New DNS (2k) not working...

  • Thread starter Thread starter Ali
  • Start date Start date
A

Ali

Hi everyone,
kinda strange problem here. got 2 NT4 DNS (PDC, BDC) servers, which the
clients in the LAN have been set to. (the DNS servers have public IPs). what
the admin told me was that they want to upgrade to 2000, so they installed a
clean installation of 2k AS (not joined to a domain), installed DNS,
configured it... deleted the dot zone and all, assigned a public IP. but the
problem is that it doesnt resolve external queries (queries to the Net). it
can resolve names in the LAN, but cannot open web sites via name, unless
they specify one of the NT4 servers as a forwarder (duhh). the NT4 servers
are registered with internic, and they are working properly. upgrading the
NT4 servers to 2000 is not possible at the moment as they said. I've checked
the root hints (cache.dns) on the 2k server, and it's all ok. is there
anything missing here in the config?
thanks in advance,
Ali,
MCSA, CCNA
 
In
Ali said:
Hi everyone,
kinda strange problem here. got 2 NT4 DNS (PDC, BDC) servers, which
the clients in the LAN have been set to. (the DNS servers have public
IPs). what the admin told me was that they want to upgrade to 2000,
so they installed a clean installation of 2k AS (not joined to a
domain), installed DNS, configured it... deleted the dot zone and
all, assigned a public IP. but the problem is that it doesnt resolve
external queries (queries to the Net). it can resolve names in the
LAN, but cannot open web sites via name, unless they specify one of
the NT4 servers as a forwarder (duhh). the NT4 servers are registered
with internic, and they are working properly. upgrading the NT4
servers to 2000 is not possible at the moment as they said. I've
checked the root hints (cache.dns) on the 2k server, and it's all ok.
is there anything missing here in the config?
thanks in advance,
Ali,
MCSA, CCNA
Click to expand...

Hmm, seems like you did all the right things with only using the new server,
deleting the Root (dot) zone, etc. The only thing I can suggest is when I
saw this problem in the past are firewall rules.

Is there a firewall in place?

Can you perform some nslookups from the new server and get responses?
Remove the forwarder before testing that so you'll know if it works from
that machine.

If it doesn't work, while in nslookup (interactive mode), set virtual
circuit:
set vc
That command will force nslookup to use TCP only instead of UDP. If a
subsequent command works, then it would appear a firewall rule is blocking
it.

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hi Ace thanks for the reply,
I'll do those nslookups as soon as I get there. I should say that they do
not have any firewalls at the present, but they do have a couple of
access-lists on the perimiter router (bound to the 'in' direction of the
serial interface that the leased line goes in), for the blaster worm...
disabling ports 13x, etc... and all ports from 1000 up. but that doesn't
really seem an issue because everything works right now.
I'll inform you about the nslookups as soon as I do it.
thanks again,
Ali,
MCSA, CCNA

"Ace Fekay [MVP]"
 
In
Ali said:
Hi Ace thanks for the reply,
I'll do those nslookups as soon as I get there. I should say that
they do not have any firewalls at the present, but they do have a
couple of access-lists on the perimiter router (bound to the 'in'
direction of the serial interface that the leased line goes in), for
the blaster worm... disabling ports 13x, etc... and all ports from
1000 up. but that doesn't really seem an issue because everything
works right now.
I'll inform you about the nslookups as soon as I do it.
thanks again,
Ali,
MCSA, CCNA
Click to expand...


Ok, thanks Ali. Looking forward to your responses. Keep in mind, that MS
DNS, *may* need ports 1024 and above opened, unfortunately. But waiting for
your responses..

--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Hi Ace!
got the prob fixed ;o) well, after your reply I thought to myself, hey, when
a client wants to open a session to a server, it has to use a well known
port to get there. ok, fine with that, but when the server wants to get back
to the client, it uses a random port above 1024. so, the access lists bound
to the 'IN' direction of the Ser0/0 of the router would prevent the DNS
replies from entering the network. I told the admin to remove the access
lists to test if it works. and yeah, it does.
the only question that has been bothering me is, why is their DNS (NT4)
working with no problems even with the access lists?

thanks a bunch Ace ;o)
Ali,
MCSA, CCNA


"Ace Fekay [MVP]"
 
In
Ali said:
Hi Ace!
got the prob fixed ;o) well, after your reply I thought to myself,
hey, when a client wants to open a session to a server, it has to use
a well known port to get there. ok, fine with that, but when the
server wants to get back to the client, it uses a random port above
1024. so, the access lists bound to the 'IN' direction of the Ser0/0
of the router would prevent the DNS replies from entering the
network. I told the admin to remove the access lists to test if it
works. and yeah, it does.
the only question that has been bothering me is, why is their DNS
(NT4) working with no problems even with the access lists?

thanks a bunch Ace ;o)
Ali,
MCSA, CCNA
Click to expand...


Glad you got it working.

They changed it from NT4....
:-)


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
Back
Top