Question for DNS gurus
tdean
Member Posts: 520
I'm having trouble with our network. We have 2 locations connected by a point-to-point EVPL. All servers etc. reside at the main location: 2 DNS servers and one reverse lookup zone, 172.22.1.X. The remote site uses DHCP handed out from the gateway router and is configured to get its DNS from the main site. However, it's not working. We have thin clients over there that can connect via IP address, but not hostname. PCs, however, are fine.
Another issue is when I use our ISP's DNS servers as the forwarders, then run the nslookup tool, I get a message that it can't resolve. If I add 4.2.2.2 to the top of the forwarders list, it resolves just fine.
What is the quick/easy way of troubleshooting this? It's driving me nuts.
Should I add another reverse lookup zone for the remote subnet? What should be in the forwarders tab?
Comments
undomiel Member Posts: 2,818
Are they having problems connecting to the short NetBIOS name or the FQDN from the other site? Connecting to host doesn't work but host.domain.local works just fine? If so, then make sure that your DHCP is handing out the DNS suffix for the systems to append to their queries. If neither is working, then you'll want to run nslookup and see if you can resolve queries from the servers. You might need to break out Wireshark and see if you're getting any responses.
The reverse lookup zone is basically just to ease troubleshooting. I always recommend having them configured. For the forwarders I would run nslookup from the DNS servers and point it to the ISP's DNS and see if queries are resolving. Though I generally prefer to use Google's public DNS servers myself.
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
tdean Member Posts: 520
Hi undomiel,
The thin clients can't connect with either name. Just IPs. They could yesterday before the firewall install, but I don't see how that would be the problem. I have other DNS issues.... I'd kinda just like to start from scratch. The DHCP is being handled by the AdTran router now. I'll have to see if I can add the suffix somehow, although it was working prior to the firewall install.
It seems now, the nslookups with the ISP's DNS servers listed ARE working... it wasn't earlier today for some reason.
TLeTourneau Member Posts: 616
If it was working prior to the firewall install, look at the firewall logs and see if it's doing anything to port 53/udp from or to the IPs of the thin clients. You may need to get a PC/laptop with a NIC in promiscuous mode with Wireshark installed to diagnose it if it doesn't show anything in the firewall logs.
Thanks, Tom
M.S. - Cybersecurity and Information Assurance
B.S: IT - Network Design & Management
MentholMoose Member Posts: 1,525
To narrow down the problem you can use nslookup. I don't know what thin client you're using, but they are commonly based on either Windows or Linux, and nslookup usually works similarly. Try running some standard queries and explicitly choose one of your DNS servers. Windows or Linux:
nslookup somehost dnsip
Also try querying with TCP (assuming your DNS server listens on TCP), since sometimes firewalls have problems with UDP. Windows or Linux (interactive nslookup session, one command per line):
nslookup
server dnsip
set vc
somehost
What is the new firewall, where was it installed, and what DNS servers are you using? Are the DNS servers now behind the new firewall? If the servers are running Windows and the standard Microsoft DNS server, and they are behind your new firewall, you can try disabling EDNS0 as explained here:
Some DNS name queries are unsuccessful after you deploy a Windows Server 2003 or Windows Server 2008 R2-based DNS server
You should also check the configuration on the new firewall, since it may be doing something to DNS traffic, and the firewall logs as recommended by TLeTourneau.
MentholMoose
MCSA 2003, LFCS, LFCE (expired), VCP6-DCV
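The probes suggested in the replies above (query one chosen server explicitly, compare UDP against TCP, repeat with and without an EDNS0 OPT record, and try the short name both bare and with the DHCP-supplied suffix appended) can be scripted so the results from the thin client and from the DNS server itself are directly comparable. The script below is an added example, not code posted by anyone in the thread; it builds and decodes DNS messages by hand so you can see exactly what goes on the wire. The server 172.22.1.10, the names host / host.domain.local, the suffix domain.local and the SAMPLE_RESPONSE bytes are placeholders and a constructed reply, not values from the original posts.

```python
"""Hand-rolled DNS probe: query one server over plain UDP, UDP+EDNS0 and TCP, then decode the reply.
Added illustration for the thread; not code from any poster. 172.22.1.10, host.domain.local and
domain.local are placeholder values; SAMPLE_RESPONSE is a constructed reply for offline parsing."""
import random
import socket
import struct


def build_query(name, qtype=1, edns0=False, txid=None):
    """Recursive query with one question (qtype 1 = A). edns0=True appends an OPT record
    advertising a 4096-byte UDP payload, the part of a query some firewalls mishandle."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns0 else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if edns0:  # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-rcode/version/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return msg


def _read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            return ".".join(labels), (end if jumped else offset + 1)
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(data):
    """Extract what matters for triage: txid, QR, TC bit, rcode and the A answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    result = {"txid": txid, "is_response": bool(flags & 0x8000),
              "truncated": bool(flags & 0x0200), "rcode": flags & 0xF, "answers": []}
    off = 12
    for _ in range(qd):
        _, off = _read_name(data, off)
        off += 4  # QTYPE + QCLASS
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            result["answers"].append((name, "A", socket.inet_ntoa(rdata)))
        else:
            result["answers"].append((name, str(rtype), rdata.hex()))
    return result


def frame_tcp(msg):
    """DNS over TCP prefixes each message with a 2-byte big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def candidate_names(name, suffix=None):
    """Mimic a client with a DHCP-supplied DNS suffix: short names are tried bare and suffixed."""
    if "." in name or not suffix:
        return [name]
    return [name, "%s.%s" % (name, suffix)]


def _recv_exact(s, n):
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed mid-message")
        buf += chunk
    return buf


def query_udp(server, name, edns0=False, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, edns0=edns0), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


def query_tcp(server, name, edns0=False, timeout=3.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(frame_tcp(build_query(name, edns0=edns0)))
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        data = _recv_exact(s, length)
    return parse_response(data)


def run_checks(server, name, suffix=None):
    """Run the probes from the thread. A timeout on one transport (or only with EDNS0) while the
    others answer points at the path, i.e. the firewall, rather than the DNS server itself."""
    report = {}
    for label, fn, edns in (("udp", query_udp, False), ("udp+edns0", query_udp, True), ("tcp", query_tcp, False)):
        for cand in candidate_names(name, suffix):
            try:
                r = fn(server, cand, edns0=edns)
                report[(label, cand)] = "rcode=%d tc=%s answers=%s" % (r["rcode"], r["truncated"], r["answers"])
            except OSError as e:
                report[(label, cand)] = "no reply (%s)" % e
    return report


# Constructed reply: txid 0x1234, flags 0x8180 (QR, RD, RA, NOERROR), one question, one A answer
# whose owner name is a compression pointer back to the question.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   + b"\x04host\x06domain\x05local\x00\x00\x01\x00\x01"
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\xac\x16\x01\x0a")

if __name__ == "__main__":
    import sys
    server, name = (sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else ("172.22.1.10", "host")
    for key, verdict in sorted(run_checks(server, name, suffix="domain.local").items()):
        print("%-10s %-22s %s" % (key[0], key[1], verdict))
```

Run it once from a PC that works and once from a thin client (or from the DNS server itself) as `python dnsprobe.py 172.22.1.10 host`. If plain UDP times out but TCP answers, or only the EDNS0 query dies, the firewall is dropping or mangling DNS rather than the server failing to resolve; if the short name gets no answers but the suffixed name does, the DHCP scope on the router is not handing out the suffix.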
tdean Member Posts: 520
Thanks guys.... I will try all this and let you know. Having so many problems today... ugh.