Internet domains not resolving when using internal DNS servers

Posted on 2013-02-04
Last Modified: 2013-02-06
Hello. We have a Windows 2003 R2 domain. We have 2 servers for Active Directory. One server is a DHCP server, both are running Windows DNS services. The DHCP lease pool points to both servers for DNS resolution; as preferred and as alternate. Recently, some internet domains will not resolve. If I remember correctly, I read where you shouldn't use your ISP's domain servers with AD. I could be wrong. If I change the DHCP lease pool option to point to Cox's domain servers, internet domains resolve properly. Can anyone tell me why they won't when using internal DNS servers? They've worked for years without issue. Nothing has changed on the servers.  I thought once a dns query was made to the internal DNS, if it couldn't find a host, it referred to the ISP's domain automatically. I don't understand why typing in the DNS works.  We only have one provider, Cox. I appreciate your help.
Question by:CMWinters
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions

Expert Comment

ID: 38852999
I thought once a dns query was made to the internal DNS, if it couldn't find a host, it referred to the ISP's domain automatically.

That is only true if you have a secondary DNS that is your ISPs

Expert Comment

ID: 38853004
You need to make sure you have a Router setting inside your DHCP server to point to your actual gateway.  Your gateway should be your physical router and your router should hold your ISPs DNS servers.  DHCP will then hand out the appropriate internal name servers and gateway addresses to clients in order to resolve host names.

Assisted Solution

mmahaek earned 167 total points
ID: 38853028
Setup your DHCP to hand out your internal DNS servers to your clients.  On each of your DNS servers, set forwarding settings to make sure root hints are used if no forwarders are available.  You can optionally add your ISP as a forwarder, which will have your DNS server go out to your ISP to pull public DNS queries on behalf of your clients.
Free eBook: Backup on AWS

Everything you need to know about backup and disaster recovery with AWS, for FREE!

LVL 16

Accepted Solution

Bruno PACI earned 333 total points
ID: 38854624

What mmahaek said is the solution. It must be done like mmahaek says.

What I read before mmaheak's post MUST NOT BE DONE !!!
When you are in a AD domain you MUST NEVER mix internal DNS servers and external DNS severs in your IP settings on any machine. Clients and serves MUST ONLY interrogate internal DNS servers, and internal DNS servers must be configured with DNS forwarders to be able to resolve external names.

Also, don't confuse IP routing and DNS resolution... Of course IP routing must work, but your router is not and must not became your DNS server.

Mmahaek should have the points, but if you want an explanation of why you must never mix internal and external DNS servers you may read my article I wrote about that :

Have a good day.

Expert Comment

ID: 38854793

Your router facing the internet has to be your gateway, otherwise, how is your internal traffic going to be able to resolve external host names?  All you do is have your internal DNS servers point to themselves and hand out their address to internal clients via DHCP, with a router entry in the DHCP settings that points to the internal IP of the external gateway. That's all that I said and it is absolutely 100% correct.
LVL 16

Expert Comment

by:Bruno PACI
ID: 38854894

What you say in your last post is correct and I agree 150% with that.

But in your previous post you said that:
and your router should hold your ISPs DNS servers

What a router has to do with DNS servers ???? Or May be I have not understood what this phrase means ?

By the way, the author said that:
If I change the DHCP lease pool option to point to Cox's domain servers, internet domains resolve properly
For my understanding it means that routing is correct... DHCP settings about router is correct...

Only DNS is involved in this issue and that's why I warned about any confusion.

Have a good day.

Expert Comment

ID: 38855013
The router I referenced is your internet facing router (gateway) responsible for resolving external host names allowing you access to the internet.  Sorry if that was confusing.
LVL 11

Expert Comment

ID: 38855811
In other words, your machines should be using your DNS (internal) server.  This will speed internal traffic between machines, printers, etc.  Your Internet Gateway (router, modem, etc) where your ISP connection is plug should be using those provided by your ISP.
LVL 16

Assisted Solution

by:Bruno PACI
Bruno PACI earned 333 total points
ID: 38856101
Why everybody want to mix routing equipment and DNS service !!???

The Internet Gateway is a router ! ONLY a router and must be considered like that. A router does not resolve DNS names !

Oh yes ! Your DSL router at home is also a DHCP server and a DNS server, but this is at home !!! NOT HERE !!!

So please, this box (whatever you call it, router, modem, or anything else) is a simple ROUTER. We don't care if it also is able to be DHCP or DNS server... We don't use these features here.
Here, the Domain controllers are the DNS servers, and are the DHCP server.

Here is what MUST BE DONE:

1) on the DNS console on the domain controllers, right-click on the server and choose "properties". There's a tab called "forwarders". Add a forwarder that point to IP address of each ISP DNS server. Doing like that, your DNS server is now able to forward request for external names to external DNS servers at the ISP network.

2) configure ALL machines (servers, DCs, workstation) to ONLY interrogate internal DNS servers

And again, NEVER use external DNS servers in IP settings on any machine that is member of a domain. If you want a precise explanation of this rule you should read my article :

Author Closing Comment

ID: 38861843
Thanks to all of you for your time.

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
NetCrunch network monitor is a highly extensive platform for network monitoring and alert generation. In this video you'll see a live demo of NetCrunch with most notable features explained in a walk-through manner. You'll also get to know the philos…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…

695 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question