Solved

DNS question

Posted on 2016-09-22
Last Modified: 2016-09-27
Hi All

We have in our environment two Windows DNS servers, and both of them also work as DCs.

Plus we have two BIND servers on Linux, and these BIND servers work as slaves to our Windows DNS server, and we have configured all the zones on these BIND servers.

So when we use nslookup on the Windows DNS and BIND servers which have all the zones configured to query any AAA record, we get an answer.

Now we installed a brand new BIND server without copying all the zones, and we asked this server to query a record but we got no answer.

It looks like when this new BIND server asks one of our Windows DNS servers, it gets no answer. But when we ask the Windows DNS server directly we get an answer.

So there is a forwarding issue. Any advice?


# more /etc/resolv.conf
# Generated by NetworkManager
search ie.sword.com sword.com
nameserver 192.168.44.1
nameserver 192.168.55.1
# nslookup titi.sword.com
;; Got SERVFAIL reply from 192.168.44.1, trying next server
;; Got SERVFAIL reply from 192.168.44.1, trying next server
Server:         192.168.55.1
Address:        192.168.55.1#53

** server can't find titi.sword.com.sword.com: SERVFAIL
Question by:sword12
17 Comments
 
LVL 43

Expert Comment

by:Steve Knight
ID: 41811936
Seeing this on my phone so I have not looked a lot, but it seems you have it trying to resolve "can't find titi.sword.com.sword.com", as you haven't added a dot on the end of the name to say the name is fully qualified, so then it is adding your completion domains?

Steve
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 41811989
Now we installed a brand new BIND server without copying all the zones, and we asked this server to query a record but we got no answer.

It looks like when this new BIND server asks one of our Windows DNS servers, it gets no answer. But when we ask the Windows DNS server directly we get an answer.


Sorry but I don't get this?

If you are not adding windows server zones as secondary / slave on bind server OR if you are not setting any forwarder on bind server pointing to windows server, it won't resolve queries

Mahesh.
0
 

Author Comment

by:sword12
ID: 41812002
Hi Mahesh

We configured the new Red Hat BIND server as a forwarding DNS server to ask our Windows domain controller DNS server,

but it got no answer.

When we change the forwarding configuration to another BIND server which works as a slave with transferred zones from the Windows server, it gets an answer.

So we ask ourselves why, when a Linux or Solaris BIND server forwards a request to a Linux BIND server, they get an answer, but when they forward a request to Windows we get no answer.

We set the forwarding in named.conf.

I don't know if this is related to a Windows security issue or Unicode stuff or anything. I am really confused, please advise.


Forwarding DNS Server

The second configuration that we will be demonstrating is a forwarding DNS server. A forwarding DNS server will look almost identical to a caching server from a client's perspective, but the mechanisms and work load are quite different.

A forwarding DNS server offers the same advantage of maintaining a cache to improve DNS resolution times for clients. However, it actually does none of the recursive querying itself. Instead, it forwards all requests to an outside resolving server and then caches the results to use for later queries.

This lets the forwarding server respond from its cache, while not requiring it to do all of the work of recursive queries. This allows the server to only make single requests (the forwarded client request) instead of having to go through the entire recursion routine. This may be an advantage in environments where external bandwidth transfer is costly, where your caching servers might need to be changed often, or when you wish to forward local queries to one server and external queries to another server.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 41812079
Are you doing zone transfers from the Windows boxes or are you simply forwarding requests to them from the BIND servers?
0
 

Author Comment

by:sword12
ID: 41812081
Hi Craig

I am simply forwarding requests to them from the BIND servers.


Simply, we forward the request to the Windows DNS server and we get no answer,

but when we forward the request to another BIND server which is configured as a slave to the Windows server with all zones transferred, we get an answer.

Why does Windows DNS not answer the request from our Linux BIND server even
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 41812234
Are you sure the BIND server is forwarding the request?  If it is, the Windows server would answer.  You already know that as you can resolve if you query it directly.

Have you got all the steps correct when configuring the server as a forwarder?
0
 

Accepted Solution

by:
sword12 earned 0 total points
ID: 41812358
Hi Craig

I fixed the problem when I changed

/named.conf

from

 dnssec-enable yes;
 dnssec-validation yes;

to


dnssec-enable no;
 dnssec-validation no;


Now it works.
0
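
A check that separates a DNSSEC validation failure from a forwarding failure on a BIND forwarder like the one in this thread, as an added example (not code from the thread or from any participant). It uses standard DNS behaviour: a SERVFAIL that disappears when the query sets the CD (checking disabled) flag comes from validation, the same comparison as running dig with and without +cd. All function names and the sample headers are constructed for illustration.

```python
import socket
import struct

SERVFAIL = 2
RD_FLAG, CD_FLAG = 0x0100, 0x0010
DO_BIT = 0x8000  # EDNS0 "DNSSEC OK" flag, set by validating resolvers

# Constructed 12-byte response headers (not captured traffic)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
SAMPLE_NOERROR = struct.pack("!HHHHHH", 0x1234, 0x8190, 1, 1, 0, 0)


def build_query(name, qtype=1, cd=False, do=True, qid=0x1234):
    """Recursive query; cd=True asks the resolver to skip DNSSEC validation."""
    flags = RD_FLAG | (CD_FLAG if cd else 0)
    header = struct.pack("!HHHHHH", qid, flags, 1, 0, 0, 1 if do else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)
    # OPT record: root name, type 41, UDP size 4096, ext-rcode 0, version 0, DO, no data
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, DO_BIT, 0)
    return header + question + (opt if do else b"")


def rcode(response):
    """RCODE is the low four bits of the header flags word."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F


def diagnose(rcode_plain, rcode_cd):
    """Compare the same lookup without and with the CD flag."""
    if rcode_plain == SERVFAIL and rcode_cd != SERVFAIL:
        return "validation failure: data is reachable, the DNSSEC chain is not"
    if rcode_plain == SERVFAIL:
        return "forwarding or upstream failure: SERVFAIL persists with validation skipped"
    return "resolver answered normally"


def probe(server, name, timeout=3.0):
    """Live check against one resolver (needs network access to port 53)."""
    codes = []
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_query(name, cd=cd), (server, 53))
            codes.append(rcode(sock.recv(4096)))
    return diagnose(*codes)
```

Calling `probe()` with the forwarding server's address and a fully qualified name such as `titi.sword.com.` runs both queries live; a "validation failure" result points at the DNSSEC settings rather than at the forwarders list.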
 
LVL 45

Expert Comment

by:Craig Beck
ID: 41812529
Cool
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 41812658
Did my comment not prompt you to correct your config?

Have you got all the steps correct when configuring the server as a forwarder?
0
 

Author Comment

by:sword12
ID: 41813046
What I did is a workaround, it is not a solution,
because I just disabled the security.
Usually BIND should work without changing these configurations.
So till now no real solution for this.
Yes, you told me there is a configuration problem, and I know this; for this I posted a question, but I got no technical answer.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 41813217
It's not a workaround. You're obviously not using DNSSEC on your other servers.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 41813439
@Craig Beck:

You could have pointed out DNSSEC configuration point....

Your comment says "Have you got all the steps correct when configuring the server as a forwarder?"

This is a very generic statement and does not nail down the exact issue. The statement simply tells that there is some issue with the config, but obviously something is wrong with the config only, because the Windows DNS server is already functional and working correctly, so the problem exists with the BIND config only.
Furthermore, while configuring the BIND server, if it can check whether the target Windows DNS server is using DNSSEC or not and accordingly ask to set the config, then it's a different story.

I don't think you should claim points, author may wish to grant you.


Mahesh.
1
 

Author Comment

by:sword12
ID: 41813472
Hi Mahesh
You are right.
I just gave the points because he asked for this, but as you said, he just answered that something's wrong.
I know something's wrong in the configuration; for this I posted the question.
Anyway, I want to close this question and read about DNSSEC myself because I didn't get any real help here.
Thanks
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 41813617
If you are using 2012 / 2012 R2 DNS servers, they support the DNSSEC option by default.

You can go to the DNS Manager console, right-click the server, open Properties, and on the Advanced tab you can see "Enable DNSSEC validation for remote responses". That option is enabled by default, and then it should support remote server requests with DNSSEC enabled.

I think you are having 2008 / 2008 R2 servers where this functionality is not available by default, and hence you faced issues.

Mahesh.
1
 
LVL 45

Expert Comment

by:Craig Beck
ID: 41814160
Mahesh, it prompted the OP to recheck the config. It's worth an assist at least. I could've asked to see the config and that may have prompted the OP to recheck, but he followed a guide and obviously got it wrong, hence asking if the config was right.

DNSSEC obviously wasn't supported.
0
