DNS resolving externally for local machines..

Discussion in 'DNS Server' started by GaryB, Apr 23, 2006.

  1. GaryB

    GaryB Guest

    Hi,
    Windows Server 2003 running DHCP, DNS & WINS which replicates with our
    remote office working fine until last week. Now for some reason when you
    attempt to ping any LAN client it returns the external IP of our company
    website which is hosted on a completely separate server in the DMZ! If I
    ipconfig /renew it comes back correctly for several minutes before doing it
    again.
    Our AD domain is named corp.companyname.co.uk & the website to which it's
    resolving is www.companyname.co.uk! I have checked DNS, restarted,
    cleared the cache with no success, and am wondering where this has gone wrong
    as it's worked fine for over a year now. I have our ISP DNS servers set as
    forwarders but it appears that it looks at these servers for local DNS
    entries then sees the domain mycompany.co.uk and goes to the external web IP!
    Can anyone unravel this mystery?
    Thanx
     
    GaryB, Apr 23, 2006
    #1

  2. In
    What does an ipconfig /all on one of the clients show you?
    Anyone using a hosts file, perchance?
     
    Lanwench [MVP - Exchange], Apr 24, 2006
    #2

  3. GaryB

    GaryB Guest

    Hi there, thanx for taking the time..
    This shows correctly and is exactly the same after I renew the IP
    All using hosts but this entry is not in there.

    Additionally nslookup resolves OK on all clients also. The machines are
    reachable because I can ping them by IP so it must be a DNS issue, and I
    think that all LAN clients are being sent out to external DNS servers when
    they request the data. Strangely enough though, apart from the fact they
    cannot connect with the Exchange server, everything else is fine..

    Baffled!
     
    GaryB, Apr 24, 2006
    #3
  4. GaryB

    Hank Arnold Guest

    Try running

    IPCONFIG /FLUSHDNS

    Regards,
    Hank Arnold
     
    Hank Arnold, Apr 24, 2006
    #4
  5. GaryB

    Hank Arnold Guest

    What happens if you rename the HOSTS file temporarily?

    Regards,
    Hank Arnold
     
    Hank Arnold, Apr 24, 2006
    #5
  6. GaryB

    GaryB Guest

    Hi Hank,
    Have done so many times followed by IPCONFIG /REGISTERDNS on both clients and
    server. This does resolve this issue for around 30 seconds, then it's back to
    how it was..

    Cheers
    G
     
    GaryB, Apr 24, 2006
    #6
  7. GaryB

    Hank Arnold Guest

    What happens if you don't do

    IPCONFIG /REGISTERDNS

    ?

    Regards,
    Hank Arnold
     
    Hank Arnold, Apr 24, 2006
    #7
  8. GaryB

    GaryB Guest

    -Thanx Hank,
    Renamed the hosts file, refreshed DNS but same problem occurring. We have a
    client on the LAN called LANNAS. When I ping by IP it's fine but when I ping
    by FQDN it comes back as www.companydomain.co.uk (External IP), which
    suggests that DNS is resolving on our ISP's DNS server, hence the reason it's
    hitting our website in the DMZ.

    I'm really confused now, but appreciate your time
     
    GaryB, Apr 24, 2006
    #8
  9. GaryB

    GaryB Guest

    Hi Hank,
    Same thing happens I'm afraid. Even if I block outgoing traffic (LAN >> WAN)
    on port 53 it still tries to resolve to the external IP..

    What could be stopping the internal DNS server from resolving requests?

    Cheers
    G
     
    GaryB, Apr 24, 2006
    #9
  10. GaryB

    GaryB Guest

    An update if it may help any experts; it seems odd that I have 4 entries in the
    DNS Suffix Search List. On the 2000 member servers & 2003 DC it's only 1
    entry which is the corp.OURcompany.

    Windows IP Configuration
    Host Name . . . . . . . . . . . . : XP_LAN_IT
    Primary Dns Suffix . . . . . . . : corp.OURcompany.co.uk (This is our
    internal domain)
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . :
    corp.OURcompany(This is our internal domain)
    ADServer (Our DC)
    OURcompany (? This is also the name of our
    external website)
    co.uk
    Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix . : ADServer
    Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
    Physical Address. . . . . . . . . : 00-0F-1F-E7-8A-F3
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.45.141
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.45.1
    DHCP Server . . . . . . . . . . . : 192.168.45.10
    DNS Servers . . . . . . . . . . . : 192.168.45.10
    194.72.6.57
    194.73.82.242
    Primary WINS Server . . . . . . . : 192.168.45.10
    Lease Obtained. . . . . . . . . . : 24 April 2006 11:15:14
    Lease Expires . . . . . . . . . . : 19 January 2038 04:14:07
     
    GaryB, Apr 24, 2006
    #10
  11. GaryB

    Glenn Guest

    I had something similar happen. I got rid of the secondary DNS server that
    the DHCP server was assigning (got rid of it in that I no longer had the DHCP
    server assign it) and all was fine.

    Hope this helps.
     
    Glenn, Apr 24, 2006
    #11
  12. GaryB

    GaryB Guest

    Hi Glenn,
    Which secondary DNS server is that? I have 1 internally & 2 externally to
    resolve web requests. I need all these. Have I misunderstood?

    Thanx
    G
     
    GaryB, Apr 24, 2006
    #12
  13. Inline.....and this is why I wanted to see your ipconfig /all :)

    Ding! Here's your problem. You must *not* use any external IP addresses in
    your AD clients' DNS settings. Only the internal (usually AD-integrated) DNS
    server's LAN IP. Then you use forwarders on the local DNS server itself to
    your ISP's DNS server to handle external lookups. AD relies heavily on DNS
    and this is a very common misconfiguration - it's easy to fix, however.
    Change your DHCP scope so it hands out only 192.168.45.10.

    See http://support.microsoft.com/default.aspx?scid=kb;en-us;323380 for more
    info.
     
    Lanwench [MVP - Exchange], Apr 24, 2006
    #13
  14. GaryB

    GaryB Guest

    Thanx Lanwench..
    The clients are picking up the external DNS IPs from DHCP scope options. I
    have 006 DNS servers (192.168.45.10, 194.72.6.57, 194.73.82.242). The DC has no
    DNS options set on its NIC, and the only other place the external DNS servers
    appear is as forwarders.

    Should I remove the external DNS from the DHCP scope options and simply
    leave the internal (192.168.45.10)?

    This had worked for a year like this so a tad confused..

    Appreciate your help..
    G
     
    GaryB, Apr 24, 2006
    #14
  15. Yes, remove the external DNS servers, use only the internal DNS.

    I suspect the problem arises from the DNS suffix search list and a wildcard
    record in the public DNS zone for companyname.co.uk. When the client appends
    the suffixes it starts at corp.companyname.co.uk,
    then companyname.co.uk, which hits the wildcard and resolves to your website
    address.

    You really need to assign a custom DNS suffix search list containing only
    corp.companyname.co.uk. to prevent clients from searching the public zone.

    You can do this as a group policy for XP and Win2k3 clients.

    Computer Configuration
    -Administrative templates
    -Network
    -DNS Client


    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    https://secure.lsaol.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Apr 24, 2006
    #15
  16. GaryB

    GaryB Guest

    Hi Kevin, thanx for chipping in. I removed the external DNS entries from the
    DHCP scope options and flushed DNS on client & cache on DC. I can now ping
    all clients via FQDN but cannot access the internet unless it's via our proxy
    server (LAN).

    This is the new client ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : XP_LAN_IT
    Primary Dns Suffix . . . . . . . : corp.OURcompany.co.uk
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : corp.OURcompany
    ADServer
    OURcompany.co.uk
    co.uk

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : LanServer
    Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit
    Controller
    Physical Address. . . . . . . . . : 00-0F-1F-E7-8A-F3
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.45.141
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.45.1
    DHCP Server . . . . . . . . . . . : 192.168.45.10
    DNS Servers . . . . . . . . . . . : 192.168.45.10
    Primary WINS Server . . . . . . . : 192.168.45.10
    Lease Obtained. . . . . . . . . . : 24 April 2006 18:21:04
    Lease Expires . . . . . . . . . . : 19 January 2038 04:14:07

    Does that look better without the external DNS servers? Any reason why I
    wouldn't be able to access the internet directly without proxy? The gateway is
    a firewall which up until I removed the entries was fine.. I have searched
    DNS and cannot locate any wildcard entries, but will try to do as suggested
    with the group policy. Is this common practice as I couldn't find any MS docs
    on it..so far!

    Thanx again
    G
     
    GaryB, Apr 24, 2006
    #16
  17. Do you have a forwarder assigned in the DNS server properties, in the DNS
    management console?
    If forwarders are not available there is likely a "." forward lookup zone;
    delete it.
    Then enable forwarding to the DNS servers you removed from TCP/IP
    properties.
    Make sure "Disable recursion" is not checked on the Advanced tab.

    When a browser is using a Proxy server, the web browser actually gets its
    DNS resolution from the proxy server and not from the DNS Client service. If
    the browser bypasses the proxy, it gets DNS resolution from the DNS client
    service.
    Who hosts your public DNS zone?
    Many DNS hosting companies use wildcard records, which is the likely place
    to look.

    Is there any reason for your clients to search zones for names not in your
    local zone?
    Your DNS does not have a zone for these extra domains and they need not be
    searched. It is common practice; I usually have to recommend this several
    times a month for any domain using a third level domain, fourth level domain
    or lower. Yours is a fourth level; the DNS client will devolve the fourth
    level name corp.ourcompany.co.uk to the third level ourcompany.co.uk, down to
    the second level domain which is co.uk. The DNS client service will not
    devolve to the top level.

    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], Apr 24, 2006
    #17
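As an added illustration (not code from this thread or from any of its posters), the Python simulation below models what Kevin describes in #15 and #17 and what Lanwench fixes in #13: the Windows DNS client devolves the primary suffix into its default search list, and a client that has failed over to a public resolver walks that list until the hosting provider's wildcard answers. The zone contents, the 203.0.113.10 web address and the LANNAS host address are constructed for the example.

```python
# Added example: simulates Windows DNS suffix devolution and search-list
# resolution. Zone data is constructed for illustration, not from the thread.
from typing import Optional

# The internal DC (192.168.45.10) answers its AD zone and, via forwarders, the
# public zone. The ISP resolver only knows the public zone.
INTERNAL_ZONE = {
    "lannas.corp.ourcompany.co.uk": "192.168.45.50",   # constructed host IP
    "adserver.corp.ourcompany.co.uk": "192.168.45.10",
}
PUBLIC_ZONE = {
    "www.ourcompany.co.uk": "203.0.113.10",            # constructed web IP
    "*.ourcompany.co.uk": "203.0.113.10",              # hosting-provider wildcard
}
INTERNAL_VIEW = {**PUBLIC_ZONE, **INTERNAL_ZONE}
EXTERNAL_VIEW = PUBLIC_ZONE

def devolve(primary_suffix: str) -> list:
    """Default search list: strip one label at a time down to the second-level
    domain, never to the TLD (corp.x.co.uk -> x.co.uk -> co.uk)."""
    labels = primary_suffix.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]

def lookup(view: dict, fqdn: str) -> Optional[str]:
    """One server's answer: exact record, else a wildcard one label above
    (simplified wildcard semantics, enough to show the failure mode)."""
    if fqdn in view:
        return view[fqdn]
    return view.get("*." + fqdn.partition(".")[2])

def resolve(name: str, search_list: list, view: dict):
    """Append each suffix in order; return the first (fqdn, ip) that answers."""
    for suffix in search_list:
        fqdn = f"{name}.{suffix}"
        ip = lookup(view, fqdn)
        if ip is not None:
            return fqdn, ip
    return None

if __name__ == "__main__":
    default_list = devolve("corp.ourcompany.co.uk")
    # Symptom: a client stuck on the ISP resolver walks the devolved list and hits the wildcard.
    print("external, devolved:", resolve("lannas", default_list, EXTERNAL_VIEW))
    # Fix from #13 (internal DNS only) and fix from #15 (single-suffix search list).
    print("internal, devolved:", resolve("lannas", default_list, INTERNAL_VIEW))
    print("external, custom  :", resolve("lannas", ["corp.ourcompany.co.uk"], EXTERNAL_VIEW))
```

With the single-suffix list the stray client gets no answer at all instead of the web server's address, which is the safer failure.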
  18. In
    Sounds like an issue with your proxy server (see below)
    What proxy server do you use?

    Does it have a proxy client, or do you just configure it in your IE settings
    (connections) ?

    I don't see how the additional public DNS server entries would let you use
    your proxy server anyway. Can you provide more info about your network
    config?

    I think you could probably just adjust this in your DHCP server, non? But I
    cede to Kevin's expertise in these matters.
     
    Lanwench [MVP - Exchange], Apr 24, 2006
    #18
  19. GaryB

    GaryB Guest

    Thanx so much for your help - To answer your questions
    management console?
    Yes we have our ISP DNS servers as forwarders in the DNS server properties &
    "Do not use recursion for this domain" is unchecked as is Disable recursion on
    the Advanced tab.
    I manage our public domain name zones from a webshell at a domain reseller.
    BT provide our external DNS servers.
    local zone?
    Absolutely not. I have an outbound rule within our firewall to allow only
    port 53 traffic to our ISP DNS servers. (LAN >> WAN)

    (connections) ?
    IE takes proxy settings via a group policy which points all clients (except
    mine) to the proxy server.

    Additionally I have noticed that my machine is the only client that has the
    ADServer entry from an IPCONFIG /ALL
    Where does the DNS Suffix Search list come from?

    Thanx again
    G
     
    GaryB, Apr 25, 2006
    #19
  20. See my response to this below.

    As I mentioned, many DNS hosting providers automatically add a wildcard
    record to zones they host. Some hosting providers allow you to disable the
    wildcard, others do not. The way to test for a wildcard with nslookup is
    this command.

    nslookup -querytype=a *.ourcompany.co.uk. <IPAddressofhostingprovidersDNS>

    Because this firewall rule is in place, you MUST check the box "Do not use
    recursion for this domain". This will prevent your DNS server from using root
    hints and all answers must come from the forwarder.

    Someone has apparently created a custom DNS suffix search list; it is very
    wrong for what you need and is messed up even from the default.

    Your Default DNS suffix search list should be:
    corp.OURcompany.co.uk
    OURcompany.co.uk
    co.uk

    However, what you need for it to be is:
    corp.OURcompany.co.uk

    You can manually set the DNS suffix search list on the DNS tab in TCP/IP
    properties by selecting "Append these suffixes(in order)" then enter
    corp.OURcompany.co.uk.

    You can apply the Suffix search list in your Default domain Group policy
    here:
    Computer Configuration
    -Administrative templates
    -Network
    -DNS Client

    This will apply the DNS suffix search list only to XP and Win2k3 clients.
    Win2k does not support applying this policy; you will have to manually
    configure Win2k clients.


    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], Apr 25, 2006
    #20
