Primary DNS server can't resolve External Host addresses

  • Primary DNS server can't resolve External Host addresses

    Hello, I have a Windows Server 2003 server environment. For some time now, my DNS server can resolve internal server addresses, but cannot resolve external host names, e.g. yahoo.com. The message I get after nslookup on yahoo.com / google is:

    DNS request timed out.
    timeout was 2 seconds.
    *** Request to (MYDNSSERVER_NAME) timed-out


    What could be the problem? Thank you.

  • #2
    Re: Primary DNS server can't resolve External Host addresses

    How is your DNS server set up -- forwarders to your ISP or root hints?
    What is the timeout setting?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **



    • #3
      Re: Primary DNS server can't resolve External Host addresses

      Can you give us a little bit more information on your setup?

      Do you have forwarders configured on your DNS server?
      Is this Windows DNS?
      Is your firewall allowing DNS queries outbound?
      Can you run nslookup against your ISP's DNS server or another internet server like 8.8.8.8 or 4.2.2.1?
      Regards,
      Jeremy

      Network Consultant/Engineer
      Baltimore - Washington area and beyond
      www.gma-cpa.com



      • #4
        Re: Primary DNS server can't resolve External Host addresses

        Thanks for the replies.
        I have four forwarders configured to point to my ISP, and it is also a Windows-based DNS. My firewall is allowing DNS queries outbound too. When I run nslookup against my ISP's addresses and against 8.8.8.8 or 4.2.2.1, they also time out, but internal addresses are resolved very quickly and accurately. What can I do next? Thanks.



        • #5
          Re: Primary DNS server can't resolve External Host addresses

          Confirm the ISPs forwarders are correct and you can ping them by IP

          Try removing the forwarders and use root hints directly
          Tom Jones
          MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
          PhD, MSc, FIAP, MIITT
          IT Trainer / Consultant
          Ossian Ltd
          Scotland

          ** Remember to give credit where credit is due and leave reputation points where appropriate **



          • #6
            Re: Primary DNS server can't resolve External Host addresses

            Originally posted by nukunu
            When I run nslookup against my ISP's addresses and against 8.8.8.8 or 4.2.2.1, they also time out, but internal addresses are resolved very quickly and accurately. What can I do next? Thanks.
            You shouldn't be able to resolve internal addresses when querying external DNS servers. Did you set the server to an external DNS server in nslookup?

            Here's how (the commands you type in are the lines after the `C:\>` and `>` prompts):
            Code:
            C:\>nslookup
            Default Server:  UnKnown
            Address:  192.168.0.1
            
            > server 4.2.2.1
            Default Server:  vnsc-pri.sys.gtei.net
            Address:  4.2.2.1
            
            > yahoo.com
            Server:  vnsc-pri.sys.gtei.net
            Address:  4.2.2.1
            
            Non-authoritative answer:
            Name:    yahoo.com
            Addresses:  98.137.149.56
                      209.191.122.70
                      67.195.160.76
                      69.147.125.65
                      72.30.2.43
            
            >
            But follow Tom's advice to remove the forwarders and see if that fixes the issue. If it does, then there's something wrong with those DNS servers and you may want to choose different ones or check with your ISP to see what the problem is with them.
            Regards,
            Jeremy

            Network Consultant/Engineer
            Baltimore - Washington area and beyond
            www.gma-cpa.com
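The step Jeremy and Tom describe (query each forwarder directly with a 2-second timeout and see whether it answers) can be scripted so that a timeout, a REFUSED, and a forwarder that answers but offers no recursion are told apart. This is an added example, not code from the thread; the forwarder list and the query name are assumed values, and the packet layout follows RFC 1035.

```python
"""Probe DNS forwarders directly, like the thread's 'nslookup > server 4.2.2.1' step.
Added example, not from the original thread; forwarder IPs and query name are assumed."""
import socket
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Standard recursive A query (RD=1) in wire format (RFC 1035, section 4)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(data, qid=0x1234):
    """Return (verdict, answer_count) from a raw DNS response."""
    if len(data) < 12:
        return "MALFORMED", 0
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        return "ID_MISMATCH", 0
    if not flags & 0x8000:              # QR bit clear: this is not a response
        return "NOT_A_RESPONSE", 0
    rcode = RCODES.get(flags & 0x000F, "RCODE%d" % (flags & 0x000F))
    if rcode == "NOERROR" and not flags & 0x0080:   # RA bit clear: no recursion offered
        return "NO_RECURSION", ancount
    return rcode, ancount

def probe(server, name="yahoo.com", timeout=2.0):
    """One UDP query to the server. TIMEOUT means neither the query nor the reply
    made it across the path, the symptom the thread attributes to the firewall/proxy."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return "TIMEOUT", 0
    return classify_response(data)

if __name__ == "__main__":
    # Assumed forwarder list: replace with the ones configured on the DNS server.
    for fwd in ["8.8.8.8", "4.2.2.1"]:
        print(fwd, *probe(fwd))
```

Run it on the DNS server itself: TIMEOUT from every forwarder while clients on another subnet get answers points at the path (firewall or proxy policy) rather than at the forwarders.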



            • #7
              Re: Primary DNS server can't resolve External Host addresses

              Thanks for all the replies.
              I think you have helped in getting me halfway through my problem. It's got another twist now that we figured out. The problem might be from our proxy settings.

              Well, in my enterprise setup we have the 192.168.0.* and 192.168.5.* networks. The 0.* network passes all internet requests through the proxy server, while the 5.* network goes directly to the internet through the PIX firewall. My DNS server is located on the 0.* subnet; thus when we changed the secondary DNS server's IP address to the 5.* subnet, that secondary DNS was able to resolve external hostnames, e.g. yahoo.com (locally on that server system).

              When I do nslookup on client machines in the organization, they still refer to the primary server and the DNS times out. The problem is the primary is currently authenticating users and I wouldn't want to redirect it now, because it's against our organizational IT policy. Also, this is what I get from pinging my ISP's public IP address:
              Reply from (core_router_IP): TTL expired in transit.
              Reply from (core_router_IP): TTL expired in transit.
              Reply from (core_router_IP): TTL expired in transit.
              Reply from (core_router_IP): TTL expired in transit.

              Ping statistics for (public ISP address):
              Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
              Approximate round trip times in milli-seconds:
              Minimum = 0ms, Maximum = 0ms, Average = 0ms


              Now, what changes can I make on the proxy server to allow those external IPs to be resolved by my primary DNS server? Users can still browse the internet, so I am short of ideas now. Sorry for the late reply, due to poor internet speed.
              Thanks...



              • #8
                Re: Primary DNS server can't resolve External Host addresses

                Do you have a DNS server on the .5.0 subnet? Can the .0.0 network talk to the .5.0 network?

                If the answer is yes to both those questions you can make the forwarder for your primary point to your secondary and have the forwarders on your secondary go to your ISP. But that's a messy setup.

                Can you put a rule in the firewall to allow DNS traffic from your primary DNS server?
                Regards,
                Jeremy

                Network Consultant/Engineer
                Baltimore - Washington area and beyond
                www.gma-cpa.com



                • #9
                  Re: Primary DNS server can't resolve External Host addresses

                  We have a DNS server set up on the 5 network, and the 0 network can also talk to the 5 network, but on specific IP addresses.
                  I think your second solution might hold for us, by setting up the firewall policy rule on our ISA to allow external traffic out from the primary DNS server.
                  Thanks.



                  • #10
                    Re: Primary DNS server can't resolve External Host addresses

                    Glad to help!
                    Regards,
                    Jeremy

                    Network Consultant/Engineer
                    Baltimore - Washington area and beyond
                    www.gma-cpa.com



                    • #11
                      Re: Primary DNS server can't resolve External Host addresses

                      Originally posted by nukunu
                      We have a DNS server set up on the 5 network, and the 0 network can also talk to the 5 network, but on specific IP addresses.
                      I think your second solution might hold for us, by setting up the firewall policy rule on our ISA to allow external traffic out from the primary DNS server.
                      Thanks.
                      Yup, you need to allow DNS traffic from your DNS server to external or to external hosts.
                      Note: just use "DNS" and not "DNS Server" in your access rule.
                      Marcel
                      Technical Consultant
                      Netherlands
                      http://www.phetios.com
                      http://blog.nessus.nl

                      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
                      "No matter how secure, there is always the human factor."

                      "Enjoy life today, tomorrow may never come."
                      "If you're going through hell, keep going. ~Winston Churchill"
