Compatible Support Forums
htsource

DNS server not working for external access?


Hi,

I have a full W2K Server Active Directory running on my network and lately, for the last few days, all of a sudden, AD will lose its Internet connection. Basically, the box is also handling DNS queries and DHCP. Any internal DNS queries belonging to my LAN are okay, but anything from outside is not working (i.e. ping www.google.ca).

I'm not getting any errors through Event Viewer, and if I restart DNS Server through Services, everything is back up again. It's getting annoying as all the clients are connected to this box and I have the forwarders set up to go externally. Therefore, if this box is not connecting to the Internet, nobody else can from the LAN side.

I checked the forwarders and they all matched the WAN DNS servers. I haven't changed any of the settings and it was running very stable for a long time until now.

Any pointers as to where to look would be really appreciated.

Thanks,

Simon


Hi again,

After a bit of looking on Google, I was told NOT to use forwarders but instead to use Root Hints servers.

For the forwarders, I was using whatever DNS servers came from the router from my ISP. For Root Hints, the server name is the Linksys router with the router's IP. Is this the correct way to set up root hints servers? Should I add the DNS servers from my ISP as well? I need a server name, though, on top of the IP address; how do I find out what DNS server names my ISP uses?

Sorry for so many questions, but I'd like to get this problem resolved.

P.S. After I configured the Root Hints server and disabled forwarders, the Internet is still working fine.

Thanks,

Simon


First, you will want to use forwarders, so you were doing the right thing. Root hints are rather slow to respond, and many times bomb out. What is the configuration of your server? Do you have multiple network adapters (or multiple IPs) in it? Is the DNS server referencing itself in its NIC TCP/IP properties for DNS, and only itself (no other DNS IPs entered)? How many IPs do you have set up in the forwarders?


Hi clutch,

Thanks for your response. I have 2 NICs, but one is disabled in Windows (it's wireless) and the server has a single IP. The DNS server is referencing itself in its TCP/IP properties. There's only 1 IP entered, and that's true for the rest of the computers on the LAN side.

I have 4 IPs set up in the forwarders and they are from the Linksys router.

Thanks,

Simon


OK, so when you first start the DNS service (such as when the machine first boots or you restart it) it works fine for both internal and external resolution. After a while, it stops forwarding to the outside world. Is this correct? If it does work for a while, how long is that time period? You might simply have to reinstall the DNS service, which isn't a big deal.


One other thing you could try is using a different DNS box for your forwarder. Can you get any from another ISP (or any other public provider) in your area? Give this a shot before reinstalling.


Just out of curiosity, and I've no idea why it would just add itself, but check in your forward lookup zones that there is not a "." zone.

If there is, remove it.


Just so others know, having a zone name of "." in your DNS setup makes the server believe it's authoritative for all zones. So, if you do not have a zone for a given address (such as www.microsoft.com), then it will not use forwarders or root hints, and will simply return an error.

This behavior, however, would be consistent. This zone would have to be added and removed to generate the seemingly time-related errors. If the server was working for about an hour, and then stopped working until it was restarted, and had this as a cause, that would mean that "." was added to the server after an hour. What would then happen is that all new DNS requests would be compromised (have errors returned) by the server thinking that it was authoritative. Meanwhile, it would keep fielding responses that were cached with the correct IPs until those entries' TTL expired. Once expired and a lookup has been requested, the server would return an error since it would now think it is authoritative for all domains. In order for the service to start working "properly" after a reboot or restart of DNS, the "." zone would have to be removed again.

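To make the explanation above concrete, here is an added toy model (not code from this thread or from Microsoft's DNS server) of the three-way decision a caching DNS server makes for each query: serve a fresh cached answer, answer from a zone it holds, or forward. The zone names, addresses and TTLs are constructed; the scenario replays why a stray "." zone breaks only uncached external names, with cached ones surviving until their TTL expires.

```python
from dataclasses import dataclass, field

@dataclass
class ToyDnsServer:
    zones: dict          # zone name -> {record name: IP}
    forward: object      # callable: name -> (answer, ttl_seconds), the forwarder
    cache: dict = field(default_factory=dict)  # name -> (answer, expires_at)

    def zone_for(self, name):
        """Longest-suffix match; a '.' zone is a suffix of every name."""
        labels = name.split(".")
        for i in range(len(labels) + 1):
            candidate = ".".join(labels[i:]) or "."
            if candidate in self.zones:
                return candidate
        return None

    def resolve(self, name, now):
        # 1. Cached forwarded answers keep being served until their TTL runs out.
        if name in self.cache:
            answer, expires = self.cache[name]
            if now < expires:
                return answer
            del self.cache[name]
        # 2. If a zone covers the name, answer from zone data or NXDOMAIN; never forward.
        zone = self.zone_for(name)
        if zone is not None:
            return self.zones[zone].get(name, "NXDOMAIN")
        # 3. Not authoritative and nothing cached: ask the forwarder, cache the reply.
        answer, ttl = self.forward(name)
        self.cache[name] = (answer, now + ttl)
        return answer

# Constructed upstream data (TEST-NET address, 300 s TTL), not real records.
UPSTREAM = {"www.google.ca": ("192.0.2.10", 300)}

def fake_forwarder(name):
    return UPSTREAM.get(name, ("NXDOMAIN", 60))

def scenario():
    # Replays the failure mode described above; returns each answer in order.
    srv = ToyDnsServer(zones={"example.lan": {"dc1.example.lan": "192.168.1.2"}},
                       forward=fake_forwarder)
    out = [srv.resolve("dc1.example.lan", now=0),     # internal name, authoritative
           srv.resolve("www.google.ca", now=0)]       # forwarded and cached
    srv.zones["."] = {}                               # a stray root zone appears
    out.append(srv.resolve("www.google.ca", now=100))   # still answered from cache
    out.append(srv.resolve("www.example.org", now=100)) # never cached: NXDOMAIN
    out.append(srv.resolve("www.google.ca", now=400))   # TTL expired: NXDOMAIN
    del srv.zones["."]                                # zone removed, service restarted
    out.append(srv.resolve("www.google.ca", now=400))   # forwarding works again
    return out
```

Running `scenario()` returns `["192.168.1.2", "192.0.2.10", "192.0.2.10", "NXDOMAIN", "NXDOMAIN", "192.0.2.10"]`, the same pattern of "works for a while, then external names fail until DNS is restarted" that the thread describes.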

Sounds like your DNS is properly configured; this may be obvious, but have you installed SP4 and any/all hotfixes available?


Hi guys,

Thanks for all the suggestions. I checked and I don't have a "." zone in DNS. I had to reboot the day after I posted my initial post and it's been working fine since. I'm not sure if it somehow fixed itself or what.

The server has SP4 and all the latest MS patches.

Thanks again for all the help,

Simon
