Solved

DNS server blocked

Posted on 2014-07-18
Last Modified: 2014-10-21
I have a domain controller running Windows 2012 R2 in a VM. I installed SEP with full protection on the DC. Then I lost DNS in my network. I can run nslookup on the server and it finds stuff no problem. When I run nslookup on any computer on my network I get "DNS request timed out. timeout was 2 seconds. Default Server: UnKnown Address: 192.168.1.90" (which is the correct address), and when I try to look up any URL I get "Server: UnKnown Address: 192.168.1.90" and four "DNS request timed out" messages and finally "Request to UnKnown timed-out". I assumed it was because SEP with full protection includes a firewall that was blocking the DNS requests. I uninstalled SEP (which ended with a reboot of the VM). I checked the firewall in the control panel and it was turned off. I tried a ping -a 192.168.1.90 and it correctly reported the name of the server and it had ping responses and times of a couple of ms.
Question by:amscottnyc

25 Comments


Expert Comment

by:Schuyler Dorsey
ID: 40205745
SEP has a built in firewall. By default it disables the Windows Firewall once upon each boot and its firewall service takes over.

If you are using the SEP Manager, you will want to create a new firewall policy which allows DNS for your internal network. If you are not using the manager, you can configure these settings directly in SEP after you install it.

Author Comment

by:amscottnyc
ID: 40205800
I was previously hit (on a different network) by the SEP firewall problem. That time I was able to uninstall SEP and resolve the problem. This time I did that and I still cannot access DNS. The previous time it was on Windows 2003. This time it is on Windows 2012. Since I am running WS 2012 in a VM I tried to revert to a snapshot from April. I still had the problem. I am fairly sure that I did indeed revert to the snapshot because it wanted to activate WS 2012. By the way, the way the problem showed its ugly head was that my computers that only had the DC as the DNS server couldn't access the Internet.

Author Comment

by:amscottnyc
ID: 40205807
As a follow-up, at the moment SEP doesn't appear to be installed on the DC at all. I cannot figure out how its firewall is there at all, but I am still having a problem that looks seriously like a firewall problem.

Expert Comment

by:Schuyler Dorsey
ID: 40205808
How many DCs do you have?

Author Comment

by:amscottnyc
ID: 40206258
I have one DC. It is a small network.

Expert Comment

by:Schuyler Dorsey
ID: 40206343
OK, wanted to ask for a couple of reasons.

1. If you have multiple DCs, you shouldn't just revert to a snapshot on DCs. (You especially need to take into consideration where the FSMO roles are.)

2. You mentioned that computers could not get to the Internet if the DC was their only DNS server. Since this is an Active Directory network, you want to ensure that ALL domain-joined computers ONLY point to the DC. If they have a secondary DNS server that is not a DC, it can cause a lot of issues.

Outside of that, let us confirm and take a look at DNS.

So assuming SEP is removed and you rebooted the server:
Can the DC get to the Internet?
If so, on a client workstation, verify whether or not you can ping the DC.
Do nslookup google.com and see what the results are.

If it returns server name unknown or something similar, check your DC and verify IPv6 is enabled.

Author Comment

by:amscottnyc
ID: 40206438
I had added my router as a secondary DNS server after this problem started. That is the only way I am able to get on the Internet.
The DC gets on the Internet no problem and I can look up URLs in nslookup no problem on the DC.
I can ping the DC by IP address on the workstations and on the DC.
On the workstations if I try to ping by computer name I get the response "Pinging AMSCOTT09" and the IPv6 address of the DC, but then I get four "Destination host unreachable". If I ping amscott09 (which is the name of the DC) on the DC I get replies that show the IPv6 address. There is a check mark in front of IPv6 in the Ethernet connector properties window but it is set to obtain an address automatically. I tried disabling IPv6 and I can ping amscott09 by name from the workstations and it shows the IPv4 address of the DC, but I still get timeouts when I try using nslookup and I get "Server: UnKnown" when I start nslookup.
nslookup works fine on the DC with IPv6 enabled and with it disabled.

