Problems with DNS on W2K (not responding to external)

Thread starter: eastsh

eastsh

I have been trying to configure DNS for a friend of mine using MS DNS
server on windows 2000 server. I was able to simplify his router
configuration so that there is a single router/firewall between the
public access point and the server. I have forwarded port 53 to the
server and I am able to use nslookup to perform a listing of all records
for the domain. i.e. ls -d acme.com which responds with all of my A
records.

However, if I attempt to query the server for a single host record, such
as www.acme.com I get a DNS timeout.

When I remote to the server and use nslookup from the server itself,
everything looks to work exactly as expected. I have turned on logging
down to the packet level, but have yet to see a single thing logged to
%windir%\logs\dns.log

Does anyone have an idea on what might cause the DNS server to behave
this way? I am particularly confused as to why it would allow me to do
an ls -d and get back the listing but not allow me to get a single host
record. Any help is greatly appreciated. If there are additional tools
you could point me to for diagnosing this, that would help as well. Thanks!

John P
 
eastsh said:
I have been trying to configure DNS for a friend of mine
using MS DNS server on windows 2000 server. I was able to
simplify his router configuration so that there is a
single router/firewall between the
public access point and the server. I have forwarded port
53 to the
server and I am able to use nslookup to perform a listing
of all records for the domain. i.e. ls -d acme.com
which responds with all of my A records.

However, if I attempt to query the server for a single
host record, such as www.acme.com I get a DNS timeout.

When I remote to the server and use nslookup from the
server itself, everything looks to work exactly as
expected. I have turned on logging down to the packet
level, but have yet to see a single thing logged to
%windir%\logs\dns.log

Does anyone have an idea on what might cause the DNS
server to behave
this way? I am particularly confused as to why it would
allow me to do
an ls -d and get back the listing but not allow me to get
a single host record. Any help is greatly appreciated. If
there are additional tools
you could point me to for diagnosing this, that would
help as well. Thanks!

John P

Check that 53 UDP is open.
When you do an ls -d you are using 53 TCP but normal queries use 53 UDP.
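A small probe that checks exactly this split, added here as an example and not code from any poster: it sends the same A query for a name once over UDP/53 and once over TCP/53 (the transport nslookup's ls -d uses for the zone listing) and reports which transport the answer came back on. The server address is a placeholder you substitute yourself; the helper names are my own.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query: 12-byte header plus one IN question (A record by default)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD set
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    """Return (txid, rcode, answer_count) from a DNS response header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return txid, flags & 0x000F, an

def query_udp(server, name, timeout=3.0):
    """Send the query over UDP/53; None means nothing came back before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_header(data)

def query_tcp(server, name, timeout=3.0):
    """Send the same query over TCP/53 (2-byte length prefix, per RFC 1035)."""
    q = build_query(name)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)
            length = struct.unpack("!H", s.recv(2))[0]
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    break
                data += chunk
    except (OSError, struct.error):
        return None
    return parse_header(data)

def diagnose(udp_result, tcp_result):
    """Turn the two probe results into a one-line verdict about the path to the server."""
    if udp_result is None and tcp_result is not None:
        return "UDP/53 blocked or not forwarded; TCP/53 reaches the server"
    if udp_result is None and tcp_result is None:
        return "neither transport reaches the server; check forwarding or the service"
    return "both transports answered; the server is reachable on 53 UDP and TCP"

if __name__ == "__main__":
    server = "203.0.113.10"  # placeholder, not the poster's address
    print(diagnose(query_udp(server, "www.acme.com"), query_tcp(server, "www.acme.com")))
```

nslookup's `set vc` forces it onto TCP as well, so the same comparison can be done interactively if you prefer.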
 
Kevin said:
Check that 53 UDP is open.
When you do an ls -d you are using 53 TCP but normal queries use 53 UDP.

Well.. I was excited for a moment, that maybe I had only forwarded TCP
traffic on 53, but I checked and it is set to forward both TCP/UDP. I
did remove the dual port forwarding and replaced it with a UPnP
forwarding UDP for 53, and the server disappeared to me altogether.
Switched it back, I can connect with nslookup.. I can ls -d acme.com to
get the whole zone, but if I try www.acme.com I get a DNS timeout. I am
wondering if something else is stealing the requests for UDP/53? I
cannot get the logs for the server to work other than the basic things
that are showing up in the event log (like zone transfers).

Any additional help is greatly appreciated, I have been banging my head
and things are starting to get dark =\
 
John Parrish said:
Well.. I was excited for a moment, that maybe I had only forwarded TCP
traffic on 53, but I checked and it is set to forward both TCP/UDP. I
did remove the dual port forwarding and replaced it with a UPnP
forwarding UDP for 53, and the server disappeared to me altogether.
Switched it back, I can connect with nslookup.. I can ls -d acme.com
to get the whole zone, but if I try www.acme.com I get a DNS timeout.
I am wondering if something else is stealing the requests for UDP/53?
I cannot get the logs for the server to work other than the basic
things that are showing up in the event log (like zone transfers).

Any additional help is greatly appreciated, I have been banging my
head and things are starting to get dark =\

Did you try rebooting your router? What brand router is it? If the logs are
empty, then it's kind of saying DNS is not even getting the query.


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Ace said:
Did you try rebooting your router? What brand router is it? If the logs are
empty, then it's kind of saying DNS is not even getting the query.

Thanks for replying. I have not rebooted the router yet. I might try
that tonight, I installed a packet sniffer on the server to capture
whether or not the DNS request is making its way to the server at all.
If it is, then at least I can rule out the network. If not.. then oh boy
that should be fun. =\
 
John Parrish said:
Thanks for replying. I have not rebooted the router yet. I might try
that tonight, I installed a packet sniffer on the server to capture
whether or not the DNS request is making its way to the server at all.
If it is, then at least I can rule out the network. If not.. then oh
boy that should be fun. =\

Ok, let us know what happens after that.

--
Regards,
Ace

 