internal DNS (windows server) conflict with external DNS (ISP) - f

Discussion in 'DNS Server' started by randyv, Sep 16, 2004.

  1. randyv

    randyv Guest

    I'm having a frustrating problem.

    I have an internal DNS set up on our Windows2000 Advanced Server. This DNS
    resolves our server names to their internal IPs for folks at the corporate
    office. That's all it really does; there are no forwarders, nor is it really
    'public' (it is not publishing/syncing 'internal' IPs for our server names
    with other DNS servers).
    We have an external DNS that resolves our server names to their external IP
    addresses - the DNS service is supplied by our ISP.

    Corporate users for the most part are using WindowsXP Pro. Their TCP/IP
    properties are set to use an internal DHCP server to get their IP address
    (this runs behind our corporate firewall). The DNS servers however are set
    - one (internal DNS) is primary and alternate is our ISP's external DNS.

    The idea here was that these corporate clients would always resolve at the
    primary first - hence all our server names would get the proper (internal) IP
    for the users at corporate, and all external names (like www.google.com)
    would resolve at the alternate (external) DNS server at our ISP. External
    (branch) users would always resolve the server names with their external IP
    addresses using the external DNS provided by our ISP.

    PROBLEM DESCRIPTION -
    What happens is that when a corporate user's WindowsXP Pro client reboots,
    for some reason, the company server names try to resolve to the external name
    server (alternate not primary DNS), which resolves to an external IP address.
    Since our firewall keeps the corporate users from 'going out and coming back
    in', this resolution fails - mail cannot pop, web pages cannot load.

    It is easy for me to fix: I can shut down the DNS server and client service
    and restart it, or I can do an ipconfig /release and ipconfig /renew. Why
    that works I cannot figure out; DHCP has nothing to do with name resolving. I
    just figure it is forcing the client to recognize the internal DNS server
    somehow.

    However, while it is easy for me, it is constantly happening all over
    corporate, which is irritating, and giving IT unwanted exposure in the
    executive office.

    Does anyone have an idea why the WindowsXP Pro client is not resolving names
    'hierarchically'? That is, why isn't the client trying to resolve the name
    first at the primary, and only if not found at the primary, resolving to the
    alternate?

    Any advice is appreciated!!!
     
    randyv, Sep 16, 2004
    #1

  2. While opinions vary on the wisdom of this, it sounds like you must be using
    the same domain name inside and out?

    The failover interval between querying the first or second DNS server listed
    in DNS properties is almost instantaneous. Its purpose isn't for
    sequencing, but to find a DNS server that holds a zone. If two servers hold
    a zone of the same name, it is likely that they will send queries to both
    available DNS servers listed.

    An alternative configuration to try would be to remove the ISP's DNS server
    listing on the clients. Create static A records on your internal DNS server
    for your external servers that are supposed to be accessed with a public IP
    by internal users.

    Then configure forwarders on your DNS server pointing to the ISP's DNS servers.
     
    Steve Bruce, mct, Sep 17, 2004
    #2

  3. Your idea is incorrect; DNS resolution does not work this way. If either DNS
    answers "not found", the query stops and the other DNS will not be queried.

    If this is Active Directory, and I assume it is, there should be no
    references for external or ISP's DNS in TCP/IP properties, this must be
    strictly adhered to. All DNS resolution for domain clients must come from
    the internal DNS servers. The DNS server is capable of resolving any name in
    the ICANN root of the internet without using a forwarder.

    I'm also assuming that the internal AD domain name is the same as your
    public domain name? Therefore, any host name in the public domain, such as
    www or mail, must be added to the internal DNS zone. You cannot access the
    external site by only the domain name without a host name; this record must
    point to the domain controller's IP address that has file sharing enabled for
    the SYSVOL DFS share to be accessed.

    Because your whole scenario as to how DNS resolution is handled by the DNS
    client is incorrect, and you have chosen the same internal name as your
    public domain name.



    --
    Best regards,
    Kevin D4 Dad Goodknecht Sr. [MVP]
    Hope This Helps
     
    Kevin D. Goodknecht Sr. [MVP], Sep 17, 2004
    #3
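    The resolver behaviour described in replies #2 and #3 (a "not found" answer from whichever server responds ends the query; the next listed server is only tried when the current one does not answer), contrasted with the configuration both replies recommend, as an added model that is not code from the thread. Zone contents, host names and IP addresses are constructed; the public addresses are RFC 5737 documentation ranges.

```python
# Added model of the Windows DNS client behaviour described in the thread.
# All zones, host names and addresses below are constructed for illustration.

class Unreachable(Exception):
    """Server did not answer (timeout): the only case the client fails over on."""

INTERNAL_ZONE = {"mail.example.com": "10.0.0.5", "www.example.com": "10.0.0.6"}
PUBLIC_ZONE = {"mail.example.com": "203.0.113.5", "www.example.com": "203.0.113.6",
               "ftp.example.com": "203.0.113.9",       # exists only in the public zone
               "www.google.com": "198.51.100.10"}      # constructed Internet name

def isp_server(name):
    """ISP recursive server: answers from the public view, NXDOMAIN otherwise."""
    return PUBLIC_ZONE.get(name, "NXDOMAIN")

def internal_server_as_posted(name):
    """Internal server as the original poster runs it: authoritative for the
    internal copy of example.com, resolving other names itself via root hints
    (reply #3); isp_server stands in for that recursion here."""
    if name.endswith("example.com"):
        return INTERNAL_ZONE.get(name, "NXDOMAIN")
    return isp_server(name)

def internal_server_recommended(name, forwarder=isp_server):
    """Internal server set up as replies #2 and #3 suggest: static A records for
    public hosts that internal users must reach on their public IP are added to
    the internal zone, and everything outside the zone goes to a forwarder."""
    zone = dict(INTERNAL_ZONE, **{"extranet.example.com": "203.0.113.7"})
    if name.endswith("example.com"):
        return zone.get(name, "NXDOMAIN")
    return forwarder(name)

def resolve(servers, name):
    """Client-side resolution: the first server that responds decides the result,
    including a negative (NXDOMAIN) response; only an unreachable server causes
    the client to move on to the next one in the list."""
    for server in servers:
        try:
            return server(name)
        except Unreachable:
            continue
    return "SERVFAIL"   # no listed server answered at all

def down_server(name):
    """A server that never answers, to exercise the failover path."""
    raise Unreachable()
```

    With the posted two-server client list, the answer for mail.example.com depends entirely on which server the client happens to query, and a name missing from the internal zone is never retried at the ISP; with the recommended single-server list the result is the same every time.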
