Solved

Internet domains not resolving when using internal DNS servers

Posted on 2013-02-04
Last Modified: 2013-02-06
Hello. We have a Windows 2003 R2 domain. We have 2 servers for Active Directory. One server is a DHCP server, both are running Windows DNS services. The DHCP lease pool points to both servers for DNS resolution; 192.168.1.6 as preferred and 192.168.1.5 as alternate. Recently, some internet domains will not resolve. If I remember correctly, I read where you shouldn't use your ISP's domain servers with AD. I could be wrong. If I change the DHCP lease pool option to point to Cox's domain servers, internet domains resolve properly. Can anyone tell me why they won't when using internal DNS servers? They've worked for years without issue. Nothing has changed on the servers. I thought once a DNS query was made to the internal DNS, if it couldn't find a host, it referred to the ISP's domain automatically. I don't understand why typing in the DNS works. We only have one provider, Cox. I appreciate your help.
Question by:CMWinters
10 Comments
 
LVL 4

Expert Comment

by:tycoot
ID: 38852999
I thought once a dns query was made to the internal DNS, if it couldn't find a host, it referred to the ISP's domain automatically.

That is only true if you have a secondary DNS that is your ISP's.
 
LVL 5

Expert Comment

by:tjc123
ID: 38853004
You need to make sure you have a Router setting inside your DHCP server to point to your actual gateway. Your gateway should be your physical router and your router should hold your ISP's DNS servers. DHCP will then hand out the appropriate internal name servers and gateway addresses to clients in order to resolve host names.
 
LVL 6

Assisted Solution

by:mmahaek
mmahaek earned 167 total points
ID: 38853028
Set up your DHCP to hand out your internal DNS servers to your clients. On each of your DNS servers, set forwarding settings to make sure root hints are used if no forwarders are available. You can optionally add your ISP as a forwarder, which will have your DNS server go out to your ISP to pull public DNS queries on behalf of your clients.
 
LVL 16

Accepted Solution

by:
PaciB earned 333 total points
ID: 38854624
Hi,

What mmahaek said is the solution. It must be done like mmahaek says.

What I read before mmahaek's post MUST NOT BE DONE!!!
When you are in an AD domain you MUST NEVER mix internal DNS servers and external DNS servers in your IP settings on any machine. Clients and servers MUST ONLY interrogate internal DNS servers, and internal DNS servers must be configured with DNS forwarders to be able to resolve external names.

Also, don't confuse IP routing and DNS resolution... Of course IP routing must work, but your router is not and must not become your DNS server.

Mmahaek should have the points, but if you want an explanation of why you must never mix internal and external DNS servers you may read the article I wrote about that: http://www.experts-exchange.com/Networking/Protocols/DNS/A_11136-Some-important-DNS-concepts-for-good-diagnosis-and-good-configuration.html


Have a good day.
 
LVL 5

Expert Comment

by:tjc123
ID: 38854793
PaciB,

Your router facing the internet has to be your gateway; otherwise, how is your internal traffic going to be able to resolve external host names? All you do is have your internal DNS servers point to themselves and hand out their address to internal clients via DHCP, with a router entry in the DHCP settings that points to the internal IP of the external gateway. That's all that I said and it is absolutely 100% correct.
 
LVL 16

Expert Comment

by:PaciB
ID: 38854894
tjc123,


What you say in your last post is correct and I agree 150% with that.

But in your previous post you said that:
"and your router should hold your ISP's DNS servers"

What does a router have to do with DNS servers???? Or maybe I have not understood what this phrase means?

By the way, the author said that:
"If I change the DHCP lease pool option to point to Cox's domain servers, internet domains resolve properly"
To my understanding it means that routing is correct... The DHCP settings about the router are correct...

Only DNS is involved in this issue and that's why I warned about any confusion.


Have a good day.
 
LVL 5

Expert Comment

by:tjc123
ID: 38855013
The router I referenced is your internet-facing router (gateway) responsible for resolving external host names, allowing you access to the internet. Sorry if that was confusing.
 
LVL 11

Expert Comment

by:hecgomrec
ID: 38855811
In other words, your machines should be using your DNS (internal) server. This will speed internal traffic between machines, printers, etc. Your Internet Gateway (router, modem, etc.) where your ISP connection is plugged in should be using those provided by your ISP.
 
LVL 16

Assisted Solution

by:PaciB
PaciB earned 333 total points
ID: 38856101
NOOOOO!
Why does everybody want to mix routing equipment and DNS service!!???

The Internet Gateway is a router! ONLY a router, and it must be considered like that. A router does not resolve DNS names!

Oh yes! Your DSL router at home is also a DHCP server and a DNS server, but this is at home!!! NOT HERE!!!

So please, this box (whatever you call it, router, modem, or anything else) is a simple ROUTER. We don't care if it is also able to be a DHCP or DNS server... We don't use these features here.
Here, the domain controllers are the DNS servers, and are the DHCP server.

Here is what MUST BE DONE:

1) In the DNS console on the domain controllers, right-click on the server and choose "Properties". There's a tab called "Forwarders". Add a forwarder that points to the IP address of each ISP DNS server. Done like that, your DNS server is now able to forward requests for external names to external DNS servers on the ISP network.

2) Configure ALL machines (servers, DCs, workstations) to ONLY interrogate internal DNS servers.

And again, NEVER use external DNS servers in the IP settings of any machine that is a member of a domain. If you want a precise explanation of this rule you should read my article: http://www.experts-exchange.com/Networking/Protocols/DNS/A_11136-Some-important-DNS-concepts-for-good-diagnosis-and-good-configuration.html
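The two steps PaciB lists above (forwarders on the DCs, internal-only DNS for every domain member), together with mmahaek's root-hints fallback, as an added example that is not from this thread or any poster: it assumes the DnsServer and DhcpServer PowerShell modules of Windows Server 2012 or later (the 2003 R2 boxes in the question would use dnscmd.exe and netsh, noted in comments), and the ISP resolver and gateway addresses are placeholders, since the thread does not give them.

```powershell
# Added example, not from the thread. Requires the DnsServer and DhcpServer
# modules (Windows Server 2012+); the dnscmd/netsh equivalents for 2003 R2 are
# given in comments. Only 192.168.1.5 and 192.168.1.6 come from the question;
# every other address below is a placeholder assumption.

$InternalDns   = @('192.168.1.6', '192.168.1.5')   # the two DCs from the question
$IspForwarders = @('203.0.113.53', '203.0.113.54') # PLACEHOLDER: the ISP's resolvers
$Gateway       = '192.168.1.1'                     # PLACEHOLDER: internal IP of the router
$ScopeId       = '192.168.1.0'                     # assumed DHCP scope for the LAN

# Step 1 (PaciB): on each DC, forward queries for names the server is not
# authoritative for to the ISP resolvers. -UseRootHint keeps root hints as the
# fallback mmahaek describes, so external names still resolve if both forwarders
# stop answering (the symptom in the question when an ISP resolver changes).
foreach ($dc in $InternalDns) {
    Set-DnsServerForwarder -ComputerName $dc -IPAddress $IspForwarders -UseRootHint $true
    # 2003 R2 equivalent:  dnscmd $dc /ResetForwarders 203.0.113.53 203.0.113.54
    Get-DnsServerForwarder -ComputerName $dc | Select-Object IPAddress, UseRootHint
}

# Step 2 (PaciB): DHCP hands out ONLY the internal DNS servers (option 006) and
# the router (option 003). The ISP resolvers never appear in client settings, so
# a domain member can never fall over to a server that knows nothing about AD.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $InternalDns -Router $Gateway
# 2003 R2 equivalent:
#   netsh dhcp server scope 192.168.1.0 set optionvalue 006 IPADDRESS 192.168.1.6 192.168.1.5
#   netsh dhcp server scope 192.168.1.0 set optionvalue 003 IPADDRESS 192.168.1.1

# Audit check: run on any domain member (DCs included, since they must point at
# themselves or each other). Returns $false if any configured DNS server is not
# one of the internal servers, which is exactly the mixed setup PaciB warns about.
function Test-InternalDnsOnly {
    param([string[]]$Allowed)
    $foreign = Get-DnsClientServerAddress -AddressFamily IPv4 |
        ForEach-Object { $_.ServerAddresses } |
        Where-Object { $_ -and ($Allowed -notcontains $_) }
    if ($foreign) {
        Write-Warning "Mixed DNS configuration, external resolvers present: $($foreign -join ', ')"
        return $false
    }
    return $true
}

# Verification: resolve an external name THROUGH the internal server (not around
# it), which exercises the forwarder path the question's clients depend on.
Resolve-DnsName -Name www.example.com -Type A -Server $InternalDns[0]
Test-InternalDnsOnly -Allowed $InternalDns
```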
 

Author Closing Comment

by:CMWinters
ID: 38861843
Thanks to all of you for your time.