DNS issue

Hello, I have a DNS server on a network that is not NAT'd to the internet, and it does some conditional forwarding for one of our clients so that we can use a View client connection to their servers. It is working great with one NIC and I can ping the addresses and everything is happy. But when I bring in a second NIC that has access to the internet and our internal LANs, everything breaks. Any thoughts?
Bradley Bishop, Associate Product Developer, asked:

kevinhsieh commented:
Do you have a default gateway on both interfaces? That will lead to very unpredictable results. Only one NIC should have a default gateway. Unless you have a good understanding of routing and how to add static routes to a server, I suggest having only one NIC.
David Johnson, CD, MVP, Owner, commented:
Don't use a gateway on the 2nd NIC.
Bradley Bishop, Associate Product Developer (author), commented:
The reason I want to bring in the 2nd NIC is so that I can get updates and access the internet from the server. When I have no gateway on the second NIC it is almost the same as not having one at all.
arnold commented:
Once you bring up the second NIC, which is connected to the internet, this system is now the gateway into your environment if it is compromised.

Could you provide detail on what it is you are trying to accomplish with this setup?
As long as the system is on a LAN and as long as it is configured with a default gateway/router destination.
Bradley Bishop, Associate Product Developer (author), commented:
I have a network that is completely isolated from all other networks. It has very specific DNS and gateways, as well as no access to the internet, to work with one of our clients. The client requested that I bring up a DNS server to do some conditional forwarding for them. I have done this and was successful.

However, I cannot update the system this way. So to update the system I have needed to basically "break" the server by bringing in a second NIC that is on our server LAN, which has full access to the internet and our other servers, so that I can perform updates. When I do this none of my DNS for my clients works and I cannot ping any of the addresses from the server.

I have a need now to add them to AD and bring them under control of our forest. So I need to bring in a second NIC that is on our server LAN for this to work.
Daniel McAllister, President, IT4SOHO, LLC, commented:
I am sorry to disagree with others, but you can certainly do what you want to do.

1) Set the network settings for the LAN interface -- NO GATEWAY SETTING (these are all LAN connected, so no gateway is desired or necessary)
2) Set the network settings for the WAN interface WITH the gateway setting (so you can connect to the Internet)
3) DO NOT BRIDGE or otherwise connect these interfaces, and DO NOT enable ROUTING on the server.

By default, Windows will want to be a/the NAT server for the LAN, but that doesn't mean you can't turn it off.
If Windows enables it by default, turn it OFF in "Routing and Remote Access"

Now, your server can access the Internet, but it will NOT serve as a gateway for your connected LAN devices.

I hope this helps.

Dan
IT4SOHO
Bradley Bishop, Associate Product Developer (author), commented:
I did what you said by taking out the default gateway on NIC 1 (not NAT'd, no internet access) and putting it back in on NIC 2 (NAT'd internet access), and I can access the internet but can no longer ping the necessary addresses for the conditional forwarders to work.

I do not have Routing and Remote Access installed on the server and am unfamiliar with it. I saw the service is disabled. Do I need to enable it or do something else to configure it? Sorry if that is a dumb question.
kevinhsieh commented:
You either need to:

1. Have a router that can route traffic to both the Internet and the isolated networks, and use that as the gateway for the server. The router should be able to filter/firewall traffic to prevent the isolated network from talking to the Internet.

2. Use the Internet-connected NIC as the one with the default gateway, and then put static routes on the server so that it knows how to communicate back to the isolated networks.

Option 1 is generally preferable because in general you should configure traffic flows using network equipment and not be dependent on individual host settings. Configuring routing at the host level is unusual, error prone, and not scalable. If you need to go with option 2, the command is "route add". If you provide a network diagram I can give you the specific syntax. I would need the IP address of the old gateway, as well as the IP networks of everything on the other side of that gateway that you need to communicate with.
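One way to carry out option 2 on a Windows server, as an added example that is not part of this thread or any participant's answer. It uses the NetTCPIP cmdlets with the addressing the question gives (10.10.0.5 on the isolated NIC, 10.10.0.1 as the VPN router); the interface aliases and the client network prefixes (RFC 5737 documentation ranges) are assumptions to be replaced with the real values from ipconfig /all.

```powershell
# Added example (not from the thread): one default gateway on the internet-side NIC,
# static routes for the client networks via the VPN router on the isolated NIC,
# and IP forwarding off so the server never acts as a gateway between the two.
# Interface aliases and the client prefixes are assumptions; check ipconfig /all.
$LanNic     = "Ethernet"          # NIC 1: isolated segment, 10.10.0.5/24 in the thread
$WanNic     = "Ethernet 2"        # NIC 2: server LAN with internet access
$VpnRouter  = "10.10.0.1"         # gateway on the isolated segment (from the thread)
$ClientNets = @("192.0.2.0/24", "198.51.100.0/24")   # placeholders for the client's networks

# 1. Strip any default route from the isolated-side NIC (Dan's step 1, kevinhsieh's advice).
Get-NetRoute -AddressFamily IPv4 -DestinationPrefix "0.0.0.0/0" -InterfaceAlias $LanNic -ErrorAction SilentlyContinue |
    Remove-NetRoute -Confirm:$false

# 2. Exactly one IPv4 default route must remain, and it must sit on the internet-side NIC.
$defaults = @(Get-NetRoute -AddressFamily IPv4 -DestinationPrefix "0.0.0.0/0")
if ($defaults.Count -ne 1 -or $defaults[0].InterfaceAlias -ne $WanNic) {
    $seen = ($defaults | ForEach-Object { "$($_.NextHop) via $($_.InterfaceAlias)" }) -join "; "
    throw "Expected one IPv4 default route on '$WanNic'; found: $seen"
}

# 3. Static routes for the client networks via the VPN router on the isolated NIC.
#    New-NetRoute persists across reboots, like 'route add -p <net> mask <mask> 10.10.0.1'.
foreach ($net in $ClientNets) {
    if (-not (Get-NetRoute -DestinationPrefix $net -ErrorAction SilentlyContinue)) {
        New-NetRoute -DestinationPrefix $net -InterfaceAlias $LanNic -NextHop $VpnRouter | Out-Null
    }
}

# 4. The server must not route between its two segments (Dan's step 3).
Set-NetIPInterface -InterfaceAlias $LanNic, $WanNic -AddressFamily IPv4 -Forwarding Disabled

# 5. Show the resulting table: one 0.0.0.0/0 entry and one entry per client network.
Get-NetRoute -AddressFamily IPv4 |
    Where-Object { $_.DestinationPrefix -eq "0.0.0.0/0" -or $ClientNets -contains $_.DestinationPrefix } |
    Format-Table DestinationPrefix, NextHop, InterfaceAlias, RouteMetric -AutoSize
```

Run it from an elevated PowerShell session on the server console (or over the internet-side NIC), since step 1 removes the only route that would carry a session arriving through the isolated-side gateway. The throw in step 2 is the check that matters: two 0.0.0.0/0 entries is the "default gateway on both interfaces" condition described earlier in the thread.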

Aaron Tomosky, Director of Solutions Consulting, commented:
Additionally, make sure to only bind the DNS service to the correct interface. By default it will bind to all interfaces.
arnold commented:
In which direction is the forwarding?

Isolated, means there has to be a route/path from the system to the segments that will be either querying it or responding to their query.

You can create a path from the LAN to the DNS server's to have remote administration option without granting that system access to the NET.
What is the source of data on the DNS server? Is it getting done only when there is an established VPN to or from the client?
                              Internet
                                 ^
                                 |
    DNS server <=> Path into your network [ROUTER] <=> path into the LAN
    192.168.254.0/24                                    10.0.0.0/16
This allows some queries from the LAN to hit the DNS server to get responses

You need to layout your network topology and what it is you want to achieve.
You can either setup a rule on the router to allow specific outgoing traffic from the DNS server through all the way out to the internet/client system.
Bradley Bishop, Associate Product Developer (author), commented:
The flow of the current network goes as follows:

    LAN Computers => Local DNS => Client DNS (which I have no control of)
    10.10.0.0/24     10.10.0.5    List of IPs on client network

The LAN computers resolve a load-balanced URL into a VMware View client. They hit my DNS, where I have several conditional forwarders set up with multiple addresses in each.

The way that I would like it to work:

    LAN Computers => Local DNS => Client DNS (which I have no control of)
    10.10.0.0/24     10.10.0.5    List of IPs on client network
                     10.10.10.5 => Only the server has access to the internet.
arnold commented:
Do you have a direct connection or a VPN to the client side?

Where does the default gateway of the single NIC on this server terminate? That is where you can grant the system access to the outside.

10.10.0.0/24 cannot directly communicate with 10.10.10.0/24; something else is in the middle routing the traffic. Depending on what this device is, it might be configurable to allow 10.10.10.5-originated traffic to get out (NATed) while all other 10.10.10.x systems are denied.

I would, though, caution against allowing internet access into the 10.10.10.5 system. The segment is isolated for a reason. Access to the 10.10.10.5 system should be limited to a single/specific system on the 10.10.0.0/24 segment.
Bradley Bishop, Associate Product Developer (author), commented:
We have a VPN set up for the 10.10.0.0/24 and the gateway is 10.10.0.1, which is our router, but we are a small company that is still growing our IT and we do not control the gateway for that. It is subbed out to a different company that we pay support plans for. The feedback that I am getting is that they do not wish to use a ticket for this, since it is not mission critical.

And the 10.10.10.0/24 subnet already has internet. I am not interested in giving the 10.10.0.0/24 subnet internet at all. I am just looking for a way to utilize that subnet on my server and just for my server.

Also, all the LAN devices are connected to the 10.10.0.0/24 subnet and have my DNS server as their primary DNS.
Steve commented:
Apologies for coming in late on this one. Sorry to all if I repeat something already said...

To confirm my understanding: you have a server and clients on a network (10.10.0.0/24). There is no internet access, but you have working DNS, albeit internal only.
Do any of the devices (or the server) on the 10.10.0.0/24 subnet have a gateway set? If yes, what is it and why? Is there a router on the subnet at all?

You want to add another NIC to the server and connect it to the 10.10.10.0/24 subnet that already exists, and allow the server to have internet access to resolve/forward some DNS requests. You don't want any other device on the 10.10.0.0/24 subnet to see or know about this link?

Is that right, or have I misread a bit?

If I'm right it shouldn't pose any problem at all... please confirm if I'm off base here so we can get this sorted out.
Bradley Bishop, Associate Product Developer (author), commented:
No, you are completely right and on track.

The gateway for 10.10.0.0/24 is 10.10.0.1 and it only serves to forward the VPN to the client network. There is no dedicated router on the subnet.

The NIC on 10.10.10.0/24 does not need to serve any DNS requests from any devices, only allow internet to the server.
Steve commented:
Should work fine then.
What are the full IP specs for the NIC the server has on the 10.10.10.0 network? IP, DNS, gateway, mask?
Bradley Bishop, Associate Product Developer (author), commented:
10.10.10.21 255.255.255.0 10.10.10.1 and 10.10.10.12
Has full access to the internet and other servers.
Steve commented:
Looks fine so far.
Make sure you amend the DNS bindings on the server so it DOESN'T serve DNS on the 10.10.10.21 NIC and doesn't have a DNS entry for itself on that IP either.

Could you do a bit of pinging/nslookup/testing to see what isn't working on your LAN when this additional NIC is added?
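The DNS-side part of that advice (from Aaron's and Steve's comments) on a Windows DNS server, as an added example that is not part of this thread or any participant's answer. It assumes the DnsServer PowerShell module; the internet-side NIC alias, the client's zone name and the client DNS addresses are placeholders.

```powershell
# Added example (not from the thread): restrict the DNS Server service to the
# isolated-side address, keep the internet-side address out of DNS, and define a
# conditional forwarder of the kind the thread describes. The WAN alias, the zone
# name and the client DNS addresses are placeholders.
$LanIp      = "10.10.0.5"                     # DNS listen address (from the thread)
$WanNic     = "Ethernet 2"                    # internet-side NIC alias (assumption)
$ClientZone = "view.client.example"           # placeholder: the client's DNS zone
$ClientDns  = @("192.0.2.53", "192.0.2.54")   # placeholder: the client's DNS servers

# 1. Listen on 10.10.0.5 only; by default the service binds every interface,
#    including the 10.10.10.x address the isolated clients cannot reach.
dnscmd /ResetListenAddresses $LanIp
# DnsServer-module form (2016+): $s = Get-DnsServerSetting -All; $s.ListeningIPAddress = @($LanIp); Set-DnsServerSetting -InputObject $s

# 2. Stop the server registering its internet-side address in DNS (Steve's point
#    about not having an entry for itself on that IP).
Set-DnsClient -InterfaceAlias $WanNic -RegisterThisConnectionsAddress $false

# 3. Conditional forwarder: queries for the client's zone go to the client's servers,
#    everything else follows the server's normal forwarders/root hints.
if (-not (Get-DnsServerZone -Name $ClientZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $ClientZone -MasterServers $ClientDns
}
Restart-Service DNS

# 4. Verify: UDP 53 is bound to 10.10.0.5 alone, and a query sent to the local
#    server for a client name is answered via the forwarder rather than the cache.
Get-NetUDPEndpoint -LocalPort 53 | Select-Object LocalAddress, OwningProcess
Resolve-DnsName -Name "desktops.$ClientZone" -Server $LanIp -Type A -DnsOnly
```

The endpoint listing in step 4 is the quick way to confirm the binding change took effect: it should show 10.10.0.5 (and loopback) but no 10.10.10.x address. Step 2 matters for the later AD-join goal in the thread, because a domain controller or member that registers both addresses hands isolated-segment clients an unreachable address half the time.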
Bradley Bishop, Associate Product Developer (author), commented:
When the additional NIC is added, with no other configuration except for the DNS not being bound to that IP, nothing works.
arnold commented:
Without knowing what your system configuration is, it is hard to explain why the addition/activation of the second NIC renders the system useless.
Something else is in play.
ipconfig /all
netstat -rn

Something is either superseding or resetting access.
Steve commented:
"Nothing works"
Could you be more specific please?

E.g. during the issue, can you ping the server's IP? Can you ping other PCs' IPs? Can the server ping itself? Can the server ping a PC? Etc.
kevinhsieh commented:
Do "route print" from your DNS server. Once with only the original NIC connected, and then again with both NICs. Post the results here.
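A script that collects exactly that comparison (route table, ipconfig /all and the server-side pings that arnold and Steve asked for) with NIC 2 down and then up, as an added example that is not part of this thread or any participant's answer. The NIC alias and the ping targets are assumptions.

```powershell
# Added example (not from the thread): snapshot routing and reachability with the
# second NIC disabled, then enabled, and diff the two. Run it on the server console
# (not over a session that rides NIC 2, which the script takes down briefly).
$WanNic  = "Ethernet 2"                       # internet-side NIC alias (assumption)
$Targets = @("10.10.0.1", "192.0.2.53")       # VPN router (thread) and a placeholder client address
$OutDir  = Join-Path $env:TEMP "dns-nic-diag"
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

function Save-Snapshot {
    param([string]$Label)
    # The raw outputs the thread asked to see
    route print -4 | Set-Content (Join-Path $OutDir "$Label-routeprint.txt")
    ipconfig /all  | Set-Content (Join-Path $OutDir "$Label-ipconfig.txt")
    # A normalised route list that diffs cleanly
    Get-NetRoute -AddressFamily IPv4 |
        Sort-Object DestinationPrefix, InterfaceAlias |
        ForEach-Object { "{0,-20} {1,-16} {2,-14} metric {3}" -f $_.DestinationPrefix, $_.NextHop, $_.InterfaceAlias, $_.RouteMetric } |
        Set-Content (Join-Path $OutDir "$Label-routes.txt")
    # Reachability from the server itself (Steve's "can the server ping ..." questions)
    foreach ($t in $Targets) {
        $ok   = Test-Connection -ComputerName $t -Count 2 -Quiet
        $line = "{0}: ping {1} -> {2}" -f $Label, $t, $(if ($ok) { "reply" } else { "NO reply" })
        $line
        Add-Content (Join-Path $OutDir "$Label-ping.txt") $line
    }
}

# State A: only NIC 1 active (the configuration that worked)
Disable-NetAdapter -Name $WanNic -Confirm:$false
Start-Sleep -Seconds 5
Save-Snapshot -Label "one-nic"

# State B: both NICs active (the configuration that breaks)
Enable-NetAdapter -Name $WanNic -Confirm:$false
Start-Sleep -Seconds 10
Save-Snapshot -Label "two-nic"

# Routes that appear or vanish when NIC 2 comes up. A second 0.0.0.0/0 line, or a
# 0.0.0.0/0 line whose interface changes, is the "two default gateways" problem
# named earlier in the thread; a client prefix that disappears means a static
# route is missing on the isolated-side NIC.
Compare-Object (Get-Content (Join-Path $OutDir "one-nic-routes.txt")) `
               (Get-Content (Join-Path $OutDir "two-nic-routes.txt")) |
    Format-Table SideIndicator, InputObject -AutoSize
```

The files under the output directory are what to paste into a thread like this one: the two route print captures side by side usually show the cause directly, since the pings in one-nic-ping.txt will succeed via 10.10.0.1 and the same pings in two-nic-ping.txt will fail once the default route has moved to the other interface.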
David Johnson, CD, MVP, Owner, commented:
    10.10.0.0/24     10.10.0.5    List of IPs on client network
                     10.10.10.5 => Only the server has access to the internet.

NIC 1 10.10.0.5 should not have a gateway.
NIC 2 10.10.10.5 should have a gateway.