DNS server blocked

I have a domain controller running Windows 2012 R2 in a VM. I installed SEP with full protection on the DC. Then I lost DNS in my network. I can run nslookup on the server and it finds stuff no problem. When I run nslookup on any computer on my network I get "DNS request timed out. timeout was 2 seconds. Default Server: UnKnown Address: 192.168.1.90" (which is the correct address), and when I try to look up any URL I get "Server: UnKnown Address: 192.168.1.90", four "DNS request timed out" messages and finally "Request to UnKnown timed-out". I assumed it was because SEP with full protection includes a firewall that was blocking the DNS requests. I uninstalled SEP (which ended with a reboot of the VM). I checked the firewall in the control panel and it was turned off. I tried a ping -a 192.168.1.90 and it correctly reported the name of the server and it had ping responses and times of a couple of ms.
amscottnycAsked:
Schuyler DorseyCommented:
SEP has a built in firewall. By default it disables the Windows Firewall once upon each boot and its firewall service takes over.

If you are using the SEP Manager, you will want to create a new firewall policy which allows DNS for your internal network. If you are not using the manager, you can configure these settings directly in SEP after you install it.
0
amscottnycAuthor Commented:
I was previously hit (on a different network) by the SEP firewall problem. That time I was able to uninstall SEP and resolve the problem. This time I did that and I still cannot access DNS. The previous time it was on Windows 2003. This time it is on Windows 2012. Since I am running WS 2012 in a VM I tried to revert to a snapshot from April. I still had the problem. I am fairly sure that I did indeed revert to the snapshot because it wanted to activate WS 2012. By the way, the way the problem showed its ugly head was that my computers that only had the DC as the DNS server couldn't access the internet.
0
amscottnycAuthor Commented:
As a follow-up, at the moment SEP doesn't appear to be installed on the DC at all. I cannot figure out how its firewall is there at all, but I am still having a problem that looks seriously like a firewall problem.
0
Schuyler DorseyCommented:
How many DCs do you have?
0
amscottnycAuthor Commented:
I have one DC. It is a small network.
0
Schuyler DorseyCommented:
Ok.. wanted to ask for a couple reasons..

1. If you have multiple DCs, you shouldn't just revert to a snapshot on DCs. (Especially need to take into consideration where the FSMO roles are)

2. You mentioned that computers could not get to the internet if the DC was their only DNS server. Since this is an Active Directory network.. you want to ensure that ALL domain-joined computers ONLY point to the DC. If they have a secondary DNS server that is not a DC, it can cause a lot of issues.

Outside of that, let us confirm and take a look at DNS.

So assuming SEP is removed and you rebooted the server:
Can the DC get to the internet?
If so, on a client workstation, verify whether or not you can ping the DC.
Do nslookup google.com and see what the results are.

If it returns server name unknown or something similar, check your DC and verify IPv6 is enabled.
0
amscottnycAuthor Commented:
I had added my router as a secondary DNS server after this problem started. That is the only way I am able to get on the Internet.
The DC gets on the Internet no problem and I can lookup URLs in nslookup no problem on the DC.
I can ping the DC by IP address on the workstations and on the DC.
On the workstations if I try to ping by computer name I get the response "Pinging AMSCOTT09" and the IPv6 address of the DC, but then I get four "Destination host unreachable". If I ping amscott09 (which is the name of the DC) on the DC I get replies that show the IPv6 address. There is a check mark in front of IPv6 in the Ethernet connector properties window but it is set to obtain an address automatically. I tried disabling IPv6 and I can ping amscott09 by name from the workstations and it shows the IPv4 address of the DC, but I still get timeouts when I try using nslookup and I get "Server: UnKnown" when I start nslookup.
nslookup works fine on the DC with IPv6 enabled and with it disabled.
0
Schuyler DorseyCommented:
Well, make sure to keep IPv6 enabled on the DC either way. It can break a lot of things internally if you do not. Same for any other Server 2008 and above box.

On the DC itself, what are your DNS IP settings set to for the NIC? Are you doing nic-teaming?
0
amscottnycAuthor Commented:
Very interesting. I had the DNS address set to 127.0.0.1 and was able to do nslookups. As a test I changed it to 192.168.1.90, which is the IP address of the DC. With that DNS address nslookup failed just as it does on the other computers in the network. There is only one NIC on the DC.
0
Schuyler DorseyCommented:
For your DC DNS settings, make one of them 192.168.1.90 and the other one 127.0.0.1. It should have both.

In addition, can you verify 192.168.1.90 is the IP assigned to it? Can you go to Network and Sharing Center to verify that the NIC connection is set to Domain Network as opposed to Public Network?

Can you ensure the DNS Server service is running on the DC? Have you already tried restarting the service?
0
amscottnycAuthor Commented:
I set the primary DNS to 192.168.1.90 and the secondary to 127.0.0.1. nslookup still works on the DC.
I checked the address of the computer and it is 192.168.1.90. If I do a ping -a 192.168.1.90 it reports the computer name as amscott09, which is right.
I restarted the DNS server service but it didn't make any difference, nslookup still doesn't work from a workstation. I have also rebooted the DC a couple of times.
0
amscottnycAuthor Commented:
Also, I checked that the nic connection is set to Domain Network in Network and Sharing Center.
0
Schuyler DorseyCommented:
Are your workstations on the same network? Ie. 192.168.1.x?
0
amscottnycAuthor Commented:
yes
0
amscottnycAuthor Commented:
Also, everything was working until yesterday when I installed SEP.
0
Schuyler DorseyCommented:
Just to confirm, SEP is uninstalled now, right?

On a local workstation, are you able to telnet to port 53 of the DC?
0
Schuyler DorseyCommented:
Alternatively, you could port scan it to verify port 53 is open. (specifically, udp 53)
0
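The telnet test above only proves that TCP port 53 answers; ordinary lookups from a workstation go over UDP 53, which is exactly what a firewall rule can drop while TCP still connects. The script below is an added example, not code from the thread: it hand-builds a DNS A query, sends it to the server over UDP and over TCP, parses whatever comes back, and turns the two outcomes into a diagnosis. The server address 192.168.1.90, the query name, the transaction IDs and the sample response bytes in the test are constructed for illustration; run it from a workstation (and again on the DC itself) against the DC's address.

```python
"""Probe a DNS server over UDP 53 and TCP 53 with hand-built packets.

Added example (not from the thread). Run from a workstation against the DC:
    python dns_probe.py 192.168.1.90
Names, transaction IDs and the default address are constructed for illustration.
"""
import socket
import struct
import sys


def build_query(name, qid=0x1234, qtype=1):
    """Standard query, recursion desired, one question (A record by default)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS 1 = IN


def _read_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(data, expected_qid):
    """Return rcode and any A-record addresses; reject mismatched/non-response packets."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_qid:
        raise ValueError("transaction ID mismatch (spoofed or stale reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    offset = 12
    for _ in range(qd):                                 # skip the question section
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return {"rcode": flags & 0x000F, "answers": answers}


def probe_udp(server, name="google.com", timeout=2.0):
    """One UDP query; a silent drop by a firewall shows up as 'timeout'."""
    qid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return {"status": "timeout"}
        except OSError as e:
            return {"status": "error: %s" % e}    # e.g. ICMP port unreachable surfaced by Windows
    return {"status": "answered", **parse_response(data, qid)}


def probe_tcp(server, name="google.com", timeout=2.0):
    """Same query over TCP, which is what 'telnet host 53' exercises."""
    qid = 0x5678
    query = build_query(name, qid)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)  # TCP DNS is length-prefixed
            buf = b""
            while len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
                chunk = s.recv(4096)
                if not chunk:
                    return {"status": "error: connection closed"}
                buf += chunk
    except socket.timeout:
        return {"status": "timeout"}
    except OSError as e:
        return {"status": "error: %s" % e}
    return {"status": "answered", **parse_response(buf[2:], qid)}


def interpret(udp_status, tcp_status):
    """Turn the two probe outcomes into the diagnosis a firewall admin needs."""
    if udp_status == "answered" and tcp_status == "answered":
        return "DNS reachable on UDP and TCP 53: look beyond the firewall"
    if udp_status != "answered" and tcp_status == "answered":
        return "TCP 53 open but UDP 53 dropped: a firewall rule is missing UDP"
    if udp_status == "answered":
        return "UDP 53 works, TCP 53 blocked: large answers and zone transfers will fail"
    return "nothing reaches port 53: firewall on the path or host, or DNS Server not listening"


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.90"
    udp, tcp = probe_udp(server), probe_tcp(server)
    print("udp:", udp)
    print("tcp:", tcp)
    print(interpret(udp["status"], tcp["status"]))
```

Running it on the DC against 127.0.0.1 and against its own address, then from a workstation against the DC, gives three data points; the pattern in this thread (answers on the DC, timeouts from every workstation, Windows Firewall off) points at a filter somewhere on the path between the two, which is where the hypervisor host's firewall sits.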
amscottnycAuthor Commented:
I uninstalled the program through the programs and features applet in control panel. I just checked that it is not in the applet now and there is no symantec folder in the program files and program files (x86) folders.
I could not telnet to 192.168.1.90 53 from a workstation but I was able to from the DC itself.
I just checked the firewall settings in the firewall applet and it is turned off. I understand that that doesn't mean a thing if SEP were there, but I can't find anything related to it on the computer.
0
Schuyler DorseyCommented:
Is the Windows Firewall disabled for all network profiles? (You can disable it for the Domain, Private and Public network profiles.)

Either way, I would also manually add in a Windows Firewall rule which allows inbound udp 53 traffic. Then test again from a workstation.
0
amscottnycAuthor Commented:
The firewall was turned off in the domain, private and public profiles.
I turned it on in the domain profile. I don't see where to allow port 53 specifically, but the default setting had the dns service enabled in all three profiles. It didn't make any difference.
0
Schuyler DorseyCommented:
Please try manually adding a new rule which allows DNS.

On the left, there should be an item that says "Advanced settings". Click on that. Then click on Inbound Rules at top left. Then click New Rule. The wizard can walk you through ensuring port 53 UDP is allowed.
0
Schuyler DorseyCommented:
In case the above doesn't fix it, I would try running the Symantec Removal Tool. Just in case it left some stray pieces of the application/fw on it.
0
amscottnycAuthor Commented:
Hi Schuyler,
I figured out the problem. In my first post I pointed out that the DC is running in a VM. The firewall on the host was blocking DNS. I just put a hole in the SEP firewall on the host and nslookup is working great. Thank you for all the time and thought you put into this problem.
0
