DNS Forwarders not working?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Hi
We have a Windows 2000 server (actually SBS with ISA disabled) at head
office location and a branch office connected by VPN using Netscreen
firewalls. VPN is working fine. Branch office clients authenticate on the
2000 server via the VPN. We only just changed firewalls to the NetScreens.
The old firewalls acted as a proxy servers and client PCs' Internet Explorer
connection settings were set to use the old firewalls as their proxy server
and we had no problems. The new Netscreens are not proxies so I have removed
the all LAN connection settings in IE and the clients NICs are set to use the
Netscreen as the gateway and the 2000 server as DNS. I have set up DNS
forwarders to our ISP's DNS but I cannot browse the internet from the 2000
server or our terminal server (the branch office users access the TS via the
VPN) unless I put the ISP's DNS on the NIC's TCP/IP settings, and even then I
cannot get to all sites or links within sites. I am at the limits of my
knowledge and would really appreciate any suggestions please!
 
Hello Geoff,

I really am not quite sure about your situation. But if you find you even
cannot browse internet on your server, and you think the DNS forwarder
doesn't work, then make sure your DC points to itself and nowhere else. Make
sure you can ping your DNS forwarder IP. You better do a nslookup with the
IP and see if it can resolve domain names.

Make sure you can browse on the server first. If you cannot browse, try to
ping your target and see where is the problem. Or if you can ping, see if
you can browse with the IP only. These are all I can think of at the moment.
You need to provide more detail and clear info.

br,
Denis
 
Hi Denis

DC is pointing to itself in the DNS on the NIC, it is the only DNS entry.
I can successfully ping both ISP DNS IP's and other public IP's.
I can ping all IP's on the internal network.
Nslookup fails on all external and internal IP's except the server
(192.168.0.6), message on external fail is:
*** <server>.<domain>.com can't find www.microsoft.com: server failed
message on internal nslookup fail on the terminal server is:
*** <server>.<domain>.com can't find 192.168.0.9: Non-existent domain

I've tried browsing by IP on the server with strange results, sometimes a
partial page appears but hyperlinks do not work, mostly "Page cannot be
dispalyed".

Hope these details give some more clues

Geoff
 
In
Geoff Hewitt said:
Hi Denis

DC is pointing to itself in the DNS on the NIC, it is the only DNS
entry. I can successfully ping both ISP DNS IP's and other public
IP's.

Ping is not the tool to test connectivity to a DNS server since ping uses
ICMP. Use nslookup and change server to the external DNS you are using as
your forwarder.
If you are not using a forwarder verify that you can query the root servers
with this:
nslookup
set type=ns
server 198.41.0.4
..
(yes. that's a dot) If you get an answer back like this then you should
also be able to navigate the firewall to all external DNS servers.
(root) nameserver = A.ROOT-SERVERS.NET
(root) nameserver = H.ROOT-SERVERS.NET
(root) nameserver = C.ROOT-SERVERS.NET
(root) nameserver = G.ROOT-SERVERS.NET
(root) nameserver = F.ROOT-SERVERS.NET
(root) nameserver = B.ROOT-SERVERS.NET
(root) nameserver = J.ROOT-SERVERS.NET
(root) nameserver = K.ROOT-SERVERS.NET
(root) nameserver = L.ROOT-SERVERS.NET
(root) nameserver = M.ROOT-SERVERS.NET
(root) nameserver = I.ROOT-SERVERS.NET
(root) nameserver = E.ROOT-SERVERS.NET
(root) nameserver = D.ROOT-SERVERS.NET
A.ROOT-SERVERS.NET internet address = 198.41.0.4
H.ROOT-SERVERS.NET internet address = 128.63.2.53
C.ROOT-SERVERS.NET internet address = 192.33.4.12
G.ROOT-SERVERS.NET internet address = 192.112.36.4
F.ROOT-SERVERS.NET internet address = 192.5.5.241
B.ROOT-SERVERS.NET internet address = 192.228.79.201
J.ROOT-SERVERS.NET internet address = 192.58.128.30
K.ROOT-SERVERS.NET internet address = 193.0.14.129
L.ROOT-SERVERS.NET internet address = 198.32.64.12
M.ROOT-SERVERS.NET internet address = 202.12.27.33
I.ROOT-SERVERS.NET internet address = 192.36.148.17
E.ROOT-SERVERS.NET internet address = 192.203.230.10
D.ROOT-SERVERS.NET internet address = 128.8.10.90
I can ping all IP's on the internal network.
Nslookup fails on all external and internal IP's except the server
(192.168.0.6), message on external fail is:
*** <server>.<domain>.com can't find www.microsoft.com: server failed
message on internal nslookup fail on the terminal server is:
*** <server>.<domain>.com can't find 192.168.0.9: Non-existent domain

You obviously don't have a PTR record registered for this IP address.
If you get a message from nslookup saying
I've tried browsing by IP on the server with strange results,
sometimes a partial page appears but hyperlinks do not work, mostly
"Page cannot be dispalyed".

