RE: internet and private Dn

From: TJ Campana [MSFT] (tcampana_at_online.microsoft.com)
Date: 04/12/04


Date: Mon, 12 Apr 2004 15:24:17 GMT


--------------------
>Thread-Topic: internet and private Dn
>thread-index: AcQgeUGUmTzJJMv9RZuAOtKe753a6g==
>X-Tomcat-NG: microsoft.public.windows.server.dns
>From: "=?Utf-8?B?dmluY2VudCBrZWxsZXI=?=" <anonymous@discussions.microsoft.com>
>Subject: internet and private Dn
>Date: Mon, 12 Apr 2004 03:31:03 -0700
>Lines: 9
>Message-ID: <7497A6CB-4339-4D55-8722-FF231F983343@microsoft.com>
>MIME-Version: 1.0
>Content-Type: text/plain;
> charset="Utf-8"
>Content-Transfer-Encoding: 7bit
>X-Newsreader: Microsoft CDO for Windows 2000
>Content-Class: urn:content-classes:message
>Importance: normal
>Priority: normal
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
>Newsgroups: microsoft.public.windows.server.dns
>Path: cpmsftngxa06.phx.gbl
>Xref: cpmsftngxa06.phx.gbl microsoft.public.windows.server.dns:7416
>NNTP-Posting-Host: tk2msftcmty1.phx.gbl 10.40.1.180
>X-Tomcat-NG: microsoft.public.windows.server.dns
>
>I created a private name of nbg.local and added my ISP addresses to the forwarders tab in the DNS mmc... but I can't connect to the
>internet. The Cisco firewall works fine with a standalone PC. I am able to connect to the internet. I noticed that I can ping the firewall but not the ISP
>address.
>
>One suggestion was to perform ..... This is common if win2k3 is behind a firewall that doesn't support EDNS0,
>which allows UDP packets over 512 bytes.
>
>828731 - An External DNS Query May Cause an Error Message in Windows Server 2003 ....... That didn't work.
>
>Any suggestions or links would be appreciated.... I also tried the monitoring tab and both tests did pass.
>
Did you say that you could not ping your ISP's DNS Servers from the internal DNS Server? That may simply be a function of the firewall
or the ISP blocking ICMP Requests. Can you ping those external DNS Servers from other clients on the network? If so, then the problem
is more than likely a rule on your firewall blocking traffic from the DNS Server.

The Enhanced DNS option in 2003 is something that is relatively common when dealing with some firewalls that do Stateful Inspections of
frames. My concern is that you may simply not have communication with the ISP DNS Server. If you remove the Forwarders, can you then
resolve names on the internet? This will use Root Hints instead of the forwarders.

A real test to see if the ISP DNS Server is answering is to use NSLOOKUP. Type nslookup [ENTER], server <enter the IP address of the
ISP DNS Server here> [ENTER], and then query for something like www.yahoo.com. Do you get a response? NSLOOKUP uses a
different resolver than the Operating System, so this is a good test to make sure the ISP DNS servers are functioning and you can connect to
them.

If you suspect EDNS is playing a role, that is to say you can resolve more names on the internet from the DNS Server itself, then you should
disable EDNS until the firewall is able to pass that traffic.

1. Verify that ping to the ISP DNS works from any other clients in the network.
2. Can you query the ISP DNS Servers using NSLOOKUP?
3. Check the firewall for an IP or MAC rule set to disallow certain traffic from this system.

200525 Using NSlookup.exe
http://support.microsoft.com/?id=200525

T.J. Campana [MSFT]
Microsoft EPS Networking

-- 
This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples is subject to the terms
specified at http://www.microsoft.com/info/cpyright.htm
Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they
originated.
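As an added example that is not part of the original thread or of any Microsoft tool, the following Python script does in code what the reply above does with nslookup: it sends the same A query to a forwarder twice, once carrying an EDNS0 OPT record that advertises a large UDP payload (as Windows Server 2003 does) and once as a plain pre-EDNS query, and parses what comes back. If only the EDNS0 query times out, the symptom matches the "firewall that doesn't support EDNS0" explanation in the thread. The forwarder address is assumed to be passed on the command line; the sample response bytes at the bottom are constructed here so the parser can be exercised offline, and the 192.0.2.1 address is the documentation range, not a real host.

```python
import socket
import struct

# Constructed sample values for this example (not from the original post)
QUERY_ID = 0x1234
TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted hostname into DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, edns_udp_size=None, query_id=QUERY_ID):
    """Build a recursive A query; add an EDNS0 OPT record when edns_udp_size is set.
    The OPT record is what an EDNS0-unaware firewall may reject or drop."""
    arcount = 1 if edns_udp_size else 0
    header = struct.pack("!HHHHHH", query_id, 0x0100, 1, 0, 0, arcount)  # RD flag set
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    opt = b""
    if edns_udp_size:
        # OPT RR: root name, type 41, CLASS carries the UDP payload size, TTL holds ext. flags
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Parse the header, skip the question, collect A records, note OPT and the TC bit."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    result = {"id": qid, "rcode": flags & 0xF, "truncated": bool(flags & 0x0200),
              "answers": [], "edns": False}
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, offset = read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            result["answers"].append((name, socket.inet_ntoa(rdata)))
        elif rtype == TYPE_OPT:
            result["edns"] = True
    return result


def check_forwarder(server_ip, name="www.example.com", timeout=3.0):
    """Query a forwarder with and without EDNS0; None means that variant timed out.
    Needs network access, so it is only run from the command line, never in the test."""
    results = {}
    for label, size in (("edns0", 4096), ("plain", None)):
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, size), (server_ip, 53))
            data, _ = sock.recvfrom(4096)
            results[label] = parse_response(data)
        except socket.timeout:
            results[label] = None
        finally:
            sock.close()
    return results


# Constructed sample responses (not captured traffic): a normal EDNS0 answer, and a
# truncated (TC) answer of the kind a resolver returns when a reply would exceed 512 bytes
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 1)
    + encode_name("www.example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 3600, 4) + bytes([192, 0, 2, 1])
    + b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0)
)
SAMPLE_TRUNCATED = (
    struct.pack("!HHHHHH", QUERY_ID, 0x8380, 1, 0, 0, 0)
    + encode_name("www.example.com") + struct.pack("!HH", TYPE_A, CLASS_IN)
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(check_forwarder(sys.argv[1]))  # e.g. python dnscheck.py <forwarder IP>
    else:
        print(parse_response(SAMPLE_RESPONSE), parse_response(SAMPLE_TRUNCATED))
```

Run from the DNS server itself against the ISP forwarder; because the script uses a raw UDP socket rather than the Windows resolver, it gives the same independent view nslookup does, and the "edns0" versus "plain" comparison separates "the ISP server is unreachable" (both time out, so look at the firewall rule or ICMP/UDP filtering) from "only EDNS0 traffic is being dropped" (only the edns0 variant times out, so disable EDNS on the server or fix the firewall, as the reply suggests).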

