DNS resolving externally for local machines.

Discussion in 'DNS Server' started by GaryB, Apr 23, 2006.

  1. GaryB

    GaryB Guest

    Thanx Kevin, must be close now!
    I have implemented the GPO which seems to have sorted my issue with DNS
    suffix list. This is the new client ipconfig /all

    Windows IP Configuration

    Host Name . . . . . . . . . . . . : XP_LAN_IT
    Primary Dns Suffix . . . . . . . : corp.OURcompany.co.uk
    Node Type . . . . . . . . . . . . : Hybrid
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No
    DNS Suffix Search List. . . . . . : corp.OURcompany
    OURcompany.co.uk
    co.uk

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . : LanServer
    Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit
    Controller
    Physical Address. . . . . . . . . : 00-0F-1F-E7-8A-F3
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 192.168.45.141 (XP Pro)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.45.1 (FireWALL)
    DHCP Server . . . . . . . . . . . : 192.168.45.10 (DC)
    DNS Servers . . . . . . . . . . . : 192.168.45.10 (DC)
    Primary WINS Server . . . . . . . : 192.168.45.10 (DC)
    Lease Obtained. . . . . . . . . . : 24 April 2006 18:21:04
    Lease Expires . . . . . . . . . . : 19 January 2038 04:14:07

    I have also checked "Do not use recursion for this domain".

    For some reason I am still unable to browse the internet with the settings
    above. It seems the only way I can access the internet is to point the
    browser proxy settings (IE6) at the LAN proxy server, but long term that's no
    good for me. If we didn't have this proxy server no-one would be able to
    connect, so I am guessing there is something wrong in the DNS somewhere.

    If a client's machine requests "http://www.google.co.uk" shouldn't that route
    to the DNS server, whereby the forwarders then send the request to the ISP's
    external DNS server? I do not think this is happening, as I watch the FireWALL
    (192.168.45.1) and no outbound requests appear from the DNS server.

    Hope this makes sense; it seems like I have been trying to sort this for months!

    Thanx again
    G
     
    GaryB, Apr 25, 2006
    #21

  2. Apparently the policy has not been applied here; the only suffix that should
    appear in the suffix search list is corp.OURcompany.co.uk.
    Try these lookups and post the results. Please do not edit the results; copy and
    paste them directly:

    From any machine:
    nslookup -d2 -qtype=ns . 192.168.45.10
    nslookup -d2 <DCsNetBIOSName>


    From the DC.
    nslookup -qtype=ns . 192.168.45.1
    There are a couple of reasons your DNS is not forwarding; the first nslookup
    above should answer that.

    The others are for my information that the Forwarder is a valid forwarder
    and that the firewall can or cannot act as a DNS proxy.

    If the firewall can be a DNS proxy, I would make it your forwarder.



    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
    Hope This Helps
    ===================================
    When responding to posts, please "Reply to Group"
    via your newsreader so that others may learn and
    benefit from your issue, to respond directly to
    me remove the nospam. from my email address.
    ===================================
    http://www.lonestaramerica.com/
    http://support.wftx.us/
    https://secure.lsaol.com/
    ===================================
    Use Outlook Express?... Get OE_Quotefix:
    It will strip signature out and more
    http://home.in.tum.de/~jain/software/oe-quotefix/
    ===================================
    Keep a back up of your OE settings and folders
    with OEBackup:
    http://www.oehelp.com/OEBackup/Default.aspx
    ===================================
     
    Kevin D. Goodknecht Sr. [MVP], Apr 25, 2006
    #22

  3. GaryB

    GaryB Guest

    OK Kevin, here we go, I am sure it means something to you!!... We now also
    have a LAN client who cannot connect to a CITRIX client (443), even though
    they are set up to connect to the WAN via the proxy! May not be connected to this
    issue..
    ------------
    SendRequest(), len 44
    HEADER:
    opcode = QUERY, id = 1, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    10.45.168.192.in-addr.arpa, type = PTR, class = IN

    ------------
    ------------
    Got answer (85 bytes):
    HEADER:
    opcode = QUERY, id = 1, rcode = NOERROR
    header flags: response, auth. answer, want recursion, recursion avail.
    questions = 1, answers = 1, authority records = 0, additional = 0

    QUESTIONS:
    10.45.168.192.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    -> 10.45.168.192.in-addr.arpa
    type = PTR, class = IN, dlen = 29
    name = lanserver.corp.ghlplc.co.uk
    ttl = 1200 (20 mins)

    ------------
    Server: lanserver.corp.ghlplc.co.uk
    Address: 192.168.45.10

    ------------
    SendRequest(), len 17
    HEADER:
    opcode = QUERY, id = 2, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    (root), type = NS, class = IN

    ------------
    ------------
    Got answer (449 bytes):
    HEADER:
    opcode = QUERY, id = 2, rcode = NOERROR
    header flags: response, want recursion, recursion avail.
    questions = 1, answers = 13, authority records = 0, additional = 13

    QUESTIONS:
    (root), type = NS, class = IN
    ANSWERS:
    -> (root)
    type = NS, class = IN, dlen = 20
    nameserver = b.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    -> (root)
    type = NS, class = IN, dlen = 4
    nameserver = c.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    -> (root)
    type = NS, class = IN, dlen = 4
    nameserver = d.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    -> (root)
    type = NS, class = IN, dlen = 4
    nameserver = e.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    -> (root)
    type = NS, class = IN, dlen = 4
    nameserver = f.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    -> (root)
    type = NS, class = IN, dlen = 4
    nameserver = g.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    -> (root)
    type = NS, class = IN, dlen = 4
    nameserver = h.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    -> (root)
    type = NS, class = IN, dlen = 4
    nameserver = i.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    -> (root)
    type = NS, class = IN, dlen = 4
    nameserver = j.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    -> (root)
    type = NS, class = IN, dlen = 4
    nameserver = k.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    -> (root)
    type = NS, class = IN, dlen = 4
    nameserver = l.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    -> (root)
    type = NS, class = IN, dlen = 4
    nameserver = m.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    -> (root)
    type = NS, class = IN, dlen = 4
    nameserver = a.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    ADDITIONAL RECORDS:
    -> b.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 192.228.79.201
    ttl = 84420 (23 hours 27 mins)
    -> c.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 192.33.4.12
    ttl = 84420 (23 hours 27 mins)
    -> d.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 128.8.10.90
    ttl = 84420 (23 hours 27 mins)
    -> e.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 192.203.230.10
    ttl = 84420 (23 hours 27 mins)
    -> f.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 192.5.5.241
    ttl = 84420 (23 hours 27 mins)
    -> g.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 192.112.36.4
    ttl = 84420 (23 hours 27 mins)
    -> h.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 128.63.2.53
    ttl = 84420 (23 hours 27 mins)
    -> i.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 192.36.148.17
    ttl = 84420 (23 hours 27 mins)
    -> j.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 192.58.128.30
    ttl = 84420 (23 hours 27 mins)
    -> k.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 193.0.14.129
    ttl = 84420 (23 hours 27 mins)
    -> l.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 198.32.64.12
    ttl = 84420 (23 hours 27 mins)
    -> m.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 202.12.27.33
    ttl = 84420 (23 hours 27 mins)
    -> a.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 198.41.0.4
    ttl = 84420 (23 hours 27 mins)

    ------------
    (root)
    type = NS, class = IN, dlen = 20
    nameserver = b.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    (root)
    type = NS, class = IN, dlen = 4
    nameserver = c.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    (root)
    type = NS, class = IN, dlen = 4
    nameserver = d.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    (root)
    type = NS, class = IN, dlen = 4
    nameserver = e.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    (root)
    type = NS, class = IN, dlen = 4
    nameserver = f.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    (root)
    type = NS, class = IN, dlen = 4
    nameserver = g.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    (root)
    type = NS, class = IN, dlen = 4
    nameserver = h.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    (root)
    type = NS, class = IN, dlen = 4
    nameserver = i.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    (root)
    type = NS, class = IN, dlen = 4
    nameserver = j.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    (root)
    type = NS, class = IN, dlen = 4
    nameserver = k.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    (root)
    type = NS, class = IN, dlen = 4
    nameserver = l.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    (root)
    type = NS, class = IN, dlen = 4
    nameserver = m.root-servers.net
    ttl = 84420 (23 hours 27 mins)
    (root)
    type = NS, class = IN, dlen = 4
    nameserver = a.root-servers.net
    ttl = 84420 (23 hours 27 mins)

    b.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 192.228.79.201
    ttl = 84420 (23 hours 27 mins)
    c.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 192.33.4.12
    ttl = 84420 (23 hours 27 mins)
    d.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 128.8.10.90
    ttl = 84420 (23 hours 27 mins)
    e.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 192.203.230.10
    ttl = 84420 (23 hours 27 mins)
    f.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 192.5.5.241
    ttl = 84420 (23 hours 27 mins)
    g.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 192.112.36.4
    ttl = 84420 (23 hours 27 mins)
    h.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 128.63.2.53
    ttl = 84420 (23 hours 27 mins)
    i.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 192.36.148.17
    ttl = 84420 (23 hours 27 mins)
    j.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 192.58.128.30
    ttl = 84420 (23 hours 27 mins)
    k.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 193.0.14.129
    ttl = 84420 (23 hours 27 mins)
    l.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 198.32.64.12
    ttl = 84420 (23 hours 27 mins)
    m.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 202.12.27.33
    ttl = 84420 (23 hours 27 mins)
    a.root-servers.net
    type = A, class = IN, dlen = 4
    internet address = 198.41.0.4
    ttl = 84420 (23 hours 27 mins)

    ------------
    SendRequest(), len 44
    HEADER:
    opcode = QUERY, id = 1, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    10.45.168.192.in-addr.arpa, type = PTR, class = IN

    ------------
    ------------
    Got answer (85 bytes):
    HEADER:
    opcode = QUERY, id = 1, rcode = NOERROR
    header flags: response, auth. answer, want recursion, recursion avail.
    questions = 1, answers = 1, authority records = 0, additional = 0

    QUESTIONS:
    10.45.168.192.in-addr.arpa, type = PTR, class = IN
    ANSWERS:
    -> 10.45.168.192.in-addr.arpa
    type = PTR, class = IN, dlen = 29
    name = lanserver.corp.ghlplc.co.uk
    ttl = 1200 (20 mins)

    ------------
    Server: lanserver.corp.ghlplc.co.uk
    Address: 192.168.45.10

    ------------
    SendRequest(), len 63
    HEADER:
    opcode = QUERY, id = 2, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    lanserver.corp.ghlplc.co.uk.corp.GHLplc.co.uk, type = A, class = IN

    ------------
    ------------
    Got answer (150 bytes):
    HEADER:
    opcode = QUERY, id = 2, rcode = NXDOMAIN
    header flags: response, auth. answer, want recursion, recursion avail.
    questions = 1, answers = 0, authority records = 1, additional = 0

    QUESTIONS:
    lanserver.corp.ghlplc.co.uk.corp.GHLplc.co.uk, type = A, class = IN
    AUTHORITY RECORDS:
    -> corp.ghlplc.co.uk
    type = SOA, class = IN, dlen = 58
    ttl = 3600 (1 hour)
    primary name server = lanserver.corp.ghlplc.co.uk
    responsible mail addr = hostmaster.genesis.local
    serial = 2082
    refresh = 900 (15 mins)
    retry = 600 (10 mins)
    expire = 86400 (1 day)
    default TTL = 900 (15 mins)

    ------------
    ------------
    SendRequest(), len 58
    HEADER:
    opcode = QUERY, id = 3, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    lanserver.corp.ghlplc.co.uk.GHLplc.co.uk, type = A, class = IN

    ------------
    DNS request timed out.
    timeout was 2 seconds.
    timeout (2 secs)
    ------------
    SendRequest(), len 45
    HEADER:
    opcode = QUERY, id = 4, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    lanserver.corp.ghlplc.co.uk, type = A, class = IN

    ------------
    ------------
    Got answer (61 bytes):
    HEADER:
    opcode = QUERY, id = 4, rcode = NOERROR
    header flags: response, auth. answer, want recursion, recursion avail.
    questions = 1, answers = 1, authority records = 0, additional = 0

    QUESTIONS:
    lanserver.corp.ghlplc.co.uk, type = A, class = IN
    ANSWERS:
    -> lanserver.corp.ghlplc.co.uk
    type = A, class = IN, dlen = 4
    internet address = 192.168.45.10
    ttl = 3600 (1 hour)

    ------------
    Name: lanserver.corp.ghlplc.co.uk
    Address: 192.168.45.10
    DNS request timed out.
    timeout was 2 seconds.
    Server: UnKnown
    Address: 192.168.45.1

    DNS request timed out.
    timeout was 2 seconds.
    ------------
    SendRequest(), len 42
    HEADER:
    opcode = QUERY, id = 1, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    57.6.72.192.in-addr.arpa, type = PTR, class = IN

    ------------
    DNS request timed out.
    timeout was 2 seconds.
    timeout (2 secs)
    Server: UnKnown
    Address: 192.72.6.57

    ------------
    SendRequest(), len 17
    HEADER:
    opcode = QUERY, id = 2, rcode = NOERROR
    header flags: query, want recursion
    questions = 1, answers = 0, authority records = 0, additional = 0

    QUESTIONS:
    (root), type = NS, class = IN
     
    GaryB, Apr 25, 2006
    #23
  4. All queries are pretty much as expected except the query to the forwarder.

    This verifies the firewall cannot be a DNS proxy:
    Server: UnKnown
    Address: 192.72.6.57
    Nslookup is apparently not able to get through the firewall either, or the
    DNS address is not valid, I've tried querying it myself and got no answer.
    This could also be that the ISP has it blocked off their network.

    Just to be sure, create a rule to allow 53 UDP to 4.2.2.2 then run this:

    nslookup -qtype=ns . 4.2.2.2

    It should return the ICANN Root servers.

    You could also try allowing 53 UDP to any IP

    I'm also going to gather some more info on your proxy. I know I use Wingate,
    and it has a special configuration if it runs on a DNS server to prevent
    loops. I am not familiar with webmarshal.


    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
     
    Kevin D. Goodknecht Sr. [MVP], Apr 25, 2006
    #24
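A wire-level version of the root NS check Kevin describes (what nslookup -qtype=ns . <ip> does), added here as an example that is not from the thread: it builds the 17-byte query seen in the -d2 trace above, parses the reply, and passes only if the forwarder returns NOERROR, offers recursion (RA) and lists root-servers.net names. The embedded reply is constructed, not captured traffic; query_forwarder performs the live UDP check against whatever address you pass it.

```python
import socket
import struct

def build_root_ns_query(txid: int = 0x1234) -> bytes:
    # Header: id, flags with RD set, 1 question; question: root name (one zero byte), type NS (2), class IN (1).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + b"\x00" + struct.pack("!HH", 2, 1)   # 17 bytes, matching "SendRequest(), len 17"

def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset just past it in the message)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer to an earlier name
            end = end if jumped else off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels).lower(), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_ns_response(msg: bytes, expected_id: int) -> dict:
    """Return rcode, the RA (recursion available) flag and the NS names from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch; reply may be spoofed or stale")
    off = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, off = _read_name(msg, off)
        off += 4
    names = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 2:                                  # NS record: rdata is a name
            names.append(_read_name(msg, off)[0])
        off += rdlen
    return {"rcode": flags & 0xF, "ra": bool(flags & 0x0080), "ns": names}

def forwarder_ok(result: dict) -> bool:
    """A usable forwarder answers NOERROR, offers recursion and knows the root servers."""
    return result["rcode"] == 0 and result["ra"] and any(n.endswith("root-servers.net") for n in result["ns"])

def query_forwarder(ip: str, timeout: float = 2.0, txid: int = 0x1234) -> dict:
    """Live check over UDP/53; a socket.timeout here is nslookup's 'DNS request timed out'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_root_ns_query(txid), (ip, 53))
        data, _ = sock.recvfrom(4096)
    return parse_ns_response(data, txid)

def constructed_response(txid: int = 0x1234, flags: int = 0x8180) -> bytes:
    """Constructed sample reply (not captured): two root NS records, the second using a
    compression pointer, which is why nslookup -d2 shows dlen = 20 and then dlen = 4."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 2, 0, 0)
    question = b"\x00" + struct.pack("!HH", 2, 1)
    a_rdata = b"\x01a\x0croot-servers\x03net\x00"       # the "root-servers" label lands at offset 30
    b_rdata = b"\x01b" + struct.pack("!H", 0xC000 | 30)  # "b" + pointer to that label
    def rr(rdata):
        return b"\x00" + struct.pack("!HHIH", 2, 1, 84420, len(rdata)) + rdata
    return header + question + rr(a_rdata) + rr(b_rdata)
```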
  5. GaryB

    GaryB Guest

    Really appreciate this Kevin..
    I enabled a rule on the firewall to allow all outbound traffic on port 53 (LAN properties on the server and ran nslookup -qtype=ns . 4.2.2.2 from an XP
    client and it returned:

    Server: vnsc-bak.sys.gtei.net
    Address: 4.2.2.2

    (root) nameserver = A.ROOT-SERVERS.NET
    (root) nameserver = B.ROOT-SERVERS.NET
    (root) nameserver = C.ROOT-SERVERS.NET
    (root) nameserver = D.ROOT-SERVERS.NET
    (root) nameserver = E.ROOT-SERVERS.NET
    (root) nameserver = F.ROOT-SERVERS.NET
    (root) nameserver = G.ROOT-SERVERS.NET
    (root) nameserver = H.ROOT-SERVERS.NET
    (root) nameserver = I.ROOT-SERVERS.NET
    (root) nameserver = J.ROOT-SERVERS.NET
    (root) nameserver = K.ROOT-SERVERS.NET
    (root) nameserver = L.ROOT-SERVERS.NET
    (root) nameserver = M.ROOT-SERVERS.NET

    I can also now seem to browse the internet from XP, albeit very slowly, and on
    some sites it doesn't load at all; this one for example doesn't load! I wonder
    if my external ISP's DNS servers have stopped resolving requests, suddenly?

    Also on the previous post you suggested using GPO to assign the DNS suffix search list.
    In primary DNS suffix I put corp.ghlplc.co.uk
    In DNS suffix search I put 3 entries:
    corp.ghlplc.co.uk
    GHLplc.co.uk
    co.uk

    Is this correct?

    Thanx a million for your time on this.
    G
     
    GaryB, Apr 25, 2006
    #25
  6. GaryB

    GaryB Guest

    Hi Kevin,
    Resolved at last! I have located the "new" external DNS servers from our ISP
    (nice of them to tell me!). It was your suggestion of nslookup 912 address
    that did it, many many thanx. Is my setup correct do you think on the GPO
    though (DNS suffix search)?

    If nothing else I have learnt a great deal about DNS in these past few days,
    so again thanx for that.

    Kind regards
    G
     
    GaryB, Apr 25, 2006
    #26
  7. No.

    The search is incorrect; you want only to search the local domain
    "corp.ghlplc.co.uk" (without the quotes). There is no need to search domains
    that are not local to you. It only puts extra load on your DNS.

    --
    Best regards,
    Kevin D. Goodknecht Sr. [MVP]
     
    Kevin D. Goodknecht Sr. [MVP], Apr 25, 2006
    #27
  8. GaryB

    GaryB Guest

    Thanx to all who helped me resolve this issue, your time is greatly
    appreciated.
    G
     
    GaryB, Apr 27, 2006
    #28