bkdavis

asked on

DNS Server Issues

Hello,
Needing some assistance, please. Long story short, I set up a small domain/network for a friend of mine just over 2 years ago for a dentist office. Everything has been working great until a couple weeks ago when he sent me a screenshot of a DNS issue on one of his client machines. Upon further investigation I discovered that the domain/DNS server was unable to access the internet all of a sudden. The only way we can get internet access back is to hardcode the ISP's DNS servers. If I leave the server pointed to itself (the actual IP, not the loopback) I cannot access the internet.
DNS is a bit of a grey area for me and I'm kind of at a loss, and not sure what has changed that would have impacted something that had been working fine for the past couple years.
I'm using a Westell 7500 modem provided by our ISP/CenturyLink that is set up in bridge mode to the PPPoE connection to our SonicWall TZ100 firewall. Any ideas what I need to do to get my server seeing the internet again without having to hardcode the ISP's DNS? This is affecting clients that are set up to grab the IP via DHCP, as it's set to point to the server IP, so on each client I've had to also hardcode the DNS information to the ISP's DNS servers.
Any ideas would be greatly appreciated. Again I'm not real familiar with DNS servers so I'm not sure if I can just recreate a zone or how I can verify/narrow down where the issue is.
Hoping someone might be able to steer me to the path of having a working DNS server again.
Thanks for your time!
Mohammed Khawaja

Check the DNS server settings and check the forwarder tab. It might be forwarding requests to a DNS server which may not exist or does not allow access. What you could do is change the forwarder to the ISP DNS, or you could use Root Hints.
ASKER CERTIFIED SOLUTION
Brandon
This solution is only available to members.
skullnobrains

dns can either act as a proxy (when you set up forwarders) or as an actual dns server (when you use root hints)

if you use forwarders, check that they are available using "nslookup google.com FORWARDER_IP" on the dns server (most likely the DC in your case). if they are unavailable you have various possibilities : a firewall rule will not let the dns resolve dns queries, the forwarders are not up any more (try 8.8.8.8 or 4.2.2.2), or possibly your ISP blocked dns queries to all servers but its own.

if you are using root hints, same as above (except for the unavailable server)

since you have a PPPoE connection, your firewall should receive working dns servers from the provider. it seems safe to either set the client machines to use the firewall, or even your dc to use it as a dns server

normally, you should not set anything up in the clients since they will receive dns settings through dhcp. you may bypass the DC by setting up working dns servers in the dhcp server's configuration but it is better to keep the default since some domain operations will not work properly otherwise.

--

then if you want to understand a little bit of dns operation

when you query A.B.C.com, using a regular A query, a recursive resolver will do the following
-> query root servers to get the dns server handling .com ( .com IN NS )
-> query that server to get the dns server handling .C.com
-> query that server to get the dns server handling .B.C.com
-> query that server to get the IP of A.B.C.com ( A.B.C.com in A )

forwarders only act as proxy and will just send the same query they receive to the upstream server.

most other DNS queries are handled in a very similar way : only the type of the last query differs (TXT, NS, ...)

PTRS are handled in the same way using a hack :
if you query ( 1.2.3.4 in PTR )
the server resolves 4.3.2.1.in-addr.arpa
in-addr.arpa is a stub zone for PTR operation, and PTRs (reverse queries) can hence be handled using the same algorithm as A (forward) queries
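
The forwarder check described in the answer above ("nslookup google.com FORWARDER_IP"), as an added Python example that is not part of the original thread: it sends the same kind of query over UDP and separates "no reply" (server down or port 53 filtered) from an explicit error code such as REFUSED or SERVFAIL. The function names are made up for this example; the two addresses are the public resolvers mentioned in the answer.

```python
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def ptr_name(ipv4):
    """1.2.3.4 -> 4.3.2.1.in-addr.arpa (the name a PTR lookup resolves)."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def build_query(name, qtype, txid):
    """Encode one recursive DNS question (qtype 1 = A, 12 = PTR)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN

def parse_header(reply, txid):
    """Return (rcode name, answer count) from a reply's 12-byte header."""
    if len(reply) < 12:
        raise ValueError("truncated DNS reply")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if rid != txid or not flags & 0x8000:  # wrong ID, or QR bit not set
        raise ValueError("not a reply to our query")
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), ancount

def probe(server, name="google.com", qtype=1, timeout=3.0):
    """Send one UDP query to server:53 and classify the outcome."""
    txid = secrets.randbelow(65536)  # unpredictable ID, as real resolvers use
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qtype, txid), (server, 53))
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no reply (server down, or port 53 filtered on the path)"
        except OSError as exc:
            return "socket error: %s" % exc
    try:
        return "%s, %d answer record(s)" % parse_header(reply, txid)
    except ValueError as exc:
        return "bad reply: %s" % exc

if __name__ == "__main__":
    # Candidates named in the thread; add the ISP's and the firewall's address.
    for ip in ("8.8.8.8", "4.2.2.2"):
        print(ip, "->", probe(ip))
        print(ip, "PTR ->", probe(ip, ptr_name("8.8.8.8"), qtype=12))
```

Run it on the DNS server itself: a timeout from every outside resolver but not from the ISP's points at filtering on the path, while REFUSED or SERVFAIL means the forwarder is reachable but will not answer.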

ASKER

Thank you so much for your suggestions and prompt reply. This seemed to work and we are back in business!!