Solved

DNS no longer allowing us to get to external websites

Posted on 2015-02-10
201 Views
Last Modified: 2015-02-10
We came in this morning and noticed that there was a DNS problem where we could not get to external sites.
Internal DNS settings appear to be working, but we cannot get to any external websites without typing in the IP address.

I'm not aware of any updates that were installed or changes that were made.

We are in a Windows environment and have a split DNS setup so (under normal circumstances) we can resolve to internal and external IPs.

Where should I start troubleshooting?
0
Question by:MBisch
13 Comments
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40601150
I'm curious what you mean by "split DNS setup". Each of your internal DNS servers should have a forwarder to "All other DNS domains" with at least one external DNS server. I have found that forwarding "All other DNS domains" to 8.8.8.8 (Google's public DNS server) and 4.4.4.1 (Level-3's public DNS server) (in that order) is faster than using my ISP's DNS servers.
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 40601193
If this only suddenly broke, you obviously had it configured in a working condition to begin with, so let's address things that may have changed. I assume you haven't changed any firewall rules, you have tried a simple restart, and this affects all clients and not just one or two. Since you mention a split DNS setup, I assume you have Active Directory configured and you use your DC to host DNS services to your internal clients through DNS forwarders.

1. Ping a known working IP address, e.g. ping several such as 8.8.8.8, 8.8.4.4, 4.4.4.1. If this fails, you have a routing/Internet problem and probably should call your ISP.
2. One of your DNS forwarders may be unavailable. For example, most ISPs have DNS servers that they hand out, and they may be temporarily offline. Check your forwarders from the DNS console on the domain controller and, as the previous poster suggested, add 8.8.8.8 and 4.4.4.1 to the forwarders list.
3. Test DNS again: from your client machine try to ping google.com to make sure it can resolve to an IP address. It doesn't matter so much if it can successfully ping, but it should receive a reply. The important thing here is that you see the IP address it is resolving for google.com.
0
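The client-side part of the procedure above (steps 1 and 3; step 2 is a check of the forwarder list on the DC itself), as an added PowerShell example that is not part of OriNetworks' post or of the original thread. It is run from a domain-joined client with PowerShell 3 or later (for Resolve-DnsName). The internal server addresses are assumptions; the public resolvers are the ones the thread names. Querying each server directly and printing the owner name that comes back is the point: an answer whose name carries your own domain suffix came from your internal zone, not from the Internet.

```powershell
# Added example, not from the thread. Replace the internal addresses with your DCs.
$internalDns = @('10.0.0.10', '10.0.0.11')   # assumed: internal DNS servers (DCs)
$publicDns   = @('8.8.8.8', '8.8.4.4')       # public resolvers named in the thread
$probe       = 'google.com'

# Step 1: raw IP connectivity to the public resolvers.
# If this fails the problem is routing/ISP, not name resolution.
foreach ($ip in $publicDns) {
    $ok = Test-Connection -ComputerName $ip -Count 2 -Quiet
    "{0,-16} ICMP reachable: {1}" -f $ip, $ok
}

# Step 3: ask every server directly and show what each one answers.
# Clear the local resolver cache first so a stale or poisoned entry cannot mask
# a server that is actually failing right now.
Clear-DnsClientCache
foreach ($srv in ($internalDns + $publicDns)) {
    try {
        $ans = Resolve-DnsName -Name $probe -Server $srv -Type A -DnsOnly -ErrorAction Stop
        $desc = $ans | ForEach-Object {
            if ($_.Type -eq 'CNAME') { "$($_.Name) CNAME $($_.NameHost)" }
            else                     { "$($_.Name) A $($_.IPAddress)" }
        }
        "{0,-16} {1} -> {2}" -f $srv, $probe, ($desc -join '; ')
    } catch {
        # A timeout here on an internal server while the public ones answer means
        # the DC cannot reach its forwarders, not that the client is misconfigured.
        "{0,-16} {1} -> FAILED: {2}" -f $srv, $probe, $_.Exception.Message
    }
}
```

Compare the internal and public rows: the same A record from both means the DC's forwarding path works; a timeout from the DCs only, or an answer under your own domain name, narrows the fault to the DC or its upstream path.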
 

Author Comment

by:MBisch
ID: 40601226
Thanks for your input.
I had it set up to use other internal DNS servers as forwarders, then to use root hints if there are no forwarders.
I have gone in and removed the other internal DNS servers from the forwarders and have added 8.8.8.8 and 4.4.4.1.
I haven't changed any config and it worked yesterday.
It appears that something happened overnight for this to stop working.
0

 

Author Comment

by:MBisch
ID: 40601242
OriNetworks,
I can successfully ping 8.8.8.8 and 4.4.4.1, but can't get external domain names to resolve.
0
 
LVL 5

Accepted Solution

by: R. Toby Richards (earned 500 total points)
ID: 40601247
What happens if you do "nslookup google.com"?
0
 

Author Comment

by:MBisch
ID: 40601301
When I do an nslookup for google.com it comes back with an IP address for a local DNS server

server: internalDNSserver.com
address: IP address of internal DNS server

name: a.different.internalDNSserver.com
addresses: IP address of internal DNS server
     IP address of internal DNS server
Aliases: google.com.mydomain.com
0
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40601322
So the first thing to investigate is why it's appending ".mydomain.com" to "google.com"
0
 
LVL 5

Assisted Solution

by:R. Toby Richards
R. Toby Richards earned 500 total points
ID: 40601326
It looks to me like maybe you have a wildcard DNS zone or record. In your DNS records on your internal DNS server look for *.mydomain.com.

Explanation of DNS Wildcards
0
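A way to confirm the suffix-and-wildcard theory from the two posts above, as an added PowerShell example that is not part of the thread. It lists any wildcard owner names in the zone, shows which suffixes the client will append, and then queries the same name with and without a trailing dot. The zone name mydomain.com is taken from the posted nslookup output; the DC name and address are assumptions. It needs the DnsServer module (Windows Server 2012 or later, or RSAT) for the zone query.

```powershell
# Added example, not from the thread. $zone is from the posted output; $dc and $dcIp
# are assumptions. Run from a management host with the DnsServer module installed.
$zone = 'mydomain.com'
$dc   = 'dc1.mydomain.com'
$dcIp = '10.0.0.10'

# 1. Wildcard owner names anywhere in the zone, not only "*" at the apex.
Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $zone |
    Where-Object { $_.HostName.StartsWith('*') } |
    Format-Table HostName, RecordType,
        @{ n = 'Data'; e = {
            $d = $_.RecordData
            switch ($_.RecordType) {       # $_ inside the switch is the switched value
                'A'     { $d.IPv4Address }
                'CNAME' { $d.HostNameAlias }
                default { $d }
            } } } -AutoSize

# 2. Suffixes this client appends when an as-typed lookup fails.
(Get-DnsClientGlobalSetting).SuffixSearchList
Get-DnsClient | Where-Object ConnectionSpecificSuffix |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix

# 3. Same name, relative and absolute. The trailing dot makes the name absolute so no
#    suffix can be appended. If only the relative form "succeeds" and the owner name
#    in the answer ends in $zone, the answer came from the wildcard, not the Internet.
Clear-DnsClientCache
foreach ($q in 'google.com', 'google.com.') {
    try {
        $r = Resolve-DnsName -Name $q -Server $dcIp -Type A -DnsOnly -ErrorAction Stop
        $desc = $r | ForEach-Object {
            if ($_.Type -eq 'CNAME') { "$($_.Name) CNAME $($_.NameHost)" }
            else                     { "$($_.Name) A $($_.IPAddress)" }
        }
        "{0,-12} -> {1}" -f $q, ($desc -join '; ')
    } catch {
        "{0,-12} -> no answer ({1})" -f $q, $_.Exception.Message
    }
}
```

The wildcard is worth removing even though it turned out not to be the root cause here: it converts an upstream failure (the DC cannot reach its forwarders) into a confident, wrong answer that points every unresolvable external name at an internal host. A plain timeout is far easier to diagnose, and it does not silently redirect traffic.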
 
LVL 36

Expert Comment

by:Mahesh
ID: 40601354
Ensure that you are able to telnet to the ISP DNS servers on TCP port 53 from the domain controller.

test name resolution from all servers to identify which server fails:
nslookup
set debug
google.com
0
 

Author Comment

by:MBisch
ID: 40601370
there was a wildcard in the domain and I have since removed it. Now the nslookup times out on the primary DNS server after 2 seconds.

It appears that the DNS server service is running on the server.
0
 
LVL 5

Assisted Solution

by:R. Toby Richards
R. Toby Richards earned 500 total points
ID: 40601384
And the DNS server that nslookup reports using has forwarders to an ISP or Google or Level-3 DNS server?
0
 
LVL 5

Assisted Solution

by:R. Toby Richards
R. Toby Richards earned 500 total points
ID: 40601395
Oh, and on the Advanced tab for the DNS server properties, make sure that "Disable recursion" is NOT checked. Also make sure on the forwarders tab under "All other DNS domains" "Do not use recursion for this domain" is NOT checked.
0
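A server-side version of the checks in Mahesh's and R. Toby Richards' posts above (forwarder list, root-hint fallback, the recursion setting, TCP/53 reachability of each forwarder, and a direct query to each forwarder from the DC), as an added PowerShell example that is not part of the thread. It assumes the DnsServer module (Windows Server 2012 or later) and Test-NetConnection from the NetTCPIP module; the DC name is an assumption. Get-DnsServerRecursion's Enable property is the inverse of the Advanced-tab "Disable recursion" checkbox; the older per-domain "Do not use recursion for this domain" option is not exposed by these cmdlets and still has to be checked in the console.

```powershell
# Added example, not from the thread. Run on a DC that hosts DNS, or point -ComputerName
# at one. $dc is an assumption.
$dc = 'dc1.mydomain.com'

# Forwarders tab: the list, its order, and whether root hints are tried if all fail.
$fwd = Get-DnsServerForwarder -ComputerName $dc
"Forwarders     : {0}" -f (($fwd.IPAddress | ForEach-Object { $_.IPAddressToString }) -join ', ')
"Use root hints : {0}" -f $fwd.UseRootHint
"Timeout        : {0}s" -f $fwd.Timeout

# Advanced tab: 'Disable recursion (also disables forwarders)' is the inverse of Enable.
$rec = Get-DnsServerRecursion -ComputerName $dc
"Recursion      : {0}" -f $(if ($rec.Enable) { 'enabled' } else { 'DISABLED - forwarders are ignored' })

foreach ($ip in $fwd.IPAddress) {
    $addr = $ip.IPAddressToString

    # A forwarder on a private address is usually another internal server; that just
    # moves the question of who talks to the Internet one hop along.
    $private = $addr -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)'

    # Equivalent of 'telnet <ip> 53'. Proves TCP/53 only; ordinary queries use UDP/53,
    # and a firewall can pass one while dropping the other.
    $tcp = (Test-NetConnection -ComputerName $addr -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded

    # The test that matters: does this forwarder answer the DC over UDP (the default)?
    # The trailing dot keeps the client from appending a suffix to the probe name.
    try {
        $a = Resolve-DnsName -Name 'google.com.' -Server $addr -Type A -DnsOnly -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }
        $query = ($a.IPAddress -join ', ')
    } catch {
        $query = "FAILED: $($_.Exception.Message)"
    }

    "{0,-16} private={1,-5} tcp53={2,-5} query={3}" -f $addr, $private, $tcp, $query
}
```

Read the last column first. A forwarder that is reachable on TCP/53 but does not answer the query is exactly the upstream-filtering failure that this thread ended with, and no amount of forwarder or recursion re-configuration on the DC will fix it.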
 

Author Comment

by:MBisch
ID: 40601472
I originally had the forwarders of 8.8.8.8 and 4.4.4.1 and they were not resolving correctly.
I added 8.8.4.4 and it started resolving correctly.
AND THEN...
I received a call from our Internet Service Provider, Windstream.
It turns out that there was a network based firewall that was having memory issues that caused DNS resolution to fail.

So the problem all along was caused by our firewall.
0
