DNS Server Not Responding (Win 2003 SBE)


Bob Haroche

I'm running Windows 2003 SBE in what's basically a test environment and
am trying to host a publicly accessible website (only for test/development
purposes). The name of the local domain is onpoint.local and the name of the
server box is server.onpoint.local. The box has one NIC card and its
internal LAN IP is 192.168.0.4. The server is a domain controller (I have
no choice with SBE), but it's not acting as a DHCP server and no other
machines are part of the onpoint.local domain. My router/firewall/gateway is
a separate machine running IPCOP linux software, and its internal LAN IP is
192.168.0.1. That gateway has two public IPs, one of which is
208.201.246.19. The gateway machine is configured to forward port 53/80
requests coming in on the 208.246.201.19 IP over to the server.onpoint.local
box (192.168.0.4). I've confirmed that ports 53/80 are open on
208.201.246.19 through a port scan.

In the server.onpoint.local box's LAN connection properties, the IP is set
to 192.168.0.4, the gateway is set to 192.168.0.1, and the DNS is set to
127.0.0.1.

I've registered the domain rumination.net with Gandi.net registrar and weeks
ago told Gandi that ns1.rumination.net is associated with 208.201.246.19.
(The second name server is hosted by Gandi.) From both inside and outside my
network, I'm able to ping ns1.rumination.net, which resolves to
208.201.246.19, the Win 2003 box. However, I can't ping
rumination.net, getting only "unknown host" messages.

Now I'm not a complete newbie at DNS (I've successfully configured the
shareware SimpleDNS server on a separate Win2K workstation without problem)
but I am new to Windows 2003 SBE. For the life of me I can't get my Win
2003 DNS server to respond to requests.

I'm wondering if I'm missing something having to do with SBE, like an
obscure requirement that the server has to also act as a DHCP server (?),
some permissions issue or perhaps some other, "hidden" firewall I've missed,
etc. I'm not running ISA. In the DNS MMC, rumination.net is a
"sub-directory" below forward looking zones. It is on the same level as,
not below, the onpoint.local domain -- if this matters.

Below is my rumination.dns file (the zone is not AD-integrated). FWIW, in
the record below, I've tried replacing the 192.168.0.4 LAN IP with the
public 208.201.246.19 IP, but that hasn't helped. I've cleared cache and
reloaded after every tweak of the record.

I'm sure it's a simple thing I've missed. Any help or suggestions would be
appreciated. Thanks.

--- DNS Record -----

;
; Database file rumination.net.dns for rumination.net zone.
; Zone version: 5
;

@ IN SOA server.onpoint.local. hostmaster.onpoint.local. (
5 ; serial number
900 ; refresh
600 ; retry
86400 ; expire
3600 ) ; default TTL

;
; Zone NS records
;

@ NS server.onpoint.local.

;
; Zone records
;

@ A 208.201.246.19
ns1 A 192.168.0.4
www CNAME rumination.net.
 

Bob Haroche

Well, after that long question above I took another look at my firewall and
saw that I had port forwarding open for port 53 under the TCP protocol, but
not the UDP protocol. When I opened up UDP, the DNS server is able to
respond to public requests. I even deleted the TCP port 53 forwarding, and
it still works.

So now my question is: why is it that UDP needs to be forwarded? I thought
DNS requests came in over TCP.
 

Kevin D. Goodknecht Sr. [MVP]

Bob Haroche said:
> I'm running Windows 2003 SBE in what's basically a test
> environment and am trying to host a publicly accessible website
> (only for test/development purposes). The name of the local domain
> is onpoint.local and the name of the server box is
> server.onpoint.local. The box has one NIC card and its
> internal LAN IP is 192.168.0.4. The server is a domain
> controller (I have no choice with SBE), but it's not
> acting as a DHCP server and no other machines are part of
> the onpoint.local domain. My router/firewall/gateway is a
> separate machine running IPCOP linux software, and its
> internal LAN IP is 192.168.0.1. That gateway has two
> public IPs, one of which is 208.201.246.19. The gateway
> machine is configured to forward port 53/80 requests
> coming in on the 208.246.201.19 IP over to the
> server.onpoint.local box (192.168.0.4). I've confirmed
> that ports 53/80 are open on 208.201.246.19 through a
> port scan.
>
> In the server.onpoint.local box's LAN connection
> properties, the IP is set to 192.168.0.4, the gateway is
> set to 192.168.0.1, and the DNS is set to 127.0.0.1.
>
> I've registered the domain rumination.net with Gandi.net
> registrar and weeks ago told Gandi that ns1.rumination.net
> is associated with 208.201.246.19. (The second name server
> is hosted by Gandi.) From both inside and outside my network,
> I'm able to ping ns1.rumination.net, which resolves to
> 208.201.246.19, the Win 2003 box. However, I can't ping
> rumination.net, getting only "unknown host" messages.
>
> Now I'm not a complete newbie at DNS (I've successfully
> configured the shareware SimpleDNS server on a separate
> Win2K workstation without problem) but I am new to
> Windows 2003 SBE. For the life of me I can't get my Win
> 2003 DNS server to respond to requests.
>
> I'm wondering if I'm missing something having to do with
> SBE, like an obscure requirement that the server has to
> also act as a DHCP server (?), some permissions issue or
> perhaps some other, "hidden" firewall I've missed, etc.
> I'm not running ISA. In the DNS MMC, rumination.net is
> a "sub-directory" below forward looking zones. It is on
> the same level as, not below, the onpoint.local domain --
> if this matters.
>
> Below is my rumination.dns file (the zone is not
> AD-integrated). FWIW, in the record below, I've tried
> replacing the 192.168.0.4 LAN IP with the public
> 208.201.246.19 IP, but that hasn't helped. I've cleared
> cache and reloaded after every tweak of the record.
>
> I'm sure it's a simple thing I've missed. Any help or
> suggestions would be appreciated. Thanks.
>
> --- DNS Record -----
>
> ;
> ; Database file rumination.net.dns for rumination.net zone.
> ; Zone version: 5
> ;
>
> @ IN SOA server.onpoint.local. hostmaster.onpoint.local. (
> 5 ; serial number
> 900 ; refresh
> 600 ; retry
> 86400 ; expire
> 3600 ) ; default TTL
>
> ;
> ; Zone NS records
> ;
>
> @ NS server.onpoint.local.
>
> ;
> ; Zone records
> ;
>
> @ A 208.201.246.19
> ns1 A 192.168.0.4
> www CNAME rumination.net.
>
> -------------
> Regards,
> Bob Haroche
> O n P o i n t S o l u t i o n s
> www.OnPointSolutions.com

I can see what you are doing here and it is going to be a problem. You are
using this local server for the Primary DNS for the public domain. You can
set this up so it will work from the public side, but then it won't work from
the private side. If you set it up to work from the private side it won't
work from the public side.
You need a DNS server locally that resolves private addresses for your local
network.

Here is your public side DNS:
rumination.net soa

opcode: Query, status: NOERROR, id: 23
flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

QUESTION SECTION:
rumination.net. IN SOA

ANSWER SECTION:
rumination.net. 3600 IN SOA server.onpoint.local.
hostmaster.onpoint.local.< fix this
5 900 600 86400 3600

AUTHORITY SECTION:
rumination.net. 172775 IN NS ns6.gandi.net.
rumination.net. 172775 IN NS ns1.rumination.net.

ADDITIONAL SECTION:
ns6.gandi.net. 258557 IN A 80.67.173.196

QUESTION SECTION:
ns1.rumination.net. IN A

ANSWER SECTION:
ns1.rumination.net. 3600 IN A 192.168.0.4<---fix this

AUTHORITY SECTION:
rumination.net. 172152 IN NS ns6.gandi.net.
rumination.net. 172152 IN NS ns1.rumination.net.

ADDITIONAL SECTION:
ns6.gandi.net. 257934 IN A 80.67.173.196
 

Kevin D. Goodknecht Sr. [MVP]

Bob Haroche said:
> Well, after that long question above I took another look
> at my firewall and saw that I had port forwarding open
> for port 53 under the TCP protocol, but not the UDP
> protocol. When I opened up UDP, the DNS server is able to
> respond to public requests. I even deleted the TCP port
> 53 forwarding, and it still works.
>
> So now my question is: why is it that UDP needs to be
> forwarded? I thought DNS requests came in over TCP.

You thought wrong, DNS uses UDP for queries, TCP for zone transfers.
 

Bob Haroche

Kevin,

> You need a DNS server locally that resolves private address for your local
> network.

Cannot a single instance of Windows DNS do this as well? I do have an
onpoint.local domain configured as well, which I thought would handle the
internal LAN dns. I was thinking the one machine could serve both internal
and external DNS. I was going to forward outside DNS requests onto my ISP.

Assuming one machine can handle both, if it's simply a matter of my improper
configuration:

> rumination.net. 3600 IN SOA server.onpoint.local.
> hostmaster.onpoint.local.< fix this

Do you mean fix it to hostmaster.rumination.net?

> ns1.rumination.net. 3600 IN A 192.168.0.4<---fix this

Fix it to 208.201.246.19?

Thanks.
 

Ace Fekay [MVP]

Kevin D. Goodknecht Sr. said:
> You thought wrong, DNS uses UDP for queries, TCP for zone transfers.

Just to point out (which you already know): unless the response is larger
than 512 bytes, in which case it goes to TCP (without EDNS0).

:)


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
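Bob's finding that only the UDP/53 forward mattered, Kevin's "UDP for queries, TCP for zone transfers", and Ace's 512-byte/EDNS0 caveat all follow from the DNS wire format. The Python below is an added example, not code from this thread or from Windows DNS: it builds a query for rumination.net (the name from the thread) with and without an EDNS0 OPT record, frames the same message for TCP with the two-byte length prefix, and parses a constructed truncated reply to decide whether a resolver must retry over TCP. The function names, the transaction ID 23 (borrowed from Kevin's dig output) and the reply bytes are assumptions constructed for illustration. The practical consequence for a firewall like Bob's IPCOP box: forwarding only TCP/53 blocks every ordinary query, while forwarding only UDP/53 works for small answers but breaks truncated-answer retries and zone transfers to the secondary.

```python
import struct

# Added example (not from the thread): minimal DNS wire-format helpers showing
# why port 53/UDP carries ordinary queries and when TCP is still required.

QTYPE = {"A": 1, "NS": 2, "SOA": 6, "OPT": 41}
FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # truncated: the answer did not fit in the UDP payload
FLAG_RD = 0x0100   # recursion desired
CLASSIC_UDP_LIMIT = 512  # RFC 1035 cap on UDP messages when no EDNS0 OPT is present


def encode_name(name):
    """Encode 'rumination.net' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid, edns_udp_size=None):
    """One question with RD set; optionally an EDNS0 OPT record advertising a larger UDP payload."""
    arcount = 1 if edns_udp_size else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # QCLASS IN
    if edns_udp_size:
        # OPT pseudo-RR: root owner name, TYPE 41, the CLASS field carries the
        # UDP payload size, the TTL field carries ext-RCODE/version/flags (zero), RDLENGTH 0.
        msg += b"\x00" + struct.pack("!HHIH", QTYPE["OPT"], edns_udp_size, 0, 0)
    return msg


def tcp_frame(msg):
    """DNS over TCP prefixes each message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def question_length(msg):
    """Bytes occupied by the single question section that starts at offset 12."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4 - 12  # terminating zero + QTYPE + QCLASS


def max_udp_payload(query):
    """Largest UDP response the client accepts: 512 unless it advertised more via OPT."""
    if parse_header(query)["arcount"] == 0:
        return CLASSIC_UDP_LIMIT
    opt = query[12 + question_length(query):]
    if opt[0] != 0 or struct.unpack("!H", opt[1:3])[0] != QTYPE["OPT"]:
        return CLASSIC_UDP_LIMIT
    return max(CLASSIC_UDP_LIMIT, struct.unpack("!H", opt[3:5])[0])


def make_reply(query, truncated):
    """Constructed server reply: echoes the question, sets QR, and TC when the answer would not fit."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    flags |= FLAG_QR | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, qd, 0, 0, ar) + query[12:]


def next_transport(query, response):
    """A resolver's decision after a UDP reply: accept it, or repeat the query over TCP."""
    if parse_header(response)["id"] != parse_header(query)["id"]:
        raise ValueError("transaction id mismatch; discard the packet")
    return "tcp" if parse_header(response)["tc"] else "udp"


if __name__ == "__main__":
    q = build_query("rumination.net", "SOA", 23)
    print(len(q), "bytes over UDP; TCP length prefix:", tcp_frame(q)[:2].hex())
    print("without EDNS0 the server may send at most", max_udp_payload(q), "bytes")
    print("with EDNS0 (4096):", max_udp_payload(build_query("rumination.net", "SOA", 23, 4096)))
    print("after a truncated reply, retry over:", next_transport(q, make_reply(q, truncated=True)))
```

The transaction-ID check in `next_transport` is the minimal sanity check a resolver applies before trusting a UDP reply, which is why the firewall rule only needs to admit replies for queries the server itself sent out and unsolicited inbound UDP to port 53 is what a public authoritative server expects.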
 

Kevin D. Goodknecht Sr. [MVP]

Bob Haroche said:
> Kevin,
>
> Cannot a single instance of Windows DNS do this as well?
> I do have an onpoint.local domain configured as well,
> which I thought would handle the internal LAN dns. I was
> thinking the one machine could serve both internal and
> external DNS. I was going to forward outside DNS requests
> onto my ISP.

It can handle local requests for onpoint.local, but it is obvious to me you
expect rumination.net to work in both places or you wouldn't be having
private names and addresses in the zone.
MS DNS cannot do this, it can do one or the other, per zone.

> Assuming one machine can handle both, if it's simply a
>
> Do you mean fix it to hostmaster.rumination.net?

Fix the SOA record so the names can resolve to routable IP addresses.

> Fix it to 208.201.246.19?

You cannot publish non-routable IP addresses in a public DNS server.
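Kevin's two "fix this" markers in the dig output and his last two replies reduce to one rule for a zone that a public server answers for: it may only contain names the public can resolve and addresses the public can route to. The Python below is an added example, not code from this thread or from Windows DNS: it re-enters Bob's zone file as a constructed sample (SOA on a single line), checks it against that rule and against the delegation shown in Kevin's AUTHORITY section, and runs the same check over a constructed corrected zone for comparison. The function names, the list of suffixes treated as private, and the corrected zone's contents (ns1.rumination.net as SOA primary, hostmaster.rumination.net as contact, both A records set to 208.201.246.19) are assumptions; as Kevin says, internal names belong in a separate internal zone rather than in the public one.

```python
import ipaddress

# Added example (not from the thread): lint a zone meant for a public DNS
# server for the two defects Kevin flagged, names in a private namespace
# and non-routable addresses, plus delegation/glue consistency.

ORIGIN = "rumination.net."
# Delegation as listed in the AUTHORITY section of Kevin's dig output.
DELEGATED_NS = ["ns6.gandi.net.", "ns1.rumination.net."]
# Assumption: these suffixes are never resolvable from the public Internet.
PRIVATE_DOMAIN_SUFFIXES = (".local", ".internal", ".lan", ".home")

# Bob's posted zone, re-entered here as a constructed sample with the SOA on one line.
THREAD_ZONE = """\
@ IN SOA server.onpoint.local. hostmaster.onpoint.local. (
    5 ; serial number
    900 ; refresh
    600 ; retry
    86400 ; expire
    3600 ) ; default TTL
@ NS server.onpoint.local.
@ A 208.201.246.19
ns1 A 192.168.0.4
www CNAME rumination.net.
"""

# Constructed corrected zone following the thread's advice: public names, routable addresses.
FIXED_ZONE = """\
@ IN SOA ns1.rumination.net. hostmaster.rumination.net. ( 6 900 600 86400 3600 )
@ NS ns1.rumination.net.
@ NS ns6.gandi.net.
@ A 208.201.246.19
ns1 A 208.201.246.19
www CNAME rumination.net.
"""


def parse_zone(text):
    """Minimal BIND-style parser: strips ';' comments, joins '( ... )' continuation
    lines, skips optional TTL/class fields, returns (owner, type, rdata_tokens)."""
    records, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        owner, rest = tokens[0], tokens[1:]
        while rest and (rest[0].upper() == "IN" or rest[0].isdigit()):
            rest = rest[1:]
        records.append((owner, rest[0].upper(), rest[1:]))
    return records


def fqdn(name, origin):
    """'@' is the origin; relative names get the origin appended; result is lower-cased."""
    if name == "@":
        return origin.lower()
    name = name.lower()
    return name if name.endswith(".") else name + "." + origin.lower()


def in_private_namespace(name):
    return name.lower().rstrip(".").endswith(PRIVATE_DOMAIN_SUFFIXES)


def lint_public_zone(text, origin, delegated_ns):
    """Return findings that would break resolution of the zone from the public side."""
    records = [(fqdn(o, origin), t, r) for o, t, r in parse_zone(text)]
    findings, addresses = [], {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            ip = ipaddress.ip_address(rdata[0])
            addresses.setdefault(owner, []).append(ip)
            if not ip.is_global:  # RFC 1918 and other reserved space is not routable publicly
                findings.append(f"{owner} A {rdata[0]}: non-routable address in a public zone")
        elif rtype == "NS" and in_private_namespace(rdata[0]):
            findings.append(f"{owner} NS {rdata[0]}: name server in a private namespace cannot be resolved publicly")
        elif rtype == "SOA":
            mname, rname = rdata[0], rdata[1]
            if in_private_namespace(mname):
                findings.append(f"SOA MNAME {mname}: primary server name is not publicly resolvable")
            if in_private_namespace(rname):
                findings.append(f"SOA RNAME {rname}: contact mailbox is in a private domain")
    zone_ns = {r[0].lower() for _, t, r in records if t == "NS"}
    for ns in (n.lower() for n in delegated_ns):
        if ns not in zone_ns:
            findings.append(f"delegated NS {ns} is missing from the zone's own NS set")
        # An in-zone name server needs a public address in the zone, or its glue is useless.
        if ns.endswith("." + origin.lower()) and not any(a.is_global for a in addresses.get(ns, [])):
            findings.append(f"delegated NS {ns} has no public A record in the zone (glue would be unusable)")
    return findings


if __name__ == "__main__":
    for finding in lint_public_zone(THREAD_ZONE, ORIGIN, DELEGATED_NS):
        print("FAIL:", finding)
    print("corrected zone findings:", lint_public_zone(FIXED_ZONE, ORIGIN, DELEGATED_NS))
```

Run against the posted zone it reports the private-namespace SOA and NS names, the 192.168.0.4 address on ns1, and the mismatch between the registrar's delegation (ns6.gandi.net, ns1.rumination.net) and the zone's own NS set; the corrected zone produces no findings. The same check is worth running before any zone is exposed, since a leaked private name or address is both a resolution failure and a small disclosure of the internal network layout.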
 

Ace Fekay [MVP]

Scott Hutchinson said:
> Ping and DNS are UDP utilities / protocols.

More specifically, Ping uses ICMP, but its transport is UDP.


--
Regards,
Ace

 

Jonathan de Boyne Pollard

SH> Ping and DNS are UDP utilities / protocols.

MF> More specifically, Ping uses ICMP, but its transport is UDP.

Just as specifically but more correctly: "ping" uses ICMP/IP. UDP/IP is not
involved. There is also a UDP/IP "echo" service, but it is unrelated to
"ping" and largely unused in practice.
 
