
DNS Corruption


rubbersoul

IS-IT--Management
Mar 20, 2003
I have an AD with 2 sites. I'm using Dynamic DNS and seem to be having the strangest problem. We have internal and external DNS servers.....when our users are within our network we want all their queries to resolve to the internal DNS servers.....so here goes...in our first site...will call it SiteA I can do a ping mail.acme.com and sometimes it'll resolve to the internal IP of that box (192.168.1.1) which is great! However, sometimes it tries to resolve to the external IP of that box (66.200.x.x). When it does this I can't receive mail....so what I usually have to do to resolve it is an ipconfig/flushdns and an ipconfig/registerdns....then it works and a ping resolves back to the internal address (192.168.1.1).....However, and this is where it gets even more weird....our other site (which has its own DNS server...an exact copy of SiteA's DNS server) doesn't work at all....It always tries to resolve to the external IP of the box...no matter what I do.

I've tried flushing the DNS on the client machine and re-registering it. I've tried clearing the cache of the DNS server....I've brought the DNS service down and up, checked to ensure that all the host A records and MX records are in the right place....they are (they're exact copies of SiteA's config)

This is very strange and I can't seem to figure it out.....I should let you know that if I add the FQDN of our network to those addresses it always works. In other words...ping mail.acme.com.mycompany.local

If I remove the forwarders (which forward unknown traffic to our external DNS servers) everything works fine....mail.acme.com will resolve to the internal address....but at that point we can't resolve say because our DNS has no one to forward that unknown traffic to......HELP!
 
On the external network card of the mail server, check to see if that connection is set to register in DNS. If this is set, try removing that option and do a flush/register.

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
Can you explain.....why would I want to do that?

 
If you have 2 addresses registering to your DNS server, you will get 2 entries. DNS will hand out both as valid (which they are, but you only want to use one) and since you only want the internal one to be used, remove the other.

Here's the one tricky part: Does your DNS server on the outside handle resolution for your domain name from the Internet or is it purely for resolving Internet addresses?

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
I think we got a little confused.....My internal DNS only has one NIC...with a private IP. My external DNS has 2 NICs....one internal and one external...The external DNS is the authoritative server for our acme.com domain name....our domain name is acme.local internally....

 
What DNS server is your mail server set to on the NIC properties though? Your internal or external?

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
On both DNS servers....the one in SiteA and the one in SiteB...the NICs are set to use their own DNS servers (internal)

 
My settings are the same for both DNS servers on both sites. They are as follows....

I have both DNS servers listed....of course SiteB is first and SiteA's DNS is second...
Append primary specific dns is selected and so is Append parent suffix
Also, register this connection's address is checked

.....?

What kills me is how SiteA works (even though sometimes it starts resolving to the external...and that's when I have to do the ipconfig/flushdns to get it to work again) but SiteB NEVER resolves properly....and they're mirror images of each other....almost exactly the same with the exception of their IPs????

 
So just to clarify though, on your mail server, the NIC settings for DNS are set to register with your domain.local server, not the domain.com server?... is that accurate?

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
Ok, so both the internal and external address on the mail server are registering to the domain.local DNS server? If that's the case, set the NIC on the mail server that points to the outside to not register to the domain.local zone and you won't have this record in DNS on the zone anymore to be handed out to clients. Do an ipconfig flush/register and try it out.

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
 
No....I don't think that's the case. Here is our external DNS server record for the acme.com domain (by the way...our external DNS is using BIND)

pop3.acme.com. IN CNAME mail.acme.com.
smtp.acme.com. IN CNAME mail.acme.com.
imap.acme.com. IN CNAME mail.acme.com.
mail1.acme.com. IN CNAME mail.acme.com.

While here is what the internal looks like on our acme.local network

Name   Type      Data
mail   Host (A)  192.168.10.23
pop3   Host (A)  192.168.10.23
smtp   Host (A)  192.168.10.23
       (A)       192.168.10.24

Of course the above A records fall under the acme.local > acme > com directories.....they reside under the com directory.

So when I ping mail1.acme.com internally...it should resolve to 192.168.10.23.....instead I see it trying to resolve to the address of our external DNS server 66.200.x.x
 
I found it!!! I found the problem! but I still don't know how to resolve it.....It seems that I was looking at the .cache folder on both DNS servers. The SiteA DNS has the proper host A record in the cache...hence, why it's resolving properly. The SiteB has the external address cached.....I cleared it and the good internal address went in but was replaced afterwards by the wrong record again??

 
I have no clue how to fix this cache problem on the server besides clearing it out.....but after that the crappy record comes back.....

 
The netlogon service calls ALL installed network cards and registers them in DNS per their individual settings if they are enabled (this includes if they are unplugged and not disabled)...it then calls the DNS API to register the host and PTR records in DNS.

The external NICs need to be set to not register in DNS...in fact, it would be a good idea to not even point them to your internal DNS servers if possible...that way you can guarantee the wrong address won't register...if available, you can do some sort of port mapping to map back to the internal addresses from the outside if needed...a lot of different ways for all of that though


hopefully these are not DCs....

-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
These are not DC's! Kind of....

What it is is one Windows box running VMware so that we have a physical server called myphysical001.acme.local and two instances for file and print and Active Directory. The settings on each NIC are below:

myphysical001.acme.local IP 10.10.10.10 DNS 10.10.10.11
myactivedir001.acme.local IP 10.10.10.13 DNS 10.10.10.11
myfileandprint001.acme.local IP 10.10.10.14 DNS 10.10.10.11

So...as you can see. There is no 'external' NIC address to unregister. Now if you're talking about the 'External DNS Servers' then what should I be looking for? It's a Linux box running BIND. What file should I be looking at...and what kind of entry should I be looking for? As far as I was always concerned...the only way the internal server knew about the external was through its 'FORWARDER' settings, which obviously can't be changed.



 
yea BIND sucks with AD...in fact, all non-MS DNS servers do not work very well with AD. There is a whole slew of records you need to ensure you have.....

Honestly I would recommend making your DNS infrastructure more solid for Windows if you are moving to a windows domain....that is...DNS configured properly on Windows, then forward to BIND DNS box if you wish it to control name res. in/out of LAN...or bypass BIND...either or....


I'm pretty partial to MS....but, using non-MS DNS WILL lead to problems at one point or another. Although technically it is compatible...I see a lot of SRV records not get registered, as well as other strange behavior (such as QIP DNS breaking trust paths, etc.). This is why I say it's safer to use MS DNS and forward to BIND DNS for name res. in/out of LAN.



-Brandon Wilson
MCSE00/03, MCSA:Messaging, MCSA03, A+
almost got a paragraph there :)
 
Well....that's what's going on here. As far as I can see it....if I ping from inside my LAN.....my PC configured to use my internal DNS, should go first to my local PC cache....then to my internal DNS....and only then...forwarded to my external (BIND) DNS.....

So....I'm still at a loss...
 
You are correct. If you ping that record does not exist on your internal network.... your zone on the inside is acme.local, so all other domains outside of acme.local will get forwarded. Try adding a zone for acme.com on your internal DNS server and add the record with the internal IP address there and see if it works then (it should).

~Intruder~
CEH, MCSA/MCSE 2000/2003

"The Less You Do, The Less Can Go Wrong" :)
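As an added illustration (not code from the thread or from any of its posters), a small Python model of the lookup path Intruder describes: cache first, then zones the internal server hosts, then the forwarder. The acme.local zone layout, the constructed 66.200.0.1 stand-in for the 66.200.x.x BIND answer, and the sample record sets are assumptions; it also shows the caveat that once acme.com is hosted internally, any public acme.com host not copied into that zone becomes unresolvable inside.

```python
import ipaddress

# Constructed stand-in for what the forwarder (external BIND) answers; the
# thread only shows 66.200.x.x.
EXTERNAL_BIND = {"mail.acme.com": "66.200.0.1"}
INTERNAL_IP = "192.168.10.23"

# Internal server before the fix: only authoritative for acme.local, with the
# mail record living under acme.local > acme > com (assumed from the thread).
ZONES_BEFORE = {"acme.local": {"mail.acme.com.acme.local": INTERNAL_IP}}
# After the fix: an acme.com zone hosted internally with the private addresses.
ZONES_AFTER = dict(ZONES_BEFORE, **{"acme.com": {"mail.acme.com": INTERNAL_IP,
                                                 "pop3.acme.com": INTERNAL_IP,
                                                 "smtp.acme.com": INTERNAL_IP}})


def authoritative_zone(name, zones):
    """Longest-suffix match: which hosted zone, if any, covers this name."""
    labels = name.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def resolve(name, zones, forwarder, cache):
    """Model the internal server: cache, then hosted zones, then forwarder.
    Returns (ip_or_None, source). A hosted zone is answered authoritatively
    and is never forwarded, even when the name is missing from it."""
    name = name.rstrip(".").lower()
    if name in cache:
        return cache[name], "cache"
    zone = authoritative_zone(name, zones)
    if zone is not None:
        return zones[zone].get(name), "zone " + zone
    ip = forwarder.get(name)
    if ip is not None:
        cache[name] = ip  # a forwarded answer is cached and keeps coming back
    return ip, "forwarder"


def answers_internally(name, zones, forwarder):
    """Check a practitioner would run: does the inside view give a private IP?"""
    ip, _ = resolve(name, zones, forwarder, {})
    return ip is not None and ipaddress.ip_address(ip).is_private


if __name__ == "__main__":
    for label, zones in (("before", ZONES_BEFORE), ("after", ZONES_AFTER)):
        print(label, resolve("mail.acme.com", zones, EXTERNAL_BIND, {}),
              answers_internally("mail.acme.com", zones, EXTERNAL_BIND))
```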
 