Stop Win2k DNS Server Resolving External DNS Requests

[Guest]

I work with Peter and he asked me to see if I could make the problem we're trying to solve clearer

We have a domain adm.uow.edu.au which is an active directory domain, delegated to the domain controlle
admincat01.adm.uow.edu.au. The DC is on a private address. Our two public addresses dns servers are acting a
secondaries for the adm.uow.edu.au zone

The problem occurs when anyone external to our network attempts to resolve an address in the adm.uow.edu.au zone
eg. computera.adm.uow.edu.au. computera is on a public address. The external client or their dns server when trying t
resolve computera.adm.uow.edu.au will, on average one time out of three, attempt to connect t
admincat01.adm.uow.edu.au which will fail (or possibly connect to a host on their own private network with the same I
address) Once this times out, it should then connect to one of our two public dns servers and everything works from there

It's the delay, due to timeout then failover, that we're trying to remove

The way we fix the problem in our unix/bind environment is to not have an NS record for the master for its zones, ofte
referred to as a "Hidden Master" arrangement. We were hoping to do the same thing with our windows environment, bu
whenever the NS record for the master is removed, it's replaced next reload, and xfer'd back to the secondaries

 

[Herb Martin]

You explanation was confusing but if the subject is the issue:

You can disable MS DNS server on a per NIC/IP basis.

--
Herb Martin

I work with Peter and he asked me to see if I could make the problem we're trying to solve clearer.

We have a domain adm.uow.edu.au which is an active directory domain,

delegated to the domain controller

admincat01.adm.uow.edu.au. The DC is on a private address. Our two public

addresses dns servers are acting as

secondaries for the adm.uow.edu.au zone.

The problem occurs when anyone external to our network attempts to resolve

an address in the adm.uow.edu.au zone,

eg. computera.adm.uow.edu.au. computera is on a public address. The

external client or their dns server when trying to

resolve computera.adm.uow.edu.au will, on average one time out of three, attempt to connect to
admincat01.adm.uow.edu.au which will fail (or possibly connect to a host

on their own private network with the same IP

address) Once this times out, it should then connect to one of our two

public dns servers and everything works from there.

It's the delay, due to timeout then failover, that we're trying to remove.

The way we fix the problem in our unix/bind environment is to not have an

NS record for the master for its zones, often

referred to as a "Hidden Master" arrangement. We were hoping to do the

same thing with our windows environment, but

whenever the NS record for the master is removed, it's replaced next

reload, and xfer'd back to the secondaries.

 

[Deji Akomolafe]

This is a bit hard to follow, but let me try to see if I understand.

adm.uow.edu.au is your zone name, and it's been delegated from uow.edu.au
admincat01 is the Primary DNS server. It is internal.
You have DNSb and DNSc on the outside acting as Secondary DNS servers for
the adm.uow.edu.au zone
An EXTERNAL user (me) looking for computera in the adm.uow.edu.au domain
WILL connect to a host on MY private network BEFORE eventually asking MY DNS
server to ask your DNSb or DNSc?

IF my understanding of your description is right, then this is incorrect.
This will only be correct IF I have a zone called adm.uow.edu.au on MY DNS
server OR I was only looking for computera instead of
computera.adm.uow.edu.au
I am not saying you don't have an issue, I am just saying your
interpretation or explanation of this issue is not logical. You may be
troubleshooting the wrong problem.

Of course, my understanding of your issue could be incorrect, in which case
I profusely apologize.

--
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

I work with Peter and he asked me to see if I could make the problem we're trying to solve clearer.

We have a domain adm.uow.edu.au which is an active directory domain,

delegated to the domain controller

admincat01.adm.uow.edu.au. The DC is on a private address. Our two public

addresses dns servers are acting as

secondaries for the adm.uow.edu.au zone.

The problem occurs when anyone external to our network attempts to resolve

an address in the adm.uow.edu.au zone,

eg. computera.adm.uow.edu.au. computera is on a public address. The

external client or their dns server when trying to

resolve computera.adm.uow.edu.au will, on average one time out of three, attempt to connect to
admincat01.adm.uow.edu.au which will fail (or possibly connect to a host

on their own private network with the same IP

address) Once this times out, it should then connect to one of our two

public dns servers and everything works from there.

It's the delay, due to timeout then failover, that we're trying to remove.

The way we fix the problem in our unix/bind environment is to not have an

NS record for the master for its zones, often

referred to as a "Hidden Master" arrangement. We were hoping to do the

same thing with our windows environment, but

whenever the NS record for the master is removed, it's replaced next

reload, and xfer'd back to the secondaries.

 

[Ace Fekay [MVP]]

In

This is a bit hard to follow, but let me try to see if I understand.

adm.uow.edu.au is your zone name, and it's been delegated from
uow.edu.au admincat01 is the Primary DNS server. It is internal.
You have DNSb and DNSc on the outside acting as Secondary DNS servers
for the adm.uow.edu.au zone
An EXTERNAL user (me) looking for computera in the adm.uow.edu.au
domain WILL connect to a host on MY private network BEFORE eventually
asking MY DNS server to ask your DNSb or DNSc?

IF my understanding of your description is right, then this is
incorrect. This will only be correct IF I have a zone called
adm.uow.edu.au on MY DNS server OR I was only looking for computera
instead of computera.adm.uow.edu.au
I am not saying you don't have an issue, I am just saying your
interpretation or explanation of this issue is not logical. You may be
troubleshooting the wrong problem.

Of course, my understanding of your issue could be incorrect, in
which case I profusely apologize.


Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

delegated to the domain controller
addresses dns servers are acting as
an address in the adm.uow.edu.au zone,
external client or their dns server when trying to
on their own private network with the same IP
public dns servers and everything works from there.
NS record for the master for its zones, often
same thing with our windows environment, but
reload, and xfer'd back to the secondaries.

This has been multiposted to another group that I was trying to help out in.
I can't remember which newsgroup it was. If only it was cross posted, this
way you can see my responses as well.

I believe they wanted to remove the NS record out of the namesrever tab, but
being a DNS server, it continues to register. The reason is on his
secondaries (BIND with outside access allowed thru the firewall), any
requests that hit them, for some reason gets sent to this server for a
response (it's a DC) but their firewall rules prevent outside access from
this guy. I pointed out a couple reg entries to eliminate that behavior.
Maybe the poster will cross post his response and you can find out what the
other group is.

My feeling is that maybe it's a registration request sent to the
secondaries. If this is the case, then the client will pull the MNAME and
send it there, which happens to be his DC. Who knows...


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory

 

[Jonathan de Boyne Pollard]

RNR> The external client [...] when trying to resolve
RNR> computera.adm.uow.edu.au will, on average one time out of three,
RNR> attempt to connect to admincat01.adm.uow.edu.au which will fail
RNR> (or possibly connect to a host on their own private network with
RNR> the same IP address)

Your problem is that this:

RNR> We have a domain adm.uow.edu.au which is an active
RNR> directory domain [...]. The DC is on a private address.
RNR> Our two public addresses dns servers are acting as
RNR> secondaries for the adm.uow.edu.au zone.

is wrong. Since you have private data in your DNS database that you
don't want published to the world (because they cause the aforementioned
problem) you should be implementing "split horizon" DNS service
using separate content DNS servers. Your two public content DNS
servers should have a _separate_ database, rather than have a replica
of the "internal" database that your internal content DNS server
has. That second database should contain only those data that
you wish to publish to the rest of Internet.

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-split-horizon.html#SeparateContentServers>