Multihomed DNS server install problems

Thread starter: Adam Marx
Adam Marx said:
One last note and question.


I think I follow, if the server is for external use only then the
private IP basically should not show up in DNS. Only if the DNS
server needs to direct some internal client should there be a record?

NEVER put an internal private IP record on a server hosting public data.
When I attempt to add a Nameserver for a zone shouldn't I be able
to enter in an FQDN of an external DNS and have my DNS resolve it?
When I try to add a NS I get an error that the IP can't be found,
shouldn't the forwarders kick in and resolve the FQDN of the external
DNS?

You would have to ping it first, then go back and hit the resolve button.
I've experienced this issue in the past as well. Or as you said, try what
Herb said about using the period at the end, which I've never tried.


Honestly Adam, in the long run, it's a lot easier if you get your ISP to host
your public records and just use your stuff for your own AD domain. You
still have the need to register your nameservers with the registrar, and
yes, that's plural since they require two of them for any nameservers for a
zone. You can possibly fudge it with two IPs but you only have the one. Then
you have reverse zone delegation to worry about, which the public IPs belong
to the ISP or whomever is supporting/leasing them to the ISP.

You can read numerous threads by searching back where this has been
attempted before, and as I said, in the long run, let them do it. It's way
easier!



--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Pinging the IP worked great and adding the period (to make it technically a
FQDN) didn't work, thanks for the hint Ace. Is that because it is only
looking in the cache for the IP and that it really doesn't try to resolve
the FQDN when adding a NS?

One thing I noticed is that when I disable/enable the Internal NIC and try
to test the DNS by going to the Monitoring tab and running the
"simple"/"recursive" query against this server that when enabled the test
fails on both accounts and when disabled the test passes on both accounts.
Why is this? am I still missing something in the DNS?


"> Honestly Adam, in the long run, it's a lot easier if you get ..."

My concern really isn't about the ease, I want to learn how and why things
work or in this case don't work. I'll never learn if I let someone else do
it and DNS is an important part of the internet. If I want to host my own
sites I have to learn DNS.

Thanks for all your help Ace.



"Ace Fekay [MVP]"
 
Herb, thanks for the post and the information I will remember it. I am
learning and that is a good thing!

"> Now, putting internal addresses -- especially from the privately
administered..."

From a logical stand point that is my thought, why bother to enter an IP of
something that will have no impact on how to resolve external requests. I
was just unsure if it was needed for the servers sake.

"> I will bet you aren't putting a "." at the end of an FQDN..."

You were correct.
 
Adam Marx said:
Pinging the IP worked great and adding the period (to make it
technically a FQDN) didn't work, thanks for the hint Ace. Is that
because it is only looking in the cache for the IP and that it really
doesn't try to resolve the FQDN when adding a NS?

Not entirely sure. I never pursued why it doesn't work, but your statement
is a great assumption that I'll go along with.
One thing I noticed is that when I disable/enable the Internal NIC
and try to test the DNS by going to the Monitoring tab and running the
"simple"/"recursive" query against this server that when enabled the
test fails on both accounts and when disabled the test passes on both
accounts. Why is this? am I still missing something in the DNS?

I believe if it's set to listen on that interface, it will fail.
"> Honestly Adam, in the long run, it's a lot easier if you get ..."

My concern really isn't about the ease, I want to learn how and why
things work or in this case don't work. I'll never learn if I let
someone else do it and DNS is an important part of the internet. If I
want to host my own sites I have to learn DNS.

True, but you also need extra hardware, extra IPs, etc, to follow the rules
of the Internet and hosting your own nameservers. The registrar REQUIRES 2
nameservers minimum per domain. Maybe you can get your ISP to host a
secondary to your zone and that would give you the 2 they need when you
register them.
Thanks for all your help Ace.

No prob...
Cheers!


--
Regards,
Ace

 
"> I believe if it's set to listen on that interface, it will fail."

So, do you think the reason for the errors is associated with the NIC
settings or with the DNS records that have some reference to the internal IP
and only when it is activated does the problem occur? Can I see the DNS
records used by DNS in some form of a text file?

AJM,


"Ace Fekay [MVP]"
 
"> I will bet you aren't putting a "." at the end of an FQDN..."
You were correct.

A lot of people misuse the term FQDN to mean a "DNS name
with dots". We know (generally) what they mean, but it technically
isn't "fully" qualified until you "anchor" it with a dot.

The reason is that in DNS zone files (and sometimes other tools)
an unterminated name has the current ZONE NAME appended.

That terminating "." dot is a lot like the first slash in a DOS path name,
it means "at the root." (Other dots, like other slashes mean "separator".)
 
Adam Marx said:
So, do you think the reason for the errors is associated with the NIC
settings or with the DNS records that have some reference to the
internal IP and only when it is activated does the problem occur? Can
I see the DNS records used by DNS in some form of a text file?

AJM,

No, actually not the DNS records or the NIC settings. I mean in DNS,
rt-click properties, Interface tab, set to listen to that interface. If you
disable the NIC and it's supposedly listening on that interface, then it
will fail.



--
Regards,
Ace

 
I have the DNS set to "only" listen on the public IP the private IP isn't
even listed. Could it be getting the reference from somewhere else?

Per our conversations the private IP isn't even referenced in DNS.

But to no avail if I disable the NIC and run the test it passes if I enable
it then it fails?



"Ace Fekay [MVP]"
 
Adam Marx said:
I have the DNS set to "only" listen on the public IP the private IP isn't
even listed. Could it be getting the reference from somewhere else?

Per our conversations the private IP isn't even referenced in DNS.

But to no avail if I disable the NIC and run the test it passes if I enable
it then it fails?


As I mentioned, it's probably passing because it's not set to listen. No
problem.

Remember, I also previously mentioned that if you forward from the internal
server to this server, you have to set it to listen.

So I guess you're going to wind up hosting your external zone? Do you have
two external DNS servers and separate IPs to fulfill the requirements?

--
Regards,
Ace

 
Per our conversations the private IP isn't even referenced in DNS.
But to no avail if I disable the NIC and run the test it passes if I enable
it then it fails?

Maybe I got this one -- the DNS server is RUNNING on the internal address.
It's caused by binding order.

So it refuses its OWN request from the internal address, maybe?

If you really test it from outside, I bet it works.

If you try nslookup with both internal and then external addresses,
I bet it fails on the first and works on the second.

--
Herb Martin
Adam Marx said:
I have the DNS set to "only" listen on the public IP the private IP isn't
even listed. Could it be getting the reference from somewhere else?

Per our conversations the private IP isn't even referenced in DNS.

But to no avail if I disable the NIC and run the test it passes if I enable
it then it fails?



"Ace Fekay [MVP]"
 
Herb Martin said:
Maybe I got this one -- the DNS server is RUNNING on the internal
address. It's caused by binding order.

So it refuses its OWN request from the internal address, maybe?

If you really test it from outside, I bet it works.

If you try nslookup with both internal and then external addresses,
I bet it fails on the first and works on the second.

I assumed by this time that hopefully Adam got the Binding order correct
from our previous posts. So you got a point there. Either way, the listener
would be affecting that in conjunction with the Binding order.




--
Regards,
Ace

 
"So I guess you're going to wind up hosting your external zone? Do you have
two external DNS servers and separate IPs to fulfill the requirements?"

I do currently have 2 DNS servers at my disposal, so keeping with the
registrar requirements isn't a problem.

"Remember, I also previously mentioned that if you forward from the internal
server to this server, you have to set it to listen."

Currently the internal server is doing nothing more than acting as a
secondary, no forwarding or anything else that I can think of. Aside from
the secondary being listed as a NameServer there is no reference to it.

"Maybe I got this one -- the DNS server is RUNNING on the internal address
caused by binding order."

"I assumed by this time that hopefully Adam got the Binding order correct
...."

If the only place to bind the private IP to the DNS server is located in the
DNS snapin then it's not referenced at all. I have the DNS set to "Listen
on: Only the following IP addresses" and that is my external IP.

"If you really test it from outside, I bet it works."

Exactly what should I test it? I ran NS test on my domain on DNSreport.com
and it does have the correct information listed for the name servers. I
would post the info but I hate to post with actual IP info. publicly, no
need in adding to the traffic and announcing that I might be having some
problems.

"If you try nslookup with both internal and then external addresses, I bet
it fails on the first and works on the second."

When you mean fails just exactly what would I get in response to running a
lookup on 192.168.1.99?

nslookup -q=SOA -time=10 thatZoneItHolds.com 192.168.1.99 (whatever it's
private ip address)

nslookup -q=SOA -time=10 thatZoneItHolds.com pub.lic.ip.addr


Now one thing that I don't recall if I mentioned (famous last words) is that
I am running behind a router and port forwarding my external IP to my box
but I'm fairly confident this isn't out of the norm. It's the only thing
that I can think of that might impact things.

so private: 192.168.1.99
public from the router: 192.168.2.99

AJM,


"Ace Fekay [MVP]"
 
Adam Marx said:
"So I guess you're going to wind up hosting your external zone? Do
you have two external DNS servers and separate IPs to fulfill the
requirements?"

I do currently have 2 DNS servers at my disposal, so keeping with the
registrar requirements isn't a problem.

"Remember, I also previously mentioned that if you forward from the
internal server to this server, you have to set it to listen."

Currently the internal server is doing nothing more than acting as a
secondary, no forwarding or anything else that I can think of. Aside
from the secondary being listed as a NameServer there is no reference
to it.

"Maybe I got this one -- the DNS server is RUNNING on the internal
address caused by binding order."

"I assumed by this time that hopefully Adam got the Binding order
correct ..."

If the only place to bind the private IP to the DNS server is located
in the DNS snapin then it's not referenced at all. I have the DNS set
to "Listen on: Only the following IP addresses" and that is my
external IP.

If you are behind a router, you cannot be listening on your external (Public)
IP address. On the router you can forward incoming connections on port 53 to
your internal (private) IP address that DNS is listening on.

"If you really test it from outside, I bet it works."

Exactly what should I test it? I ran NS test on my domain on
DNSreport.com and it does have the correct information listed for the
name servers. I would post the info but I hate to post with actual IP
info. publicly, no need in adding to the traffic and announcing that
I might be having some problems.

If you are interested in resolving the issue you should post it, but from
your email address I think I've found some of your problems. If WebAJM.com
is your domain you have some serious issues. One of your NS records resolves
to a private IP address.

WebAJM.com. 3595 IN NS w2k.ajm1.WebAJM.com.
w2k.ajm1.WebAJM.com. 3595 IN A 192.168.1.100

You need to give your NS record a name that only resolves to a public address.

From this I get the picture that your AD Domain name is ajm1.WebAJM.com, do
not use this name in the name of your NS record. You have a zone named
WebAJM.com, in that zone create a host with name for your name server, such
as NS1, give that record a public address ONLY. Register that name with
ZoneEdit as a name server host.

Then in your WebAJM.com zone correct your NS records and SOA records to use
ONLY that name.

You have registered your AD Name server name, so this is going to take a
couple of days to completely clear up, because your new NS record will have
to propagate.
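The two points made above, Herb's note that an unterminated name in a zone file gets the zone name appended and Kevin's finding that an apex NS record resolves to 192.168.1.100, as an added example that is not code from any poster in this thread. It parses a small constructed zone modelled on the records Kevin quoted (203.0.113.10 is a documentation address standing in for a real public one), qualifies relative names against the origin, and flags any NS target whose A record falls in an RFC 1918 range. The second zone is the corrected layout Kevin describes, with a single NS host that has a public address only.

```python
"""Audit a zone's apex NS records for private-address glue (added example)."""
import ipaddress

# Constructed sample modelled on the records quoted in this thread. Names
# without a trailing dot are relative to the zone origin; 203.0.113.10 is a
# documentation address standing in for a real public one.
ORIGIN = "WebAJM.com."
SAMPLE_ZONE = """\
@               3595 IN SOA  w2k.ajm1 hostmaster 1 3600 600 86400 3600
@               3595 IN NS   w2k.ajm1.WebAJM.com.
@               3595 IN NS   ns1
w2k.ajm1        3595 IN A    192.168.1.100   ; private address leaking into the public zone
ns1.WebAJM.com. 3595 IN A    203.0.113.10
"""

# The corrected layout described in the thread: one NS host (ns1) with a
# public A record only, and the SOA/NS records pointing at that name alone.
FIXED_ZONE = """\
@    3595 IN SOA  ns1 hostmaster 2 3600 600 86400 3600
@    3595 IN NS   ns1
ns1  3595 IN A    203.0.113.10
"""

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def qualify(name, origin):
    """Fully qualify a zone-file name.

    "@" is the origin, a name ending in "." is already anchored at the root,
    and anything else is relative and gets the origin appended, which is how
    "ns1" becomes "ns1.WebAJM.com." inside a zone file.
    """
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Parse '<owner> <ttl> IN <type> <rdata...>' lines into records.

    Returns (owner, type, rdata_tokens) tuples with owner names qualified and
    lower-cased. Minimal on purpose: no $ORIGIN/$TTL directives, no
    multi-line records, no blank-owner continuation lines.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop zone-file comments
        if not line:
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        records.append((qualify(owner, origin).lower(), rtype.upper(), rdata))
    return records


def is_rfc1918(addr):
    """True if addr is in 10/8, 172.16/12 or 192.168/16."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def audit_ns_glue(records, origin):
    """Return (ns_name, address) findings for the zone apex NS set.

    A finding with a private address is the problem from this thread. A
    finding with address None means the NS target has no A record in this
    zone (an out-of-zone name server) and must be checked against live DNS.
    """
    a_records = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            a_records.setdefault(owner, []).append(rdata[0])

    findings = []
    apex = origin.lower()
    for owner, rtype, rdata in records:
        if rtype != "NS" or owner != apex:
            continue
        target = qualify(rdata[0], origin).lower()
        if target not in a_records:
            findings.append((target, None))
            continue
        findings.extend((target, a) for a in a_records[target] if is_rfc1918(a))
    return findings


if __name__ == "__main__":
    for label, zone in (("as posted", SAMPLE_ZONE), ("corrected", FIXED_ZONE)):
        problems = audit_ns_glue(parse_zone(zone, ORIGIN), ORIGIN)
        print(f"{label}: {problems or 'no private NS glue'}")
```

Run against the posted layout the audit reports `w2k.ajm1.webajm.com.` with `192.168.1.100`; against the corrected layout it reports nothing. The trailing-dot rule is what makes the comparison work: `ns1` and `ns1.WebAJM.com.` qualify to the same name, so the NS record and its glue line up regardless of how each was written.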
 
Kevin D. Goodknecht said:

If you are behind a router, you cannot be listening on your external
(Public) IP address. On the router you can forward incoming
connections on port 53 to your internal (private) IP address that DNS
is listening on.



If you are interested in resolving the issue you should post it, but
from your email address I think I've found some of your problems. If
WebAJM.com is your domain you have some serious issues. One of your NS
records resolves to a private IP address.

WebAJM.com. 3595 IN NS w2k.ajm1.WebAJM.com.
w2k.ajm1.WebAJM.com. 3595 IN A 192.168.1.100

You need to give your NS record a name that only resolves to a public
address.

From this I get the picture that your AD Domain name is
ajm1.WebAJM.com, do not use this name in the name of your NS record.
You have a zone named WebAJM.com, in that zone create a host with
name for your name server, such as NS1, give that record a public
address ONLY. Register that name with ZoneEdit as a name server host.

Then in your WebAJM.com zone correct your NS records and SOA records
to use ONLY that name.

You have registered your AD Name server name, so this is going to
take a couple of days to completely clear up, because your new NS
record will have to propagate.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
============================

Nice job Kevin!
:-)

--
Regards,
Ace

 
Kevin D. Goodknecht said:

If you are behind a router, you cannot be listening on your external
(Public) IP address. On the router you can forward incoming
connections on port 53 to your internal (private) IP address that DNS
is listening on.



If you are interested in resolving the issue you should post it, but
from your email address I think I've found some of your problems. If
WebAJM.com is your domain you have some serious issues. One of your NS
records resolves to a private IP address.

WebAJM.com. 3595 IN NS w2k.ajm1.WebAJM.com.
w2k.ajm1.WebAJM.com. 3595 IN A 192.168.1.100

You need to give your NS record a name that only resolves to a public
address.

From this I get the picture that your AD Domain name is
ajm1.WebAJM.com, do not use this name in the name of your NS record.
You have a zone named WebAJM.com, in that zone create a host with
name for your name server, such as NS1, give that record a public
address ONLY. Register that name with ZoneEdit as a name server host.

Then in your WebAJM.com zone correct your NS records and SOA records
to use ONLY that name.

You have registered your AD Name server name, so this is going to
take a couple of days to completely clear up, because your new NS
record will have to propagate.



--
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]

In addition, 64.253.110.74 reverse doesn't come back as a webajm.com name.
Who is iglou.com? That may cause problems sending mail.
server 64.253.110.74
Default Server: loudsl01.4.0.6.104.a.iglou.com
Address: 64.253.110.74

Suggest to have your ISP set a PTR to your mail server name.

And I did catch this as well Kevin using NetDig with his server:
ANSWER SECTION:
w2k.ajm1.webajm.com. 3600 IN A 192.168.1.100



--
Regards,
Ace

 
Adam Marx said:
"So I guess you're going to wind up hosting your external zone? Do
you have two external DNS servers and separate IPs to fulfill the
requirements?"

I do currently have 2 DNS servers at my disposal, so keeping with the
registrar requirements isn't a problem.

"Remember, I also previously mentioned that if you forward from the
internal server to this server, you have to set it to listen."

Currently the internal server is doing nothing more than acting as a
secondary, no forwarding or anything else that I can think of. Aside
from the secondary being listed as a NameServer there is no reference
to it.

"Maybe I got this one -- the DNS server is RUNNING on the internal
address caused by binding order."

"I assumed by this time that hopefully Adam got the Binding order
correct ..."

If the only place to bind the private IP to the DNS server is located
in the DNS snapin then it's not referenced at all. I have the DNS set
to "Listen on: Only the following IP addresses" and that is my
external IP.

"If you really test it from outside, I bet it works."

Exactly what should I test it? I ran NS test on my domain on
DNSreport.com and it does have the correct information listed for the
name servers. I would post the info but I hate to post with actual IP
info. publicly, no need in adding to the traffic and announcing that
I might be having some problems.

"If you try nslookup with both internal and then external addresses,
I bet it fails on the first and works on the second."

When you mean fails just exactly what would I get in response to
running a lookup on 192.168.1.99?

nslookup -q=SOA -time=10 thatZoneItHolds.com 192.168.1.99 (whatever
it's private ip address)

nslookup -q=SOA -time=10 thatZoneItHolds.com pub.lic.ip.addr


Now one thing that I don't recall if I mentioned (famous last words)
is that I am running behind a router and port forwarding my external
IP to my box but I'm fairly confident this isn't out of the norm.
It's the only thing that I can think of that might impact things.

so private: 192.168.1.99
public from the router: 192.168.2.99

AJM,


One thing, if you have two DNS server JUST for Internet name hosting, that's
great. But one major problem with your scenario, is that with NAT you can
ONLY port remap ONE port to ONE internal IP. That's it. So that kind of
throws a kink into your plans. You actually need multiple public IPs with
the servers sitting on a public subnet.

Believe me, it's easier to let your ISP or registrar do it.

Kevin pointed out some major issues with your domain name. We mentioned
earlier on last week that you cannot have private IPs referenced in your
public zone. On top of that, your AD zone is now exposed to the Internet.
Major security issues. With some tools, me or anyone else knowing that info,
now have a starting point to hack in. Another reason not to do this unless
the machines are stand alones and on a public subnet and have no
relationship to the internal infrastructure.

I'm not trying to be a pessimist or anything, I just want you to be aware of
the implications of what you're trying to do with the limited resources you
have. But it looks like zonedit.com already is hosting your zone. I see your
one server, 64.253.110.74 is apparently the server we've been discussing.
You can see more info here on your zone, which comes back clean only because
it's probably using zonedit's DNS servers, which are at the top of the
nameserver list for your domain name. If it were to be using your
64.253.110.74 DNS, then the results would have been not what you wanted to
see.
http://www.dnsreport.com/tools/dnsreport.ch?domain=webajm.com

btw- 192.168.2.99 is not a public IP. That's a private IP. Also, what Kevin
mentioned, using your own DNS server, 64.253.110.74, it resolves to your
private IP:

using nslookup:
server 64.253.110.74
w2k.ajm1.webajm.com
Server: loudsl01.4.0.6.104.a.iglou.com
Address: 64.253.110.74

Name: w2k.ajm1.webajm.com
Address: 192.168.1.100


And using NetDig:
ANSWER SECTION:

w2k.ajm1.webajm.com. 3600 IN A 192.168.1.100



--
Regards,
Ace

 
Kevin, hello again we've spoken before.

I am extremely eager to clear this up.

2 things,

1. You are correct about webajm.com I believe and now know that it is set up
incorrectly. When I run a test from DNSreport.com it points
w2k.ajm1.webajm.com to a public IP? why? I mean isn't that correct? How did
you get a private IP? The server is behind a router and is essentially using
a private IP.

If I add a record called NS1 in the zone Webajm.com and point it a public
IP will I then need to register it as NS1.webajm.com with my registrar? and
I can leave my AD naming convention alone or does it also need to be
changed? can you walk me through the resolution of the site webajm.com if
someone were looking for it?

2. I'm actually trying to set up a new domain (correctly) hostingky.com
which is where I am having my problem that is almost resolved. I am going to
assume that it also is set up incorrectly from your post.
 
"Ace Fekay [MVP]" said:


One thing, if you have two DNS server JUST for Internet name hosting, that's
great. But one major problem with your scenario, is that with NAT you can
ONLY port remap ONE port to ONE internal IP. That's it. So that kind of
throws a kink into your plans. You actually need multiple public IPs with
the servers sitting on a public subnet.

Believe me, it's easier to let your ISP or registrar do it.

Kevin pointed out some major issues with your domain name. We mentioned
earlier on last week that you cannot have private IPs referenced in your
public zone. On top of that, your AD zone is now exposed to the Internet.
Major security issues. With some tools, me or anyone else knowing that info,
now have a starting point to hack in. Another reason not to do this unless
the machines are stand alones and on a public subnet and have no
relationship to the internal infrastructure.

I'm not trying to be a pessimist or anything, I just want you to be aware of
the implications of what you're trying to do with the limited resources you
have. But it looks like zonedit.com already is hosting your zone. I see your
one server, 64.253.110.74 is apparently the server we've been discussing.
You can see more info here on your zone, which comes back clean only because
it's probably using zonedit's DNS servers, which are at the top of the
nameserver list for your domain name. If it were to be using your
64.253.110.74 DNS, then the results would have been not what you wanted to
see.
http://www.dnsreport.com/tools/dnsreport.ch?domain=webajm.com

btw- 192.168.2.99 is not a public IP. That's a private IP. Also, what Kevin
mentioned, using your own DNS server, 64.253.110.74, it resolves to your
private IP:

using nslookup:
Server: loudsl01.4.0.6.104.a.iglou.com
Address: 64.253.110.74

Name: w2k.ajm1.webajm.com
Address: 192.168.1.100


And using NetDig:
ANSWER SECTION:

w2k.ajm1.webajm.com. 3600 IN A 192.168.1.100



--
Regards,
Ace


Iglou = ISP

yes, I am aware of some issues with webajm.com that is why I am setting up a
public and private DNS. The host in question is hostingky.com not the
webajm.com that will be merged into the hostingky.com.

Did you see my last post Ace?
 
Kevin,

When I register my domain name with my registrar it asks for a NameServer
(FQDN). I took that to mean the FQDN of my server running DNS.

From my interpretation of your posting you are saying not to register my
FQDN of my server but to register my FQDN of the NameServer and by adding
the record in my DNS in zone webajm.com "NS1" this will essentially be
creating the FQDN of "NS1.webajm.com"? correct?
 
Adam Marx said:
Iglou = ISP

yes, I am aware of some issues with webajm.com that is why I am
setting up a public and private DNS. The host in question is
hostingky.com not the webajm.com that will be merged into the
hostingky.com.

Did you see my last post Ace?

Yes I did, but sorry, I didn't see it before I posted because it showed up
afterwards due to the latency with these newsgroups.




--
Regards,
Ace

 