Solved

DNS question

Posted on 2014-02-25
Last Modified: 2014-03-15
Default Server:   mydnsserver
Address:  10.10.10.5

> 10.10.10.45
Server:   mydnsserver
Address:  10.10.10.5

*** mydnsserver can't find 10.10.10.45: Query refused
> server12
Server:  mydnsserver
Address:  10.10.10.5

*** mydnsserver can't find client: Non-existent domain



I spoke to the person who manages the DNS server; he said "You have the incorrect DNS servers listed here, this is in the prod domain not dev domain."


What I don't understand is I am able to resolve another server which is in the same domain as where server12 is sitting.


He made some changes on the DNS server and it worked. I need to know what exactly the problem was and am trying to understand the issue. He doesn't want to explain and is putting the problem on my side.

Please help.

Doesn't this mean the issue is on the DNS server side?
*** mydnsserver can't find 10.10.10.45: Query refused
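As an added example that is not part of the question: a PowerShell check that sends the same two lookups directly to each candidate DNS server, so a "Query refused" or "Non-existent domain" answer can be tied to one specific server instead of to "DNS" in general. It assumes a client with the DnsClient module (Windows 8 / Server 2012 or later; on Windows 7 the equivalent is `nslookup <name> <server>` for each server), and the server list is a placeholder to fill in with both the dev and the prod DNS addresses.

```powershell
# Added example, not from the question. List every DNS server the PC might be using:
# the dev server quoted above (10.10.10.5) plus the prod server the DNS admin referred to.
$servers = @('10.10.10.5')                 # placeholder: add the prod DNS server address here
$targets = @('server12', '10.10.10.45')    # forward (A) and reverse (PTR) lookups from the question

foreach ($server in $servers) {
    foreach ($target in $targets) {
        try {
            # -DnsOnly bypasses the hosts file, client cache and NetBIOS/LLMNR, so the answer comes from $server alone.
            $records = Resolve-DnsName -Name $target -Server $server -DnsOnly -ErrorAction Stop
            foreach ($rr in $records) {
                $value = if ($rr.IPAddress) { $rr.IPAddress } else { $rr.NameHost }
                '{0,-16} {1,-14} OK    {2,-5} {3}' -f $server, $target, $rr.Type, $value
            }
        } catch {
            # REFUSED: the server is reachable but its policy declines this query (it is not the server for that
            #          zone, recursion is disabled for this client, or it does not host the reverse zone at all).
            # "DNS name does not exist" (NXDOMAIN): the server answered that no record exists for the name.
            # A timeout instead means no DNS answer at all, i.e. a routing or firewall question, not a DNS one.
            '{0,-16} {1,-14} FAIL  {2}' -f $server, $target, $_.Exception.Message
        }
    }
}
```

One line per server and target makes it obvious whether every server refuses, only one does, or the name simply does not exist in the zone that server is authoritative for.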
Question by: ittechlab
 

Expert Comment

by:BillBondo
ID: 39886463
Sounds like two separate networks? Did he include both DNS servers in the IP config? Change default gateways? Need more information.
 

Expert Comment

by:amclaughlin01
ID: 39886478
If that happens again, you can try pinging the address itself to make sure it can see the address.  If it can, then it would be a DNS issue.

To resolve the issue, he could have reloaded/refreshed the DNS records.  It might be possible that the IP address had once been assigned to another name and he had to clear it out of cache for it to resolve correctly.

It could be possible that he entered it incorrectly, and didn't want to admit it...

Hope that helps.
 

Author Comment

by:ittechlab
ID: 39886488
Here is the scenario

I have four servers, and I did nslookup in the dev environment.

From my Windows 7 PC, when I tried to do nslookup, I see three servers working fine. For one server I am getting the following messages. What do they mean?

*** mydnsserver can't find 10.10.10.45: Query refused (by IP address)
*** mydnsserver can't find client: Non-existent domain (by Name)
 

Author Comment

by:ittechlab
ID: 39886499
"It could be possible that he entered it incorrectly, and didn't want to admit it..."

Am I able to see the log and see what change he made on the DNS server?
 

Accepted Solution

by: amclaughlin01 (earned 500 total points)
ID: 39886528
You might be able to use the method below to track changes; however, it would need to be enabled prior to tracking.


1. Enable Directory Service Access auditing in your default Domain Policy:
a) Edit the Domain Security Policy
b) Navigate to Local Policies -> Audit Policy
c) Define 'Audit directory service access' for success and failure
d) Refresh the policy on all Domain Controllers
2. Enable auditing on the DNS zone:
a) Open ADSIEdit (Start, Run, adsiedit.msc)
b) Right-click ADSI Edit, and connect to the DC=DomainDnsZones,DC=<domain>,DC=<top level domain> container
c) Expand MicrosoftDNS, and navigate to the location of the DNS zone
d) Right-click the zone and choose Properties
e) On the Security tab, click the Advanced button
f) Select the Auditing tab, and click Add
g) Under User or Group, type in Everyone
h) On the Object tab, select Success and Failure for access types Write All Properties, Read All Properties, Delete, and Delete Subtree
3. When a record is changed from DNS, Event ID such as 566 will be logged in the Security Event Log on the related DC.
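The same auditing set up from PowerShell instead of ADSIEdit, as an added example that is not part of the answer above. It assumes the ActiveDirectory module from RSAT in an elevated session, an account holding SeSecurityPrivilege on the domain controller, and an AD-integrated zone stored in the DomainDnsZones partition; the zone name is a placeholder.

```powershell
# Added example, not from the accepted solution. Mirrors steps 1 to 3 above from PowerShell.
Import-Module ActiveDirectory

$zoneName = 'dev.local'        # placeholder: the AD-integrated zone to audit
$domainDn = (Get-ADDomain).DistinguishedName
# Domain-wide replicated zones live under this container; steps 2b and 2c browse to the same object.
$zoneDn   = "DC=$zoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"

# Step 1 equivalent for this DC only (the Group Policy setting in the answer applies it to every DC):
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable | Out-Null

# Step 2: add a SACL entry to the zone object. -Audit is required, otherwise Get-Acl returns no SACL.
$acl      = Get-Acl -Path "AD:\$zoneDn" -Audit
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # "Everyone" from step 2g
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, ReadProperty, Delete, DeleteTree'
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All  # the zone and the records under it
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule($everyone, $rights, $flags, $inherit)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$zoneDn" -AclObject $acl

# Step 3: read back directory service access events. 566 is the Windows Server 2003 event ID the answer
# names; on Windows Server 2008 and later the same operation is logged as 4662.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 566, 4662 } -MaxEvents 50 |
    Where-Object { $_.Message -match 'MicrosoftDNS' } |
    Select-Object TimeCreated, Id, Message
```

The filter on MicrosoftDNS keeps only events whose object path is under the DNS partition, which is what separates a record edit from the rest of the directory access noise.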
 

Author Comment

by:ittechlab
ID: 39886705
Here is the setup at my company. I have two DNS servers, dnsA and dnsB.

Both domains are not trusted.

If I create a record on dnsA, anybody pointing to dnsB should be able to resolve the name. What should be done?
 

Expert Comment

by:amclaughlin01
ID: 39886739
You are going to need to add either a forwarder on dnsB pointing to a DNS server on dnsA network for that domain, or add a zone onto dnsB.  Although, if they are not trusted, I don't know if adding a zone will work for sure.

Right now, are you able to ping IP addresses on dnsA from dnsB?
 

Expert Comment

by:amclaughlin01
ID: 39886752
If you can ping a DNS server on the dnsA network, a test you can try is to add the dnsA DNS server as a secondary DNS server address on a PC, and then see if you can resolve names.

The question will be whether the dnsB network knows how to get to or route to the dnsA network. If not, you would need to add a route to your router.
 

Author Comment

by:ittechlab
ID: 39887006
Based on my existing setup on my Windows 7 PC, I was able to resolve 3 server names on the dev network but not the last one. Where could the problem be? The DNS admin keeps pointing the finger at me.
 

Author Comment

by:ittechlab
ID: 39887028
I logged into both DNS servers and I noticed the dev.local zone. How do I know how it is replicated? Both say secondary running. I am confused.
 

Expert Comment

by:BillBondo
ID: 39889069
What are you trying to accomplish? Perhaps you have the wrong server name and/or IP? Firewall on the server? Can you log on to that server? If you can't ping by IP then it's not a DNS issue.
 

Expert Comment

by:amclaughlin01
ID: 39889164
Ok, a couple possible scenarios to your setup could be as follows:

The below would be the DNS settings for the respective server (this is assuming that DNS services are running on dnsA and dnsB)

dnsA server:

- Should have an Active Directory-integrated zone for the internal domain network
- Could have a secondary zone for the dnsB server network domain, with the name server of the dnsB server

dnsB server:

- Should have an Active Directory-integrated zone for the internal domain network
- Could have a secondary zone for the dnsA server network domain, with the name server of the dnsA server.

In this scenario, both networks would need to be on separate IP addressing schemes so as not to confuse routing. If they are on the same IP address scheme, it would be hard to know which traffic would be from the remote network.

If they are on separate IP addressing networks, there would need to be a routing statement telling the server how to reach the remote network and what would be "interesting" traffic destined for that network.


As another possibility:

dnsA Server

- Should have an Active Directory-integrated zone for the internal domain network
- Have a forwarder address pointing to the dnsB server

dnsB Server

- Should have an Active Directory-integrated zone for the internal domain network
- Have a forwarder address pointing to the dnsA server

The problem with this configuration is that all your Internet-bound resolution will be going through the other network's DNS server. It will check its own network for resolution; if not found, it would then go to the other network's DNS server; again if not found, it would then go to the Internet for resolution. This causes much additional unneeded traffic.


It can be a bit confusing. I usually look at it as if I were a packet or address: what would be my path to resolving the name to an IP, and then what path would I take to get there?

Ask these questions:

- Does the server I am asking know the IP address?
- If not, what is the next server I am going to be sent to, to ask the question again?
- Once I find the IP address, is it a local address or a remote address?
- If it's a remote address, does my network know how to reach it or where to send it to next?
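The two layouts amclaughlin01 describes, written out for dnsB with the DnsServer module (Windows Server 2012 R2 and later), as an added example that is not part of the comment. The zone name and the dnsA address are placeholders taken from this thread; it also adds the conditional-forwarder form, which is the narrower variant of the second layout and avoids the Internet-traffic problem noted for a server-wide forwarder.

```powershell
# Added example, not from the comment above. Run on dnsB as a DNS administrator.
# A name can be hosted on one server either as a secondary zone or as a conditional forwarder, not both,
# so pick one mode. Neither needs an AD trust between the domains; both only need IP reachability to dnsA.
Import-Module DnsServer

$remoteZone   = 'dev.local'              # placeholder: the domain whose records live on dnsA
$remoteMaster = '10.10.10.5'             # placeholder: dnsA's address
$mode         = 'ConditionalForwarder'   # or 'SecondaryZone'

# The comment's first question: if dnsA cannot be reached by IP, no DNS setting will help.
if (-not (Test-NetConnection -ComputerName $remoteMaster -Port 53 -InformationLevel Quiet)) {
    throw "dnsA ($remoteMaster) is not reachable on TCP 53; fix routing or the firewall first."
}

switch ($mode) {
    'SecondaryZone' {
        # Layout 1: dnsB keeps a read-only copy of dnsA's zone via zone transfer (AXFR/IXFR over TCP 53).
        # dnsA must permit transfers to dnsB, e.g. on dnsA:
        #   Set-DnsServerPrimaryZone -Name dev.local -SecureSecondaries TransferToSecureServers -SecondaryServers <dnsB>
        # otherwise the transfer is refused, the same REFUSED answer nslookup reported in the question.
        Add-DnsServerSecondaryZone -Name $remoteZone -ZoneFile "$remoteZone.dns" -MasterServers $remoteMaster
        Start-DnsServerZoneTransfer -Name $remoteZone -FullTransfer   # pull now instead of waiting for the SOA refresh
    }
    'ConditionalForwarder' {
        # Layout 2 as described is a server-wide forwarder (Set-DnsServerForwarder -IPAddress $remoteMaster):
        # every name dnsB cannot answer, Internet names included, goes to dnsA first. A conditional forwarder
        # sends only $remoteZone queries to dnsA and leaves Internet resolution on dnsB's own path.
        Add-DnsServerConditionalForwarderZone -Name $remoteZone -MasterServers $remoteMaster
    }
}

# Verify: what dnsB now hosts for the name, and that a query answered by dnsB itself succeeds.
Get-DnsServerZone -Name $remoteZone | Select-Object ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name "server12.$remoteZone" -Server 127.0.0.1 -DnsOnly
```

A ZoneType of Secondary with a populated MasterServers list is what "secondary running" on both servers in the thread means; a ZoneType of Forwarder means dnsB holds no copy and relays each query to dnsA.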
