DNS

ashpp

IS-IT--Management
Sep 28, 2002
798
GB
Setup
-----

A small R&D centre attached to a corporate Class A network & the internet.
All machines are using public address, all internet access is proxied. Firewalled on the internet side.

DNS server is an NT4.0 machine. IP forwarding appears to be set to 3 external (i.e. internet DNS) servers. All clients point to this server.

We are secondary for a couple of zones

bpe.eu.company.com
suk.eu.company.com
bprl.eu.company.com

Problem
-------

We are unable to resolve newer domains such as

ishop.eu.company.com
hr.eu.company.com

on both the proxy and the clients. NSLookup cannot find these domains. NSLookup times out if we try and change the dns server it uses to dnsserver.eu.company.com.

I'm not a DNS expert, and I'm very new to this company. But I believe the solution is either

1) Set up a new IP forwarder to the highest company.com DNS server (or eu.company.com), and use this as the first forwarder.

2) Become a secondary zone to eu.company.com OR

3) Become a secondary for these ishop.eu.company.com /
hr.eu.company.com domains.

Can anyone else suggest anything, or whether I am barking up the wrong tree etc?

Thanks
 
DNS must be enabled to forward queries to another name server. By doing this you will be able to ensure that if the server is unable to find an answer to the DNS query, it will forward it to the server higher up, until it finds the answer, then sends it back. That is essentially how DNS works. Now looking at how your DNS is set up from what you have entered:

bpe.eu.company.com
suk.eu.company.com
bprl.eu.company.com

Those servers should be forwarding queries also; if not, that will cause a problem if the query is not resolved. Basically it's proper to have the list of root servers in your DNS configuration, so that you do not run into these problems. It's also possible that the list of root servers is not being updated regularly.


John D. Saucier
jsauce@magicguild.com
Certified Technician
Network Administrator
 
Thanks for the response John

Sorry I didn't make this very clear in my original question...

These domains I am trying to resolve are all internal domains, and do not exist outside on the internet - root servers won't be any help.
(FYI we are talking about a major global network here.)

The problem was that the IP forwarders were set to three internet DNS servers. So resolving above these domains just wasn't possible.

So, I have changed the setup on the DNS server to now forward to an external internet DNS server and an internal DNS server (eu.company.com).
The problem now is that only the first DNS forwarder seems to be queried.

By changing the order of the forwarders I can either get internet resolution, or company wide resolution but not both at the same time. I have tried on both a w2k server and nt4 server.

A good solution would be to find the company's root DNS servers, which can resolve both. But finding that amazing server is like finding a needle in a haystack. None of the internal DNS servers I have NSLookedup have been unable to resolve outside their own SOA.

btw. The NT4 DNS server is pointing to itself in TCP/IP DNS server properties.
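
A simplified model of the behaviour described in this post, added as an example and not part of the original thread: it assumes a forwarding server tries its forwarders in order and moves on only when one times out, so a negative answer from the first forwarder is final. The `Forwarder` class, `resolve`, `scenario` and the sample addresses are constructed for illustration; the model also reports which internal names are sent to the external forwarder.

```python
NXDOMAIN, TIMEOUT = "NXDOMAIN", "TIMEOUT"

# Constructed sample data (documentation address ranges, not real records).
INTERNAL = {"www.ishop.eu.company.com": "192.0.2.10"}
EXTERNAL = {"www.example.org": "198.51.100.20"}
QUERIES = ["www.ishop.eu.company.com", "www.example.org"]

class Forwarder:
    def __init__(self, name, records, reachable=True):
        self.name, self.records, self.reachable = name, records, reachable
        self.seen = []  # every name this server was asked for

    def query(self, qname):
        self.seen.append(qname)
        if not self.reachable:
            return TIMEOUT
        # A server that responds gives a definitive answer, even a negative one.
        return self.records.get(qname, NXDOMAIN)

def resolve(qname, local_zones, forwarders):
    # Zones held locally (for example as a secondary) are answered first.
    for zone, records in local_zones.items():
        if qname == zone or qname.endswith("." + zone):
            return records.get(qname, NXDOMAIN)
    # Forwarders are tried in order; the next one is used only on a timeout.
    for fwd in forwarders:
        answer = fwd.query(qname)
        if answer != TIMEOUT:
            return answer
    return TIMEOUT

def scenario(order, local_zones=None, first_reachable=True):
    """Resolve QUERIES; return (answers, internal names sent to the external server)."""
    ext = Forwarder("external", EXTERNAL)
    internal = Forwarder("internal", INTERNAL)
    fwds = [ext, internal] if order == "external-first" else [internal, ext]
    fwds[0].reachable = first_reachable
    answers = {q: resolve(q, local_zones or {}, fwds) for q in QUERIES}
    leaked = [q for q in ext.seen if q.endswith(".company.com")]
    return answers, leaked

if __name__ == "__main__":
    print(scenario("external-first"))   # internal name fails and is sent outside
    print(scenario("internal-first"))   # internet name fails
    print(scenario("external-first", {"ishop.eu.company.com": INTERNAL}))  # both resolve
```

In the third scenario the server holds the internal zone locally, as in option 3 of the original question, so both names resolve and no internal name reaches the external forwarder.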
 
Hmm, okay, I see you are secondary. Are your primary servers transferring their database to the secondary servers like they should? Like if you use two nameservers to resolve everything, the primary and the secondary. The primary should be forwarding queries to your ISP for external resolution requirements, but the secondary server should be getting transfers of whatever the primary has stored on a regular interval. That's how you keep them synced. And of course any request to the secondary server that cannot be resolved should be forwarded to the first.

John D. Saucier
jsauce@magicguild.com
Certified Technician
Network Administrator
 
hmmm
do each of the dns servers include each other
in the forward list

ie
dns1 -> dns2
dns2 -> dns3
dns3 -> dns1
 
Well the purpose of the secondary servers is to provide a stable backup, which is why they must never be on the same machine; in fact it's preferred they don't even exist on the same network. You primary name servers should be forwarding their data to the secondaries at a regular interval. It's not really needed to have the secondaries repeat the process since they should already have the data that was sent from the primaries. But a chain shouldn't be a problem either. Just as long as the primary and secondary are clones. Remember that a client should only be querying the secondary server when the first server does not respond to the request.

Both primary and secondary dns should be forwarding queries higher up when they are not found.

John D. Saucier
jsauce@magicguild.com
Certified Technician
Network Administrator
 
sorry was late when I typed this out: You primary name servers should be forwarding their data to the secondaries at a regular interval.

That should read: Your primary name servers should be transferring. Had to correct that just in case, since forwarding is different. Also note that you can transfer to up to three servers in BIND, not sure about the Microsoft DNS though.

John D. Saucier
jsauce@magicguild.com
Certified Technician
Network Administrator
 