Can not Lookup on New Zone


fmarano

So we are setting up our first Internal DNS server in a non-AD/non-DC
environment. The server works perfectly when the root zone "." is
set up, I can do a NSLOOKUP on a name and get back the correct IP but as
I'm sure everyone is aware, you can not use forwarders with the root
zone so as per the instructions on Microsoft's site I deleted "." and
created a new zone "dns.mycompany.org" and set up the forwarders, now we
can get out to the internet but the lookup doesn't seem to be working -
I now receive "Unknow can't find" when I run a NSLOOKUP. What am I
missing???
 
> So we are setting up our first Internal DNS server in a non-AD/non-DC
> environment. The server works perfectly when the root zone "." is
> set up, I can do a NSLOOKUP on a name and get back the correct IP but
> as I'm sure everyone is aware, you can not use forwarders with the
> root zone so as per the instructions on Microsoft's site I deleted
> "." and created a new zone "dns.mycompany.org" and set up the
> forwarders,

If you have a root zone, unless it is a delegated root zone, DNS will not be
able to resolve external names.

> now we can get out to the internet but the lookup doesn't
> seem to be working - I now receive "Unknow can't find" when I run a
> NSLOOKUP. What am I missing???

If, when you start nslookup, you receive "can't find server name for address
<ipaddress>":
This is an nslookup thing. nslookup performs a reverse lookup on the IP
address of the DNS server it is using; configuring a reverse lookup zone and
PTR record for the IP address will stop this message.
 
Ok I think I figured out what was going on, I created a zone called
dns.mycompany.org and created a host entry for server, I was doing a
nslookup server instead of nslookup server.dns.mycompany.org - when I
had the root zone enabled nslookup server worked. Now I added
dns.mycompany.org to the DNS suffixes and now nslookup server works but
if I try and go to that same server via HTTP (http://server) or a UNC
path (\\server) it doesn't work - it only works as
http://server.dns.mycompany.org or \\server.dns.mycompany.org so now
I'm wondering if there is any way to allow a single-label name for HTTP and
UNC? Really what I think I need is a root zone that forwards.
 
> Ok I think I figured out what was going on, I created a zone called
> dns.mycompany.org and created a host entry for server, I was doing a
> nslookup server instead of nslookup server.dns.mycompany.org - when I
> had the root zone enabled nslookup server worked. Now I added
> dns.mycompany.org to the DNS suffixes and now nslookup server works but
> if I try and go to that same server via HTTP (http://server) or a UNC
> path (\\server) it doesn't work - it only works as
> http://server.dns.mycompany.org or \\server.dns.mycompany.org so now
> I'm wondering if there is any way to allow a single-label name for HTTP and
> UNC?

Sure there is: add the dns.mycompany.org suffix to the "Append these DNS
suffixes" list in the TCP/IP configuration of the client computer(s).

> Really what I think I need is a root zone that forwards.

You definitely do not need this...

Elesus
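
Added example (not part of any post in this thread): a simplified Python model of why the bare name `server` stopped resolving once the host record moved from the "." zone into dns.mycompany.org, and why adding the suffix to the client fixes it. The zone contents, the 192.0.2.10 address and the search order (suffixes first, then the name as typed) are assumptions made for illustration.

```python
# Added illustration, not from the thread: a simplified model of how a
# resolver client expands a typed name using its DNS suffix search list.
# Zone data is constructed; 192.0.2.10 is a documentation address.

ROOT_ZONE_SETUP = {"server.": "192.0.2.10"}                    # host in "."
NEW_ZONE_SETUP = {"server.dns.mycompany.org.": "192.0.2.10"}   # host in new zone


def candidates(name, suffixes):
    """Return the fully qualified names tried, in order, for a typed name."""
    name = name.lower()
    if name.endswith("."):
        return [name]  # trailing dot: already fully qualified, no suffixes
    # Assumed order for this model: each suffix first, then the name as typed.
    tried = [f"{name}.{s.strip('.').lower()}." for s in suffixes]
    tried.append(name + ".")
    return tried


def resolve(name, suffixes, zone):
    """Return (fqdn, address) for the first candidate found in zone, else None."""
    for fqdn in candidates(name, suffixes):
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None


if __name__ == "__main__":
    suffix = ["dns.mycompany.org"]
    cases = [
        ("root zone, no suffix", "server", [], ROOT_ZONE_SETUP),
        ("new zone, no suffix", "server", [], NEW_ZONE_SETUP),
        ("new zone, FQDN typed", "server.dns.mycompany.org", [], NEW_ZONE_SETUP),
        ("new zone, suffix added", "server", suffix, NEW_ZONE_SETUP),
    ]
    for label, name, sfx, zone in cases:
        print(f"{label:24} {name!r:30} -> {resolve(name, sfx, zone)}")
```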
 
I did add them but never rebooted, it seems that after the reboot UNC
and HTTP are working.
 
Now I just need to figure out if there is a way to prevent forwarding on
certain IPs (I do not want certain workstations going out to the
internet), is there any way to do this?
 
> Now I just need to figure out if there is a way to prevent forwarding
> on certain IPs (I do not want certain workstations going out to the
> internet), is there any way to do this?

If all workstations are on the same subnet, probably the easiest way to do
that is to not assign those workstations a gateway, or to go into internet
options (connections tab) and define a bogus proxy server address. The
gateway is the most sure way because some applications like OE don't use the
proxy settings.
 
We use the gateway for routing between networks so I'm not sure that
will work, I will give the bogus proxy a try though.
 