Strange DNS issue on Windows server when behind Cisco 877
  • Strange DNS issue on Windows server when behind Cisco 877

    Hi all

    We have a Windows 2003 server (SBS) that sits behind our Cisco 877 router. Within the DNS settings in Windows we have forwarders set up, using either OpenDNS (208.67.222.222) or the router (192.168.9.1).

    If I run the DCDiag command in Windows to diagnose DNS issues (dcdiag /test:DNS), I get a whole string of errors, e.g.

    Code:
       Running enterprise tests on : SHF.local
          Starting test: DNS
             Test results for domain controllers:
    
                DC: meat.SHF.local
                Domain: SHF.local
    
    
                   TEST: Forwarders/Root hints (Forw)
                      Error: Forwarders list has invalid forwarder: 192.168.9.1 (<name unavailable>)
                      Error: Forwarders list has invalid forwarder: 208.67.220.220 (<name unavailable>)
                      Error: Forwarders list has invalid forwarder: 208.67.222.222 (<name unavailable>)
                      Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
                      Error: Root hints list has invalid root hint server: b.root-servers.net. (128.9.0.107)
                      Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
                      Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
                      Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
                      Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
                      Error: Root hints list has invalid root hint server: g.root-servers.net. (192.112.36.4)
                      Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
                      Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
                      Error: Root hints list has invalid root hint server: j.root-servers.net. (198.41.0.10)
                      Error: Root hints list has invalid root hint server: k.root-servers.net. (193.0.14.129)
                      Error: Root hints list has invalid root hint server: l.root-servers.net. (198.32.64.12)
                      Error: Root hints list has invalid root hint server: m.root-servers.net. (202.12.27.33)
    
             Summary of test results for DNS servers used by the above domain controllers:
    
                DNS server: 208.67.222.222 (<name unavailable>)
                   1 test failure on this DNS server
                   This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 208.67.222.222
    
                DNS server: 208.67.220.220 (<name unavailable>)
                   1 test failure on this DNS server
                   This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 208.67.220.220
    
                DNS server: 202.12.27.33 (m.root-servers.net.)
                   1 test failure on this DNS server
                   This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
    
                DNS server: 198.41.0.4 (a.root-servers.net.)
                   1 test failure on this DNS server
                   This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
    
                DNS server: 198.41.0.10 (j.root-servers.net.)
                   1 test failure on this DNS server
                   This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.10
    
                DNS server: 198.32.64.12 (l.root-servers.net.)
                   1 test failure on this DNS server
                   This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12

    However, if I replace the router with a cheap 'n' cheerful Netgear DG834, I do not get the DCDIAG errors. So it looks like some issue with my Cisco config. Could anyone please advise?

    Many thanks,

    Jim

    Code:
    Current configuration : 7094 bytes
    !
    ! No configuration change since last restart
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    service internal
    no service dhcp
    !
    hostname Butchers877
    !
    boot-start-marker
    boot system flash:c870-advipservicesk9-mz.124-24.T4.bin
    boot-end-marker
    !
    logging message-counter syslog
    logging buffered 4096
    logging rate-limit 100 except warnings
    no logging console
    no logging monitor
    enable secret 5 xxx
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication ppp default local
    !
    !
    aaa session-id common
    clock timezone GMT 0
    clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
    !
    !
    dot11 syslog
    ip source-route
    !
    !
    !
    !
    no ip cef
    no ip domain lookup
    ip domain name shf.local
    ip inspect log drop-pkt
    ip inspect name firewall tcp timeout 3600
    ip inspect name firewall udp timeout 3600
    login block-for 180 attempts 3 within 180
    login on-failure log
    login on-success log
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    object-group network og-L1-JimHome
     description Home IP
     host xx.xx.xx.xx
    !
    object-group network og-L1-MainServer
     description Main server
     host 192.168.9.2
    !
    object-group network og-L2-Allow-RDP
     description Allow Remote Desktop from these hosts
     group-object og-L1-JimHome
    !
    object-group network og-L2-Allow-SNMP
     description Allow SNMP from these hosts
     group-object og-L1-MainServer
     group-object og-L1-JimHome
    !
    object-group network og-L2-Allow-SSH
     description Allow SSH from these hosts
     group-object og-L1-JimHome
     group-object og-L1-MainServer
    !
    username root privilege 15 secret 5 xxxxxx
    !
    !
    !
    archive
     log config
      hidekeys
    !
    !
    ip ssh version 2
    !
    !
    interface ATM0
     description ADSL Connection
     no ip address
     no atm ilmi-keepalive
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     dsl enable-training-log failure
     dsl bitswap both
     hold-queue 200 in
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
     description LAN
     ip address 192.168.9.1 255.255.255.0
     ip nat inside
     ip nat enable
     ip inspect firewall in
     ip virtual-reassembly
     ip tcp adjust-mss 1452
     hold-queue 100 in
     hold-queue 100 out
    !
    interface Dialer0
     bandwidth inherit
    
     ip address negotiated
     ip access-group acl-EXT-IN in
     ip access-group acl-EXT-OUT out
     ip nat outside
     ip inspect firewall out
     ip virtual-reassembly
     encapsulation ppp
     ip tcp header-compression iphc-format
     ip tcp adjust-mss 1452
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication pap chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 xxxxx
     ppp ipcp dns request
     ppp ipcp wins request
     ip rtp header-compression iphc-format
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    no ip http server
    no ip http secure-server
    !
    !
    ip dns server
    no ip nat service sip udp port 5060
    ip nat inside source static tcp 192.168.9.2 3389 interface Dialer0 3389
    ip nat inside source static tcp 192.168.9.2 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.9.2 443 interface Dialer0 443
    ip nat inside source static tcp 192.168.9.2 1723 interface Dialer0 1723
    ip nat inside source list acl-NAT-Ranges interface Dialer0 overload
    ip nat inside source static tcp 192.168.9.2 110 interface Dialer0 110
    ip nat inside source static tcp 192.168.9.2 4125 interface Dialer0 4125
    ip nat inside source static tcp 192.168.9.4 33890 interface Dialer0 33890
    
    ip access-list standard acl-NAT-Ranges
     remark Define NAT internal ranges
     permit 192.168.9.0 0.0.0.255
    !
    ip access-list extended acl-EXT-IN
     remark Inbound external interface
     remark The below set the rfc1918 private exclusions
     deny   ip 192.168.0.0 0.0.255.255 any
     deny   ip 172.16.0.0 0.15.255.255 any
     deny   ip 10.0.0.0 0.255.255.255 any
     deny   ip any any fragments
     remark Allow established sessions back in
     permit tcp any any established
     remark Any new ports opened in the IP NAT INSIDE SOURCE STATIC lines should also be added here
     permit tcp object-group og-L2-Allow-SSH any eq 22 log
     permit tcp any any eq smtp
     permit tcp any any eq 443
     permit tcp any any eq 1723
     permit udp object-group og-L2-Allow-SNMP any eq snmp
     permit tcp object-group og-L2-Allow-RDP any eq 3389
     permit tcp object-group og-L2-Allow-RDP any eq 33890
     permit tcp any any eq 4125
     permit gre any any
     permit udp any eq domain any
     remark Standard acceptable icmp rules
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any source-quench
     permit icmp any any packet-too-big
     permit icmp any any time-exceeded
     deny   ip any any
    
    ip access-list extended acl-EXT-OUT
     remark Allow all outbound IP
     permit ip any any
    
    ip access-list logging interval 10
    logging 192.168.9.2
    dialer-list 1 protocol ip permit
    !
    !
    !
    !
    snmp-server community Butchers RO
    !
    control-plane
    !
    !
    line con 0
     exec-timeout 0 0
     no modem enable
     transport output all
    line aux 0
     transport output all
    line vty 0 4
     exec-timeout 0 0
     privilege level 15
     length 40
     width 160
     transport input ssh
     transport output all
    !
    scheduler max-task-time 5000
    ntp master
    ntp server 129.6.15.28
    !
    end
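The check dcdiag is reporting on above is a plain PTR query for 1.0.0.127.in-addr.arpa sent to each forwarder. The following is an added example, not code from the thread: it sends that same query to the three forwarder addresses named in the post (the router's LAN address and the two OpenDNS resolvers) and judges the reply, so the test can be repeated from any host on the LAN without dcdiag. The sample replies used for the offline checks are constructed, and the verdict rules (matching transaction id, QR and RA bits set, RCODE NOERROR or NXDOMAIN) are my own reading of what a usable forwarder must return, not dcdiag's exact logic.

```python
"""Replicate the forwarder check behind dcdiag's Forw test: send a PTR query
for 1.0.0.127.in-addr.arpa to each configured forwarder and judge the reply.
Added example for this thread, not code from the original post."""
import random
import socket
import struct

# Forwarders named in the post: the Cisco 877 LAN address and the two
# OpenDNS resolvers.
FORWARDERS = ["192.168.9.1", "208.67.222.222", "208.67.220.220"]

QTYPE_PTR = 12
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name in DNS wire format: length-prefixed labels, zero end."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ptr_query(ip, txid):
    """Build the PTR query for an IPv4 address (octets reversed + in-addr.arpa)."""
    reverse_name = ".".join(reversed(ip.split("."))) + ".in-addr.arpa"
    # Header: id, flags (only RD set, we want recursion), qdcount=1, an/ns/ar=0.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(reverse_name) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)


def make_header(txid, flags):
    """Build a bare 12-byte DNS header; used for the constructed sample replies."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)


# Constructed sample replies (header only, which is all classify_response reads).
SAMPLE_OK = make_header(0x1234, 0x8180)        # QR, RD, RA set, NOERROR
SAMPLE_NXDOMAIN = make_header(0x1234, 0x8183)  # same flags, NXDOMAIN
SAMPLE_REFERRAL = make_header(0x1234, 0x8100)  # QR, RD, no RA: non-recursive server
SAMPLE_SPOOFED = make_header(0x9999, 0x8180)   # transaction id does not match ours


def classify_response(data, txid):
    """Return a verdict for a raw reply to a query sent with transaction id txid.

    'ok' means the server can act as a forwarder: the id matches, the QR bit is
    set, the RA (recursion available) bit is set and the RCODE is NOERROR or
    NXDOMAIN. Either rcode is fine here; 127.0.0.1 has no public PTR record and
    the point is only that the server answered the query properly.
    """
    if len(data) < 12:
        return "short"
    rid, flags = struct.unpack("!HH", data[:4])
    if rid != txid:
        return "id-mismatch"
    if not flags & 0x8000:
        return "not-a-response"
    if not flags & 0x0080:
        return "no-recursion"
    rcode = flags & 0x000F
    if rcode in (0, 3):
        return "ok"
    return "rcode-%d" % rcode


def probe(server, timeout=2.0, txid=None):
    """Send the PTR query to server:53 over UDP and classify the reply (needs network)."""
    if txid is None:
        txid = random.randrange(0x10000)  # unpredictable id, as a real resolver would use
    query = build_ptr_query("127.0.0.1", txid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return "error: %s" % exc
    finally:
        sock.close()
    return classify_response(data, txid)


if __name__ == "__main__":
    for fwd in FORWARDERS:
        print("%-16s %s" % (fwd, probe(fwd)))
```

Run it from the server (or any LAN host); after the fix described later in the thread all three forwarders should report ok. A root server would report no-recursion, which is correct: root servers are for root hints, not forwarders, and dcdiag tests the two lists separately.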

  • #2
    Re: Strange DNS issue on Windows server when behind Cisco 877

    I noticed you have ip dns server enabled on the router, but you also have:

    no ip domain-lookup

    If you want to use your router as a proxy DNS server then you need to enable it:

    ip domain-lookup

    You would also need to specify some DNS servers:

    ip name-server X.X.X.X (could be your internal DNS server or external DNS servers)
    Last edited by auglan; 10th March 2012, 21:23.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)


    • #3
      Re: Strange DNS issue on Windows server when behind Cisco 877

      Oh my goodness, thank you... that's all it was! How did I overlook that?

      Thank you! That works a treat.



      Jim

      PS: I seem to remember setting no ip domain lookup to prevent mistyped commands from going out to DNS. Could be mistaken though...
      Last edited by jimwillsher; 11th March 2012, 09:20.


      • #4
        Re: Strange DNS issue on Windows server when behind Cisco 877

        Correct, that command is usually disabled to prevent you from typing an invalid command in the parser and then having the router try to resolve it via DNS.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)
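        The two things can be had together: DNS lookup on for the router's own proxy, and the typo-to-DNS annoyance post #4 describes switched off at the CLI. The fragment below is an added example, not the thread's own config; it combines the commands post #2 gives with `transport preferred none` on the terminal lines, and uses the OpenDNS addresses from the first post as the name servers.

        ```cisco
        ! Added example, not taken from the thread's configuration.
        !
        ! 1. Let the router resolve names again. "ip dns server" is already in the
        !    running config, but the proxy cannot forward anything while domain
        !    lookup is off ("ip domain lookup" and "ip domain-lookup" are the same
        !    command).
        ip domain-lookup
        !
        ! 2. Tell the proxy where to send queries it cannot answer itself
        !    (OpenDNS addresses from the first post; substitute your own).
        ip name-server 208.67.222.222 208.67.220.220
        !
        ! 3. Keep the DNS proxy for the LAN.
        ip dns server
        !
        ! 4. Stop a mistyped command at the console or vty being treated as a
        !    host name to connect to. This is what "no ip domain lookup" is
        !    normally set for, and this achieves it without disabling DNS on the
        !    whole router.
        line con 0
         transport preferred none
        line vty 0 4
         transport preferred none
        ```

        After applying it, `show hosts` on the router lists the configured name servers and the cache, and a probe from the LAN against 192.168.9.1 should now get a proper answer. One thing worth checking in the posted ACL while you are there: `permit udp any eq domain any` in acl-EXT-IN matches any UDP datagram whose source port is 53, whatever its destination port. If that line exists only so the router's own DNS replies get back in, narrowing it to the configured name servers as source (for example `permit udp host 208.67.222.222 eq domain any`) gives the same result with a much smaller hole.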
