DNS for Idiots...

Thread starter: Mike

Mike

I've inherited a network that hosts about 6 websites. Domain A's DNS is
hosted by the ISP, but we have a Primary & a Secondary DNS server set up
for domains B through F. These are running Win2k & are not DCs. According to
DNSreports.com there are problems, mostly things like:
"Some of your nameservers listed at the parent nameservers did not respond"
or
"You have one or more missing (stealth) nameservers"
or
"One or more of the nameservers listed at the parent servers are not listed
as NS records at your nameservers. The problem NS records are:"
Occasionally, people can't get to some of the sites & I want to start over
from scratch & set them up correctly(?).

Is there a site or someone that can help me?
 
Mike said:
I've inherited a network that hosts about 6 websites.
Domain A's DNS is hosted by the ISP, but we have a
Primary & a Secondary DNS servers set up for domain B
through F. These are running Win2k & are not DCs.
According to DNSreports.com there are problems. mostly
things like: "Some of your nameservers listed at the
parent nameservers did not respond" or "You have one or
more missing (stealth) nameservers"
or
"One or more of the nameservers listed at the parent
servers are not listed as NS records at your nameservers.
The problem NS records are:" Occasionally, people can't
get to some of the sites & I want to start over from
scratch & set them up correctly(?).

Is there a site or someone that can help me?

Select the properties of the problem zones, Name server tab, add or remove
the necessary NS records so they match the public record exactly. Then
select the SOA tab and set the primary name server to the correct name.
These NS records will also need address records with the public IP for glue.
 
Mike wrote in message:
: I've inherited a network that hosts about 6 websites. Domain A's DNS is
: hosted by the ISP, but we have a Primary & a Secondary DNS servers set up
: for domain B through F. These are running Win2k & are not DCs. According to
: DNSreports.com there are problems. mostly things like:
: "Some of your nameservers listed at the parent nameservers did not respond"
: or
: "You have one or more missing (stealth) nameservers"
: or
: "One or more of the nameservers listed at the parent servers are not listed
: as NS records at your nameservers. The problem NS records are:"
: Occasionally, people can't get to some of the sites & I want to start over
: from scratch & set them up correctly(?).
:
: Is there a site or someone that can help me?

You're here.

It would be helpful if you mentioned the setup of the network, like where
the DNS servers reside and what type of addressing they have,
private/public. "Occasionally people can't get to some of the sites" is not
clear. Which people? Internet users? LAN users? What DNS do they point
to? What is the exact error message?

Are your DNS servers behind a NAT/firewall?
Even though the DNS servers are not DCs, is there a DC present? Is it
running AD? Does it have DNS running on it?

The DNS group on the news server is probably the best NG of all. There are
some guys here that are extremely DNS savvy. I know DNS pretty well but I
wouldn't put myself in their category. If you can't get an answer here, it
may not be possible to get it anywhere.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
FAQ W2K/2K3 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;291382
 
See my answers inline...

: It would be helpful if you mentioned the setup of the network, like where
: the DNS servers reside and what type of addressing they have,
: private/public.

Servers are in our office. They have public as well as NAT addresses, but
are mainly for public use. We have an AD domain & its own DNS server, so
I'm not sure why we'd have NAT addresses on these. It was that way when I
got here.

: "Occasionally people can't get to some of the sites" is not
: clear. Which people? Internet users? LAN users? What DNS do they point
: to? What is the exact error message?

Internet users, as all of these sites have entries in our AD DNS server with
the appropriate NAT addresses. Office users have no problems.

: Are your DNS servers behind a NAT/firewall?

Yes

: Even though the DNS servers are not DCs, is there a DC present?

Yes

: Is it running AD? Does it have DNS running on it?

Yes
 
Mike said:
NAT addresses, but are mainly for public use. We have an
AD domain & its own DNS server, so I'm not sure why we'd
have NAT addresses on these. It was that way when I got
here.

Mike, did my post not make it to your news server?
You need to correct the NS records on the Name server tab of the problem
zones.
 
Mike wrote in message:
: See my answers inline...
: >
: > It would be helpful if you mentioned the setup of the network, like where
: > the DNS servers reside and what type of addressing they have,
: > private/public.
: Servers are in our office. They have public, as well, as NAT addresses, but
: are mainly for public use. We have an AD domain & it's own dns server, so
: I'm not sure why we'd have NAT addresses on these. It was that way when I
: got here.

If your servers are behind a firewall and AD is present, then all servers,
workstations, etc. should be pointing their DNS to the master DC. Also, you
only need private IP addressing on the server. The whole point of NAT,
which you probably know, is to let the router translate a single or multiple
public IP addresses to the private addresses.

: > Occasionally people can't get to some of the sites is not
: > clear. Which people? Internet users? LAN users? What DNS do they point
: > to? What is the exact error message?
:
: Internet users, as all of these sites have entries in our AD dns server with
: the appropriate NAT addresses. Office users have no problems.

When you refer to NAT addresses are you referring to 192.168.x.x or similar?
If so, that is correct. Public name, private IP address on the internal
DNS.

Have you made the changes on the public DNS that Kevin has mentioned?

--
Roland Hall
 
Ironically, dnsreports.com cannot be reached by now, so you're not alone.

--
Roland Hall
 
Kevin replied:
: > Ironically dnsreports.com cannot be reached by now so
: > you're not alone.
:
: BTW, it is dnsreport.com. It works fine.

That might make a difference. Thanks.

--
Roland Hall
 
Kevin D. Goodknecht Sr. said:
Mike, did my post not make it to your news server?
You need to correct the NS records on the Name server tab of the problem
zones.

Ok, maybe this will shed a little light on the situation, or make it all the
more confusing, you decide.
Our main domain is abc.com & we have about 6 other domains & websites
that we host.
Our phone/data provider hosts our dns for abc.com.
Our AD domain controller for abc.com has forwarders set to our ISPs name
servers, since they also handle our email, & has entries for the NAT
addresses (192.168.6.x) of all our other websites. All internal computers
have this computer's IP address set as their dns server. We have dns running
on 2 other computers with public & private addresses bound to their NICs.
We picked one of our other domains, let's say def.com, to handle DNS for the
rest of our domains. So, under abc.com we have 2 A records, well 4 actually,
for finster.abc.com & toejam.abc.com, which have both private & public IP
addresses. Somewhere I need to add something (an A record?) that maps
finster.abc.com to ns1.def.com & toejam.abc.com to ns2.def.com, am I right?
All other domains have SOA of finster.abc.com, NS records for
finster.abc.com & toejam.abc.com, & an A record for the www address, which
is the public IP address. Again, if any of this seems kind of whacked out, I
inherited it & am trying to clean it up!
I am open to suggestions!
Thanks-
 
Mike wrote in message:
: Kevin D. Goodknecht Sr. said:
: > Mike said:
: >> NAT addresses, but are mainly for public use. We have an
: >> AD domain & it's own dns server, so I'm not sure why we'd
: >> have NAT addresses on these. It was that way when I got
: >> here.
: >
: > Mike, did my post not make it to your news server?
: > You need to correct the NS records on the Name server tab of the problem
: > zones.
:
: Ok, maybe this will shed a little light on the situation, or make it all the
: more confusing, you decide.
: Our main domain is abc.com & we have about 6 other domains & websites
: that we host.
: Our phone/data provider hosts our dns for abc.com.
: Our AD domain controller for abc.com has forwarders set to our ISPs name
: servers, since they also handle our email, & has entries for the NAT
: addresses (192.168.6.x) of all our other websites.

If you're saying your ISP has entries for your private network, in your
forward lookup zone on their public DNS server, then that is not a good
thing to do. The Internet doesn't need to know anything about your private
network, nor does your ISP, even if they host your mail.

: All internal computers
: have this computer's IP address set as their dns server.

Assuming this is a 192.168.6.x address.

: We have dns running
: on 2 other computers with public & private addresses bound to their NICs.

Do not mix public and private addressing on the same DNS server. With a
split horizon you would have to have an entry for the web/mail server to
tell internal clients where they are but everything else should be private.

Split horizon = public domain and private domain match Ex. domain.com for
both instead of domain.com (public) and domain.local (private)

: We picked one of our other domains, let's say def.com, to handle dns for the
: rest of our domains. So, under abc.com we have 2 A records, well 4 actually,
: for finster.abc.com & toejam.abc.com, which have both private & public IP
: addresses.

[shaking finger]

: Somewhere I need to add something (an A record?) that maps
: finster.abc.com to ns1.def.com & toejam.abc.com to ns2.def.com, am I right?
: All other domains have SOA of finster.abc.com, NS records for
: finster.abc.com & toejam.abc.com, & an A record for the www address, which
: is the public IP address. Again, if any of this seems kind of whacked out, I
: inherited it & am trying to clean it up!
: I am open to suggestions!
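Kevin's fix (make the zone's NS records match what the parent hands out, set the SOA primary to one of them, and give every nameserver name a public address record for glue) and Roland's point (no private addresses in public zone data) can be turned into a check that reproduces the three DNSreport findings quoted in the question. The script below is an added example, not code from the thread or from dnsreport.com: it runs offline on constructed data (the parent's NS set and each server's answers are written out as Python objects, modelled on the def.com / finster.abc.com / toejam.abc.com layout Mike describes; the 203.0.113.x and 192.168.6.x addresses are made up). To use it against a live zone you would fill the same structures from `nslookup -type=NS` against the TLD servers and against each listed nameserver.

```python
"""Delegation consistency check, reproducing the three DNSreport findings
quoted in the question. All input is constructed: the parent's NS set and
each server's answers are supplied as Python objects, so it runs offline.
Names follow the thread (def.com served by finster.abc.com and
toejam.abc.com); the addresses are made up (203.0.113.0/24 is TEST-NET-3)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Roland's point: RFC 1918 space must never appear in public zone data.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


@dataclass
class ServerAnswer:
    """What one listed nameserver returned for the zone's NS and SOA.
    responded=False models "did not respond": host down, or port 53 not
    reaching it through the firewall/NAT."""
    responded: bool
    ns: frozenset[str] = frozenset()
    soa_mname: str = ""
    # A records the server holds for the nameserver host names (its glue)
    addresses: dict[str, frozenset[str]] = field(default_factory=dict)


def check_delegation(zone: str, parent_ns: dict[str, frozenset[str]],
                     answers: dict[str, ServerAnswer]) -> list[str]:
    """parent_ns: NS names the parent (TLD servers) hands out for the zone,
    each mapped to the glue addresses the parent returns (empty if none).
    answers: the response obtained from each of those nameservers.
    Returns DNSreport-style findings; empty means delegation and zone agree."""
    parent = {_norm(k): frozenset(v) for k, v in parent_ns.items()}
    parent_set = frozenset(parent)
    got = {_norm(k): v for k, v in answers.items()}
    findings: list[str] = []

    for host in sorted(parent_set):
        ans = got.get(host)
        if ans is None or not ans.responded:
            findings.append(f"{host}: listed at the parent but did not respond")
            continue
        child = frozenset(_norm(n) for n in ans.ns)
        for n in sorted(child - parent_set):
            findings.append(f"{host}: stealth nameserver {n} (in zone NS records, not at parent)")
        for n in sorted(parent_set - child):
            findings.append(f"{host}: parent lists {n} but it is missing from the zone's NS records")
        if _norm(ans.soa_mname) not in child:
            findings.append(f"{host}: SOA primary '{ans.soa_mname}' is not one of the zone's NS records")

    # Address checks, once per nameserver name: an NS name inside the zone
    # needs glue at the parent; every NS name needs some public address.
    responding = [a for a in got.values() if a.responded]
    for n in sorted(parent_set):
        addrs = set(parent[n])
        for a in responding:
            addrs |= set(a.addresses.get(n, ()))
        if n.endswith("." + _norm(zone)) and not parent[n]:
            findings.append(f"{n}: inside {zone} but the parent has no glue address for it")
        if not addrs:
            findings.append(f"{n}: no address record found for this nameserver")
        for a in sorted(addrs):
            if is_rfc1918(a):
                findings.append(f"{n}: private address {a} in public zone data")
    return findings


# Constructed "before" picture, the kind of state DNSreport complained about:
# the primary answers but lists only itself and carries a 192.168.6.x address,
# and the secondary never answers.
BROKEN = dict(
    zone="def.com",
    parent_ns={"finster.abc.com": frozenset({"203.0.113.10"}),
               "toejam.abc.com": frozenset({"203.0.113.11"})},
    answers={
        "finster.abc.com": ServerAnswer(
            responded=True, ns=frozenset({"finster.abc.com"}),
            soa_mname="finster.abc.com",
            addresses={"finster.abc.com": frozenset({"203.0.113.10", "192.168.6.10"})}),
        "toejam.abc.com": ServerAnswer(responded=False),
    },
)

# "After": both reachable, NS set and SOA primary match the parent, public glue only.
FIXED = dict(
    zone="def.com",
    parent_ns=BROKEN["parent_ns"],
    answers={
        h: ServerAnswer(responded=True,
                        ns=frozenset({"finster.abc.com", "toejam.abc.com"}),
                        soa_mname="finster.abc.com",
                        addresses={"finster.abc.com": frozenset({"203.0.113.10"}),
                                   "toejam.abc.com": frozenset({"203.0.113.11"})})
        for h in ("finster.abc.com", "toejam.abc.com")
    },
)

if __name__ == "__main__":
    for label, cfg in (("before", BROKEN), ("after", FIXED)):
        print(f"--- {label}")
        for line in check_delegation(**cfg) or ["no findings"]:
            print(line)
```

Run as is, the "before" case produces exactly the three complaints from the question (a parent-listed server missing from the zone's NS records, a server that did not respond, and a private address leaking into public data); the "after" case produces none. The private-address test is written against the RFC 1918 ranges explicitly rather than `ipaddress`'s `is_private`, because the latter also flags the documentation ranges used here as sample addresses.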
 
See my answers inline...

Roland Hall said:
: > Our AD domain controller for abc.com has forwarders set to our ISPs name
: > servers, since they also handle our email, & has entries for the NAT
: > addresses (192.168.6.x) of all our other websites.
:
: If you're saying your ISP has entries for your private network, in your
: forward lookup zone on their public DNS server, then that is not a good
: thing to do. The Internet doesn't need to know anything about your private
: network, nor does your ISP, even if they host your mail.

No, they do not have anything on our private network.

: > All internal computers
: > have this computer's IP address set as their dns server.
:
: Assuming this is a 192.168.6.x address.

Yes, you are correct.
Actually, the only place I have any private addresses are under the abc.com
domain, where there are A records for the private IP addresses of my primary
& secondary name servers. Again, that was like that when I inherited the
network & I am here looking to make it right. I was also told by my
predecessor that because the mail was handled by the ISP that things needed
to be this way. Should I take abc.com out of the DNS records on these
servers altogether?
 
Starting fresh. Here is my understanding of what you have and what you
need. You can correct the former and I'm sure if I get the latter wrong
someone else will point that out.

Public (Internet):
domain: abc.com
DNS: Primary DNS is at ISP - we'll call it ns1.isp.com
DNS zones for abc.com should only list public IP addresses for abc.com

Private (LAN):
domain: def.com
DNS: Primary DNS is pointing to a DNS server on your LAN? Why is it not
using ns1.isp.com as the primary DNS server?

Router can accept multiple public IPs, if required. It should then NAT
those to private IPs running on servers on the LAN, web servers, not DNS
servers.

Private DNS servers should host only private addressing. A reason to
include a public address for either a web site or a mail server is if they
are hosted outside the LAN and sharing the same domain name (ex. abc.com)
You never said or I missed it if abc.com is used publicly and as the AD
domain. It requires additional configuration if this is the case.

Your forwarder should point to the router, if possible. Let the router
forward this to the ISP. Your router has to support this. If not, then
pointing the forwarder to the ISP's DNS is correct. No systems, servers or
workstations on the LAN should point to any public DNS server. The
forwarder is only to allow clients on the LAN to resolve public addressing. In
fact, it's not required but speeds things up a bit.

I'll give a brief scenario. I have almost 50 domains but we'll look at two
of them.
domain: kiddanger.com
Internet Host: Primary and secondary are at the host. Mail server is at the
host.

domain: netfraud.us
Hosted on my LAN behind a NAT/firewall.
Public DNS is at DynDNS.org.
Private DNS is on my DC running AD.
My web server, on my LAN, is running multiple domains using host headers.
My mail server is on my LAN. My MX record is on the DNS at DynDNS.org.
There is no MX record configured on my LAN. MX records are for servers, not
clients.

All of my clients and my servers on my LAN only use my DCs DNS. My DC has a
forwarder that points to my router. My router gets its DNS from my ISP. My
AD domain has a unique domain name that is not used on the Internet or a
legal public DNS name. My clients and my servers only use private IP
addressing. That is the whole point of NAT, translate the public IP address
to a private one. It's usually a one to many scenario but there is also
multi-NAT, which should be self-evident.

The only issue I have currently is Exchange where I think I screwed the
pooch testing certificates and one domain cannot receive mail. Everything
else works at it should.

--
Roland Hall
 
Before I go any further, yes, abc.com is used publicly and is the AD domain.
I guess I've opened a whole new can of worms, huh?
 
: Before I go any further, yes, abc.com is used publicly and is the AD
domain.
: I guess I've opened a whole new can of worms, huh?

Well, it's not the way I would have done it but it just requires more steps.
The problem is this:

www.abc.com is outside your LAN.
Since AD requires DNS, your users see abc.com as private, not public, so they
can never get to www.abc.com.
You must then put an A or CNAME record in your local DNS pointing to the
public address of www.abc.com.
The downside is your LAN users can never get to the web site with
http://abc.com/
You'd have to do the same thing for mail if it is hosted externally for
abc.com.

So, any external entities have to be set explicitly in the local DNS for LAN
users to reach them.
It's extra steps but not impossible.

Had you been in on this network in the beginning, it would have been better
to use abc.local or something equivalent. AD just requires a . <-(dot) in
the name.

--
Roland Hall
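Roland's explanation above, modelled in code so the behaviour can be seen rather than taken on faith. This is an added example, not code from the thread: it builds a tiny resolver in which a server that hosts a zone answers names under that zone only from that zone (NXDOMAIN if the record is absent, never forwarded), which is how a DC that is authoritative for abc.com behaves. Everything in it is constructed: the DC at 192.168.6.5, the web site at 203.0.113.80, the ISP-side name abc-web.isp.com used for the CNAME variant, and the abc.local alternative are assumptions for illustration.

```python
"""Why LAN users behind a DC that is authoritative for abc.com cannot reach
www.abc.com until a record is added locally. Constructed data only: zones
and addresses are made up, 203.0.113.0/24 is a documentation range."""
from __future__ import annotations

from collections.abc import Iterable
from dataclasses import dataclass, field

NOERROR, NXDOMAIN, SERVFAIL = "NOERROR", "NXDOMAIN", "SERVFAIL"


@dataclass
class Zone:
    """Flat record table: (owner, type) -> rdata list. Owners are FQDNs."""
    name: str
    records: dict[tuple[str, str], list[str]] = field(default_factory=dict)

    def add(self, owner: str, rtype: str, rdata: str) -> None:
        self.records.setdefault((owner.lower(), rtype), []).append(rdata)

    def contains(self, name: str) -> bool:
        n, z = name.lower(), self.name.lower()
        return n == z or n.endswith("." + z)


class Server:
    """Minimal model of a Windows DNS server with a forwarder. A name under a
    zone this server hosts is answered only from that zone: if the record is
    absent the answer is NXDOMAIN and the forwarder is never consulted.
    Names outside every hosted zone go to the forwarder."""

    def __init__(self, zones: list[Zone], forwarder: Server | None = None):
        self.zones = zones
        self.forwarder = forwarder

    def resolve(self, name: str, rtype: str = "A") -> tuple[str, list[str]]:
        for zone in self.zones:
            if zone.contains(name):
                return self._answer(zone, name, rtype)
        if self.forwarder is not None:
            return self.forwarder.resolve(name, rtype)
        return (SERVFAIL, [])

    def _answer(self, zone: Zone, name: str, rtype: str) -> tuple[str, list[str]]:
        key = (name.lower(), rtype)
        if key in zone.records:
            return (NOERROR, list(zone.records[key]))
        alias = zone.records.get((name.lower(), "CNAME"))
        if alias:
            # Chase the alias through the normal path, so a CNAME pointing
            # outside the hosted zone is forwarded like any external name.
            return self.resolve(alias[0], rtype)
        return (NXDOMAIN, [])


def build_internet() -> Server:
    """Public DNS as the ISP serves it (constructed): the web site lives at a
    hosting address, and the ISP also has a name of its own for that box."""
    public = Zone("abc.com")
    public.add("abc.com", "A", "203.0.113.80")
    public.add("www.abc.com", "A", "203.0.113.80")
    isp = Zone("isp.com")
    isp.add("abc-web.isp.com", "A", "203.0.113.80")
    return Server([public, isp])


def lan_view(ad_domain: str,
             extra: Iterable[tuple[str, str, str]] = ()) -> dict[str, tuple[str, list[str]]]:
    """What a LAN client pointed at the DC gets for the names a user types.
    The DC hosts the AD zone (with, as on a real DC, the zone apex and the
    DC's own name pointing at the DC) and forwards everything else."""
    ad = Zone(ad_domain)
    ad.add(ad_domain, "A", "192.168.6.5")
    ad.add("dc1." + ad_domain, "A", "192.168.6.5")
    for owner, rtype, rdata in extra:
        ad.add(owner, rtype, rdata)
    dc = Server([ad], forwarder=build_internet())
    return {n: dc.resolve(n) for n in ("www.abc.com", "abc.com")}


if __name__ == "__main__":
    cases = {
        "AD domain abc.com, nothing added": lan_view("abc.com"),
        "AD domain abc.com, www A record added": lan_view(
            "abc.com", [("www.abc.com", "A", "203.0.113.80")]),
        "AD domain abc.com, www CNAME to an ISP name": lan_view(
            "abc.com", [("www.abc.com", "CNAME", "abc-web.isp.com")]),
        "AD domain abc.local": lan_view("abc.local"),
    }
    for title, view in cases.items():
        print(title)
        for name, (rcode, data) in view.items():
            print(f"  {name:<12} {rcode} {data}")
```

The first case is the situation in the thread: www.abc.com is NXDOMAIN for office users, and abc.com itself resolves to the DC, which is why http://abc.com/ can never reach the web site from the LAN even after the www record is added. The A and CNAME cases are the two fixes Roland names; note the CNAME target has to be a name outside abc.com, otherwise it is answered from the same internal zone and hits the same wall. The abc.local case is the layout he recommends: nothing under abc.com is hosted internally, so every abc.com lookup is forwarded and needs no extra records.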
 
We are in the process of replacing our 3 servers with Windows 2003 servers,
so if there's any time to change this, I'd guess it would be now.
 