XP machines cannot resolve the names to IP

Muhammad Essa

Hi;
Since I have set up my network, I see that XP machines cannot resolve the name
to IP, i.e. google.com, if internet access is blocked over the Win 2003 server
via the PIX firewall. DNS works correctly, and within the LAN it resolves the names
to IP, but this issue is only for the internet; those users who are allowed to
access the internet will not be able to access it unless the server is not
allowed for internet also. Is this normal, and is there a solution to this
issue? Thanks
 
Meinolf Weber

Hello Muhammad,

You have to configure a forwarder to your ISP's DNS server on the DNS management
console from your DNS server. Go to forwarders Tab and fill in the ip address
from your ISP's DNS server.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
 
Kevin D. Goodknecht Sr. [MVP]

Read inline please.

In
Muhammad Essa said:
Hi;
Since I have set up my network, I see that XP machines cannot resolve
the name to IP, i.e. google.com, if internet access is blocked over the
Win 2003 server via the PIX firewall. DNS works correctly, and within the
LAN it resolves the names to IP, but this issue is only for the internet;
those users who are allowed to access the internet will not be able
to access it unless the server is not allowed for internet also. Is this
normal, and is there a solution to this issue? Thanks

Your post is kind of confusing, but if your firewall is set up to block DNS
queries from the server to any IP address on the internet, your DNS
resolution for internet names could fail unless you set a forwarder and open
TCP/UDP on port 53 to the ISP DNS from the server. With this setting you
will also need to set "Do not use recursion for this domain" on the
forwarder. This forces DNS to use the forwarder only for all external
queries.
Also, if the Forwarder supports EDNS, you will need to allow UDP packets up
to the MTU size.

323380 - HOW TO: Configure DNS for Internet Access in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;323380&sd=RMVP

828263 - DNS query responses do not travel through a firewall in Windows
Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828263&sd=RMVP


--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 
Ace Fekay [MVP]

In
Kevin D. Goodknecht Sr. said:
Your post is kind of confusing, but if your firewall is set up to
block DNS queries from the server to any IP address on the internet,
your DNS resolution for internet names could fail unless you set a
forwarder and open TCP/UDP on port 53 to the ISP DNS from the server.
With this setting you will also need to set "Do not use recursion for
this domain" on the forwarder. This forces DNS to use the forwarder
only for all external queries.
Also, if the Forwarder supports EDNS, you will need to allow UDP
packets up to the MTU size.

323380 - HOW TO: Configure DNS for Internet Access in Windows Server
2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;323380&sd=RMVP

828263 - DNS query responses do not travel through a firewall in
Windows Server 2003:
http://support.microsoft.com/default.aspx?scid=kb;en-us;828263&sd=RMVP

For Muhammad,

To add about how to allow EDNS0 in the PIX, go into the PDM, Configuration
button, System Properties, Advanced, Fixup, DNS, check the checkbox "Enable
FIXUP DNS" and type in 1280 for the Maximum length.

Or

If familiar with the PIX command line, add this line:
fixup protocol dns maximum-length 1280

But as Kevin said, you still have to allow DNS traffic.


--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

Infinite Diversities in Infinite Combinations
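To make Kevin's EDNS remark (allow UDP up to the MTU, not just 512 bytes) and Ace's 1280-byte fixup figure concrete, here is an added Python example that is not from this thread, Microsoft or Cisco: it builds a query carrying an EDNS0 OPT pseudo-RR, builds a constructed reply, and reports whether the reply exceeds the classic 512-byte UDP DNS limit that a strict port-53 rule would drop. All bytes are constructed in memory (addresses from the 198.51.100.0/24 documentation range); nothing is sent on the wire.

```python
import struct

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"

def build_query(name, edns_udp_size=None, qid=0x1234):
    """Recursive A query; with edns_udp_size an EDNS0 OPT pseudo-RR is appended."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # flags: RD=1
    msg += encode_name(name) + struct.pack("!HH", 1, 1)           # QTYPE=A, QCLASS=IN
    if edns_udp_size:
        # OPT RR: NAME=root, TYPE=41, CLASS=advertised UDP payload size, TTL=0, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg

def build_response(query, addrs, edns_udp_size=None):
    """Constructed (not captured) reply to a build_query() message: one A record per address."""
    qend = _skip_name(query, 12) + 4                     # end of the question section
    arcount = 1 if edns_udp_size else 0
    msg = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(addrs), 0, arcount) + query[12:qend]
    for a in addrs:   # owner name = compression pointer to the question name at offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in a.split("."))
    if edns_udp_size:
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:          # compression pointer: 2 bytes and the name ends
            return off + 2
        off += 1
        if n == 0:
            return off
        off += n

def inspect(msg):
    """Summarise what a port-53 firewall rule needs to know about this message."""
    _qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4
    edns_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:               # OPT: the CLASS field carries the UDP payload size
            edns_size = rclass
        off += 10 + rdlen
    return {"truncated": bool(flags & 0x0200), "edns_udp_size": edns_size,
            "length": len(msg), "exceeds_512": len(msg) > 512}
```

A reply whose `exceeds_512` is true and whose `truncated` flag is clear is exactly the kind of packet the KB 828263 article describes: the forwarder sent it because the server advertised 1280 bytes, and a firewall still enforcing 512 bytes silently drops it.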
 
Muhammad Essa

Hi All;
Thanks for the replies.
I have configured the ISP DNS address in the forwarder list. But when the internet is
blocked over the Win 2003 server, all the clients who are allowed to access the
net from their PCs, and are specifically allowed in the PIX firewall, will not be able
to resolve name to IP. Also, the required ports are allowed over the
firewall. Any idea?

Kind Regards
 
Ace Fekay [MVP]

In
Muhammad Essa said:
Hi All;
Thanks for the replies.
I have configured the ISP DNS address in the forwarder list. But when
the internet is blocked over the Win 2003 server, all the clients who are
allowed to access the net from their PCs, and are specifically allowed in the PIX
firewall, will not be able to resolve name to IP. Also, the required
ports are allowed over the firewall. Any idea?

Kind Regards

If your new problem is they cannot access by computer name, then you will
need to install WINS and specify in DHCP properties Option 46 = 0x8 and
option 44 = WINS server IP address. This will allow resolution by name.

Ace
 
Muhammad Essa

Hi;
The problem is not with name resolution within the LAN at all. Users can
work and access resources over different subnets, and initiate remote
terminal connections. I only want to know why, if the server is not allowed to
access the internet and the workstation is allowed to access the net behind
the PIX firewall, the name-to-IP problem happens. Following are some more
details.

DNS server is working perfectly and can resolve name to IP locally.
PIX firewall is configured to allow the required traffic.
DNS server is blocked from accessing the internet.
Specific workstations are allowed to access the net.

Thanks
 
Ace Fekay [MVP]

In
Muhammad Essa said:
Hi;
The problem is not with name resolution within the LAN at all. Users
can work and access resources over different subnets, and initiate
remote terminal connections. I only want to know why, if the server is not
allowed to access the internet and the workstation is allowed to
access the net behind the PIX firewall, the name-to-IP problem
happens. Following are some more details.

DNS server is working perfectly and can resolve name to IP locally.
PIX firewall is configured to allow the required traffic.
DNS server is blocked from accessing the internet.
Specific workstations are allowed to access the net.

Thanks

I'm not sure what users are using as names to access resources over the VPN.
Are they accessing by FQDN? If so, it should work. If by single name, then
no, because we need to resolve the NetBIOS names. When you run an ipconfig
/all on a connected VPN client, what DNS addresses are being given? Do you
also have split tunneling defined in the access lists for the VPN group?

Accessing resources across a router by NetBIOS names is blocked by default,
firewall or not. Therefore I'm assuming that users are accessing resources
between your current internal subnets by FQDN and not single name if not
using WINS. Network Neighborhood (based on the Browser service) will only
broadcast and work on the local subnet, and they will not be able to find
things in that manner in other subnets. Same goes with printer browsing.

I bet that if you are not using WINS, and you have Exchange in place, and
they are using meeting requests, that calendar Free/Busy info is not working
for everyone other than the folks on the same subnet as the Exchange server.

In any scenario where there are multiple subnets, or even one subnet and we
install a PIX or any other VPN appliance, we immediately install WINS to
allow single name resolution across the subnets. This is standard procedure,
especially if we want to allow resource access by using NetBIOS names.

Ace
 
Muhammad Essa

Hi;
Thanks for the reply. Actually, WINS is not set up, that is correct. But the
only thing that makes me worried is that when internet access is not
allowed at the server (I mean the server cannot access any web page) but the specific
clients are allowed, in this case the internet access must be fine, but it is
not. Once access to the internet is provided to the server itself, then the
clients are able to browse the web pages. Can it be because the workstation is
sending the request to the server which has DNS installed, and then via the internet
provided to the server the DNS sends the request to the forwarder and gets the reply for the
website, i.e. www.google.com?

Thanks

Essa
 
Kevin D. Goodknecht Sr. [MVP]

Read inline please.

In
Muhammad Essa said:
Hi;
Thanks for the reply. Actually, WINS is not set up, that is correct. But
the only thing that makes me worried is that when internet access
is not allowed at the server (I mean the server cannot access any web page) but
the specific clients are allowed, in this case the internet access
must be fine, but it is not. Once access to the internet is provided
to the server itself, then the clients are able to browse the web pages.
Can it be because the workstation is sending the request to the server which
has DNS installed, and then via the internet provided to the server the
DNS sends the request to the forwarder and gets the reply for the website, i.e.
www.google.com?

You must allow the server to have access to the internet so its DNS server
can resolve names for the clients, which must use the server only for DNS.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

 
Ace Fekay [MVP]

In
Muhammad Essa said:
Hi;
Thanks for the reply. Actually, WINS is not set up, that is correct. But
the only thing that makes me worried is that when internet access
is not allowed at the server (I mean the server cannot access any web page) but
the specific clients are allowed, in this case the internet access
must be fine, but it is not. Once access to the internet is provided
to the server itself, then the clients are able to browse the web pages.
Can it be because the workstation is sending the request to the server which
has DNS installed, and then via the internet provided to the server the
DNS sends the request to the forwarder and gets the reply for the website, i.e.
www.google.com?

Thanks

Essa

In DNS, under Forward Lookup Zones, does a "." zone exist (looks like a
period)?

Ace
 
Muhammad Essa

Hi All;
Thanks for the reply. As Ace Fekay asked, under forwarders "ALL OTHER DNS
DOMAINS" is listed, and at the bottom the ISP DNS addresses are mentioned. As Kevin
mentioned that the DNS server must have access to the internet, I tried to block
the internet over one of my DNS servers which is in another site, and the clients
behind the ISA firewall are able to access the internet, but those who are in a
separate site cannot. Overall I have 7 sites, and every site has a DNS server
which is AD-integrated.

Thanks
 
Ace Fekay [MVP]

In
Muhammad Essa said:
Hi All;
Thanks for the reply. As Ace Fekay asked, under forwarders "ALL OTHER
DNS DOMAINS" is listed, and at the bottom the ISP DNS addresses are mentioned. As
Kevin mentioned that the DNS server must have access to the internet, I tried
to block the internet over one of my DNS servers which is in another site,
and the clients behind the ISA firewall are able to access the internet,
but those who are in a separate site cannot. Overall I have 7 sites,
and every site has a DNS server which is AD-integrated.

Thanks

If you are using a forwarder, and you do not allow DNS traffic to the
internet from the DNS server(s), then how is it going to resolve external
names?

Ace
 
Muhammad Essa

Hi Ace Fekay;
You are right: if the internet is blocked, then it is not possible to send
the forwarder's requests to the ISP. But I have tested the same in my environment
in another site, where I have blocked the internet over the server,
but the users were able to browse the internet. That site also has an ISA
server.

Thanks
 
Kevin D. Goodknecht Sr. [MVP]

Read inline please.

In
Muhammad Essa said:
Hi Ace Fekay;
You are right: if the internet is blocked, then it is not possible
to send the forwarder's requests to the ISP. But I have tested the same in
my environment in another site, where I have blocked the
internet over the server, but the users were able to browse the
internet. That site also has an ISA server.

When you have a Proxy server, the web browser gets its DNS resolution from
the Proxy Server, not from the DNS Client service. You will have to allow
the DNS server access to the Forwarder's IP on port 53 UDP and TCP.



--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps

 
Muhammad Essa

Hi Kevin;
You are right, the ISA server will help the clients with DNS queries.
I will perform some more tests and see if the result is fine. For the
time being I will close the issue. The posts were really helpful.

Thanks to you and Ace Fekay for all the help.
Essa
 
Ace Fekay [MVP]

In
Muhammad Essa said:
Hi Kevin;
You are right, the ISA server will help the clients with DNS queries.
I will perform some more tests and see if the result is
fine. For the time being I will close the issue. The posts were really
helpful.

Thanks to you and Ace Fekay for all the help.
Essa

You are welcome.

Ace