timetracer (ASKER)

Hi Chris,

the DNS is running with forwarders configured and this was done not so long ago as a solution to this problem we previously had:

https://www.experts-exchange.com/questions/23770492/Can't-access-certain-websites-DNS-issue.html

The issue I have with removing the forwarders is not being able to access certain websites (as in above issue).

We have 2 NICs as we use a hardware firewall and at the time of implementing that, using 2 NICs seemed the more secure way to go.

Also we are not running ISA.

Cheers
ASKER CERTIFIED SOLUTION (Chris Dent)

Yes we have RRAS routing our internet and VPN access. The main reason for the two NICs was to have physical separation of PCs from the internet.

I can try the Verizon servers, my only issue with that is that we are in Australia and I had configured the forwarders to Telstra (our ISP and biggest ISP in Oz) and we still had the issue so am unsure how far I would get with Verizon.

One question I do have regarding the NICs: what DNS should be in the TCP/IP config of the external NIC? To date it has just had the internal NIC as the DNS. Is this correct?

Cheers
Also to add, www.firebirdsql.org was the only site we had issues with.

Further to all this, I noticed yesterday that if the external NIC did not have our ISP in the DNS config we would not send or receive external email (we are using a POP3 connector).
Another update.

This morning we were having real issues with internet and as such could not even browse the microsoft site.

As you suggested I tried the Verizon DNS first on my laptop. I was able to browse all sites with no issue. Then I removed the forwarders for Telstra and put in the Verizon DNS on the server. I changed my LAN setting to obtain automatically and flushed the DNS cache. Again I had no issue browsing all sites.

So what concerns me is why can I not use our ISP as a forwarder?

Cheers
So, your network topology looks like this?

WWW>>Router/Firewall natted to>>WAN side of server-RRAS- to LAN side of server>>LAN

If so, you may consider putting your Forwarders as your inner Router IP. The reason I say that is because, let's say your ISP changes a DNS server or brings it off line. The dynamic change will have to be done manually in Forwarders, but it is passed down to the router. So, using the router will not require you to change forwarders in the event your ISP changes a few things.

Yes our topology is basically as you listed:

modem ==> router/FW (192.168.1.1) ==> External NIC (192.168.1.5) ==> RRAS ==> Internal NIC (192.168.16.2) ==> Nodes (192.168.16.x)

I just tried adding the router as a forwarder and was unable to browse any websites. I have put it back to Verizon. As I mentioned I found it odd that our own ISPs DNS were not working correctly. Should this be something I take up with them?

Cheers
You're on the same subnet as your internal LAN. I thought you were double NATting.

@Chris:
He mentioned that the reason for RRAS was to segregate the clients from the WWW. The router/firewall will do that for him, yah?

It would be much easier to break the RRAS connection and use one NIC. Otherwise I think he will have to change the subnet between the inner router and outer server. Then, go into DNS and make sure both SRV records are not on the server.

What say you, Chris?
Update:

Chief and Chris, we have been running Verizon's DNS for about a week now and don't seem to have had any issues. Is this solution then sustainable? Or should we be looking at a different config as per what you are alluding to in the above post?

Cheers
SOLUTION

Chief, many thanks for your help with this. We don't seem to have had any issues for about 2 weeks now. I understand what you have mentioned above and it is something I will probably look into in the new year when we have some downtime here.

Cheers