  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 529
  • Last Modified:

Unable to resolve internet site from inside 2008 AD domain

Hello, I'm having a problem within our Windows 2008 domain: we cannot resolve a website on the internet. It does indeed exist, and using different internet servers with nslookup resolves it. However, we cannot get to it from inside on any of our DNS servers. We do not have a forward lookup zone associated with the domain that we cannot get to, so it's not a matter of a missing www host record. Any ideas how to troubleshoot?

ron_harris
Asked:
3 Solutions
 
giltjrCommented:
Is the host name you are trying to resolve within your IP domain name space?

If yes, then you need to code the A record within your DNS server pointing to the correct IP address.

If no, then can you resolve any host names (like www.experts-exchange.com) from within your network?
0
 
oleg-gilevCommented:
For resolving external domains over your DNS server you need to set up a DNS forwarder.
Add your ISP's NS servers to the DNS Forwarding tab in the Properties of your DNS Server.
0
 
ron_harrisAuthor Commented:
No, it's not looking like it's a part of our IP domain name space.

We can resolve other sites without an issue.
0
 
ron_harrisAuthor Commented:
to oleg-gilev: We have our internal DNS servers pointing to ISP DNS servers.
0
 
ron_harrisAuthor Commented:
What's even more interesting is a ping -a (address to hostname) to the address I found on a public DNS server resolves the address for us internally to the right host. But it still does not work when trying to resolve the host name to an address.
0
 
giltjrCommented:
So:

host name is not within your domain
you have your DNS set up with forwarders
you can resolve other host names without issues

You say you can resolve the name from your desktop using nslooup, but when you point your browser to it you can't get to it?

Could the remote site be blocking traffic so that only specific IP addresses can access their server?
0
 
giltjrCommented:
Oops, should have been nslookup.

However, now I'm confused. You seem to be saying that from your computer:

nslookup hostname works
ping hostname does not work

Is that right?
0
 
ron_harrisAuthor Commented:
Correct:
not within our domain,
forwarders are set up,
resolving other sites without a problem.

I can resolve it from my desktop when I use NSlookup with one of our internet forwarders as the server.

I don't think that's the case; I tried from my cell phone to get to it, and I did.
0
 
ron_harrisAuthor Commented:
No, re-read the comment above. What I said was weird is that if you ping with a reverse lookup (PING -A) it resolves the IP that I found through our ISP DNS. If I ping the hostname flat out (PING) it does not resolve.
0
 
giltjrCommented:
ping -a x.x.x.x does a reverse lookup.  If this works, that just means there is a PTR record for the address.

ping hostname does a forward lookup.  If that works, then there is an A or CNAME.  If it does not work, that means one of the following:

1) There is no A or CNAME (which you have proven there is one, so it's not this).
2) A DNS query timed out.
3) A DNS resolver in the path may be corrupted and thinks there is no host with that name.
4) A DNS server that is authoritative for that domain does not have the most recent zone or is corrupted and does not know about that host.

I would suggest installing a packet capture utility (I use Wireshark) and capturing the DNS lookup on your desktop from the ping command to see if you are timing out or if your DNS server is saying "no such host".

If your DNS server is saying "no such host", then you need to run a capture on it to see if it is properly forwarding the request and what answer it gets back.
0
 
ron_harrisAuthor Commented:
Well, pinging with a forward lookup does not work, so apparently there is an A record or CNAME record.  But I don't understand why I would need one for an internet site within our domain's DNS records. The site is 132.X.X.X, so it is a public routable IP network that does not exist on our network.
0
 
Darius GhassemCommented:
Are you using DNS Forwarders?

http://technet.microsoft.com/en-us/library/cc773370(WS.10).aspx

Make sure they are up to date.
0
 
ron_harrisAuthor Commented:
Yes with a very large service provider.
0
 
Darius GhassemCommented:
Really points to an internet DNS issue. Seems like the record hasn't fully replicated to the internet DNS servers yet, which could be the problem. Try using the 4.2.2.2 DNS server on a client to see if this pulls up the correct website.

Make sure you clear the DNS server cache and run ipconfig /flushdns on the client to see if the client/server cache is holding on to an old record.
0
 
ron_harrisAuthor Commented:
I'm going to try this and contact the ISP.
0
 
Darius GhassemCommented:
Sounds good
0
 
giltjrCommented:
Um, I'm not sure contacting your ISP is going to do you any good, unless I misunderstood one of your posts.

I thought you said running nslookup against your ISP's DNS server worked, which means your ISP has the correct information.

I would say that you still may want to run a packet capture on your DNS server to see what it is getting, what request it is forwarding, and what answer it is getting back.
0
 
ron_harrisAuthor Commented:
I ran the packet capture; it all looks to be going to the correct source based on the IPs replying and being sent to. Is it possible our internet DNS servers aren't replying back fast enough and thus timing out?
0
 
giltjrCommented:
That is a possibility.  How quickly are they replying?  The timeout should be at least 5 seconds; I think Windows actually defaults to 30 seconds.

So your AD DNS server is getting back the correct answer, but not forwarding it to the desktop?
0
 
ron_harrisAuthor Commented:
I'm just speculating at this point; let me repost when we switch Primary and Secondary internet DNS servers.
0
 
ron_harrisAuthor Commented:
No luck when we have swapped forwarders, and I'm out of ideas on this one.
0
 
oleg-gilevCommented:
Try resolving your host by nslookup sequentially via the following list of NS servers:
1: 4.2.2.2
2: Your ISP's DNS
3: Your local DNS

Then you find out where resolution fails.

Temporarily you can fix your problem by setting up conditional DNS forwarding:
In the Win2008 server's DNS console navigate to the Conditional Forwarders folder, add a new conditional forwarder, in the DNS Domain field type your unresolving domain, and in the NS servers list add the 4.2.2.2 IP address.
After that all your DNS requests will be handled as usual, but requests to unresolvingdomain.com will be handled by the global DNS resolver.
0
 
ron_harrisAuthor Commented:
We've finally found the issue.

Our Cisco ASA was dropping the EDNS packets being returned. The issue is that, by default, the ASA will drop DNS packets greater than 512 bytes.

2 ways to fix:

Disable EDNS on DC's with command:
dnscmd /config /enableednsprobes 0
http://support.microsoft.com/kb/832223

-or-

Change the ASA to receive more than 512 bytes.

Here are a few links that describe this:
https://supportforums.cisco.com/message/3056134
http://www.networkstraining.com/cisco-asa-and-dnssec-probable-issue-with-packet-size/

0
 
ron_harrisAuthor Commented:
This solution is the only way we could get this working.
0
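A small client-side check for the failure mode found in this thread, added here as an example and not code from the thread or from any of the vendors mentioned: it builds a plain DNS query and the same query with an EDNS0 OPT record advertising a large UDP payload, and classifies whatever comes back by length, TC bit and RCODE. If the plain query answers but the EDNS query times out on the inside, while both answer from outside the firewall, a middlebox enforcing the 512-byte limit is the likely cause. Server addresses and the sample response are constructed inputs.

```python
import socket
import struct
from typing import Optional

DNS_PORT = 53

def encode_name(name: str) -> bytes:
    # "www.example.com" -> length-prefixed labels terminated by a zero byte
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1, edns_udp_size: Optional[int] = None,
                txid: int = 0x1234) -> bytes:
    # Header: id, flags (RD=1), qdcount, ancount, nscount, arcount
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b""
    if edns_udp_size:
        # EDNS0 OPT pseudo-RR (RFC 6891): root name, type 41, CLASS field carries the
        # advertised UDP payload size, TTL field carries ext-rcode/version/flags, no RDATA.
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt

def classify_response(resp: bytes) -> dict:
    # Only the header fields that matter for the ">512 bytes" symptom are decoded.
    if len(resp) < 12:
        return {"length": len(resp), "error": "short response"}
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {
        "length": len(resp),
        "truncated": bool(flags & 0x0200),   # TC bit: answer did not fit
        "rcode": flags & 0x000F,             # 0 = NOERROR, 3 = NXDOMAIN
        "answers": an,
        "over_512": len(resp) > 512,         # would trip a 512-byte DNS inspection limit
    }

def probe(server: str, name: str, edns_udp_size: Optional[int] = None,
          timeout: float = 5.0) -> Optional[dict]:
    # One UDP query; None means no reply in time, the signature of a silently dropped response.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, edns_udp_size=edns_udp_size), (server, DNS_PORT))
        try:
            data, _ = s.recvfrom(65535)
        except socket.timeout:
            return None
    return classify_response(data)

if __name__ == "__main__":
    # Constructed 600-byte reply with QR and TC set: what a large EDNS answer looks like on the wire.
    sample = struct.pack("!HHHHHH", 0x1234, 0x8200, 1, 1, 0, 1) + b"\x00" * 588
    print(classify_response(sample))
    # Real use: compare probe("<inside DNS IP>", "host.example") with edns_udp_size=None and 4096.
```

Run the plain and EDNS probes against the internal DNS server and then against an outside resolver; a None only for the EDNS case on the inside path points at the firewall rather than at the zone.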
