Solved

DNS no longer allowing us to get to external websites

Posted on 2015-02-10
13
203 Views
Last Modified: 2015-02-10
We came in this morning and noticed that there was a DNS problem where we could not get to external sites.
Internal DNS settings appear to be working, but we cannot get to any external websites without typing in the IP address.

I'm not aware of any updates that were installed or changes that were made.

We are in a windows environment and have split DNS setup so (under normal circumstances) we can resolve to internal and external ip's.

Where should I start troubleshooting?
0
Comment
Question by:MBisch
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
13 Comments
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40601150
I'm curious what you mean by "split DNS setup". Each of your internal DNS servers should have a forwarder to "All other DNS domains" with at least one external DNS server. I have found that forwarding "All other DNS domains" to 8.8.8.8 (Google's public DNS server) and 4.4.4.1 (Level-3's public DNS server) (in that order) is faster than using my ISP's DNS servers.
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 40601193
If this only suddenly broke you obviously have it configured in a working condition to begin with so lets address things that may change. I assume you haven't changed any firewall rules, you have tried a simple restart, and this effect all clients and not just one or two. Since you mention split DNS setup I assume you have active directory configured and you use your DC to host DNS services to your internal clients through DNS forwarders.

1. ping a known working ip address. e.g. ping several 8.8.8.8, 8.8.4.4, 4.4.4.1 If this fails, you have a routing/internet problem and probably should call your ISP
2. one of your DNS forwarders may be unavailable. For example, most ISPs have dns servers that they hand out and may be temporarily offline. Check your forwarders from the DNS console on the domain controller and as the previous poster suggested, add 8.8.8.8 and 4.4.4.1 to the forwarders list.
3. Test DNS again, from your client machine try to ping google.com to make sure it can resolve to an ip address. It doesn't matter so much if it can successfully ping but it should receive reply. The important this here is that you see the ip address it is resolving for google.com
0
 

Author Comment

by:MBisch
ID: 40601226
Thanks for your input.
I had it setup to use other internal DNS Servers as forwarders then to use root hints if there are no forwarders.
I have gone in and removed the other internal DNS servers from the forwarders and have added 8.8.8.8 and 4.4.4.1.
I haven't changed any config and it worked yesterday.
It appears that something happened overnight for this to stop working.
0
Space-Age Communications Transitions to DevOps

ViaSat, a global provider of satellite and wireless communications, securely connects businesses, governments, and organizations to the Internet. Learn how ViaSat’s Network Solutions Engineer, drove the transition from a traditional network support to a DevOps-centric model.

 

Author Comment

by:MBisch
ID: 40601242
OriNetworks,
I can successfully ping 8.8.8.8 and 4.4.4.1, but can't get external domain names to resolve.
0
 
LVL 5

Accepted Solution

by:
R. Toby Richards earned 500 total points
ID: 40601247
What happens if you do "nslookup google.com"?
0
 

Author Comment

by:MBisch
ID: 40601301
When I do an nslookup for google.com it comes back with an IP address for a local DNS server

server: internalDNSserver.comr
address: IP address of internal DNS server

name: a.different.internalDNSserver.com
addresses: IP address of internal DNS server
     IP address of internal DNS server
Aliases: google.com.mydomain.com
0
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40601322
So the first thing to investigate is why it's appending ".mydomain.com" to "google.com"
0
 
LVL 5

Assisted Solution

by:R. Toby Richards
R. Toby Richards earned 500 total points
ID: 40601326
It looks to me like maybe you have a wildcard DNS zone or record. In your DNS records on your internal DNS server look for *.mydomain.com.

Explanation of DNS Wildcards
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40601354
ensure that you are able to telnet ISP DNS servers on TCP port 53 from domain controller

test name resolution from all servers to identify which server fails:
nslookup
set debug
google.com
0
 

Author Comment

by:MBisch
ID: 40601370
there was a wildcard in the domain and I have since removed it. Now the nslookup times out on the primary DNS server after 2 seconds.

It appears that the DNS server service is running on the server.
0
 
LVL 5

Assisted Solution

by:R. Toby Richards
R. Toby Richards earned 500 total points
ID: 40601384
And the DNS server that nslookup reports using has forwarders to an ISP or Google or Level-3 DNS server?
0
 
LVL 5

Assisted Solution

by:R. Toby Richards
R. Toby Richards earned 500 total points
ID: 40601395
Oh, and on the Advanced tab for the DNS server properties, make sure that "Disable recursion" is NOT checked. Also make sure on the forwarders tab under "All other DNS domains" "Do not use recursion for this domain" is NOT checked.
0
 

Author Comment

by:MBisch
ID: 40601472
I originally had the forwarders of 8.8.8.8 and 4.4.4.1 and they was not resolving correctly.
I added 8.8.4.4 and it started resolving correctly.
AND THEN...
I received a call from our Internet Service Provider, Windstream.
It turns out that there was a network based firewall that was having memory issues that caused DNS resolution to fail.

So. the problem all along was caused by our firewall.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Don’t let your business fall victim to the coming apocalypse – use our Survival Guide for the Fax Apocalypse to identify the risks and signs of zombie fax activities at your business.
If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question