Nslookup fails for external lookups

[Guest]

I have a Windows 2000 Server set as primary DNS for my internal clients,
this is behind an ISA Server 2000. When I run nslookup from the WK server
for an external domain such as www.aol.com I get the response

"DNS request Timed out"

However if I specify the server in nslookup with the serevr option for
example nslookup -server 194.72.6.52 I get the correct response to the
lookup.

I have enabled a forwarder on the WK DNS and I can perform the DNS lookups
through the ISA correctly as above. This has been baffling for a while, it
just seems my server will not perform recursive lookups for external
domains. Im sure Ive missed something in the config here, any help would be
appreciated.

Cheers

Kyle

 

[Ace Fekay [MVP]]

In

I have a Windows 2000 Server set as primary DNS for my internal
clients, this is behind an ISA Server 2000. When I run nslookup from
the WK server for an external domain such as www.aol.com I get the
response

"DNS request Timed out"

However if I specify the server in nslookup with the serevr option for
example nslookup -server 194.72.6.52 I get the correct response to the
lookup.

I have enabled a forwarder on the WK DNS and I can perform the DNS
lookups through the ISA correctly as above. This has been baffling
for a while, it just seems my server will not perform recursive
lookups for external domains. Im sure Ive missed something in the
config here, any help would be appreciated.

Cheers

Kyle

Do you have rule allowed for DNS traffic? UDP 53 at least.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.

 

[Kyle Heath]

Yes I have a rule for the server to use UDP 53 send/receive and also a
packet filter for DNS on the ISA Server itself.

I can perform the lookups if I specify an external server, its just the
forwarder on my DNS server that seems to timeout?

"Ace Fekay [MVP]"

 

[Ace Fekay [MVP]]

In

Yes I have a rule for the server to use UDP 53 send/receive and also a
packet filter for DNS on the ISA Server itself.

I can perform the lookups if I specify an external server, its just
the forwarder on my DNS server that seems to timeout?

You'll need to allow TCP 53 as well, to get answers for some domains such as
AOL, Yahoo, Hotmail, etc, because their responses are large. UDP is used
when the packet size is below 512 bytes. If the answer is greater than 512,
the transport is changed to TCP. If using W2k3 DNS, it has a new feature
called EDNS0 which allows UDP packets greater than 512.

Give that a shot and let us know!

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.

 

[Jonathan de Boyne Pollard]

u> I have a Windows 2000 Server [...]
u> domain such as www.aol.com [...]

It's definitely not Windows NT 2003 Server ?

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-edns0-and-firewalls.html>

u> When I run nslookup [...]

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/nslookup-flaws.html>

u> Im sure Ive missed something in the config here [...]

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-monolithic-server-as-proxy.html>

 

[Kyle Heath]

I have already tried that one! If the DNS server is installed on the ISA
Server itself I can perform the lookups, the problem is because the DNS
server is behind the ISA Server as a Firewall Client, this seems to be the
issue.


"Ace Fekay [MVP]"

 

[Ace Fekay [MVP]]

In

I have already tried that one! If the DNS server is installed on the
ISA Server itself I can perform the lookups, the problem is because
the DNS server is behind the ISA Server as a Firewall Client, this
seems to be the issue.

Then this comes down to an ISA/firewall issue. As far as I remember, just
allow access for your firewall clients and allow that traffic. So its just
basically a rule you are allowing for your firewall clients. If you need
further instructions, you can post this in the ISA newsgroup for specific
help in this matter.

You can also check www.isaserver.org for help as well.



--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.