DNS Resolve issues

Thread starter: Krishna

Krishna

Hello,

I have an internal DNS server, ISP DNS IPs and client's DNS IPs.

On my users' workstations I put the internal DNS server IP. This resolves internal
names and also resolves external (Internet) names. I even removed the . forwarder but
it still resolves. Don't know how?

My workstation has IP, DNS IP, Gateway RouterA IP.

Router A connects to Router B thru' point-to-point, and Router A has an IP route
for 0.0.0.0 to Router I (which is connected to the ISP). Since Router A and I are on
the same LAN segment, is that why the workstation doesn't even query the internal
DNS server to resolve external names?

Now, most important: how do I resolve names that are part of my client's
network? The client's network is connected with a point-to-point connection from
location B thru' Router C. What do I add in my internal DNS server to point to the
client's DNS server when a workstation makes DNS queries for the client's network?

I hope I'm clear in explaining the network connection.

Thanks,
Kris
 
Correction:
My workstation has IP, DNS IP, Gateway RouterA IP.

User's workstation has IP, DNS IP, Client DNS IP(sec), Gateway RouterA IP.


What is the difference between providing DNS IPs on workstations and providing
forwarders (DNS IPs) in the DNS server?

Isn't it that once a workstation is unable to resolve a host, it should try the
next DNS server IP in the list?
 
Krishna said:
Hello,

I have an internal DNS server, ISP DNS IPs and client's DNS IPs.

On my users' workstations I put the internal DNS server IP. This resolves
internal names and also resolves external (Internet) names. I even removed the .
forwarder but it still resolves. Don't know how?

Forwarders are not required in most cases, unless there is a firewall that
blocks DNS from using Root Hints.
My workstation has IP, DNS IP, Gateway RouterA IP.

Router A connects to Router B thru' point-to-point, and Router A has an IP
route for 0.0.0.0 to Router I (which is connected to the ISP). Since Router A and I
are on the same LAN segment, is that why the workstation doesn't even
query the internal DNS server to resolve external names?

The DNS client will "stick" to the DNS server that answers first until the
TCP/IP stack is reset or, by default, 15 minutes, whichever comes first.
Now, most important how do I resolve names that are the part of my
clients network. Clients network is connected with point to point
connection from location B thru' Router C. What to add in my internal
DNS server to point to Client's DNS server, when workstation makes
DNS queries for clients network?

I hope I'm clear in explaining the network connection.

All internal Clients should use only the internal DNS servers, (period).
Even if you have only one internal DNS server, use it. Using external DNS
servers on clients belonging to an internal domain should not be done,
because the external DNS server cannot possibly know how to resolve your
internal domain.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
Send IM: http://www.icq.com/people/webmsg.php?to=296095728
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
http://support.wftx.us/
http://message.wftx.us/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
 
Krishna said:
Correction:

User's workstation has IP, DNS IP, Client DNS IP(sec), Gateway
RouterA IP.


What is the difference between providing DNS IPs on workstations and
providing forwarders (DNS IPs) in the DNS server?

External DNS server cannot and should not be able to resolve your internal
network.
Isn't it that once a workstation is unable to resolve a host, it should try
the next DNS server IP in the list?

No, it does not work this way. The DNS client will only try the Alternate
DNS if the Preferred DNS fails to answer; it will not try the Alternate if
the Preferred answers "not found" (NXDOMAIN). The Preferred DNS gets one
second to answer before the Alternate is tried. If the Alternate answers, the
DNS client will use it as the Preferred DNS for 15 minutes, or until TCP/IP
is reset.

--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
 
So Kevin,
Forwarders are not required in most cases, unless there is a firewall that
blocks DNS from using Root Hints.

Understood.
But how is my internal server resolving external addresses? For example
www.yahoo.com. The internal DNS server doesn't have a . (root) nor a forwarder.

(above is case 1, site A)
All internal Clients should use only the internal DNS servers, (period).
Even if you have only one internal DNS server, use it. Using external DNS
servers on clients belonging to an internal domain should not be done,
because the external DNS server cannot possibly know how to resolve your
internal domain.

DNS Client has
- Internal DNS IP
- Client DNS IP
- External DNS IP (ISP)

Now, with the search order, my internal DNS server should fail to resolve our
client's server name, and then the client DNS IP should resolve it, right?
Assuming it does, then when a request for www.yahoo.com comes, both the internal and
client DNS servers should fail and it should go to the external DNS server, right?
Somehow it's failing.

(above case 2, site B)
 
Krishna said:
So Kevin,


Understood.
But how is my internal server resolving external addresses? For example
www.yahoo.com. The internal DNS server doesn't have a . (root) nor a forwarder.

It uses root hints to contact a root server.

(above is case 1, site A)


DNS Client has

By DNS client I assume you mean a host (workstation or server on your
network).

- Internal DNS IP

That's all it should have.
- Client DNS IP
???

- External DNS IP (ISP)

Should not have this in a Windows domain.
Now, with the search order, my internal DNS server should fail to resolve our
client's server name, and then the client DNS IP should resolve it, right?
Assuming it does, then when a request for www.yahoo.com comes, both the internal and
client DNS servers should fail and it should go to the external DNS server, right?
Somehow it's failing.

No. The client will try the first DNS server listed (preferred). If it
gets ANY answer at all (including not found) that is the answer it will
accept. It will NOT then ask the next DNS server in the list. The ONLY
time it will try another server is if the first does not reply at all.
Your DNS clients should ONLY list the internal AD DNS server as their
resolver.

Your remote sites are no different. If your routing is set up properly,
you should be able to configure your clients to use the DNS server at
the other end of your WAN link. General connectivity issues need to be
resolved first (ping the DNS server, nslookup an Internet address on the
DNS server, ping the Internet address). If all that works, you should be
in business.

....kurt
 
It uses root hints to contact a root server.

In the root hints tab, I see a lot of root hint servers. Should I remove them and
have my ISP DNS server address in it?
That's all it should have.
OK?
This DNS entry is in the workstation for resolving our client network hosts.
Should not have this in a Windows domain.

Where or how do I get my internal DNS to jump to resolve external names
(www.yahoo.com) or to resolve client network hosts?
No. The client will try the first DNS server listed (preferred). If it
gets ANY answer at all (including not found) that is the answer it will
accept. It will NOT then ask the next DNS server in the list.

How to trace it? event log?
 
Krishna said:
In the root hints tab, I see a lot of root hint servers. Should I remove them
and have my ISP DNS server address in it?

No. In general that is NOT necessary.

Put your ISP in the Forwarder tab, and (optionally) CHECK the box for
"Do not use recursion" to (effectively) disable using root hints. No need
to alter it in case you need it in the future.

Internal DNS Server (set) should be the only entry on the DNS CLIENTS,
NIC->IP properties->DNS server.
This DNS entry is in the workstation for resolving our client network hosts.

True for INTERNAL SERVERS (including DCs) too. Internal servers
are internal "DNS Clients".
Correct.

Where or how do I get my internal DNS to jump to resolve external names
(www.yahoo.com) or to resolve client network hosts?

Internal DNS server FORWARDING tab sets this.

DNS Clients go to the Internal DNS server, which Forwards to the External
DNS server (e.g., firewall/gateway or ISP.)
How to trace it? event log?

Probably tracing it the wrong method but there is "Debug Logging" on the
Win2003 DNS servers

Instead, use NSlookup -- or just do it right as described above. It is
easier to do right than to test.

And testing won't necessarily give you the PROBLEMS it will cause since
if you mix "internal & external DNS" on the DNS Client NIC they will
resolve correctly SOME of the time, and incorrectly SOME of the time --
it provides unreliable results.
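The client-selection rule Kevin and Kurt describe above (the preferred server is asked first, any answer including NXDOMAIN is final, the alternate is tried only on silence, and the client then sticks to whichever server answered for 15 minutes), modelled in an added Python example that is not from any post in this thread; the servers, names and addresses are constructed, and the last function replays the "correct SOME of the time" failure.

```python
NO_REPLY = None          # server down, firewalled, or slower than the 1 s timeout
NXDOMAIN = "NXDOMAIN"    # "not found": an answer, and therefore final
STICK_SECONDS = 15 * 60  # client keeps using the server that answered this long


class Server:
    """Constructed DNS server: answers from its own records, else via forwarder."""

    def __init__(self, name, records, forwarder=None):
        self.name, self.records, self.forwarder = name, dict(records), forwarder
        self.reachable = True

    def query(self, qname):
        if not self.reachable:
            return NO_REPLY
        if qname in self.records:
            return self.records[qname]
        if self.forwarder is not None:
            return self.forwarder.query(qname)  # forwarder assumed reachable
        return NXDOMAIN


class WinDnsClient:
    """Model of the Windows DNS client selection rule described in the thread."""

    def __init__(self, servers):
        self.servers = list(servers)  # NIC order: preferred first, then alternates
        self.first = 0                # index of the server currently used first
        self.stuck_until = 0.0

    def resolve(self, qname, now):
        if now >= self.stuck_until:
            self.first = 0            # stickiness expired: back to NIC order
        for offset in range(len(self.servers)):
            idx = (self.first + offset) % len(self.servers)
            answer = self.servers[idx].query(qname)
            if answer is NO_REPLY:
                continue              # only silence lets the next server be tried
            if idx != self.first:     # a different server answered: stick to it
                self.first, self.stuck_until = idx, now + STICK_SECONDS
            return answer             # NXDOMAIN is accepted as final, too
        return NO_REPLY


def run_scenario(mixed):
    """Four lookups around a short outage of the internal server.

    mixed=True lists the ISP as alternate on the NIC (the setup the thread
    warns against); mixed=False lists only the internal AD DNS server.
    """
    isp = Server("isp", {"www.yahoo.com": "203.0.113.10"})  # constructed address
    internal = Server("ad-dns", {"files.corp.example": "10.0.0.20"}, forwarder=isp)
    client = WinDnsClient([internal, isp] if mixed else [internal])
    results = [client.resolve("files.corp.example", now=0)]
    internal.reachable = False                                    # brief outage
    results.append(client.resolve("www.yahoo.com", now=10))
    internal.reachable = True                                     # back 10 s later
    results.append(client.resolve("files.corp.example", now=20))  # still stuck?
    results.append(client.resolve("files.corp.example", now=20 + STICK_SECONDS))
    return results
```

With the mixed list the third lookup returns NXDOMAIN for an internal name even though the internal server is back, and stays wrong until the 15 minutes expire; with the internal server alone the only failure is the visible one during the outage.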
 
Put your ISP in the Forwarder tab, and (optionally) CHECK the box for
"Do not use recursion" to (effectively) disable using root hints. No need
to alter it in case you need it in the future.

DONE.
Are you saying leave all the root hints servers, a.root-servers.net etc.?

Alright.


True for INTERNAL SERVERS (including DCs) too. Internal servers
are internal "DNS Clients".

My word "CLIENT" here was misunderstood as workstations. CLIENT here I meant
is our customer. We have a POINT TO POINT connection with them. How do I
resolve their host names? Put their DNS IP into Forwarders too? If yes,
before ISP or after ISP?

Probably tracing it the wrong method but there is "Debug Logging" on the
Win2003 DNS servers

FYI: using a win2k server.
 
Krishna said:
DONE.
Are you saying leave all the root hints servers, a.root-servers.net etc.?

They have no effect if you check the Do Not Use Recursion box in
the FORWARDERS tab (and do no harm). Changing them to the
forwarder would do no good.

So yes, just leave them. You may need them later and there is no
advantage to messing with those entries.
 
What about others questions?

True for INTERNAL SERVERS (including DCs) too. Internal servers
are internal "DNS Clients".

My word "CLIENT" here was misunderstood as workstations. CLIENT here I meant
is our customer. We have a POINT TO POINT connection with them. How do I
resolve their host names? Put their DNS IP into Forwarders too? If yes,
before ISP or after ISP?

Probably tracing it the wrong method but there is "Debug Logging" on the
Win2003 DNS servers

FYI: using a win2k server.
 
Krishna said:
What about others questions?



My word "CLIENT" here was misunderstood as workstations. CLIENT here I meant
is our customer. We have a POINT TO POINT connection with them. How do I
resolve their host names? Put their DNS IP into Forwarders too? If yes,
before ISP or after ISP?

Assuming that they are NOT resolvable through the Internet root by
recursion down from the top (just forwarders would work if they were),
then you have a couple of choices depending on the OS on your DNS servers:

For Win2000 there is only one (real) choice:

1) Hold a SECONDARY zone for their DNS zone(s) on your DNS server

For Win2003 there are two additional choices:

2) A Stub of their zone(s) on your DNS server

3) Conditional Forwarding to their DNS zone(s)
FYI: using a win2k server.

Your choices are limited. Add a secondary DNS server for their DNS zone(s);
they will be required to ALLOW your DNS server to do this.
 
Assuming that they are NOT resolvable through the Internet root by
recursion down from the top (just forwarders would work if they were),
then you have a couple of choices depending on the OS on your DNS servers:

Are you suggesting, under forwarders, adding my customer's DNS IP before the ISP's
DNS IPs and unchecking "Do not use recursion" for those IPs that are not
Internet routable? 52.99.0.0?

For Win2000 there is only one (real) choice:

1) Hold a SECONDARY zone for their DNS zone(s) on your DNS server

Under forward lookup zones, create a customer.com? But customer.com is also
available on the Internet. How do I resolve in such cases?
 
Krishna said:
Are you suggesting, under forwarders, adding my customer's DNS IP before the ISP's
DNS IPs and unchecking "Do not use recursion" for those IPs that are not
Internet routable? 52.99.0.0?

NO, not at all. You need to use a "cross secondary" since you are running
Win2000.

For Win2003 you could use CONDITIONAL FORWARDING (the dialog
for forwarders changes quite a bit for Win2003 to support CONDITIONAL
forwarding.)
Under forward lookup zones, create a customer.com? But customer.com is also
available on the Internet. How do I resolve in such cases?

Not an issue if Customer.Com is on the Internet with all the names you need;
it will JUST WORK if your regular Internet resolution works.

The implication you offered with the "point to point" connection to your
customer is that you needed access to their INTERNAL DNS zone to resolve more than
just their public servers OR to resolve the PRIVATE addresses not available
on the Internet.

If you hold a Secondary for them (they must allow it) then you will have the
same view of their DNS as their own DNS client computers see.

If you use the regular Internet resolution of their public zone, you will
see what everyone on the Internet sees -- these two can be quite different.
 
The implication you offered with the "point to point" connection to your
customer is that you needed access to their INTERNAL DNS zone to resolve more than
just their public servers OR to resolve the PRIVATE addresses not available
on the Internet.

Yes, their INTERNAL DNS zone. I'm not sure whether they will allow us to
see them. What is the best way to resolve hostnames since they have provided a
DNS IP? If I put their DNS IP in the workstation it resolves.

Second Question:
From Site A to Site B we have point-point connection. Site B has internet
connection. Both sites have their internal dns server and have created
zones. Primary and Secondary for their respective DNS servers. Now, how do I
go about getting Site A access internet?

Third Question:
Do I need to provide Site A IP address into Site B DNS setting (TCP/IP) and
vice-versa? Should DNS point to itself?
 
Krishna said:
Yes, their INTERNAL DNS zone. I'm not sure whether they will allow us to
see them.

If not...

Then you have no business doing this -- it is their information and their
choice about who sees it.

If you only have a FEW names, then they can provide you with JUST
those names/addresses and you can set up a manual zone for each one.
What is the best way to resolve hostnames since they have provided a DNS IP?
If I put their DNS IP in the workstation it resolves.

Of course, but you can only use one SET of DNS servers on YOUR
clients -- you can't mix them in with your correct INTERNAL servers.

You also cannot use but ONE set of DNS servers in your Forwarders.

Upgrade your DNS servers to 2003 and you can do CONDITIONAL
forwarding to them. (It's the right thing to do anyway, I will bet.)
Second Question:
From Site A to Site B we have point-point connection. Site B has internet
connection. Both sites have their internal dns server and have created
zones. Primary and Secondary for their respective DNS servers. Now, how do
I go about getting Site A access internet?

Either forward to the DNS servers in Site-B which resolve the internet or
directly to the Site-B firewall/gateway or ISP that they use. (The way you
would send the actual packets for HTTP or FTP.)
Third Question:
Do I need to provide Site A IP address into Site B DNS setting (TCP/IP)
and vice-versa? Should DNS point to itself?

NEVER set two (sets of) DNS servers to forward to each other -- they will
get in an infinite loop (A-B-A-B-A etc ) and crash the DNS service.

A->B -> Internet WILL work.

A->Internet (direct) should work too.
 
Of course, but you can only use one SET of DNS servers on YOUR
clients -- you can't mix them in with your correct INTERNAL servers.

You also cannot use but ONE set of DNS servers in your Forwarders.

CONFUSED. Please explain.

Either forward to the DNS servers in Site-B which resolve the internet or
directly to the Site-B firewall/gateway or ISP that they use. (The way
you would send the actual packets for HTTP or FTP.)

Not working. I have set up the Site A DNS Server's forwarder tab to my ISP.
When nslookup is run I get
"can't find www.yahoo.com: server failed"
NEVER set two (sets of) DNS servers to forward to each other -- they will
get in an infinite loop (A-B-A-B-A etc ) and crash the DNS service.

OK Point taken. DONE.
A->B -> Internet WILL work.

A->Internet (direct) should work too.

Not working...

Can I call you?
 
Krishna said:
CONFUSED. Please explain.

The same rule as for DNS Clients applies to a DNS server's Forwarders tab.

You must use STRICTLY a single set (your own internal DNS servers)
on these settings. You cannot mix in another set of DNS Servers, such as
the ISP's or a customer's, which cannot resolve ALL of your own internal
systems.

The limitation is mitigated in Win2003 by adding "Conditional Forwarders"
where you can add specific DNS servers to resolve "other zones/domains"
on your DNS servers forwarding tab.
Not working. I have set up the Site A DNS Server's forwarder tab to my ISP.
When nslookup is run I get "can't find www.yahoo.com: server failed"

Where did you perform this from? Your DNS server? Your DNS client?

I would need to see the UNEDITED TEXT output of "ipconfig /all"
of both the DNS server AND the non-working DNS client to try to figure
that out.

Also, the full text of the following (types of) NSLookup commands from
both the clients and the actual DNS server command line.

nslookup www.yahoo.com Your.DNS.Server.IP
nslookup www.yahoo.com Your.ISP.DNS.IP

Full text, not something you retype.
OK Point taken. DONE.


Not working...
Can I call you?

Yes, after you get those outputs above. Use the 512 area code number on the
web site please.
 
Krishna said:
Thanks a MILLION.

Disable Recursion should be UNCHECKED under Advanced Tab.

Yes, as we discussed, Disable Recursion also (silently) disables Forwarding.

The dialog was changed in Win2003 to say (also disabled forwarding).
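Kevin's two server-side rules from this thread (never set two DNS servers to forward to each other, and a checked "Disable recursion" silently disables forwarding, which nslookup reports as "server failed") in an added Python model that is not code from any post; the site names, zones and addresses are constructed, and the hop budget stands in for the real loop that never terminates.

```python
SERVFAIL = "SERVFAIL"    # what nslookup shows as "server failed"
NXDOMAIN = "NXDOMAIN"
MAX_HOPS = 8             # hop budget standing in for a forwarding loop never ending


class ForwardingLoop(Exception):
    pass


class DnsServer:
    def __init__(self, name, zones, forwarders=(), recursion=True):
        self.name = name
        self.zones = zones                  # {zone: {fqdn: ip}} held locally
        self.forwarders = list(forwarders)  # Forwarders tab, in order
        self.recursion = recursion          # False = "Disable recursion" checked

    def resolve(self, qname, hops=0):
        """Authoritative data first, then forwarders; NXDOMAIN is a final answer."""
        for zone, records in self.zones.items():
            if qname == zone or qname.endswith("." + zone):
                return records.get(qname, NXDOMAIN)
        if not self.recursion:
            return SERVFAIL        # forwarders are never consulted
        if hops >= MAX_HOPS:
            raise ForwardingLoop(f"{self.name}: query for {qname} looped")
        for fwd in self.forwarders:
            answer = fwd.resolve(qname, hops + 1)
            if answer != SERVFAIL:
                return answer
        return SERVFAIL


def lookup(server, qname):
    """What an nslookup against `server` would report."""
    try:
        return server.resolve(qname)
    except ForwardingLoop:
        return SERVFAIL


def build_sites(b_forwards_back_to_a=False, a_recursion=True):
    """Site A (no Internet link) forwards to Site B, which forwards to the ISP."""
    isp = DnsServer("isp", {"yahoo.com": {"www.yahoo.com": "203.0.113.10"}})
    site_b = DnsServer("site-b", {"b.corp.example": {"srv.b.corp.example": "10.2.0.5"}},
                       forwarders=[isp])
    site_a = DnsServer("site-a", {"a.corp.example": {"dc.a.corp.example": "10.1.0.5"}},
                       forwarders=[site_b], recursion=a_recursion)
    if b_forwards_back_to_a:
        site_b.forwarders = [site_a]        # the "vice-versa" setting from Q3
    return site_a, site_b
```

A->B->Internet resolves both the Internet name and Site B's own names from Site A; with B forwarding back to A, Internet names fail while B's authoritative names still resolve, and with recursion disabled on A the forwarder is ignored and only A's own zone answers.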
 