DNS cannot resolve a few external domains?

dkraut asked:

I'm having a somewhat perplexing DNS issue with only a "few" external domains.  Name resolution to external domains works fine with the exception of a few domains (that coincidentally belong to a partner company) that will not resolve from within our internal network.  We're using AD integrated DNS with a Forwarder setup which points to our external DNS server.  There are no internal zones created for these problem domains.  All other external domains resolve fine.  When I perform an nslookup against these domains from inside our network, they time out, but they resolve just fine outside of our network.  Shouldn't a name query try the Forwarder and then, if it fails, use root hints?  I've been able to temporarily resolve the issue by using conditional forwarders, but I'd like to find the root cause.  Not sure what else I can do to troubleshoot why only three external domains are not resolving from within our internal network?
burners

REMOVE THE FORWARDERS !!!!
You should NOT have forwarders in place.
Make sure ALL of your root hints are in place.

Ping the domains, what's the IP if any, then try a traceroute and see where it fails.

If they are hosted internally then you DO need to put some items in place in the firewall, google can help you with this or let me know which model firewall you have.
atifnaeemmalik

You can use an external DNS as Secondary DNS in TCP / IP Settings
Bruno PACI
Hi,

I'm just reacting to atifnaeemmalik's answer because his advice is not good.

If you have internal DNS servers YOU MUST NOT (NEVER !!!) query external DNS servers directly. External servers will always obtain authoritative answers for any domain name. If your internal domain name is not publicly known (for example a domain name ending in .local), external DNS servers will give the authoritative answer "this domain does not exist" and your DNS client will stop searching for a positive answer because the negative answer is authoritative !! You'll be in a situation where your internal DNS client won't be able to locate your internal domain because of the external DNS server's negative answer.

This mistake is commonly made by some people installing proxy servers. They usually think that the DNS client will query ALL the DNS servers it knows, but that's not true !
The DNS client service will first query the last DNS server it used before. If this DNS server gives an authoritative answer then the client trusts this answer and doesn't search any more. If the last used DNS server never responds then the DNS client will ask the other DNS servers it knows one by one, with an interval of 1 second.


About "burners" answer, I agree that if you want to use root hints then you should avoid forwarders, but if you want to use forwarders you should avoid using root hints.
You use forwarders when you want your DNS server to pass requests on to some specific DNS server, for example the DNS server of your Internet provider.


About the partner company DNS domain names, is there a common part with your internal DNS domain name? If so, does your DNS server host this common DNS zone?


Have a good day.
dkraut

ASKER

Good info... we're using the forwarder as a security measure.  DNS is only allowed through the firewall to this specific server.  The domain names we're having trouble with are completely different from our name space.  My guess is that the server we're forwarding to has some issue resolving the names, but it's a BSD server that someone else set up so I'm not sure how to test it directly.
Hi,

From your internal DNS server, open a CMD prompt and type NSLOOKUP.
At the nslookup prompt, type: server xxx.xxx.xxx.xxx
(where xxx.xxx.xxx.xxx is the IP address of the DNS server you forward requests to)
Then type a public FQDN ending with a dot (for example www.microsoft.com.)
You should obtain the answer from the DNS server xxx.xxx.xxx.xxx
Now try with the FQDN of a partner server in the partner DNS domain, ending with a dot (example server.mypartner.net.). Of course you must ask for a name that you're sure exists (the best way is to check it first from an external network).
If the requested DNS server (xxx.xxx.xxx.xxx) is able to resolve the requested name you'll obtain the answer.

Have a good day.
You can test it by setting your workstation to use the BSD server as its DNS and leaving the secondary blank.
dkraut

ASKER

So when I do an nslookup using our external DNS server IP address, it replies with the domain name queried followed by Served By: and then lists the authoritative DNS servers for that domain, or in the case of google.com, microsoft.com, etc., it lists root hints such as g.gtld-servers.net?
Hi,

Try typing a host name instead of a domain name (example: www.microsoft.com instead of microsoft.com).

Do you get a positive answer with the correct IP?

Have a good day.
dkraut

ASKER

Yes, I was using www.  This is what I'm getting:

C:\>nslookup www.microsoft.com 139.x.x.x
Server:  ns1.******.com
Address:  138.x.x.x

Name:    www.microsoft.com
Served by:
- ns3.msft.net
          213.199.161.77
          microsoft.com
- ns4.msft.net
          207.46.75.254
          microsoft.com
- ns5.msft.net
          65.55.226.140
          microsoft.com
- ns1.msft.net
          65.55.37.62
          microsoft.com
- ns2.msft.net
          64.4.59.173
          microsoft.com
C:\>nslookup www.cisco.com 139.x.x.x
Server:  ns1.*****.com
Address:  138.x.x.x

Name:    www.cisco.com
Served by:
- ns2.cisco.com
          64.102.255.44
          cisco.com
- ns1.cisco.com
          128.107.241.185
          cisco.com
ASKER CERTIFIED SOLUTION
Bruno PACI

dkraut

ASKER

PaciB, that was an excellent summation and what I was thinking too.  Also, your English is fine.  :)
I just checked and recursion to the forwarder is allowed on both of our internal DNS servers, so the FreeBSD server must have recursion disabled for some reason.  I'll do a little digging on the FreeBSD server to see what I can learn.  I'll let you know what I find.

Thanks!
Did you try public DNS?