Proxy 2.0 Routing DNS Queries in Wrong Direction

[CHANGE USERNAME TO westes]

I need help with a DNS problem. We have a fairly stable configuration that
puts our Active Directory controller on the internal network, and a proxy
server as the gateway to a firewall, which then connects to the Internet.
Our internal machines are set to use the Active Directory controller as the
DNS server, and the DNS server on the Active Directory controller is set to
use the proxy server as a forwarder. We have a DNS server running on the
proxy server. The domain controller doesn't do the resolution of Internet
domain names directly because we do not allow unauthenticated requests to
leave our internal network. We always require a specific userid to allow
outgoing requests.

The problem we are seeing is that on occasion, for reasons we cannot
determine yet, the DNS requests to the proxy server end up getting routed
back to the internal network instead of out to the Internet. The internal
network's DNS server sends ICMP redirects to the proxy server, but these get
ignored when the proxy goes into this mode. Even though the default route
on the proxy is to the Internet, the DNS requests are getting routed back
inwards.

What would cause such strange behavior, and how do I fix it?

If I want to have the internal DNS server just do its own smart lookups, do
I simply disable the "Enable Forwarders" feature? I guess I could create
a separate userid just for running the DNS server on the Active Directory
server, then give that user permission to get out on DNS on proxy services.

 

[Phillip Windell]

I need help with a DNS problem. We have a fairly stable configuration that
puts our Active Directory controller on the internal network, and a proxy
server as the gateway to a firewall, which then connects to the Internet.
Our internal machines are set to use the Active Directory controller as the
DNS server, and the DNS server on the Active Directory controller is set to
use the proxy server as a forwarder.
........................
We have a DNS server running on the proxy server.

The DNS running on the Proxy needs to use the ISP's DNS in its own
Forwarders List. The Query for an Internet Host first gets sent to the
AD/DNS and then it can't be resolved in the Database, then is forwarded to
the DNS on the proxy and again can't be resolved in the Database, it is then
passed to the ISP's DNS and it does successfully resolve.

If I want to have the internal DNS server just do its own smart lookups, do
I simply disable the "Enable Forwarders" feature?

No, just the opposite.

I guess I could create
a separate userid just for running the DNS server on the Active Directory
server, then give that user permission to get out on DNS on proxy

services.

I don't understand that comment.

 

[CHANGE USERNAME TO westes]

The DNS running on the Proxy needs to use the ISP's DNS in its own
Forwarders List. The Query for an Internet Host first gets sent to the
AD/DNS and then it can't be resolved in the Database, then is forwarded to
the DNS on the proxy and again can't be resolved in the Database, it is then
passed to the ISP's DNS and it does successfully resolve.

Actually, we run the proxy service DNS as a smart DNS, and it does its own
lookups. I don't see a reason why we should introduce extra latency to go
to another forwarder. We also have a complexity in our case of having two
ISPs, and I cannot always guarantee that the forward request to one ISP's
DNS will go through that ISP's network.

No, just the opposite.

I said *smart* lookups. By definition, a smart lookup is mutually
exclusive with a forwarding request.

 

[Phillip Windell]

Actually, we run the proxy service DNS as a smart DNS, and it does its own
lookups. I don't see a reason why we should introduce extra latency to go
to another forwarder.

How do you know it will cause latency?

We also have a complexity in our case of having two
ISPs, and I cannot always guarantee that the forward request to one ISP's
DNS will go through that ISP's network.

It doesn't matter who's DNS you use as long as you use one, it doesn't
matter how many ISP's you have. We have our own ISP, yet I include our Corp
HQ's DNS in our forwarder's list and we aren't even one of their customers.

I said *smart* lookups. By definition, a smart lookup is mutually
exclusive with a forwarding request.

Does it cost anything to try what I suggested? It is the pattern MS
suggests, or at least one of them. To be honest my area is "proxy servers"
and "general networking" [Layers1, 2, & 3 mainly],...I am not a DNS guy an
have never even heard of "smart lookups".

How to: Configure DNS for Internet Access In Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

323380 - HOW TO: Configure DNS for Internet Access in Windows Server 2003
http://support.microsoft.com/default.aspx?scid=kb;en-us;323380

 

[CHANGE USERNAME TO westes]

Does it cost anything to try what I suggested? It is the pattern MS
suggests, or at least one of them. To be honest my area is "proxy servers"
and "general networking" [Layers1, 2, & 3 mainly],...I am not a DNS guy an
have never even heard of "smart lookups".

DNS servers generally have two modes of operation. Forwarders just passes
the request to another DNS server. The second mode is where the DNS server
uses the Internet root servers to find the registered primary DNS servers
for a target DNS name, and then contacts those servers directly to get an
authoratative answer. That second mode is referred to as doing "smart
lookups".

 

[Phillip Windell]

DNS servers generally have two modes of operation. Forwarders just passes
the request to another DNS server. The second mode is where the DNS server
uses the Internet root servers to find the registered primary DNS servers
for a target DNS name, and then contacts those servers directly to get an
authoratative answer. That second mode is referred to as doing "smart
lookups".

Known as using "root hints"? Perhaps I knew of it then, but just different
terminology...