Expert Comment

by:Schuyler Dorsey
ID: 40206556
Well, make sure to keep IPv6 enabled on the DC either way. It can break a lot of things internally if you do not. Same for any other Server 2008 and above box.

On the DC itself, what are your DNS IP settings set to for the NIC? Are you doing NIC teaming?

Author Comment

by:amscottnyc
ID: 40206587
Very interesting. I had the DNS address set to 127.0.0.1 and was able to do nslookups. As a test I changed it to 192.168.1.90, which is the IP address of the DC. With that DNS address nslookup failed just as it does on the other computers in the network. There is only one NIC on the DC.

Expert Comment

by:Schuyler Dorsey
ID: 40206596
For your DC DNS settings, make one of them 192.168.1.90 and the other one 127.0.0.1. It should have both.

In addition, can you verify 192.168.1.90 is the IP assigned to it? Can you go to Network and Sharing Center to verify that the NIC connection is set to Domain Network as opposed to Public Network?

Can you ensure the DNS Server service is running on the DC? Have you already tried restarting the service?

Author Comment

by:amscottnyc
ID: 40206616
I set the primary DNS to 192.168.1.90 and the secondary to 127.0.0.1. nslookup still works on the DC.
I checked the address of the computer and it is 192.168.1.90. If I do a ping -a 192.168.1.90 it reports the computer name as amscott09, which is right.
I restarted the DNS server service but it didn't make any difference, nslookup still doesn't work from a workstation. I have also rebooted the DC a couple of times.

Author Comment

by:amscottnyc
ID: 40206620
Also, I checked that the NIC connection is set to Domain Network in Network and Sharing Center.

Expert Comment

by:Schuyler Dorsey
ID: 40206637
Are your workstations on the same network? I.e. 192.168.1.x?

Author Comment

by:amscottnyc
ID: 40206655
Yes.

Author Comment

by:amscottnyc
ID: 40206659
Also, everything was working until yesterday when I installed SEP.

Expert Comment

by:Schuyler Dorsey
ID: 40206662
Just to confirm, SEP is uninstalled now, right?

On a local workstation, are you able to telnet to port 53 of the DC?

Expert Comment

by:Schuyler Dorsey
ID: 40206670
Alternatively, you could port scan it to verify port 53 is open. (specifically, udp 53)

Author Comment

by:amscottnyc
ID: 40206679
I uninstalled the program through the Programs and Features applet in Control Panel. I just checked that it is not in the applet now and there is no Symantec folder in the Program Files and Program Files (x86) folders.
I could not telnet to 192.168.1.90 53 from a workstation but I was able to from the DC itself.
I just checked the firewall settings in the firewall applet and it is turned off. I understand that that doesn't mean a thing if SEP were there, but I can't find anything related to it on the computer.

Expert Comment

by:Schuyler Dorsey
ID: 40206681
Is the Windows Firewall disabled for all network profiles? (You can disable it for the Domain, Private and Public network profiles.)

Either way, I would also manually add in a Windows Firewall rule which allows inbound udp 53 traffic. Then test again from a workstation.

Author Comment

by:amscottnyc
ID: 40206684
The firewall was turned off in the domain, private and public profiles.
I turned it on in the domain profile. I don't see where to allow port 53 specifically, but the default setting had the DNS service enabled in all three profiles. It didn't make any difference.

Expert Comment

by:Schuyler Dorsey
ID: 40206688
Please try manually adding a new rule which allows DNS.

On the left, there should be an item that says "Advanced settings". Click on that. Then click on Inbound Rules at top left. Then click New Rule. The wizard can walk you through ensuring port 53 UDP is allowed.

Expert Comment

by:Schuyler Dorsey
ID: 40206750
In case the above doesn't fix it, I would try running the Symantec Removal Tool. Just in case it left some stray pieces of the application/fw on it.

Accepted Solution

by:amscottnyc
ID: 40209827
Hi Schuyler,
I figured out the problem. In my first post I pointed out that the DC is running in a VM. The firewall on the host was blocking DNS. I just put a hole in the SEP firewall on the host and nslookup is working great. Thank you for all the time and thought you put into this problem.