Solved

DNS no longer allowing us to get to external websites

Posted on 2015-02-10
Last Modified: 2015-02-10
We came in this morning and noticed that there was a DNS problem where we could not get to external sites.
Internal DNS settings appear to be working, but we cannot get to any external websites without typing in the IP address.

I'm not aware of any updates that were installed or changes that were made.

We are in a Windows environment and have split DNS set up so (under normal circumstances) we can resolve to internal and external IPs.

Where should I start troubleshooting?
Question by:MBisch
13 Comments
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40601150
I'm curious what you mean by "split DNS setup". Each of your internal DNS servers should have a forwarder to "All other DNS domains" with at least one external DNS server. I have found that forwarding "All other DNS domains" to 8.8.8.8 (Google's public DNS server) and 4.4.4.1 (Level-3's public DNS server) (in that order) is faster than using my ISP's DNS servers.
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 40601193
If this only suddenly broke, you obviously had it configured in a working condition to begin with, so let's address things that may change. I assume you haven't changed any firewall rules, you have tried a simple restart, and this affects all clients and not just one or two. Since you mention split DNS setup, I assume you have Active Directory configured and you use your DC to host DNS services to your internal clients through DNS forwarders.

1. Ping a known working IP address, e.g. ping several: 8.8.8.8, 8.8.4.4, 4.4.4.1. If this fails, you have a routing/internet problem and probably should call your ISP.
2. One of your DNS forwarders may be unavailable. For example, most ISPs have DNS servers that they hand out, and these may be temporarily offline. Check your forwarders from the DNS console on the domain controller and, as the previous poster suggested, add 8.8.8.8 and 4.4.4.1 to the forwarders list.
3. Test DNS again: from your client machine, try to ping google.com to make sure it can resolve to an IP address. It doesn't matter so much if it can successfully ping, but it should receive a reply. The important thing here is that you see the IP address it is resolving for google.com.
0
 

Author Comment

by:MBisch
ID: 40601226
Thanks for your input.
I had it set up to use other internal DNS servers as forwarders, then to use root hints if there are no forwarders.
I have gone in and removed the other internal DNS servers from the forwarders and have added 8.8.8.8 and 4.4.4.1.
I haven't changed any config and it worked yesterday.
It appears that something happened overnight for this to stop working.
0

 

Author Comment

by:MBisch
ID: 40601242
OriNetworks,
I can successfully ping 8.8.8.8 and 4.4.4.1, but can't get external domain names to resolve.
0
 
LVL 5

Accepted Solution

by:
R. Toby Richards earned 2000 total points
ID: 40601247
What happens if you do "nslookup google.com"?
0
 

Author Comment

by:MBisch
ID: 40601301
When I do an nslookup for google.com it comes back with an IP address for a local DNS server

server: internalDNSserver.comr
address: IP address of internal DNS server

name: a.different.internalDNSserver.com
addresses: IP address of internal DNS server
     IP address of internal DNS server
Aliases: google.com.mydomain.com
0
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40601322
So the first thing to investigate is why it's appending ".mydomain.com" to "google.com"
0
 
LVL 5

Assisted Solution

by:R. Toby Richards
R. Toby Richards earned 2000 total points
ID: 40601326
It looks to me like maybe you have a wildcard DNS zone or record. In your DNS records on your internal DNS server look for *.mydomain.com.

Explanation of DNS Wildcards
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 40601354
Ensure that you are able to telnet to the ISP DNS servers on TCP port 53 from the domain controller.

Test name resolution from all servers to identify which server fails:
nslookup
set debug
google.com
0
 

Author Comment

by:MBisch
ID: 40601370
There was a wildcard in the domain and I have since removed it. Now the nslookup times out on the primary DNS server after 2 seconds.

It appears that the DNS server service is running on the server.
0
 
LVL 5

Assisted Solution

by:R. Toby Richards
R. Toby Richards earned 2000 total points
ID: 40601384
And the DNS server that nslookup reports using has forwarders to an ISP or Google or Level-3 DNS server?
0
 
LVL 5

Assisted Solution

by:R. Toby Richards
R. Toby Richards earned 2000 total points
ID: 40601395
Oh, and on the Advanced tab for the DNS server properties, make sure that "Disable recursion" is NOT checked. Also make sure on the forwarders tab under "All other DNS domains" "Do not use recursion for this domain" is NOT checked.
0
 

Author Comment

by:MBisch
ID: 40601472
I originally had the forwarders of 8.8.8.8 and 4.4.4.1 and they were not resolving correctly.
I added 8.8.4.4 and it started resolving correctly.
AND THEN...
I received a call from our Internet Service Provider, Windstream.
It turns out that there was a network based firewall that was having memory issues that caused DNS resolution to fail.

So, the problem all along was caused by our firewall.
0
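
The checks suggested across this thread (wildcard record in the internal zone, recursion, forwarders, UDP and TCP port 53), collected as an added PowerShell example that is not part of any poster's reply. It assumes the DnsServer module (Windows Server 2012 or later) and is run on the DNS server; `mydomain.com` is the thread's placeholder zone, and `$DnsServer` and `$TestName` are assumptions to adjust.

```powershell
# Added example: placeholder values, adjust before running.
$Zone      = 'mydomain.com'   # internal zone, placeholder name used in the thread
$DnsServer = 'localhost'      # assumption: run on the DC that hosts DNS
$TestName  = 'google.com.'    # trailing dot = fully qualified, no DNS suffix appended

# 1. Wildcard probe: a random label cannot exist, so any answer means a wildcard.
$probe = '{0}.{1}.' -f [guid]::NewGuid().ToString('N'), $Zone
$hit = Resolve-DnsName -Name $probe -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue
if ($hit) {
    Write-Warning "Wildcard answers in ${Zone}: $probe resolved"
    Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $DnsServer |
        Where-Object { $_.HostName.StartsWith('*') } |
        ForEach-Object { "  wildcard record: $($_.HostName) ($($_.RecordType))" }
} else {
    "No wildcard answer for $probe"
}

# 2. Recursion must be enabled for the server to resolve external names.
$rec = Get-DnsServerRecursion -ComputerName $DnsServer
"Recursion enabled: $($rec.Enable)"

# 3. Query every configured forwarder directly, over UDP and then TCP port 53.
$fwd = Get-DnsServerForwarder -ComputerName $DnsServer
"Use root hints if forwarders fail: $($fwd.UseRootHint)"
foreach ($ip in $fwd.IPAddress) {
    foreach ($tcp in $false, $true) {
        $ok = $true
        try {
            $null = Resolve-DnsName -Name $TestName -Server $ip.ToString() -Type A `
                        -DnsOnly -TcpOnly:$tcp -ErrorAction Stop
        } catch { $ok = $false }
        $proto  = if ($tcp) { 'TCP' } else { 'UDP' }
        $result = if ($ok)  { 'answers' } else { 'FAILED' }
        '{0,-15} {1} {2}' -f $ip, $proto, $result
    }
}

# 4. Finally ask the internal server itself for the fully qualified external name.
Resolve-DnsName -Name $TestName -Server $DnsServer -Type A -DnsOnly
```

If every forwarder fails in step 3 while pinging the same addresses succeeds, the fault is on the path for port 53 rather than in the DNS server configuration, which matches the firewall cause reported above.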


Question has a verified solution.
