why doesn't this DNS server on windows 2008 work?

Kumar

This is a long post, but it has all the information about what I did. I posted it on Windows
2000 DNS. If it is a different newsgroup, please point me to the Windows 2008
DNS group.
I have been trying hard to set up my own DNS on Windows 2008 Server. I only
have one server, and it is for web hosting my personal websites. I intend to host
my own websites and their subdomains. The server has DC + DNS and IIS
(including websites), all-in-one. But it doesn't seem to work. Of course I
want to have Active Directory as well so that I could extend it to a couple
more users and clients later. Here is the background.

- Setting up the DNS for the first time (no experience) on Windows 2008
Server
- Installed Windows 2008
- Changed the computer name to NS1 (pointed ns1.mywebsite.com from the
GoDaddy name server to this, and gave this server's IP in GoDaddy @ IP)
- Installed first DC and AD and DNS with the following info
FQDN : mywebsite.com
(didn't put NS1 as that was the computer name. Should I use
NS1.mywebsite.com for the FQDN instead?)
NetBIOS : mywebsite

(What do I need to check if the above has been installed correctly? What
nslookup commands do I need to run? I tried with NS1.mywebsite.com and it works
correctly locally on the server, pointing to the same IP.)

Created new host records with
sub.mywebsite.com
demo.mywebsite.com

Created their corresponding websites in IIS on the same server

My server uses internal IPs that I got from the colocation provider, as below:

10.10.12.201 for DMZ and
10.0.12.210 for VPN

whereas my external public IP is 209.218.213.201
(IPs not correct, but just for understanding)

Mostly,

ns1.mywebsite.com works, pointing to a website in IIS;

however,
sub.mywebsite.com
demo.mywebsite.com

don't work.

I tried to look up at checkdns.net
sub.mywebsite.com
mywebsite.com

It comes back with
Error fetching SOA from ns1.bharathosting.net [209.218.213.201], request
timed out. Probably DNS server is offline.

My questions are:
What is going wrong?
Have I configured it correctly?
How do I check if all I did is correct?
Are there any specific steps that one could give me to set up my own DNS on
Windows 2008 from scratch? I can start all over fresh again. However, before
hosting I want everything to be set up correctly.
Do I need to do anything at my domain name registrar (godaddy.com)?

I greatly appreciate any help.
 
From the new DNS server itself, what does

nslookup sub.mywebsite.com

and

nslookup demo.mywebsite.com

return? If they're not working from the DNS server itself, they won't work
from the Internet. They should return the public IP, not the private IP.

When you go to a site that has whois, such as
http://www.networksolutions.com/whois/index.jsp, and put in your domain of
mywebsite.com, does it return the DNS servers that you expect it to?

Ray
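The checks Ray describes can be run from a machine outside the colo network so that the answers seen are the ones Internet clients get. The script below is an added example, not part of the original thread and not Microsoft tooling: Python 3, standard library only, building raw DNS queries over UDP so the replies come from the server under test and not from a caching resolver in between. For each name it reports whether the answer is authoritative (AA flag), flags any private RFC 1918 address in the answer, and finally asks for a name outside the zone to see whether the server will recurse for strangers. The zone, host names and public IP are the placeholders used in the thread; www.example.com is assumed as the probe name, and a timeout here corresponds to the "request timed out" that checkdns.net reported (UDP/53 on the public IP is not reachable).

```python
"""Query a DNS server straight from the Internet side and audit what it returns.
Added example for this thread (not from the original posts); Python 3 stdlib only.
Placeholders from the thread: zone mywebsite.com, public IP 209.218.213.201;
www.example.com is an assumed probe name the server should not be able to answer."""
import ipaddress
import socket
import struct
import sys

A, NS, CNAME, SOA = 1, 2, 5, 6  # record types this script decodes


def build_query(name, qtype, qid=0x1234, rd=True):
    """One-question standard query; RD (recursion desired) set unless cleared."""
    header = struct.pack("!HHHHHH", qid, 0x0100 if rd else 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                     for lab in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer back into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            end = off + 2 if end is None else end
            off, hops = ptr, hops + 1
            if hops > 64:  # a hostile reply could chain pointers in a loop
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Header flags plus the answer section as (owner, type, value) tuples."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": qid, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": []}
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == A and rdlen == 4:
            value = socket.inet_ntoa(msg[off:off + 4])
        elif rtype in (NS, CNAME, SOA):  # for SOA this is the primary master name
            value, _ = read_name(msg, off)
        else:
            value = msg[off:off + rdlen].hex()
        info["answers"].append((name, rtype, value))
        off += rdlen
    return info


def query(server, name, qtype, rd=True, timeout=3.0):
    """Send one query; None means no reply (the 'request timed out' checkdns.net saw)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, rd=rd), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)


def private_answers(info):
    """A-record values that are not globally routable (RFC 1918 and friends)."""
    return [v for _, t, v in info["answers"]
            if t == A and not ipaddress.ip_address(v).is_global]


def audit(server, zone, hosts, probe="www.example.com"):
    findings = []
    if query(server, zone, SOA) is None:
        findings.append(f"{zone}: SOA query timed out; UDP/53 on {server} is unreachable")
    for host in hosts:
        r = query(server, host, A)
        if r is None:
            findings.append(f"{host}: no reply")
            continue
        if not r["aa"]:
            findings.append(f"{host}: not an authoritative answer (rcode {r['rcode']})")
        findings += [f"{host}: answers {ip}, a private address Internet clients cannot reach"
                     for ip in private_answers(r)]
    r = query(server, probe, A)  # a name outside every zone this server hosts
    if r is not None and r["ra"] and r["answers"]:
        findings.append(f"{server}: recursion is on; it resolved {probe} for us (open resolver)")
    return findings


if __name__ == "__main__":
    srv = sys.argv[1] if len(sys.argv) > 1 else "209.218.213.201"
    sites = ["ns1.mywebsite.com", "sub.mywebsite.com", "demo.mywebsite.com"]
    print("\n".join(audit(srv, "mywebsite.com", sites)) or "no findings")
```

Run it as `python dnscheck.py 209.218.213.201` from a host that is not behind the colo firewall. A record answered with 10.10.12.201 is the symptom Ray predicts for sub and demo; an open-resolver finding is what Ace's "disable recursion" advice below addresses.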


 
From the DNS server itself it shows
10.10.12.201

for both.
However, I just changed demo.mywebsite.com to the external IP (209.218.213.201)
to see how it works,
and it shows
209.218.213.201 on the DNS server itself.

And for whois,
it shows my own DNS server correctly.

It even works correctly for
NS1.mywebsite.com when I browse the site outside of the network, but not the
subdomains like sub.mywebsite.com or demo.mywebsite.com.

 
How did you create the child sites? Did you create them as child zones, such
as the following?
mywebsite.com
sub.mywebsite.com
demo.mywebsite.com

Did you create any records under the child zones, such as www, or even a
blank record? If not, I can see why you are getting nothing back.


Also, to make a point, it is not recommended to mix public records and
private records on a DNS server that is a domain controller that is hosting
the internal private zone for your company. Also, it is highly NOT
recommended to have two NICs on a domain controller. Either action will
cause problems with Active Directory. If this domain controller is truly a
domain controller for a production network, this is not recommended nor a
desired configuration.

Besides, you would want the internal machines to resolve your records to the
private IP record, and outside queries to resolve to the public IP records.
Microsoft DNS is not capable at this time of offering "views", which is a
feature of BIND that you can configure to respond with a particular
record based on the querying client.

If you really feel you want to host your own public zones, I would suggest
getting two separate machines that are not domain controllers and that are
not part of the domain, locking them down using Security Policies, disabling all
unnecessary services, and disabling recursion (so no one can use your server to
resolve other domains than what is configured on them). Why two DNS servers?
Because the Registrar requires you to have a minimum of two DNS servers.

Honestly, unless you are running a hosting service with hundreds of domains,
I would just recommend using your ISP's or the Registrar's DNS services to
host your public domain name.



--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly.
Please check http://support.microsoft.com for regional support phone
numbers.

Infinite Diversities in Infinite Combinations
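Three of Ace's points can be checked offline against a dump of the zone before it is ever published: no private addresses in a zone the Internet will query, at least two NS records at the apex (the registrar minimum), and a record for every site name IIS is expected to serve (the "blank record or www" question). The script below is an added example, not from the thread and not Microsoft's tooling: it parses BIND-style zone text (owner, optional TTL, optional IN, type, rdata), which is the shape `dnscmd <server> /ZonePrint <zone>` prints on Windows Server 2008, and audits it. ZONE_DUMP and REQUIRED_HOSTS are constructed to mirror the records described in the thread; www.mywebsite.com is assumed as a site name that has no record yet.

```python
"""Offline audit of a public DNS zone dump. Added example, not from the thread.
Parses BIND-style zone text (the shape `dnscmd /ZonePrint` emits) and flags the
problems discussed above. ZONE_DUMP and REQUIRED_HOSTS are constructed data."""
import ipaddress

# Constructed zone dump mirroring the thread: apex and sub still carry the
# colo-internal 10.x address, ns1 and demo have been moved to the public IP.
ZONE_DUMP = """\
;
;  Zone:    mywebsite.com
;  Server:  ns1.mywebsite.com
;
@ 3600 NS    ns1.mywebsite.com.
@ 3600 SOA   ns1.mywebsite.com. hostmaster.mywebsite.com. 12 900 600 86400 3600
@ 3600 A     10.10.12.201
ns1 3600 A   209.218.213.201
sub 3600 A   10.10.12.201
demo 3600 A  209.218.213.201
"""

# Every host name bound to a site in IIS; www is assumed here as one with no record.
REQUIRED_HOSTS = ["mywebsite.com", "ns1.mywebsite.com", "sub.mywebsite.com",
                  "demo.mywebsite.com", "www.mywebsite.com"]


def qualify(name, origin):
    """Turn an owner field into a lower-case FQDN without the trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".")
    return f"{name}.{origin}"


def parse_zone(text, zone):
    """Return [(owner_fqdn, TYPE, [rdata fields])] for every record line."""
    origin, last, records = zone.rstrip(".").lower(), "@", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
            continue
        if fields[0].startswith("$"):  # $TTL / $INCLUDE: not needed for this audit
            continue
        name = last if raw[0] in " \t" else fields.pop(0)  # blank owner = previous owner
        if fields and fields[0].isdigit():
            fields.pop(0)  # optional TTL
        if fields and fields[0].upper() == "IN":
            fields.pop(0)  # optional class
        if not fields:
            continue
        rtype = fields.pop(0).upper()
        last = name
        records.append((qualify(name, origin), rtype, fields))
    return records


def audit_public_zone(records, zone, required_hosts):
    """Findings as (code, name, detail) tuples."""
    zone = zone.rstrip(".").lower()
    findings, has_address = [], set()
    for fqdn, rtype, rdata in records:
        if rtype in ("A", "AAAA", "CNAME"):
            has_address.add(fqdn)
        if rtype in ("A", "AAAA"):
            try:
                ip = ipaddress.ip_address(rdata[0])
            except (IndexError, ValueError):
                findings.append(("malformed-rdata", fqdn, " ".join(rdata)))
                continue
            if not ip.is_global:  # RFC 1918 etc.: useless to Internet clients, leaks topology
                findings.append(("private-address", fqdn, str(ip)))
    apex_ns = {rd[0].rstrip(".").lower() for f, t, rd in records if t == "NS" and f == zone and rd}
    if len(apex_ns) < 2:
        findings.append(("too-few-ns", zone, f"{len(apex_ns)} NS record(s); registrars require two"))
    for host in required_hosts:
        h = host.rstrip(".").lower()
        if h not in has_address:
            findings.append(("missing-record", h, "no A/AAAA/CNAME; the IIS site cannot be reached by name"))
    return findings


if __name__ == "__main__":
    recs = parse_zone(ZONE_DUMP, "mywebsite.com")
    for code, name, detail in audit_public_zone(recs, "mywebsite.com", REQUIRED_HOSTS):
        print(f"{code:16} {name:22} {detail}")
```

On the constructed dump this reports the apex and sub.mywebsite.com as private addresses, a single NS record, and no record for www.mywebsite.com, while ns1 and demo pass. Feed it the real dump and the real IIS binding list instead; a clean run is still no substitute for the live check from outside, since it says nothing about whether UDP/53 is reachable or recursion is off.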
 
Ace said:
Also, to make a point, it is not recommended to mix public records and
private records on a DNS server that is a domain controller that is
hosting the internal private zone for your company.

Agreed. This exposes the internal network topology to an attacker.

Ace said:
Also, it is highly NOT recommended to have two NICs on a domain
controller. Either action will cause problems with Active Directory. If
this domain controller is truly a domain controller for a production
network, this is not recommended nor a desired configuration.

Depending on how the NICs are connected, this could lead to a hack of the
internal network. We did this during a penetration test.

Ace said:
Besides, you would want the internal machines to resolve your records to the
private IP record, and outside queries to resolve to the public IP
records. Microsoft DNS is not capable at this time of offering "views", which
is a feature of BIND that you can configure to respond with a
particular record based on the querying client.

IMHO, it's always safer to have internal and external zones on completely
separate hardware, views notwithstanding. When they're on different servers,
a misconfiguration will have less effect.

Ace said:
Honestly, unless you are running a hosting service with hundreds of
domains, I would just recommend using your ISP's or the Registrar's DNS
services to host your public domain name.

Agreed. It's also far more failure resilient.

Good advice,

Ray
 
Thanks!

As for the multihomed DCs, besides the security implications (I can
understand and see how a penetration attempt with the right tools would
allow you to gain internal access), which of course we would NOT want, AD is
problematic if the machine is misconfigured, including the NICs, disabling
NetBIOS on the outside NIC, registry changes to alter registration of the
NICs and Netlogon registration, and manually creating SRV entries in the registry
to overcome the disabled registration. It's a nightmare for the layman. I
just recommend, for security and functionality, not to multihome. However,
many do not heed the recommendation, unfortunately.

Curious, what did you use for penetration testing?

Ace
 