DNS forwarders not working

Guest
Archived from groups: microsoft.public.win2000.dns (More info?)

Hi all,
Weird one here I just can't get my head around. Currently running NT4 domain
and need to get forwarders working on my DNS server.
The reason being we have a server here that is a DNS server for a third
party company that resolves addresses on their closed intranet. The problem
we have is clients all have to have different DNS server search orders
depending on what they need access to, as the third party DNS server does not
resolve internet addresses, only their own.
So my solution was to set up DNS forwarders on my DNS server to try and
resolve the third party queries using a forwarder to their server.
However it doesn't work. If I put the IP of their server in the forwarders
then clients using my server for DNS can resolve their addresses fine, BUT
internet resolution provided by my DNS server stops working.
I've tried putting an ISP DNS address in the forwarders as well, in both
orders, thinking internet will resolve using this, and if the internet DNS
cannot resolve it will move on to the third party server and resolve. But
this stops third party resolution working.
Even if I have the third party server first and ISP second, internet resolution
stops working.
So in desperation, thinking my DNS is somehow broken, I've just set up a test
2000 server with a fresh install of DNS and I have the exact same symptoms.

I'm stuck now and don't really know where else to look.

Any ideas?
 
Guest

"Andy Taylor" <Andy Taylor@discussions.microsoft.com> wrote in message
news:E2F05DE0-22AE-4B65-8F65-784F4F586DA8@microsoft.com...
> Hi all,
> Weird one here I just can't get my head around. Currently running NT4
> domain and need to get forwarders working on my DNS server.
> The reason being we have a server here that is a DNS server for a third
> party company that resolves addresses on their closed intranet. The
> problem we have is clients all have to have different DNS server search orders
> depending on what they need access to, as the third party DNS server does
> not resolve internet addresses, only their own.

You cannot expect the search order to be reliable.

ALL DNS clients must use the same set of DNS servers,
or (at least) DNS servers that can ALL return the same
answers.

You cannot use different DNS servers on the client NIC
in the expectation that they will 'supplement' each other
-- i.e., give back additional answers not known by all.

> So my solution was to set up DNS forwarders on my DNS server to try and
> resolve the third party queries using a forwarder to their server.

That is the correct concept -- DNS server for your clients
MUST handle the resolutions it does not know (does not
have a zone) by forwarding or recursing other servers.

Problem is, if their server (to which you forward) cannot
resolve ALL other names (e.g., THE Internet) you will be
limited to what your server knows direct PLUS what their
server knows.

(Win2003 solves this problem through "conditional forwarding").

If this is not suitable, you must hold a secondary for their zone(s)
on your DNS server.

> However it doesn't work. If I put the IP of their server in the forwarders
> then clients using my server for DNS can resolve their addresses fine, BUT
> internet resolution provided by my DNS server stops working.
> I've tried putting an ISP DNS address in the forwarders as well, in both
> orders, thinking internet will resolve using this, and if the internet DNS
> cannot resolve it will move on to the third party server and resolve.
> But this stops third party resolution working.
> Even if I have the third party server first and ISP second, internet resolution
> stops working.

This is the way DNS clients and servers are expected to work.


> So in desperation, thinking my DNS is somehow broken, I've just set up a test
> 2000 server with a fresh install of DNS and I have the exact same symptoms.

Win2000 is fine but it will give the SAME results.


> I'm stuck now and don't really know where else to look.

It's a design misunderstanding.


Do this:

Use your forwarder (you only get the one) to resolve the
Internet, by forwarding to the ISP

Create a secondary zone (on each of your DNS servers)
for each of "their" zones -- you may need them to enable
"zone transfers" to your DNS server IP

Make sure that ALL of your clients' NIC->IP properties->DNS
settings are set to STRICTLY your internal DNS servers

Remember that generally your "servers" are DNS clients too
 
Guest

Hi Herb, thanks for taking the time.

"Herb Martin" wrote:


> > So my solution was to set up DNS forwarders on my DNS server to try and
> > resolve the third party queries using a forwarder to their server.
>
> That is the correct concept -- DNS server for your clients
> MUST handle the resolutions it does not know (does not
> have a zone) by forwarding or recursing other servers.
>
> Problem is, if their server (to which you forward) cannot
> resolve ALL other names (e.g., THE Internet) you will be
> limited to what your server knows direct PLUS what their
> server knows.
>
> (Win2003 solves this problem through "conditional forwarding").

Limited to what my server knows (that is, the internet) PLUS what their
server knows (their intranet addresses) is all I need. This is what I can't
understand about why it is not working. Pointing clients at my DNS server I can
get EITHER internet or 3rd party working but not both at the same time.
Depending on the order of my forwarders, whatever is first in the list works.

So 3rd party forwarder first makes 3rd party work but not internet.

ISP forwarder first makes internet work but not third party.


> If this is not suitable, you must hold a secondary for their zone(s)
> on your DNS server.
>
> Do this:
>
> Use your forwarder (you only get the one) to resolve the
> Internet, by forwarding to the ISP
>
> Create a secondary zone (on each of your DNS servers)
> for each of "their" zones -- you may need them to enable
> "zone transfers" to your DNS server IP
>
> Make sure that ALL of your clients NIC->IP properties->DNS
> settings are set to STRICTLY your internal DNS servers
>
> Remember that generally your "servers" are DNS clients too
>

I have tried this but have come up against 2 problems.

I have a choice of 2 DNS servers that will successfully resolve the third
party addresses.

The first is the 3rd party server at my site. This is the address that they say
my clients have to point to to resolve their names (we know that is
impractical). This is in fact not a proper DNS server at all, but is running
winrouteproxy, which I have examined and can see forwards DNS requests on
to the 'proper' DNS server in Germany.

The second is the DNS server in Germany, as I have routing in place to query
it directly.

Trying to add a zone for the first server fails as it is indeed not running
DNS itself.

Trying the second fails as they obviously have transfers disabled. Getting
this enabled would be nigh on impossible as they are a large multinational
company and doing it just because little me asks them to is probably not
going to happen.

Am I barking up the wrong tree trying to get forwarders working instead of
the zone solution?
 
Guest

> > > So my solution was to set up DNS forwarders on my DNS server to try
> > > and resolve the third party queries using a forwarder to their server.
> >
> > That is the correct concept -- DNS server for your clients
> > MUST handle the resolutions it does not know (does not
> > have a zone) by forwarding or recursing other servers.
> >
> > Problem is, if their server (to which you forward) cannot
> > resolve ALL other names (e.g., THE Internet) you will be
> > limited to what your server knows direct PLUS what their
> > server knows.
> >
> > (Win2003 solves this problem through "conditional forwarding").
>
> Limited to what my server knows (that is, the internet) PLUS what their
> server knows (their intranet addresses) is all I need. This is what I
> can't understand about why it is not working.

So EITHER:

1) You don't need the Internet resolution (doesn't sound like it)
OR
2) Their DNS server will (be trusted) to resolve Internet FOR YOU?


> Pointing clients at my DNS server I can
> get EITHER internet or 3rd party working but not both at the same time.

Sounds like #2 is NOT working that way.

You cannot forward to two places in Win2000 or earlier.

> Depending on the order of my forwarders, whatever is first in the list
> works.

Forwarders are like CLIENT settings -- ALL Forwarders
in the list MUST return the same, consistent, correct results.

You cannot expect that multiple forwarders will be used.

> So 3rd party forwarder first makes 3rd party work but not internet.

Exactly as it is designed.

You cannot do it this way.

> ISP forwarder first makes Internet work but not third party.

That is right. All forwarders must return the same, consistent,
correct results.

> > If this is not suitable, you must hold a secondary for their zone(s)
> > on your DNS server.

You need to do it this way.

> > Do this:
> >
> > Use your forwarder (you only get the one) to resolve the
> > Internet, by forwarding to the ISP
> >
> > Create a secondary zone (on each of your DNS servers)
> > for each of "their" zones -- you may need them to enable
> > "zone transfers" to your DNS server IP
> >
> > Make sure that ALL of your clients NIC->IP properties->DNS
> > settings are set to STRICTLY your internal DNS servers
> >
> > Remember that generally your "servers" are DNS clients too
> >
>
> I have tried this but have come up against 2 problems.
>
> I have a choice of 2 DNS servers that will successfully resolve the third
> party addresses.
>
> The first is the 3rd party server at my site. This is the address that they
> say my clients have to point to to resolve their names (we know that is
> impractical). This is in fact not a proper DNS server at all, but is
> running winrouteproxy, which I have examined and can see forwards DNS requests
> on to the 'proper' DNS server in Germany.
>
> The second is the DNS server in Germany, as I have routing in place to
> query it directly.
>
> Trying to add a zone for the first server fails as it is indeed not
> running DNS itself.
>
> Trying the second fails as they obviously have transfers disabled. Getting
> this enabled would be nigh on impossible as they are a large multinational
> company and doing it just because little me asks them to is probably not
> going to happen.
>
> Am I barking up the wrong tree trying to get forwarders working instead of
> the zone solution?
 
Guest

Herb,

Thanks for clearing that up.

It was a misunderstanding by me, obviously, as to how forwarders work. I've
read tons of documentation on this and none of it implied it works that way.

So that's that cleared up, but it now leaves me with a bigger
problem: finding a solution so that both sets of addresses can be resolved
by my clients.

Forwarders don't work.
Adding their zone will not work.

Are there any other solutions that I've not thought of?
 
Guest

"Andy Taylor" <AndyTaylor@discussions.microsoft.com> wrote in message
news:7405083B-2B97-4241-B270-C04E3B20B00B@microsoft.com...
> Herb,
>
> Thanks for clearing that up.
>
> It was a misunderstanding by me, obviously, as to how forwarders work. I've
> read tons of documentation on this and none of it implied it works that
> way.
>
> So that's that cleared up, but it now leaves me with a bigger
> problem: finding a solution so that both sets of addresses can be
> resolved by my clients.
>
> Forwarders don't work.


> Adding their zone will not work.

Why not?

Anyone willing to let you forward to them, should likely
trust you enough to allow you to hold a secondary.

> Are there any other solutions that I've not thought of?

Win2003, Conditional Forwarding or perhaps Stub zone.

Or having them properly delegate it -- but that requires
some complicated things be true.
 

obiwan

<snippage>
> Forwarders dont work.
> Adding their zone will not work.

Hmm; let's say you have an external
domain like acme.com and you want your
DNS to resolve queries for that domain
by sending them to the respective server,
and also you want your DNS to resolve
internet queries; am I correct here?

First of all you'll need to ask the "admin"
for the acme.com zone to allow zone
transfers from your server.

Once the above works, you will need
to create a secondary zone on your DNS,
call it "acme.com", and point its master
DNS to the acme.com DNS servers.

At this point, if everything is working, your
DNS will transfer the zone from acme.com;
if not, check your firewall settings (or the
acme.com firewall settings) and ensure it
doesn't block zone transfers.

Once the above is working, your DNS
should be able to resolve acme.com queries.

Now configure the forwarders for internet
name resolution. Due to the latest "DNS
cache poisoning" issue I'd suggest you
avoid using the forwarders and set
up your DNS for full recursive resolution,
but if you can't or don't want to do it, the
best you can do is pointing the forwarders
to 4.2.2.2 and 4.2.2.1; if on the other hand
you can set up a full recursive DNS, be sure
to follow the steps you'll find here

http://support.microsoft.com/default.aspx?scid=kb;en-us;300202

at the section titled "using root hints". Also, be
sure that recursion hasn't been disabled on
your DNS.



Regards

--

* ObiWan

Microsoft MVP: Windows Server - Networking
http://www.microsoft.com/communities/MVP/MVP.mspx
http://mvp.support.microsoft.com

DNS "fail-safe" for Windows clients.
http://www.ntcanuck.com

Newsgroups and forums
news://news.ntcanuck.com
http://forums.ntcanuck.com

408+ XP/2000 tweaks and tips
http://www.ntcanuck.com/tq/Tip_Quarry.htm
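Added example, not code from any post in this thread: a small Python model of the forwarder behaviour Herb describes (the next forwarder in the list is consulted only when the previous one does not answer at all, so whichever is first decides what resolves) next to the two fixes the thread proposes, holding the third party's zone as a secondary as in ObiWan's steps, or a Win2003 conditional forwarder. The `Upstream` class stands for a forwarder target that knows only its own records; all names, addresses and the zone `acme.test` are constructed, and the model leaves out the fallback to root hints.

```python
# Added model (not from the thread); names, addresses and "acme.test" are constructed.
NXDOMAIN, TIMEOUT = "NXDOMAIN", "TIMEOUT"
class Upstream:
    def __init__(self, records, reachable=True):
        self.records, self.reachable = records, reachable

    def query(self, qname):
        # An unreachable server gives no reply; a reachable one answers or says NXDOMAIN.
        return TIMEOUT if not self.reachable else self.records.get(qname, NXDOMAIN)

class Resolver:
    def __init__(self, local_zones=None, forwarders=(), conditional=None):
        self.local_zones = local_zones or {}   # zone -> records held locally (secondary)
        self.forwarders = list(forwarders)     # Win2000: one ordered list for everything
        self.conditional = conditional or {}   # Win2003: zone -> Upstream for that zone

    def resolve(self, qname):
        # 1. A zone the server holds itself (primary or secondary) is answered locally.
        for zone, records in self.local_zones.items():
            if qname.endswith("." + zone):
                return records.get(qname, NXDOMAIN)
        # 2. Conditional forwarders (Win2003 and later) route by domain suffix.
        for zone, upstream in self.conditional.items():
            if qname.endswith("." + zone):
                return upstream.query(qname)
        # 3. Plain forwarders are tried in order, but the next one is consulted only
        #    when the previous one does not answer at all. NXDOMAIN is an answer, so
        #    a second forwarder never "supplements" the first, as Herb explains.
        for upstream in self.forwarders:
            answer = upstream.query(qname)
            if answer != TIMEOUT:
                return answer
        return TIMEOUT  # fallback to root hints is left out of this model

ISP = Upstream({"www.example.net": "198.51.100.10"})    # constructed ISP resolver
THIRD_PARTY = Upstream({"app.acme.test": "10.9.8.7"})   # constructed third-party server
INTERNET, INTRANET = "www.example.net", "app.acme.test"

def win2000_forwarders(order):
    # Whichever forwarder is first in the list decides what resolves.
    r = Resolver(forwarders=order)
    return r.resolve(INTERNET), r.resolve(INTRANET)
def secondary_zone_plus_isp_forwarder():
    # Herb's and ObiWan's fix: hold acme.test as a secondary, forward the rest to the ISP.
    r = Resolver(local_zones={"acme.test": THIRD_PARTY.records}, forwarders=[ISP])
    return r.resolve(INTERNET), r.resolve(INTRANET)
def conditional_forwarding():
    # Win2003 alternative: forward only acme.test to the third party.
    r = Resolver(conditional={"acme.test": THIRD_PARTY}, forwarders=[ISP])
    return r.resolve(INTERNET), r.resolve(INTRANET)
```

With the third party first, `win2000_forwarders` resolves the intranet name but returns NXDOMAIN for the internet name, and the other order gives the mirror image; only the secondary-zone and conditional-forwarding setups resolve both.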