DNS Name Servers Tab.

ROBERTO PAREJA
I have a primary DNS with Windows 2008 R2 Standard named DNS01.MYDOMAIN.COM and I am now adding 2 new DNS servers with Windows 2016.
None of these 3 servers have Active Directory, because they will be used exclusively for resolving public names pointing to our servers (such as our mail, some web services, some web pages, etc.).


These 2 new DNS servers with Windows 2016 with the DNS roles will be used as the "backup" or "failover" servers (these new 2 servers will be physically in another location) and they are (for now) named NEW-DNS02.MYDOMAIN.COM and NEW-DNS03.MYDOMAIN.COM.
NOTE: None of these 3 servers belong to any Domain Controller. They are all standalone servers with the sole purpose of resolving names on my network.


When adding in the Name Servers tab of the primary DNS (DNS01.MYDOMAIN.COM), I type the name NEW-DNS02.MYDOMAIN.COM as the FQDN and click RESOLVE. While resolving, it does bring the correct public IP and shows VALIDATING, but after a minute it shows “A timeout occurred during validation.” Even with this error, it seems it added the record.
- Should I ignore this error at the end?


While trying to figure out the error, I typed the internal IP of NEW-DNS02.MYDOMAIN.COM just below the space where I type the FQDN; the validation shows OK and turns green, but the OK button is not enabled.
So with this last discovery, I created a new A record named TEST-DNS02.MYDOMAIN.COM with the internal IP and tried again using TEST-DNS02.MYDOMAIN.COM as the FQDN (but remember this A record has the internal IP of the server). This time the validation went OK and it added the record as a Name Server.
- Is there any problem if the FQDN points to an internal IP?
- Is there any other reason that when the FQDN points to an external IP the validation fails?
- Is what I did above considered good, and should I leave it like that?

Thanks!
Top Expert 2014

Commented:
Are these DNS servers accessible from the internet?  Do you not use a service to host your public DNS records?

It's a fairly good measure that if you have to ask about how to host your own public records, you shouldn't be doing so, as it's best to leave this to professionals who are familiar with making sure the services are secure, highly available, etc.

If these servers aren't publicly accessible, I'm wondering what the benefit is you see of having them separate from your other internal DNS servers.  You can easily create new zones or records on existing zones to resolve as you need them.

I'm just trying to see if there's some unnecessary complexity that can be avoided here.
Mahesh, Architect
Distinguished Expert 2018

Commented:
On those DNS servers, on the public interface you need to allow TCP and UDP 53 inbound so that their status shows green when added as name servers.
David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
1) Should I ignore this error at the end?

No. This error means this DNS server will never answer requests.

2) Is there any problem if the FQDN points to an Internal IP?

Yes. If you mean LAN addresses on non-routable network address ranges.

You must use a public IP. If you can't ping/dig your IP from outside your network, likely you'll have subtle DNS breakage all the time.

3) Is there any other reason that when the FQDN points to an external IP the validation fails?

Post your domain for testing.

No way to guess. Easy to test/know.

4) What I did above is considered to be good and leave it like that?

No. What you have is badly broken DNS.

David Favor, Fractional CTO
Distinguished Expert 2018

Commented:
As footech suggested, DNS is essential for systems to work correctly + minor mistakes can cause subtle instabilities which are nearly impossible to debug.

I've run my own DNS servers since 1994ish + I can say, setting up DNS + ensuring it works daily is no small task.

Usually there's no good reason to do this.

Better to use your Registrar's DNS system, as your Registrar's DNS will generally be better maintained than yours, as they have people working full time keeping their DNS working.
ROBERTO PAREJA, IT Manager

Author

Commented:
I'll give you guys a bit more information to see if you can help me (the public IP's are not the real ones).

DNS01.MYDOMAIN.COM Internal IP: 192.168.0.10 - Public IP: 201.204.122.88 (On the same circuit as DNS02).
DNS02.MYDOMAIN.COM Internal IP: 192.168.0.11 - Public IP: 201.204.122.94 (On the same circuit as DNS01).
DNS03.MYDOMAIN.COM Internal IP: 192.168.100.10 (in another physical location) - Public IP: 12.223.44.125 (In a different circuit in another location).

- I go into the NAME SERVERS TAB of server DNS01.MYDOMAIN.COM and add DNS02.MYDOMAIN.COM and click "Resolve".
- It brings back the address 201.204.122.94 (which is the correct public IP) and it stays on "Validating" for a few seconds and then shows "A timeout occurred during validation".
- Same thing happens when I try to add DNS03.MYDOMAIN.COM and click "Resolve".
- If I go to server DNS02.MYDOMAIN.COM or DNS03.MYDOMAIN.COM and try any of the other servers, it gives the same error result.
- I tried adding DNS01.MYDOMAIN.COM as itself on the same server DNS01.MYDOMAIN.COM, same error result.

- I ran a telnet command to all 3 servers on port 53 from inside my network using the public IP and they all failed.
- I ran a telnet command to all 3 servers on port 53 from my house and they all connected fine.
- On all the firewalls inside our network, the port 53 is open for incoming & outgoing for all 3 servers and also enabled for both TCP and UDP.
- I ran netstat -an on all 3 servers and port 53 in TCP & UDP is listening.

- The really weird thing is that the telnet command from all 3 servers connect fine to 8.8.8.8 (google) and 75.75.75.75 (comcast) using port 53, but fail to any of our internal servers (including DNS03.MYDOMAIN.COM which is on a different physical location).
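A reachability probe in PowerShell, added here as an example and not taken from the thread, that checks each name server's public IP over both UDP and TCP port 53 the way the Name Servers tab validation does. The telnet tests above only exercise TCP; Resolve-DnsName sends a real SOA query for the zone, over UDP by default and over TCP with -TcpOnly, so it also covers the path most resolvers try first. The host names and addresses are the constructed ones from the post above, and Test-NsReachability is a helper name chosen for this example.

```powershell
# Added example, not from the thread. Constructed names/addresses from the post above.
$Zone = 'mydomain.com'
$NameServers = @(
    @{ Name = 'DNS01.MYDOMAIN.COM'; PublicIP = '201.204.122.88' },
    @{ Name = 'DNS02.MYDOMAIN.COM'; PublicIP = '201.204.122.94' },
    @{ Name = 'DNS03.MYDOMAIN.COM'; PublicIP = '12.223.44.125'  }
)

function Test-NsReachability {
    param([string]$Zone, [hashtable]$Ns)

    # TCP 53 only: this is the same thing the telnet test proves (or fails to prove).
    $tcp = Test-NetConnection -ComputerName $Ns.PublicIP -Port 53 -WarningAction SilentlyContinue

    # UDP 53: ask the server itself for the zone's SOA. -DnsOnly bypasses the local
    # cache and hosts file so the answer really comes from $Ns.PublicIP.
    $udpOk = $false
    try {
        $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Ns.PublicIP -DnsOnly -ErrorAction Stop
        $udpOk = @($soa | Where-Object { $_.Type -eq 'SOA' }).Count -gt 0
    } catch { }

    # Same query forced over TCP, so a TCP-only or UDP-only block stands out.
    $tcpSoaOk = $false
    try {
        $soaTcp = Resolve-DnsName -Name $Zone -Type SOA -Server $Ns.PublicIP -DnsOnly -TcpOnly -ErrorAction Stop
        $tcpSoaOk = @($soaTcp | Where-Object { $_.Type -eq 'SOA' }).Count -gt 0
    } catch { }

    [pscustomobject]@{
        NameServer = $Ns.Name
        PublicIP   = $Ns.PublicIP
        Tcp53Open  = $tcp.TcpTestSucceeded   # what telnet checks
        UdpSoaOk   = $udpOk                  # what the validation needs first
        TcpSoaOk   = $tcpSoaOk
    }
}

$NameServers | ForEach-Object { Test-NsReachability -Zone $Zone -Ns $_ } | Format-Table -AutoSize
```

Run it once on DNS01 and once from an outside host. A server that passes from outside but fails from DNS01 means the path from the LAN to your own public address range is what is broken (an edge firewall that does not hairpin traffic to its own public IPs, or an outbound port 53 rule), which is exactly the path the Name Servers tab validation uses; the NS records themselves are not at fault, and adding private-IP entries to make the tab turn green does not fix the underlying path.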
Mahesh, Architect
Distinguished Expert 2018

Commented:
TCP and UDP port 53 inbound is blocked on the DNS server's public interface; open those on the firewall and then check.
ROBERTO PAREJA, IT Manager

Author

Commented:
Thanks Mahesh, but from my house I am able to connect, so it would be safe to assume that port 53 inbound is open.
Mahesh, Architect
Distinguished Expert 2018
Commented:
The inbound port is open from the internet on the DNS server's public interface, but from your corporate network outbound 53 is blocked towards the public IPs of the DNS servers; you need to open it.

The question is, from within the corporate network, why are you adding them with their public IPs?
Can't you add those with their private IPs? Are those servers not in your network?

Whoever needs to resolve your public names from the internet should reach those servers on the public interface via a regular DNS query.
For your internal network you can add their internal IPs under the Forwarders tab of the DNS server properties if they are routable, but this will route all internet queries to those servers.
Better: on the domain controller DNS, you can put a conditional forwarder to these specific DNS servers' internal IPs for the DNS zones they host. If the DNS servers are not in your network, make sure you can reach their public IPs on TCP and UDP 53 from the domain controllers and add the public IPs under the Forwarders tab.
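An added PowerShell example, not from the thread, of the two pieces this answer and David's answer (2) point at: on the authoritative server it lists the zone's NS hosts and flags any whose A record is an RFC 1918 address (the TEST-DNS02 workaround would be flagged), and on the internal resolver it creates a conditional forwarder for just this zone pointing at the servers' internal IPs, so internal lookups never depend on the LAN-to-public-IP path while the NS records keep pointing internet resolvers at public addresses. Zone name and addresses are the constructed ones from the thread; Test-PrivateIPv4 is a helper written for this example, and the script assumes the DnsServer module is available on the server it runs on and that the local DNS service listens on 127.0.0.1.

```powershell
# Added example, not from the thread. Constructed names/addresses from the post above.
$Zone          = 'mydomain.com'
$InternalNsIPs = @('192.168.0.11', '192.168.100.10')   # DNS02 / DNS03 internal IPs

function Test-PrivateIPv4 {
    param([string]$Ip)
    # RFC 1918 ranges: 10/8, 172.16/12, 192.168/16
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

# --- Part 1: run on the authoritative server (DNS01) --------------------------
# Every NS host must resolve to a public address. The Name Servers tab happily
# validates a private address from inside the LAN, but internet resolvers that
# receive it as glue can never reach it.
Get-DnsServerResourceRecord -ZoneName $Zone -RRType NS | ForEach-Object {
    $nsHost = $_.RecordData.NameServer.TrimEnd('.')
    # Ask the local DNS service (assumed to listen on 127.0.0.1) for the host's A records
    $answers = Resolve-DnsName -Name $nsHost -Type A -Server 127.0.0.1 -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'A' }
    if (-not $answers) { Write-Warning "NS $nsHost has no A record"; return }
    foreach ($a in $answers) {
        if (Test-PrivateIPv4 $a.IPAddress) {
            Write-Warning "NS $nsHost -> $($a.IPAddress) is RFC 1918; internet resolvers cannot reach it"
        } else {
            Write-Output  "NS $nsHost -> $($a.IPAddress) (public)"
        }
    }
}

# --- Part 2: run on the internal resolver / domain controller DNS -------------
# Send only $Zone to the authoritative servers' internal IPs; every other lookup
# keeps using the server's normal forwarders (unlike putting them in the
# Forwarders tab, which would send all internet queries there).
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $Zone -MasterServers $InternalNsIPs
}
Get-DnsServerZone -Name $Zone | Select-Object ZoneName, ZoneType, MasterServers
```

Part 2 is guarded by Get-DnsServerZone so that running it on DNS01 itself (which already hosts the primary zone) creates nothing; on a resolver that has never seen the zone the result shows ZoneType "Forwarder" with the two internal addresses as MasterServers.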
