DNS Forwarders not working?

Archived from groups: microsoft.public.win2000.dns

Hi
We have a Windows 2000 server (actually SBS with ISA disabled) at head
office location and a branch office connected by VPN using Netscreen
firewalls. VPN is working fine. Branch office clients authenticate on the
2000 server via the VPN. We only just changed firewalls to the NetScreens.
The old firewalls acted as proxy servers and client PCs' Internet Explorer
connection settings were set to use the old firewalls as their proxy server
and we had no problems. The new Netscreens are not proxies so I have removed
all the LAN connection settings in IE and the clients' NICs are set to use the
Netscreen as the gateway and the 2000 server as DNS. I have set up DNS
forwarders to our ISP's DNS but I cannot browse the internet from the 2000
server or our terminal server (the branch office users access the TS via the
VPN) unless I put the ISP's DNS on the NIC's TCP/IP settings, and even then I
cannot get to all sites or links within sites. I am at the limits of my
knowledge and would really appreciate any suggestions please!
 

Hello Geoff,

I really am not quite sure about your situation. But if you find you even
cannot browse internet on your server, and you think the DNS forwarder
doesn't work, then make sure your DC points to itself and nowhere else. Make
sure you can ping your DNS forwarder IP. You'd better do an nslookup with the
IP and see if it can resolve domain names.

Make sure you can browse on the server first. If you cannot browse, try to
ping your target and see where the problem is. Or if you can ping, see if
you can browse with the IP only. These are all I can think of at the moment.
You need to provide more detail and clear info.

br,
Denis

 

Hi Denis

DC is pointing to itself in the DNS on the NIC; it is the only DNS entry.
I can successfully ping both ISP DNS IPs and other public IPs.
I can ping all IPs on the internal network.
Nslookup fails on all external and internal IPs except the server
(192.168.0.6); the message on external fail is:
*** <server>.<domain>.com can't find www.microsoft.com: server failed
The message on internal nslookup fail on the terminal server is:
*** <server>.<domain>.com can't find 192.168.0.9: Non-existent domain

I've tried browsing by IP on the server with strange results: sometimes a
partial page appears but hyperlinks do not work, mostly "Page cannot be
displayed".

Hope these details give some more clues

Geoff

 

In news:77992C80-567A-4B10-A9AD-CC4BFF6F62C1@microsoft.com,
Geoff Hewitt <GeoffHewitt@discussions.microsoft.com> posted this:
> Hi Denis
>
> DC is pointing to itself in the DNS on the NIC, it is the only DNS
> entry. I can successfully ping both ISP DNS IP's and other public
> IP's.

Ping is not the tool to test connectivity to a DNS server since ping uses
ICMP. Use nslookup and change server to the external DNS you are using as
your forwarder.
If you are not using a forwarder verify that you can query the root servers
with this:
nslookup
set type=ns
server 198.41.0.4
.
(yes, that's a dot) If you get an answer back like this then you should
also be able to navigate the firewall to all external DNS servers.
(root) nameserver = A.ROOT-SERVERS.NET
(root) nameserver = H.ROOT-SERVERS.NET
(root) nameserver = C.ROOT-SERVERS.NET
(root) nameserver = G.ROOT-SERVERS.NET
(root) nameserver = F.ROOT-SERVERS.NET
(root) nameserver = B.ROOT-SERVERS.NET
(root) nameserver = J.ROOT-SERVERS.NET
(root) nameserver = K.ROOT-SERVERS.NET
(root) nameserver = L.ROOT-SERVERS.NET
(root) nameserver = M.ROOT-SERVERS.NET
(root) nameserver = I.ROOT-SERVERS.NET
(root) nameserver = E.ROOT-SERVERS.NET
(root) nameserver = D.ROOT-SERVERS.NET
A.ROOT-SERVERS.NET internet address = 198.41.0.4
H.ROOT-SERVERS.NET internet address = 128.63.2.53
C.ROOT-SERVERS.NET internet address = 192.33.4.12
G.ROOT-SERVERS.NET internet address = 192.112.36.4
F.ROOT-SERVERS.NET internet address = 192.5.5.241
B.ROOT-SERVERS.NET internet address = 192.228.79.201
J.ROOT-SERVERS.NET internet address = 192.58.128.30
K.ROOT-SERVERS.NET internet address = 193.0.14.129
L.ROOT-SERVERS.NET internet address = 198.32.64.12
M.ROOT-SERVERS.NET internet address = 202.12.27.33
I.ROOT-SERVERS.NET internet address = 192.36.148.17
E.ROOT-SERVERS.NET internet address = 192.203.230.10
D.ROOT-SERVERS.NET internet address = 128.8.10.90

> I can ping all IP's on the internal network.
> Nslookup fails on all external and internal IP's except the server
> (192.168.0.6), message on external fail is:
> *** <server>.<domain>.com can't find www.microsoft.com: server failed
> message on internal nslookup fail on the terminal server is:
> *** <server>.<domain>.com can't find 192.168.0.9: Non-existent domain

You obviously don't have a PTR record registered for this IP address.
If you get a message from nslookup saying
"Can't find server name for address <ipaddressofDNSserver>..."
That is nslookup performing a reverse lookup on the DNS server's address.

>
> I've tried browsing by IP on the server with strange results,
> sometimes a partial page appears but hyperlinks do not work, mostly
> "Page cannot be dispalyed".

This is likely being caused by a firewall rule not allowing your DNS server
to recurse domain names; for recursion to work, your DNS server must be able to
contact EVERY DNS server on the internet.
If you want your DNS server to contact only its forwarder, make sure the
firewall has a rule allowing connections to the forwarder's IP on UDP & TCP
port 53. Then, on the forwarders tab check the box "Do not use recursion".
If you do this make sure the forwarder is capable of handling all external
DNS queries; if it fails, the external query will fail, because the root
hints won't be used. A couple of very good forwarders to use are 4.2.2.1 &
4.2.2.2



-- 
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
Hope This Helps
===================================
When responding to posts, please "Reply to Group"
via your newsreader so that others may learn and
benefit from your issue, to respond directly to
me remove the nospam. from my email address.
===================================
http://www.lonestaramerica.com/
===================================
Use Outlook Express?... Get OE_Quotefix:
It will strip signature out and more
http://home.in.tum.de/~jain/software/oe-quotefix/
===================================
Keep a back up of your OE settings and folders
with OEBackup:
http://www.oehelp.com/OEBackup/Default.aspx
===================================
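The checks Kevin describes above (asking a root server or the forwarder for NS records, and reading nslookup's "server failed" versus "Non-existent domain" wording) come down to the RCODE in the DNS reply header: "server failed" is SERVFAIL (the server you asked could not complete the lookup, typically because its forwarder or the root servers are unreachable through the firewall), while "Non-existent domain" is NXDOMAIN (an authoritative "no such name", which for a reverse query means no PTR record). The following is an added example and not code from this thread or from Microsoft: a stdlib-only Python DNS client that builds the query nslookup sends, parses the reply, and maps the rcode to nslookup's wording and the next thing to check. The sample replies are constructed inline and trimmed to two root servers; only the `query` function touches the network, and it is not used by the samples.

```python
import socket
import struct

QTYPE_A, QTYPE_NS, QTYPE_PTR = 1, 2, 12

# RCODE values from RFC 1035 4.1.1, paired with the wording the Windows nslookup
# prints for them (2 = SERVFAIL, 3 = NXDOMAIN).
RCODE_TEXT = {0: "NOERROR", 2: "server failed", 3: "Non-existent domain"}

def encode_name(name):
    """Encode a dotted name as DNS labels; "." (the root) becomes a single zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.strip(".").split(".") if l)
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Standard query with RD set, one question, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)

def decode_name(msg, offset):
    """Decode a (possibly compressed) name; returns (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack(">H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) or ".", (offset if end is None else end)

def parse_response(msg):
    """Parse the header, skip the question, return rcode plus (name, type, value) records."""
    txid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    rcode, offset, records = flags & 0x0F, 12, []
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4                                   # qtype + qclass
    for _ in range(an + ns + ar):
        name, offset = decode_name(msg, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_NS or rtype == QTYPE_PTR:
            value, _ = decode_name(msg, offset)
        elif rtype == QTYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in msg[offset:offset + 4])
        else:
            value = msg[offset:offset + rdlen].hex()
        records.append((name, rtype, value))
        offset += rdlen
    return {"id": txid, "rcode": rcode, "rcode_text": RCODE_TEXT.get(rcode, "rcode %d" % rcode),
            "truncated": bool(flags & 0x0200), "records": records}

def diagnose(reply):
    """Turn a parsed reply into the check a DNS admin would make next."""
    if reply["rcode"] == 2:
        return "SERVFAIL: the server could not resolve; check it can reach its forwarder or the root servers on UDP and TCP 53"
    if reply["rcode"] == 3:
        return "NXDOMAIN: the name does not exist; for an in-addr.arpa query that means no PTR record"
    if reply["records"]:
        return "NOERROR: %d record(s) returned" % len(reply["records"])
    return "NOERROR with an empty answer: the name exists but has no record of that type"

def query(server, name, qtype, timeout=3.0):
    """Live UDP query: what 'server X' / 'set type=ns' / '.' does inside nslookup."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

def build_reply(txid, rcode, qname, qtype, records=()):
    """Constructed reply for offline testing; all records are placed in the answer section."""
    header = struct.pack(">HHHHHH", txid, 0x8180 | rcode, 1, len(records), 0, 0)
    body = encode_name(qname) + struct.pack(">HH", qtype, 1)
    for name_bytes, rtype, rdata in records:
        body += name_bytes + struct.pack(">HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return header + body

# Constructed sample replies (not captured traffic): a trimmed root NS answer, the
# "server failed" seen for www.microsoft.com, and the "Non-existent domain" seen for
# the reverse lookup of 192.168.0.9. 0xC00C is a pointer back to the question name.
ROOT_PTR = b"\xc0\x0c"
SAMPLE_ROOT_NS = build_reply(0x1234, 0, ".", QTYPE_NS, [
    (ROOT_PTR, QTYPE_NS, encode_name("A.ROOT-SERVERS.NET")),
    (ROOT_PTR, QTYPE_NS, encode_name("B.ROOT-SERVERS.NET")),
    (encode_name("A.ROOT-SERVERS.NET"), QTYPE_A, bytes([198, 41, 0, 4])),
])
SAMPLE_SERVFAIL = build_reply(0x1234, 2, "www.microsoft.com", QTYPE_A)
SAMPLE_NXDOMAIN = build_reply(0x1234, 3, "9.0.168.192.in-addr.arpa", QTYPE_PTR)
```

Running `diagnose(query("198.41.0.4", ".", QTYPE_NS))` and then the same against the forwarder's address from the DNS server itself reproduces Kevin's test in one line each; a SERVFAIL from the local server while the forwarder answers directly points at recursion being blocked at the firewall rather than at the forwarder.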
 

Hi Kevin

Thanks for the suggestions, here are my results:

> Ping is not the tool to test connectivity to a DNS server since ping uses
> ICMP. Use nslookup and change server to the external DNS you are using as
> your forwarder.
> If you are not using a forwarder verify that you can query the root servers
> with this:
> nslookup
> set type=ns
> server 198.41.0.4
> .
> (yes, that's a dot) If you get an answer back like this then you should
> also be able to navigate the firewall to all external DNS servers.
> (root) nameserver = A.ROOT-SERVERS.NET
> (root) nameserver = H.ROOT-SERVERS.NET
> (root) nameserver = C.ROOT-SERVERS.NET
> (root) nameserver = G.ROOT-SERVERS.NET
> (root) nameserver = F.ROOT-SERVERS.NET
> (root) nameserver = B.ROOT-SERVERS.NET
> (root) nameserver = J.ROOT-SERVERS.NET
> (root) nameserver = K.ROOT-SERVERS.NET
> (root) nameserver = L.ROOT-SERVERS.NET
> (root) nameserver = M.ROOT-SERVERS.NET
> (root) nameserver = I.ROOT-SERVERS.NET
> (root) nameserver = E.ROOT-SERVERS.NET
> (root) nameserver = D.ROOT-SERVERS.NET
> A.ROOT-SERVERS.NET internet address = 198.41.0.4
> H.ROOT-SERVERS.NET internet address = 128.63.2.53
> C.ROOT-SERVERS.NET internet address = 192.33.4.12
> G.ROOT-SERVERS.NET internet address = 192.112.36.4
> F.ROOT-SERVERS.NET internet address = 192.5.5.241
> B.ROOT-SERVERS.NET internet address = 192.228.79.201
> J.ROOT-SERVERS.NET internet address = 192.58.128.30
> K.ROOT-SERVERS.NET internet address = 193.0.14.129
> L.ROOT-SERVERS.NET internet address = 198.32.64.12
> M.ROOT-SERVERS.NET internet address = 202.12.27.33
> I.ROOT-SERVERS.NET internet address = 192.36.148.17
> E.ROOT-SERVERS.NET internet address = 192.203.230.10
> D.ROOT-SERVERS.NET internet address = 128.8.10.90

I got an answer back exactly as above for server 198.41.0.4 and my ISP's DNS
which is the forwarder.

> You obviously don't have a PTR record registered for this IP address.
> If you get a message from nslookup saying
> "Can't find server name for address <ipaddressofDNSserver>..."
> That is nslookup performing a reverse lookup on the DNS server's address.

I've manually added some host & PTR records for clients on the network to
solve this although I believe this should dynamically update.

> This is likely being caused by a firewall rule not allowing your DNS server
> to recurse domain names; for recursion to work, your DNS server must be able to
> contact EVERY DNS server on the internet.
> If you want your DNS server to contact only its forwarder, make sure the
> firewall has a rule allowing connections to the forwarder's IP on UDP & TCP
> port 53. Then, on the forwarders tab check the box "Do not use recursion".
> If you do this make sure the forwarder is capable of handling all external
> DNS queries, if it fails, the external query will fail, because the root
> hints won't be used. A couple of very good forwarders to use are 4.2.2.1 &
> 4.2.2.2

Port 53 on the firewall is open as above

Thank you for your help but I still can't browse from the server. Any more
ideas please?

Regards, Geoff
 

In news:AD40DC9D-44A4-4477-8729-CFD6607A1474@microsoft.com,
Geoff Hewitt <GeoffHewitt@discussions.microsoft.com> posted this:

> Thank you for your help but I still can't browse from the server. Any
> more ideas please?

Does your DNS server have a "." (Root) zone?
If it does delete it.



-- 
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]
 

"Kevin D. Goodknecht Sr. [MVP]" wrote:
>
> Does your DNS server have a "." (Root) zone?
> If it does delete it.
>
No, there's no "." zone.

I've discovered that the old firewall box that is still connected (just
because it allows us to capture all the incoming and outgoing email and
forward it off to an archive independent of Exchange) is also a DNS server
pointing to the ISP's DNS and if I point the server and clients at that IP
they can all browse without a problem.

So I tried putting that IP as a forwarder in the server DNS and re-pointing
everything back to the server for DNS but it still wouldn't work. I have a
workaround for now with the old firewall but it seems that DNS is screwed up
somewhere, I just can't locate where.

Thanks for all your help.

Geoff
 

In news:B2BC327E-EE28-4BCD-8010-B885EC36FE25@microsoft.com,
Geoff Hewitt <GeoffHewitt@discussions.microsoft.com> posted this:
> "Kevin D. Goodknecht Sr. [MVP]" wrote:
>>
>> Does your DNS server have a "." (Root) zone?
>> If it does delete it.
>>
> No there's no "." zone
>
> I've discovered that the old firewall box that is still connected
> (just because it allows us to capture all the incoming and outgoing
> email and forward it off to an archive independent of Exchange) is
> also a DNS server pointing to the ISP's DNS and if I point the server
> and clients at that IP they can all browse without a problem.
>
> So I tried putting that IP as a forwarder in the server DNS and
> re-pointing everything back to the server for DNS but it still
> wouldn't work. I have a workaround for now with the old firewall but
> it seems that DNS is screwed up somewhere, I just can't locate where.

Can you show me some local and external queries run against your DNS server
using nslookup -d2?



-- 
Best regards,
Kevin D4 Dad Goodknecht Sr. [MVP]