internal DNS (windows server) conflict with external DNS (ISP) - f

Discussion in 'DNS Server' started by randyv, Sep 16, 2004.

  1. randyv

    randyv Guest

    I'm having a frustrating problem.

    I have an internal DNS set up on our Windows2000 Advanced Server. This DNS
    resolves our server names to their internal IPs for folks at the corporate
    office. That's all it really does, there are no forwarders, nor is it really
    'public' - not publishing/syncing 'internal' IPs for our server names with
    other DNS servers.
    We have an external DNS that resolves our server names to their external IP
    addresses - the DNS service is supplied by our ISP.

    Corporate users for the most part are using WindowsXP Pro. Their TCP/IP
    properties are set to use an internal DHCP server to get their IP address
    (this runs behind our corporate firewall). The DNS servers however are set
    - one (internal DNS) is primary and alternate is our ISP's external DNS.

    The idea here was that these corporate clients would always resolve at the
    primary first - hence all our server names would get the proper (internal) IP
    for the users
    at corporate, and all external names (like www.google.com) would resolve at
    the alternate (external) DNS server at our ISP. External (branch) users
    would always resolve the server names with their external IP addresses using
    the external DNS provided by our ISP.

    PROBLEM DESCRIPTION -
    What happens is that when a corporate user's WindowsXP Pro client reboots,
    for some reason, the company server names try to resolve to the external name
    server (alternate not primary DNS), which resolves to an external IP address.
    Since our firewall keeps the corporate users from 'going out and coming back
    in', this resolution fails - mail cannot pop, web pages cannot load.

    It is easy for me to fix: I can shut down the DNS server and client service
    and restart it, or I can do an ipconfig /release and ipconfig /renew. Why
    that works I cannot figure out; DHCP has nothing to do with name resolving. I
    just figure it is forcing the client to recognize the internal DNS server
    somehow.

    However, while it is easy for me, it is constantly happening all over
    corporate, which is irritating, and giving IT unwanted exposure in the
    executive office.

    Does anyone have an idea why the WindowsXP Pro client is not resolving names
    'hierarchically'? That is, why isn't the client trying to resolve the name
    first at the primary, and only if not found at the primary, resolving to the
    alternate?

    Any advice is appreciated !!!


    --
    randyv
     
    randyv, Sep 16, 2004
    #1

  2. While opinions vary on the wisdom of this, it sounds like you must be using
    the same domain name inside and out ??

    The failover interval between querying the first or second dns server listed
    in dns properties is almost instantaneous. It's purpose isn't for
    sequencing, but to find a DNS server that holds a zone. If two servers hold
    a zone of the same name, it is likely that they will send queries to both
    available dns servers listed.

    An alternative configuration to try would be to remove the ISP's DNS server
    listing on the clients. Create static A records on your internal DNS server
    for your external servers that are supposed to be accessed with a public IP
    by internal users.

    Then configure forwarders on your DNS server pointing to the ISP's DNS servers.
     
    Steve Bruce, mct, Sep 17, 2004
    #2

  3. In news:,
    randyv <> wrote their comments
    Then Kevin replied below:
    > I'm having a frustrating problem.
    >
    > I have an internal DNS set up on our Windows2000 Advanced
    > Server. This DNS resolves our server names to their
    > internal IPs for folks at the corporate office. That's
    > all it really does, there are no forwarders, nor is it
    > really 'public' - not publishing/syncing 'internal' IPs
    > for our server names with other DNS servers.
    > We have an external DNS that resolves our server names to
    > their external IP addresses - the DNS service is supplied
    > by our ISP.
    >
    > Corporate users for the most part are using WindowsXP
    > Pro. Their TCP/IP properties are set to use an internal
    > DHCP server to get their IP address (this runs behind
    > our corporate firewall). The DNS servers however are set
    > - one (internal DNS) is primary and alternate is our
    > ISP's external DNS.
    >
    > The idea here was that these corporate clients would
    > always resolve at the primary first - hence all our
    > server names would get the proper (internal) IP for the
    > users
    > at corporate, and all external names (like
    > www.google.com) would resolve at the alternate (external)
    > DNS server at our ISP. External (branch) users would
    > always resolve the server names with their external IP
    > addresses using the external DNS provided by our ISP.


    Your idea is incorrect; DNS resolution does not work this way. If either DNS
    answers "not found", the query stops and the other DNS will not be queried.

    If this is Active Directory, and I assume it is, there should be no
    references for external or ISP's DNS in TCP/IP properties, this must be
    strictly adhered to. All DNS resolution for domain clients must come from
    the internal DNS servers. The DNS server is capable of resolving any name in
    the ICANN root of the internet without using a forwarder.

    I'm also assuming that the internal AD domain name is the same as your
    public domain name? Therefore, any host name in the public domain, such as
    www or mail, must be added to the internal DNS zone. You cannot access the
    external site by only the domain name without a host name; this record must
    point to the domain controller's IP address that has file sharing enabled for
    the SYSVOL DFS share to be accessed.


    >
    > PROBLEM DESCRIPTION -
    > What happens is that when a corporat user's WindowsXP Pro
    > client reboots, for some reason, the company server names
    > try to resolve to the external name server (alternate not
    > primary DNS), which resolves to an external IP address.
    > Since our firewall keeps the corporate users from 'going
    > out and coming back in', this resolution fails - mail
    > cannot pop, web pages cannot load.
    >
    > It is easy for me to fix, I can shut down the DNS server
    > and client service and restart it, or I can do an
    > ipconfig /release and ipconfig /renew - why that works I
    > cannot figure out DHCP has nothing to do with name
    > resolving, I just figure it is forcing the client to
    > recognize the internal DNS server somehow.
    >
    > However, while it is easy for me, it is constantly
    > happening all over corporate, which is irritating, and
    > giving IT unwanted exposure in the executive office.
    >
    > Does anyone have an idea why the WindowsXP Pro client is
    > not resolving names 'hierarchically'? That is, why isn't
    > the client trying to resolve the name first at the
    > primary, and only if not found at the primary, resolving
    > to the alternate?


    Because your whole scenario as to how DNS resolution is handled by the DNS
    client is incorrect, and you have chosen the same internal name as your
    public domain name.



    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], Sep 17, 2004
    #3
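To make the point of the two replies above concrete, here is an added Python model (not code from the thread, from Microsoft, or from any poster) of the client behaviour Steve and Kevin describe, of the behaviour the original poster expected, and of the recommended configuration (ISP server removed from clients, public hosts added as static A records, internal server recursing or forwarding for everything else). The domain, the addresses, the firewall rule and the "internal DNS not answering during boot" scenario are constructed assumptions.

```python
"""Model of the resolver behaviour discussed in this thread. Constructed data:
example.com is used both inside and out, 10.0.0.0/8 is the internal range and
203.0.113.0/24 is the company's public range, which the firewall will not hairpin."""

NXDOMAIN, TIMEOUT = "NXDOMAIN", "TIMEOUT"

# Public (ISP-hosted) view of the internet, including the public example.com zone.
PUBLIC_INTERNET = {"mail.example.com": "203.0.113.6",
                   "www.example.com": "203.0.113.7",
                   "www.google.com": "198.51.100.10"}
# Internal zone before the fix: only the servers that have private addresses.
INTERNAL_ZONE_BEFORE = {"fileserver.example.com": "10.0.0.5",
                        "mail.example.com": "10.0.0.6"}
# After the fix: the public-only host is added to the internal zone as a static A record.
INTERNAL_ZONE_AFTER = {**INTERNAL_ZONE_BEFORE, "www.example.com": "203.0.113.7"}

def internal_dns(zone):
    """Internal server: authoritative for example.com, recursive for everything else."""
    def serve(name):
        if name.endswith(".example.com"):
            return zone.get(name, NXDOMAIN)           # zone data only, never forwarded
        return PUBLIC_INTERNET.get(name, NXDOMAIN)    # root hints or forwarder
    return serve

def isp_dns(name):
    return PUBLIC_INTERNET.get(name, NXDOMAIN)

def windows_client(servers, name):
    """servers: list of (server, reachable). Any answer from a responding server,
    NXDOMAIN included, ends the query; the next server is tried only on no response."""
    for server, reachable in servers:
        if reachable:
            return server(name)
    return TIMEOUT

def hierarchical_client(servers, name):
    """What the original poster expected: fall through to the alternate on NXDOMAIN."""
    for server, reachable in servers:
        if reachable and (answer := server(name)) != NXDOMAIN:
            return answer
    return NXDOMAIN

def usable_from_inside(ip):
    """Constructed firewall rule: internal clients cannot reach the public range."""
    return ip not in (NXDOMAIN, TIMEOUT) and not ip.startswith("203.0.113.")

BEFORE = [(internal_dns(INTERNAL_ZONE_BEFORE), True), (isp_dns, True)]
BEFORE_AT_BOOT = [(internal_dns(INTERNAL_ZONE_BEFORE), False), (isp_dns, True)]  # assumed
AFTER = [(internal_dns(INTERNAL_ZONE_AFTER), True)]                # ISP removed from clients
```

With the original client list, `www.example.com` gets NXDOMAIN from the internal server and the query stops there, while a client that only hears the ISP server during boot receives the public address for `mail.example.com`, which the firewall then blocks; with the corrected zone and a single internal server, every name resolves.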