Nslookup fails for external lookups

Archived from groups: microsoft.public.win2000.dns (More info?)

I have a Windows 2000 Server set as primary DNS for my internal clients,
this is behind an ISA Server 2000. When I run nslookup from the WK server
for an external domain such as www.aol.com I get the response

"DNS request Timed out"

However, if I specify the server in nslookup with the server option, for
example nslookup -server 194.72.6.52, I get the correct response to the
lookup.

I have enabled a forwarder on the WK DNS and I can perform the DNS lookups
through the ISA correctly as above. This has been baffling for a while; it
just seems my server will not perform recursive lookups for external
domains. I'm sure I've missed something in the config here; any help would be
appreciated.

Cheers

Kyle
 

In news:uC2Oj9yaEHA.2516@TK2MSFTNGP10.phx.gbl,
uce@cscm.co.uk <uce@cscm.co.uk> asked for help and I offered my suggestions
below:
> I have a Windows 2000 Server set as primary DNS for my internal
> clients, this is behind an ISA Server 2000. When I run nslookup from
> the WK server for an external domain such as www.aol.com I get the
> response
>
> "DNS request Timed out"
>
> However, if I specify the server in nslookup with the server option, for
> example nslookup -server 194.72.6.52, I get the correct response to the
> lookup.
>
> I have enabled a forwarder on the WK DNS and I can perform the DNS
> lookups through the ISA correctly as above. This has been baffling
> for a while; it just seems my server will not perform recursive
> lookups for external domains. I'm sure I've missed something in the
> config here; any help would be appreciated.
>
> Cheers
>
> Kyle

Do you have a rule allowing DNS traffic? UDP 53 at least.

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
 

Yes, I have a rule for the server to use UDP 53 send/receive and also a
packet filter for DNS on the ISA Server itself.

I can perform the lookups if I specify an external server; it's just the
forwarder on my DNS server that seems to time out?
 

In news:uHKsSX$aEHA.2408@tk2msftngp13.phx.gbl,
Kyle Heath <uce@cscm.co.uk> asked for help and I offered my suggestions
below:
> Yes I have a rule for the server to use UDP 53 send/receive and also a
> packet filter for DNS on the ISA Server itself.
>
> I can perform the lookups if I specify an external server; it's just
> the forwarder on my DNS server that seems to time out?
>

You'll need to allow TCP 53 as well, to get answers for some domains such as
AOL, Yahoo, Hotmail, etc., because their responses are large. UDP is used
when the packet size is below 512 bytes. If the answer is greater than 512,
the transport is changed to TCP. If using W2k3 DNS, it has a new feature
called EDNS0 which allows UDP packets greater than 512.

Give that a shot and let us know!

--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Active Directory

HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
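
Added example, not part of the original thread: a small Python model of the truncation behaviour described in the post above, showing the TC (truncated) header bit that triggers the TCP retry and the EDNS0 OPT record that raises the UDP size limit. The function names, the query ID and the sample reply are constructed for illustration, and the firewall is reduced to a single allow/deny flag for TCP 53.

```python
import struct

CLASSIC_UDP_LIMIT = 512  # bytes; the plain-UDP limit quoted in the post above

def build_query(name, qid, edns_udp_size=None):
    """Build an A query; optionally append an EDNS0 OPT record."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, TYPE=41, CLASS field carries the advertised UDP size
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1) + opt

def udp_limit(query):
    """Largest UDP reply the sender accepts: 512 unless an OPT record says more."""
    arcount = struct.unpack("!H", query[10:12])[0]
    pos = 12
    while query[pos]:          # walk the question name (queries are uncompressed)
        pos += query[pos] + 1
    pos += 5                   # terminating zero + QTYPE + QCLASS
    if arcount and query[pos:pos + 3] == b"\x00\x00\x29":
        return struct.unpack("!H", query[pos + 3:pos + 5])[0]
    return CLASSIC_UDP_LIMIT

def parse_flags(message):
    """Return (id, is_response, truncated, answer_count) from the DNS header."""
    if len(message) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return qid, bool(flags & 0x8000), bool(flags & 0x0200), ancount

def constructed_reply(query, truncated):
    """Constructed sample reply: the query echoed with QR=1, RA=1 and optional TC=1."""
    flags = 0x8180 | (0x0200 if truncated else 0)
    return query[:2] + struct.pack("!H", flags) + query[4:]

def next_step(query, reply, tcp53_allowed):
    """What the forwarding server does with a UDP reply, given the firewall rule set."""
    qid, _, _, _ = parse_flags(query)
    rid, is_response, truncated, _ = parse_flags(reply)
    if not is_response or rid != qid:
        return "ignore: not a reply to this query"
    if not truncated:
        return "done: answer fit in UDP"
    return "retry over TCP 53" if tcp53_allowed else "timeout: TCP 53 retry blocked"

if __name__ == "__main__":
    q = build_query("www.aol.com", 0x1234)
    print(udp_limit(q), next_step(q, constructed_reply(q, True), tcp53_allowed=False))
```
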
 

u> I have a Windows 2000 Server [...]
u> domain such as www.aol.com [...]

It's definitely not Windows NT 2003 Server?

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-edns0-and-firewalls.html>

u> When I run nslookup [...]

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/nslookup-flaws.html>

u> Im sure Ive missed something in the config here [...]

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dns-monolithic-server-as-proxy.html>
 

I have already tried that one! If the DNS server is installed on the ISA
Server itself, I can perform the lookups. The problem is that the DNS
server is behind the ISA Server as a Firewall Client; this seems to be the
issue.
 

In news:%23dXVNGIcEHA.2388@TK2MSFTNGP11.phx.gbl,
Kyle Heath <uce@cscm.co.uk> asked for help and I offered my suggestions
below:
> I have already tried that one! If the DNS server is installed on the
> ISA Server itself I can perform the lookups, the problem is because
> the DNS server is behind the ISA Server as a Firewall Client, this
> seems to be the issue.
>
Then this comes down to an ISA/firewall issue. As far as I remember, just
allow access for your firewall clients and allow that traffic. So it's just
basically a rule you are allowing for your firewall clients. If you need
further instructions, you can post this in the ISA newsgroup for specific
help in this matter.

You can also check www.isaserver.org for help as well.



--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
--
=================================
 
