Solved

DNS no longer allowing us to get to external websites

Posted on 2015-02-10
13
204 Views
Last Modified: 2015-02-10
We came in this morning and noticed that there was a DNS problem where we could not get to external sites.
Internal DNS settings appear to be working, but we cannot get to any external websites without typing in the IP address.

I'm not aware of any updates that were installed or changes that were made.

We are in a windows environment and have split DNS setup so (under normal circumstances) we can resolve to internal and external ip's.

Where should I start troubleshooting?
0
Comment
Question by:MBisch
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
13 Comments
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40601150
I'm curious what you mean by "split DNS setup". Each of your internal DNS servers should have a forwarder to "All other DNS domains" with at least one external DNS server. I have found that forwarding "All other DNS domains" to 8.8.8.8 (Google's public DNS server) and 4.4.4.1 (Level-3's public DNS server) (in that order) is faster than using my ISP's DNS servers.
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 40601193
If this only suddenly broke you obviously have it configured in a working condition to begin with so lets address things that may change. I assume you haven't changed any firewall rules, you have tried a simple restart, and this effect all clients and not just one or two. Since you mention split DNS setup I assume you have active directory configured and you use your DC to host DNS services to your internal clients through DNS forwarders.

1. ping a known working ip address. e.g. ping several 8.8.8.8, 8.8.4.4, 4.4.4.1 If this fails, you have a routing/internet problem and probably should call your ISP
2. one of your DNS forwarders may be unavailable. For example, most ISPs have dns servers that they hand out and may be temporarily offline. Check your forwarders from the DNS console on the domain controller and as the previous poster suggested, add 8.8.8.8 and 4.4.4.1 to the forwarders list.
3. Test DNS again, from your client machine try to ping google.com to make sure it can resolve to an ip address. It doesn't matter so much if it can successfully ping but it should receive reply. The important this here is that you see the ip address it is resolving for google.com
0
 

Author Comment

by:MBisch
ID: 40601226
Thanks for your input.
I had it setup to use other internal DNS Servers as forwarders then to use root hints if there are no forwarders.
I have gone in and removed the other internal DNS servers from the forwarders and have added 8.8.8.8 and 4.4.4.1.
I haven't changed any config and it worked yesterday.
It appears that something happened overnight for this to stop working.
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 

Author Comment

by:MBisch
ID: 40601242
OriNetworks,
I can successfully ping 8.8.8.8 and 4.4.4.1, but can't get external domain names to resolve.
0
 
LVL 5

Accepted Solution

by:
R. Toby Richards earned 500 total points
ID: 40601247
What happens if you do "nslookup google.com"?
0
 

Author Comment

by:MBisch
ID: 40601301
When I do an nslookup for google.com it comes back with an IP address for a local DNS server

server: internalDNSserver.comr
address: IP address of internal DNS server

name: a.different.internalDNSserver.com
addresses: IP address of internal DNS server
     IP address of internal DNS server
Aliases: google.com.mydomain.com
0
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40601322
So the first thing to investigate is why it's appending ".mydomain.com" to "google.com"
0
 
LVL 5

Assisted Solution

by:R. Toby Richards
R. Toby Richards earned 500 total points
ID: 40601326
It looks to me like maybe you have a wildcard DNS zone or record. In your DNS records on your internal DNS server look for *.mydomain.com.

Explanation of DNS Wildcards
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40601354
ensure that you are able to telnet ISP DNS servers on TCP port 53 from domain controller

test name resolution from all servers to identify which server fails:
nslookup
set debug
google.com
0
 

Author Comment

by:MBisch
ID: 40601370
there was a wildcard in the domain and I have since removed it. Now the nslookup times out on the primary DNS server after 2 seconds.

It appears that the DNS server service is running on the server.
0
 
LVL 5

Assisted Solution

by:R. Toby Richards
R. Toby Richards earned 500 total points
ID: 40601384
And the DNS server that nslookup reports using has forwarders to an ISP or Google or Level-3 DNS server?
0
 
LVL 5

Assisted Solution

by:R. Toby Richards
R. Toby Richards earned 500 total points
ID: 40601395
Oh, and on the Advanced tab for the DNS server properties, make sure that "Disable recursion" is NOT checked. Also make sure on the forwarders tab under "All other DNS domains" "Do not use recursion for this domain" is NOT checked.
0
 

Author Comment

by:MBisch
ID: 40601472
I originally had the forwarders of 8.8.8.8 and 4.4.4.1 and they was not resolving correctly.
I added 8.8.4.4 and it started resolving correctly.
AND THEN...
I received a call from our Internet Service Provider, Windstream.
It turns out that there was a network based firewall that was having memory issues that caused DNS resolution to fail.

So. the problem all along was caused by our firewall.
0

Featured Post

Easy, flexible multimedia distribution & control

Coming soon!  Ideal for large-scale A/V applications, ATEN's VM3200 Modular Matrix Switch is an all-in-one solution that simplifies video wall integration. Easily customize display layouts to see what you want, how you want it in 4k.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Suggested Courses

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question