This is likely beiong caused by a firewall rule not allowing your DNS server
recurse domain names, for recursion to work, your DNS server must be able to
contact EVERY DNS server on the internet.
If you want your DNS server to contact only its forwarder, make sure the
firewall has a rule allowing connections to the forwarder's IP on UDP & TCP
port 53. Then, on the forwarders tab check the box "Do not use recursion".
If you do this make sure the forwarder is capable of handling all external
DNS queries, if it fails, the external query will fail, because the root
hints won't be used. A couple of very good forwarders to use are 4.2.2.1 &
4.2.2.2
 
Hi Kevin

Thanks for suggestions, here's my results:
Ping is not the tool to test connectivity to a DNS server since ping uses
ICMP. Use nslookup and change server to the external DNS you are using as
your forwarder.
If you are not using a forwarder verify that you can query the root servers
with this:
nslookup
set type=ns
server 198.41.0.4
..
(yes. that's a dot) If you get an answer back like this then you should
also be able to navigate the firewall to all external DNS servers.
(root) nameserver = A.ROOT-SERVERS.NET
(root) nameserver = H.ROOT-SERVERS.NET
(root) nameserver = C.ROOT-SERVERS.NET
(root) nameserver = G.ROOT-SERVERS.NET
(root) nameserver = F.ROOT-SERVERS.NET
(root) nameserver = B.ROOT-SERVERS.NET
(root) nameserver = J.ROOT-SERVERS.NET
(root) nameserver = K.ROOT-SERVERS.NET
(root) nameserver = L.ROOT-SERVERS.NET
(root) nameserver = M.ROOT-SERVERS.NET
(root) nameserver = I.ROOT-SERVERS.NET
(root) nameserver = E.ROOT-SERVERS.NET
(root) nameserver = D.ROOT-SERVERS.NET
A.ROOT-SERVERS.NET internet address = 198.41.0.4
H.ROOT-SERVERS.NET internet address = 128.63.2.53
C.ROOT-SERVERS.NET internet address = 192.33.4.12
G.ROOT-SERVERS.NET internet address = 192.112.36.4
F.ROOT-SERVERS.NET internet address = 192.5.5.241
B.ROOT-SERVERS.NET internet address = 192.228.79.201
J.ROOT-SERVERS.NET internet address = 192.58.128.30
K.ROOT-SERVERS.NET internet address = 193.0.14.129
L.ROOT-SERVERS.NET internet address = 198.32.64.12
M.ROOT-SERVERS.NET internet address = 202.12.27.33
I.ROOT-SERVERS.NET internet address = 192.36.148.17
E.ROOT-SERVERS.NET internet address = 192.203.230.10
D.ROOT-SERVERS.NET internet address = 128.8.10.90

I got an answer back exactly as above for server 198.41.0.4 and my ISP's DNS
which is the forwarder.
You obviously don't have a PTR record registered for this IP address.
If you get a message from nslookup saying
"Can't find server name for address <ipaddressofDNSserver>..."
That is nslookup performing a reverse lookup on the DNS server's address.

I've manually added some host & PTR records for clients on the network to
solve this although I believe this should dynamically update.
This is likely beiong caused by a firewall rule not allowing your DNS server
recurse domain names, for recursion to work, your DNS server must be able to
contact EVERY DNS server on the internet.
If you want your DNS server to contact only its forwarder, make sure the
firewall has a rule allowing connections to the forwarder's IP on UDP & TCP
port 53. Then, on the forwarders tab check the box "Do not use recursion".
If you do this make sure the forwarder is capable of handling all external
DNS queries, if it fails, the external query will fail, because the root
hints won't be used. A couple of very good forwarders to use are 4.2.2.1 &
4.2.2.2

Port 53 on the firewall is open as above

Thank you for your help but I still can't browse from the server. Any more
ideas please?

Regards, Geoff
 
In
Geoff Hewitt said:
Thank you for your help but I still can't browse from the server. Any
more ideas please?

Does your DNS server have a "." (Root) zone?
If it does delete it.
 
Kevin D. Goodknecht Sr. said:
Does your DNS server have a "." (Root) zone?
If it does delete it.
No there's no "." zone

I've discovered that the old firewall box that is still connected (just
because it allows us to capture all the incoming and outgoing email and
forward it off to an archive independent of Exchange) is also a DNS server
pointing to the ISP's DNS and if I point the server and clients at that IP
they can all browse without a problem.

So I tried putting that IP as a forwarder in the server DNS and re-pointing
everything back to the server for DNS but it still wouldn't work. I have a
workaround for now with the old firewall but it seems that DNS is screwed up
somewhere, I just can't locate where.

Thanks for all your help.

Geoff
 
In
Geoff Hewitt said:
No there's no "." zone

I've discovered that the old firewall box that is still connected
(just because it allows us to capture all the incoming and outgoing
email and forward it off to an archive independent of Exchange) is
also a DNS server pointing to the ISP's DNS and if I point the server
and clients at that IP they can all browse without a problem.

So I tried putting that IP as a forwarder in the server DNS and
re-pointing everything back to the server for DNS but it still
wouldn't work. I have a workaround for now with the old firewall but
it seems that DNS is screwed up somewhere, I just can't locate where.

Can you show me some local and external queries ran against your DNS server
using nslookup -d2 ?
 
Back
Top