Solved

DNS no longer allowing us to get to external websites

Posted on 2015-02-10
Last Modified: 2015-02-10
We came in this morning and noticed that there was a DNS problem where we could not get to external sites.
Internal DNS settings appear to be working, but we cannot get to any external websites without typing in the IP address.

I'm not aware of any updates that were installed or changes that were made.

We are in a Windows environment and have split DNS set up so (under normal circumstances) we can resolve internal and external IPs.

Where should I start troubleshooting?
0
Question by:MBisch
13 Comments
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40601150
I'm curious what you mean by "split DNS setup". Each of your internal DNS servers should have a forwarder to "All other DNS domains" with at least one external DNS server. I have found that forwarding "All other DNS domains" to 8.8.8.8 (Google's public DNS server) and 4.4.4.1 (Level-3's public DNS server) (in that order) is faster than using my ISP's DNS servers.
0
 
LVL 17

Expert Comment

by:OriNetworks
ID: 40601193
If this only suddenly broke, you obviously had it configured in a working condition to begin with, so let's address things that may have changed. I assume you haven't changed any firewall rules, you have tried a simple restart, and this affects all clients and not just one or two. Since you mention a split DNS setup, I assume you have Active Directory configured and you use your DC to host DNS services for your internal clients through DNS forwarders.

1. Ping a known working IP address, e.g. ping several: 8.8.8.8, 8.8.4.4, 4.4.4.1. If this fails, you have a routing/internet problem and probably should call your ISP.
2. One of your DNS forwarders may be unavailable. For example, most ISPs have DNS servers that they hand out, and these may be temporarily offline. Check your forwarders from the DNS console on the domain controller and, as the previous poster suggested, add 8.8.8.8 and 4.4.4.1 to the forwarders list.
3. Test DNS again. From your client machine, try to ping google.com to make sure it can resolve to an IP address. It doesn't matter so much if it can successfully ping, but it should receive a reply. The important thing here is that you see the IP address it is resolving for google.com.
0
 

Author Comment

by:MBisch
ID: 40601226
Thanks for your input.
I had it set up to use other internal DNS servers as forwarders and then to use root hints if there are no forwarders.
I have gone in and removed the other internal DNS servers from the forwarders and have added 8.8.8.8 and 4.4.4.1.
I haven't changed any config and it worked yesterday.
It appears that something happened overnight for this to stop working.
0
 

Author Comment

by:MBisch
ID: 40601242
OriNetworks,
I can successfully ping 8.8.8.8 and 4.4.4.1, but can't get external domain names to resolve.
0
 
LVL 5

Accepted Solution

by: R. Toby Richards (earned 500 total points)
ID: 40601247
What happens if you do "nslookup google.com"?
0
 

Author Comment

by:MBisch
ID: 40601301
When I do an nslookup for google.com it comes back with an IP address for a local DNS server:

Server: internalDNSserver.com
Address: IP address of internal DNS server

Name: a.different.internalDNSserver.com
Addresses: IP address of internal DNS server
           IP address of internal DNS server
Aliases: google.com.mydomain.com
0
 
LVL 5

Expert Comment

by:R. Toby Richards
ID: 40601322
So the first thing to investigate is why it's appending ".mydomain.com" to "google.com"
0
 
LVL 5

Assisted Solution

by: R. Toby Richards (earned 500 total points)
ID: 40601326
It looks to me like maybe you have a wildcard DNS zone or record. In your DNS records on your internal DNS server look for *.mydomain.com.

Explanation of DNS Wildcards
0
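The check suggested above, as an added PowerShell example (not code from the thread or its participants). It reproduces the diagnosis from the nslookup output earlier in the thread: query the name bare and fully qualified (trailing dot) to see whether the domain suffix is being appended, then search every primary forward zone on the server for a wildcard ("*") record. The server name, zone name and record type in the remove command are placeholders; it assumes the DnsServer RSAT module is installed.

```powershell
# Added example, not code from the original thread. Diagnoses the symptom in the nslookup
# output above: "google.com" answering with an internal address because the resolver
# appended the domain suffix and a wildcard record in the internal zone matched.
# Assumptions (placeholders): the internal DNS server name; DnsServer RSAT module present.
$DnsServer    = 'internalDNSserver.mydomain.com'
$ExternalName = 'google.com'

# 1. Query the bare name and the same name with a trailing dot. The trailing dot makes it
#    fully qualified, so no search suffix can be appended. If the bare query comes back
#    with a suffixed name, the resolver fell through to the internal zone.
$bare = Resolve-DnsName -Name $ExternalName   -Server $DnsServer -Type A -DnsOnly -ErrorAction SilentlyContinue
$fqdn = Resolve-DnsName -Name "$ExternalName." -Server $DnsServer -Type A -DnsOnly -ErrorAction SilentlyContinue

# An A record whose Name is "google.com.<something>" was answered for a suffixed name.
$suffixed = @($bare | Where-Object { $_.Type -eq 'A' -and $_.Name -like "$ExternalName.?*" })
if ($suffixed.Count -gt 0) {
    "WARNING: '$ExternalName' was answered as $($suffixed.Name -join ', ') -> $($suffixed.IPAddress -join ', ')"
}
if (-not ($fqdn | Where-Object Type -eq 'A')) {
    "WARNING: '$ExternalName.' (fully qualified) did not resolve via $DnsServer; upstream resolution is failing"
}

# 2. Find wildcard records in every primary forward zone on the server. A '*' host record
#    answers for any name that does not otherwise exist in the zone, which is what turns an
#    upstream failure into a wrong answer instead of a visible timeout.
$zones = Get-DnsServerZone -ComputerName $DnsServer |
         Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated }
foreach ($z in $zones) {
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $z.ZoneName -ErrorAction SilentlyContinue |
        Where-Object { $_.HostName -match '^\*(\.|$)' } |
        ForEach-Object { "Wildcard in $($z.ZoneName): $($_.HostName) $($_.RecordType)" }
}

# 3. Remove an offending wildcard A record once you have confirmed nothing depends on it
#    (uncomment to apply; -Force suppresses the confirmation prompt):
# Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName 'mydomain.com' -Name '*' -RRType A -Force
```

The trailing-dot query is the quickest way to tell the two failure modes apart: if "google.com." fails while "google.com" returns an internal address, the wildcard is masking an upstream problem rather than causing one.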
 
LVL 35

Expert Comment

by:Mahesh
ID: 40601354
Ensure that you are able to telnet to the ISP DNS servers on TCP port 53 from the domain controller.

Test name resolution from all servers to identify which server fails:
nslookup
set debug
google.com
0
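The steps from OriNetworks' comment (ping known addresses, check forwarders, resolve an external name) and Mahesh's (TCP 53 to the forwarders, test from every server) combined into one pass, as an added PowerShell example that is not code from the thread. It runs against every domain controller and reports, per server, whether each configured forwarder is reachable on TCP 53 and actually answers a query, and whether the server itself resolves an external name. The public addresses and test name are illustrative; it assumes a domain-joined admin host with the DnsServer and ActiveDirectory RSAT modules.

```powershell
# Added example, not code from the original thread. Runs the checks from the two comments
# above across every DNS server in the domain: ICMP to known public addresses, TCP 53 to
# each configured forwarder, a query sent straight to each forwarder, and a query through
# the server itself, so the server (or forwarder) that fails stands out.
# Assumptions (placeholders): DnsServer and ActiveDirectory RSAT modules; the public
# addresses and test name are illustrative.
$ExternalIPs = '8.8.8.8', '8.8.4.4'
$TestName    = 'google.com.'     # trailing dot: fully qualified, no search suffix appended

# Step 1: raw Internet reachability. If this fails it is routing or the ISP, not DNS.
$pingOk = ($ExternalIPs | ForEach-Object { Test-Connection -ComputerName $_ -Count 1 -Quiet }) -notcontains $false
"Internet reachable by ICMP: $pingOk"

# Every domain controller is assumed to run DNS; substitute an explicit list if not.
$DnsServers = (Get-ADDomainController -Filter *).HostName

$report = foreach ($srv in $DnsServers) {
    # Step 2: forwarders configured on this server, and whether each one is reachable on
    #         TCP 53 and actually answers a query sent to it directly. Pingable but not
    #         answering (the situation in this thread) shows up as tcp53/answers=False.
    $fwd = Get-DnsServerForwarder -ComputerName $srv -ErrorAction SilentlyContinue
    $fwdStatus = foreach ($ip in $fwd.IPAddress) {
        $tcp53 = Test-NetConnection -ComputerName "$ip" -Port 53 -InformationLevel Quiet -WarningAction SilentlyContinue
        $ans   = Resolve-DnsName -Name $TestName -Server "$ip" -Type A -DnsOnly -ErrorAction SilentlyContinue
        '{0} tcp53={1} answers={2}' -f $ip, $tcp53, [bool]$ans
    }
    $fwdText = if ($fwdStatus) { $fwdStatus -join '; ' } else { '(none configured)' }

    # Step 3: what clients see, a query through the server itself.
    $via = Resolve-DnsName -Name $TestName -Server $srv -Type A -DnsOnly -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server      = $srv
        Forwarders  = $fwdText
        UseRootHint = $fwd.UseRootHint
        ResolvesExt = [bool]$via
        Answer      = ($via | Where-Object Type -eq 'A' | Select-Object -ExpandProperty IPAddress) -join ','
    }
}
$report | Format-Table -AutoSize
```

Read the Forwarders column first: a forwarder that pings but shows answers=False is a filtering or upstream fault (the ISP firewall in this case), while tcp53=False on every forwarder from every server points at the edge, not at DNS configuration.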
 

Author Comment

by:MBisch
ID: 40601370
there was a wildcard in the domain and I have since removed it. Now the nslookup times out on the primary DNS server after 2 seconds.

It appears that the DNS server service is running on the server.
0
 
LVL 5

Assisted Solution

by: R. Toby Richards (earned 500 total points)
ID: 40601384
And the DNS server that nslookup reports using has forwarders to an ISP or Google or Level-3 DNS server?
0
 
LVL 5

Assisted Solution

by: R. Toby Richards (earned 500 total points)
ID: 40601395
Oh, and on the Advanced tab for the DNS server properties, make sure that "Disable recursion" is NOT checked. Also make sure on the forwarders tab under "All other DNS domains" "Do not use recursion for this domain" is NOT checked.
0
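The settings named in the last two comments (recursion, forwarders, root-hint fallback) as an added PowerShell audit, not code from the thread. Get-DnsServerRecursion exposes the "Disable recursion" checkbox as Enable, and Get-DnsServerForwarder exposes the forwarders tab, where UseRootHint is the root-hints fallback; when it is false the server is forward-only and has nowhere to go if the forwarders do not answer. It also flags the setup the author described earlier, forwarders that are themselves internal DNS servers. Server names and the internal address prefix are placeholders; corrections are applied only when $Fix is set.

```powershell
# Added example, not code from the original thread. Audits each DNS server for the
# settings that stop external names resolving: recursion disabled, no usable upstream
# (no forwarders and root hints off or empty), or forwarders that are all internal servers.
# Assumptions (placeholders): DnsServer RSAT module; server list and internal prefix.
$DnsServers     = 'dc1.mydomain.com', 'dc2.mydomain.com'
$InternalPrefix = '10.'          # adjust for your network
$Fix            = $false         # set $true to apply the corrections below

foreach ($srv in $DnsServers) {
    $rec       = Get-DnsServerRecursion -ComputerName $srv
    $fwd       = Get-DnsServerForwarder -ComputerName $srv
    $rootHints = (Get-DnsServerRootHint -ComputerName $srv -ErrorAction SilentlyContinue | Measure-Object).Count
    $problems  = @()

    # "Disable recursion" checked: the server answers only from its own zones and cache.
    if (-not $rec.Enable) { $problems += 'recursion disabled' }

    # Nothing upstream: no forwarders, and root hints either disabled or not loaded.
    if ($fwd.IPAddress.Count -eq 0 -and (-not $fwd.UseRootHint -or $rootHints -eq 0)) {
        $problems += 'no forwarders and root hints unavailable'
    }

    # Forwarding only to other internal servers moves the problem around rather than out.
    $internalFwd = @($fwd.IPAddress | Where-Object { "$_" -like "$InternalPrefix*" })
    if ($internalFwd.Count -gt 0 -and $internalFwd.Count -eq $fwd.IPAddress.Count) {
        $problems += "all forwarders are internal ($($internalFwd -join ', '))"
    }

    if ($problems.Count -eq 0) {
        "$srv : OK (forwarders: $($fwd.IPAddress -join ', '); UseRootHint=$($fwd.UseRootHint))"
        continue
    }
    "$srv : $($problems -join '; ')"

    if ($Fix) {
        if (-not $rec.Enable) { Set-DnsServerRecursion -ComputerName $srv -Enable $true }
        # Point "All other DNS domains" at public resolvers and keep root hints as the fallback.
        Set-DnsServerForwarder -ComputerName $srv -IPAddress 8.8.8.8, 8.8.4.4 -UseRootHint $true
    }
}
```

Run it read-only first; the output line per server tells you which of the three conditions applies before anything is changed.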
 

Author Comment

by:MBisch
ID: 40601472
I originally had the forwarders of 8.8.8.8 and 4.4.4.1 and they were not resolving correctly.
I added 8.8.4.4 and it started resolving correctly.
AND THEN...
I received a call from our Internet Service Provider, Windstream.
It turns out that there was a network-based firewall that was having memory issues that caused DNS resolution to fail.

So, the problem all along was caused by our firewall.
0
