DNS Problems


Guest

We are in the process of moving our web site from being hosted externally into our offices to be managed internally and it appears that we are having some difficulty getting the server(s) set up. We are using Windows Server 2003. We have opened ports 25, 80, 53, and 110 on the router/firewall to allow email, DNS and HTTP traffic, and our connection is via a cable modem. The ports have been tested from the outside and they are accessible. The IP is 66.224.132.5 (or something like that) and the web server/email server (right now we are simply using the SMTP and POP that ship with Server 2003) has a static internal IP of 192.168.0.5. The initial problem we had was that sometimes we lost the internet connection for about 3 minutes. This usually happened when we tried to go to our web site from another client on the network: the site partially loads and then the connection terminates for a few minutes. We were able to fix this by setting up a DNS server on the web server to handle the internal traffic. Does this sound like the correct way to fix the issue?

We now have a problem with trying to go out to external web sites. On the dns server we set up forwarders to the isp dns servers, but it does not appear that the requests are getting that far. This also appears to have affected our email. The email traffic is coming in and hitting the mail server, but the client pcs are not able to connect to the mail server to download the emails.

Any help would greatly be appreciated.
Thank you,
 

Lanwench [MVP - Exchange]

John said:
We are in the process of moving our web site from being hosted
externally into our offices to be managed internally and it appears
that we are having some difficulty getting the server(s) set up. We
are using Windows Server 2003. We have opened ports 25, 80, 53, and
110 on the router/firewall to allow email, dns and http traffic and
our connection is via a cable modem. The ports have been tested from
the outside and they are accessible. The IP is 66.224.132.5 (or
something like that) and the webserver/email server(right now we are
simply using the smtp and pop that ships with server 2003) have a
static internal IP of 192.168.0.5. The initial problem we had was
that sometimes we lost the internet connection for about 3 minutes.
This usually happened when we tried to go to our web site from
another client on the network, the site partially loads and then the
connection terminates for a few minutes. We were able to fix this by
setting up a dns server on the web server to handle the internal
traffic. Does this sound like the correct way to fix the issue?

Hmmm - well, I'm not sure what you mean by 'setting up a dns server'. Can
you be more specific?
We now have a problem with trying to go out to external web sites. On
the dns server we set up forwarders to the isp dns servers, but it
does not appear that the requests are getting that far. This also
appears to have affected our email. The email traffic is coming in
and hitting the mail server, but the client pcs are not able to
connect to the mail server to download the emails.

All servers and workstations should specify *only* the internal
AD-integrated DNS server's IP address in their network settings. The
AD-integrated DNS server should be set up with forwarders to your ISP's DNS
servers for external resolution. See
http://support.microsoft.com/default.aspx?scid=kb;en-us;300202 for more
info.
Any help would greatly be appreciated.

Also note - I don't recommend that you allow traffic on port 80 to come into
your LAN. If this is a standalone web server, I'd put it in a DMZ.
 

Herb Martin

John said:
We are in the process of moving our web site from being hosted externally
into our offices to be managed internally and it appears that we are having
some difficulty getting the server(s) set up. We are using Windows Server
2003. We have opened ports 25, 80, 53, and 110 on the router/firewall to
allow email, dns and http traffic and our connection is via a cable modem.
The ports have been tested from the outside and they are accessible.

Port filters such as these have a direction, with source and destination, so
it is quite different if you get these backwards.

Example: In typical cases, for HTTP one needs, internal to external
DESTINATION 80, source ANY, PLUS external to internal source
80 plus destination ANY.

"Stateful firewalls" go a step further and "remember" those internal
"ANY" ports and only allow responses that match those (recent)
requests.
The IP is 66.224.132.5 (or something like that) and the webserver/email
server(right now we are simply using the smtp and pop that ships with server
2003) have a static internal IP of 192.168.0.5. The initial problem we had
was that sometimes we lost the internet connection for about 3 minutes. This
usually happened when we tried to go to our web site from another client on
the network, the site partially loads and then the connection terminates for
a few minutes. We were able to fix this by setting up a dns server on the
web server to handle the internal traffic. Does this sound like the correct
way to fix the issue?
We now have a problem with trying to go out to external web sites. On the
dns server we set up forwarders to the isp dns servers, but it does not
appear that the requests are getting that far. This also appears to have
affected our email. The email traffic is coming in and hitting the mail
server, but the client pcs are not able to connect to the mail server to
download the emails.

DNS settings:

Internal DNS should still be managed by you.
Internal DNS servers for your AD zone must be DYNAMIC.
ALL internal machines (DCs and DNS servers included) must
point SOLELY to the INTERNAL DNS on their NIC properties
(or DHCP supplied) settings
Internal DNS servers typically FORWARD to the external DNS
for internet resolution

If you use the same name internally as externally for your DNS zone
then the INTERNAL DNS servers need to have the zone MANUALLY
duplicated as if it is a separate zone ("shadow" or "split" DNS.)
 

Lanwench [MVP - Exchange]

John said:
Thank you for the support document and comments. The client pcs are
pointing to the internal dns ip (192.168.1.200). The dns server is
pointing to itself and we do have forwarders set up to use the isp
servers for external resolution. Do we need to stop/restart any
services or reboot machines when changes or modifications are made?
We still have the issue of not being able to go outside to any
external sites.

What was the other DNS server you mentioned?
Can clients ping the router? Can they ping the internal DNS server IP? Ping
a public IP address?
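The pings Lanwench asks for are the right first step, because each one rules a layer in or out. The script below is an added example, not something posted in the thread: it walks the same path from a client (router, internal DNS server, a public address by IP, then the name lookup first through the internal DNS server and then directly against the ISP forwarder) and reports which hop fails or is slow. Only 192.168.1.200 comes from the thread; the gateway address, the forwarder address, the public test host and the nslookup/ping parsing are assumptions. It sticks to ping.exe, nslookup.exe and a Stopwatch so it runs on the PowerShell available for Server 2003 and XP clients.

```powershell
# Added example (not from the thread): isolate where external name resolution
# breaks for a LAN client. Only the internal DNS address comes from the thread;
# every other address below is an assumed placeholder (documentation ranges).
$Gateway   = '192.168.1.1'      # assumed LAN address of the Linksys router
$DnsServer = '192.168.1.200'    # internal DNS server (from the thread)
$Forwarder = '203.0.113.1'      # assumed first ISP resolver in the forwarder list
$PublicIp  = '198.51.100.1'     # assumed public host that answers ICMP
$TestName  = 'www.yahoo.com'    # name Ace asks to be checked

# Windows ping.exe exits 0 only when at least one reply came back.
function Test-Ping([string]$Target) {
    $null = ping -n 2 -w 1000 $Target
    return ($LASTEXITCODE -eq 0)
}

# Query $Name at $Server directly (bypassing the client's configured DNS) and
# return whether an answer came back and how long nslookup took in ms.
# nslookup prints a "Name:" line only when it got an answer; "timed out" and
# "can't find" messages never contain it.
function Test-Lookup([string]$Name, [string]$Server) {
    $sw  = [System.Diagnostics.Stopwatch]::StartNew()
    $out = nslookup -timeout=3 $Name $Server 2>&1
    $sw.Stop()
    $answered = [bool]($out | Select-String -Pattern '^Name:')
    return @{ Answered = $answered; Ms = $sw.ElapsedMilliseconds }
}

function Show-Result([string]$Step, [bool]$Ok, $Ms) {
    $state = if ($Ok) { 'OK' } else { 'FAIL' }
    if ($Ms -ne $null) { $state += " ($Ms ms)" }
    "{0,-34} {1}" -f $Step, $state
}

# Layers 1-3: plain IP reachability, no DNS involved at all.
Show-Result '1 gateway reachable'        (Test-Ping $Gateway)   $null
Show-Result '2 internal DNS reachable'   (Test-Ping $DnsServer) $null
Show-Result '3 Internet routing by IP'   (Test-Ping $PublicIp)  $null

# Layers 4-5: the same name through the internal server and straight at the
# forwarder. Comparing the two separates "the server cannot forward" from
# "the ISP resolver is broken" and shows where the delay is being spent.
$viaInternal  = Test-Lookup $TestName $DnsServer
$viaForwarder = Test-Lookup $TestName $Forwarder
Show-Result "4 $TestName via internal DNS" $viaInternal.Answered  $viaInternal.Ms
Show-Result "5 $TestName via forwarder"    $viaForwarder.Answered $viaForwarder.Ms

# Reading the table:
#  1 FAIL                 : LAN/NIC problem on this client, stop here.
#  3 OK, 4 FAIL, 5 OK     : routing is fine and the ISP resolver answers, so the
#                           DNS server itself cannot reach its forwarders (its own
#                           outbound port 53, wrong forwarder list, or a local zone
#                           that swallows the query).
#  4 FAIL, 5 FAIL         : the ISP resolver, or outbound port 53 at the router.
#  4 slow, 5 fast         : the server burns its per-forwarder timeout on a dead
#                           first forwarder before the next one answers; check the
#                           order and liveness of the forwarder list.
```

Run it from a workstation, not from the DNS server itself (otherwise step 2 proves nothing). Intermittent "sometimes it loads, sometimes it does not" behaviour, as described later in the thread, usually shows up here as step 4 being slow or failing while step 5 is fast, which points at the forwarder list rather than at the internet connection.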
 

Kevin D. Goodknecht Sr. [MVP]

John said:
We are in the process of moving our web site from being hosted
externally into our offices to be managed internally and it appears
that we are having some difficulty getting the server(s) set up. We
are using Windows Server 2003. We have opened ports 25, 80, 53, and
110 on the router/firewall to allow email, dns and http traffic and
our connection is via a cable modem. The ports have been tested from
the outside and they are accessible. The IP is 66.224.132.5 (or
something like that) and the webserver/email server(right now we are
simply using the smtp and pop that ships with server 2003) have a
static internal IP of 192.168.0.5. The initial problem we had was
that sometimes we lost the internet connection for about 3 minutes.
This usually happened when we tried to go to our web site from
another client on the network, the site partially loads and then the
connection terminates for a few minutes. We were able to fix this by
setting up a dns server on the web server to handle the internal
traffic. Does this sound like the correct way to fix the issue?

We now have a problem with trying to go out to external web sites. On
the dns server we set up forwarders to the isp dns servers, but it
does not appear that the requests are getting that far. This also
appears to have affected our email. The email traffic is coming in
and hitting the mail server, but the client pcs are not able to
connect to the mail server to download the emails.

Any help would greatly be appreciated.
Thank you,

You will need your internal DNS server to give out the private IPs of these
servers to the internal clients.
 

Guest

It appears that we have worked out a few of the issues. We can now send/receive emails from the client pcs, although it does appear to take a little time for the email to reach its destination, longer than it did initially. We are also able to get to external web sites but not very regularly. When we do get a connection, it appears to take a little time for the site to load and it does not appear to be "normal" internet traffic that is causing the slowdown. Any ideas as to why the dns lookups for external sites may be taking so long? Is there any additional information I can provide that may help out?

Thanks
 

Guest

Thanks, I'll give that a try. Now we can send/receive emails from the client PCs. We are also able to get to external web sites but not very regularly. When we do get a connection, it appears to take some time for the site to load. Any ideas as to why the DNS lookups for external sites may be taking so long?

Thanks
 

Kevin D. Goodknecht Sr. [MVP]

John said:
It appears that we have worked out a few of the issues. We can now
send/receive emails from the client pcs, although it does appear to
take a little time for the email to reach its destination, longer
than it did initially. We are also able to get to external web sites
but not very regularly. When we do get a connection, it appears to
take a little time for the site to load and it does not appear to be
"normal" internet traffic that is causing the slowdown. Any ideas as
to why the dns lookups for external sites may be taking so long? Is
there any additional information I can provide that may help out?

Is your firewall a PIX?
828731 - An External DNS Query May Cause an Error Message in Windows Server
2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;828731
 

Guest

No, it is a Linksys Firewall/Router right now as we are a small office. There are also no error messages showing up in the logs.
 

Kevin D. Goodknecht Sr. [MVP]

John said:
No, it is a Linksys Firewall/Router right now as we are a small
office. There are also no error messages showing up in the logs.

You are aware now that all internal clients must use the internal DNS server
only, correct?
This is always a requirement on Active Directory, but now you have servers
hosted locally that cannot be accessed by the public IP addresses. You are
going to have to set up a Split namespace DNS with the internal DNS
resolving for the local network. You will need to create zones for all sites
hosted locally with records that resolve to local IPs. In addition, you are
going to need to add the records for any server hosted on the outside world
in the domains you have in your DNS.
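What Kevin and Herb describe (a split namespace, with the internal server holding its own copy of the public zone) can be built on Windows Server 2003 with dnscmd.exe, which ships with the OS. The script below is an added example, not something from the thread: the zone name example.com, the ISP forwarder addresses and the externally hosted "ftp" host are assumed placeholders; the two 192.168.x addresses are the ones the thread gives. The important consequence is in step 1: once the internal server is authoritative for the name, it never forwards queries for that zone, so every host in the domain that clients still need, including the ones that stay outside, has to be entered by hand.

```powershell
# Added example (not from the thread): build the internal ("split") copy of the
# public zone on the Windows Server 2003 DNS server with dnscmd.exe.
# Assumed placeholders: zone name, ISP resolvers (documentation range) and the
# public IP of an externally hosted host. The 192.168.x values are from the thread.
$Zone       = 'example.com'                 # assumed public domain name
$DnsServer  = '192.168.1.200'               # internal DNS server (from the thread)
$HostIp     = '192.168.0.5'                 # private IP of the web/mail server (from the thread)
$Forwarders = '203.0.113.1', '203.0.113.2'  # assumed ISP resolvers
$ExtHostIp  = '198.51.100.7'                # assumed public IP of a host that stays hosted outside

# 1. A standard primary zone named like the public domain. From now on this
#    server answers for example.com itself and never forwards those queries,
#    so anything not added in steps 2 and 3 stops resolving on the LAN.
#    Use /DsPrimary (and no /file) instead if the zone should be AD-integrated.
dnscmd $DnsServer /ZoneAdd $Zone /Primary /file "$Zone.dns"

# 2. Locally hosted services: LAN clients must get the PRIVATE address, since
#    the Linksys will not hairpin traffic sent to the public IP back inside.
dnscmd $DnsServer /RecordAdd $Zone 'www'  A  $HostIp
dnscmd $DnsServer /RecordAdd $Zone 'mail' A  $HostIp
dnscmd $DnsServer /RecordAdd $Zone '@'    A  $HostIp
dnscmd $DnsServer /RecordAdd $Zone '@'    MX 10 "mail.$Zone."

# 3. Hosts that remain outside must be duplicated with their PUBLIC address.
dnscmd $DnsServer /RecordAdd $Zone 'ftp' A $ExtHostIp

# 4. Forwarders for every name that is not in a local zone. Order matters:
#    the server tries them in sequence and waits out the timeout on a dead one.
dnscmd $DnsServer /ResetForwarders $Forwarders

# 5. Verify from a client. Flush the client's cache first so a stale public
#    answer cannot mask the change; then the internal server must return the
#    private IP while the ISP resolver still returns the public one.
ipconfig /flushdns
nslookup "www.$Zone" $DnsServer           # expect 192.168.0.5
nslookup "www.$Zone" $($Forwarders[0])    # expect the public (66.x) address
```

Two caveats follow from the thread's own setup. The internal server now holds private addresses and should not be the one answering Internet queries on the port 53 that was opened on the router; leave the public copy of the zone with the registrar or ISP (or a separate host in the DMZ Lanwench suggests) and do not forward inbound 53 to this server. And after changing forwarders or records, no reboot is needed: `dnscmd $DnsServer /ClearCache` on the server and `ipconfig /flushdns` on the clients are enough.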
 

Ace Fekay [MVP]

John said:
Thanks, I'll give that a try. Now it we can send/receive emails from
the client pcs. We are also able to get to external web sites but not
very regularly. When we do get a connection, it appears to take some
time for the site to load. Any ideas as to why the dns lookups for
external sites may be taking so long?

Thanks

John, you didn't say whether your clients can ping by name successfully.
Curious what the reply times are in a ping. Ping www.yahoo.com or
www.macromedia.com and let us know what the response times are.

Also, what DNS are you using for a forwarder?

What kind of line do you have? ADSL, SDSL or T1?


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroup so all
can benefit.
This posting is provided "AS-IS" with no warranties and confers no
rights.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a
pig. --
=================================
 
