
Internal DNS issue?


ryrae

We have had issues sending email to and accessing the website of an external domain.....domain.com. We can't ping, trace route, etc to the external domain. When we attempt to send an email to any email address existing at that domain the email sits in the queue with a DNS error message. For SnG we added the remote domain to our internal DNS and magically we could access the website and all email was delivered to the recipient(s). To me it seems like for some reason when we attempt to access anything at that domain our internal DNS is not forwarding the requests outbound. I have attempted to add the domain to our forward exceptions in DNS, but that did not seem to work. I can also create an entry in my local host file for the domain and access the website, but for any email to be delivered we need the internal DNS to exist with the MX records of the remote domain. I am at a loss, any help is appreciated. Thanks

A+, Network+, MCP, MCTS:Exchange
 
What type of DNS (what OS as well)?

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+

 
Windows server 2003 Ent. x64. Default DNS on server 2003.
 
Is this meant to be a conditional forwarder, or a catch all forwarder? Which do you currently have configured?

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+

 
I tried to set up the external domain as a conditional forwarder using the domain name and the NS for the domain....no luck. I am currently trying to set up the "All Other DNS domains" and adding our ISP's DNS servers, but so far still a no go.
 
Yea, your ISP should be in all other DNS domains. If you put a conditional forwarder in, after doing so, did you flush your DNS cache before reattempting a connection? I have also seen the DNS server service needing a restart before a forwarder takes effect as well.

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+

 
I have added my ISP NS and restarted DNS service on the server. I have also flushed/renewed my DNS registration locally and on the server. Still no luck. I have provided a portion of the debugging log below.....

20090508 09:51:27 9BC PACKET UDP Snd 10.20.31.41 e2ac R Q [8281 DR SERVFAIL] (3)UDP response info at 0000000000B85B00
Socket = 540
Remote addr 10.20.31.41, port 60988
Time Query=2142084, Queued=2142088, Expire=2142091
Buf length = 0x0200 (512)
Msg length = 0x0027 (39)
Message:
XID 0xe2ac
Flags 0x8182
QR 1 (RESPONSE)
OPCODE 0 (QUERY)
AA 0
TC 0
RD 1
RA 1
Z 0
RCODE 2 (SERVFAIL)
QCOUNT 1
ACOUNT 0
NSCOUNT 0
ARCOUNT 0
QUESTION SECTION:
Offset = 0x000c, RR count = 0
Name "(3) QTYPE A (1)
QCLASS 1
ANSWER SECTION:
empty
AUTHORITY SECTION:
empty
ADDITIONAL SECTION:
empty
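
The header fields in the debug log above can be decoded mechanically when triaging a resolver that will not resolve one external name. The following is an added example, not part of the original thread: it decodes a DNS response header and question and gives a coarse reading of where the lookup failed. The XID and flags are the values shown in the log; the query name `www.example.com`, the helper names, and the triage labels are assumptions made for illustration.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

def build_message(xid, flags, qname, qtype=1, qclass=1):
    """Constructed sample: 12-byte header, one question, no resource records."""
    header = struct.pack("!6H", xid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!2H", qtype, qclass)

def parse_message(msg):
    """Decode the header fields the debug log prints, plus the question name."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    xid, flags, qcount, acount, nscount, arcount = struct.unpack("!6H", msg[:12])
    labels, off = [], 12
    while msg[off] != 0:
        n = msg[off]
        if n & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    qtype, qclass = struct.unpack("!2H", msg[off + 1:off + 5])
    return {
        "xid": xid, "qr": flags >> 15, "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1, "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "acount": acount, "qname": ".".join(labels), "qtype": qtype,
    }

def where_it_failed(p):
    """Coarse triage of a response from an internal resolver (labels are illustrative)."""
    if p["rcode"] == "NOERROR" and p["acount"] > 0:
        return "resolved"
    if p["aa"]:
        return "local-zone"   # answered from a zone hosted on this server
    if p["rcode"] == "SERVFAIL" and p["ra"]:
        return "upstream"     # recursion offered, lookup beyond this server failed
    if p["rcode"] == "REFUSED" or not p["ra"]:
        return "recursion-unavailable"
    return "other"

# Flags 0x8182 and XID 0xe2ac are the values in the posted log; the name is a placeholder.
SAMPLE = build_message(0xE2AC, 0x8182, "www.example.com")
```

For the logged flags, `where_it_failed(parse_message(SAMPLE))` returns `"upstream"`: AA is 0, so the response did not come from a zone hosted on the server, and RA is 1 with SERVFAIL, which is consistent with a failure in forwarding or recursion rather than in local zone data.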
 
What is your internal domain name?

-Brandon Wilson
MCSE:Security00/03
MCSA:Messaging00
MCSA:Security03
A+

 
Internal domain name is ncr.org.
External domain name that is not accessible from internally: sherbertgroup.com
When I add sherbertgroup.com to our internal DNS servers as a forward lookup zone we can email and access the webpage for sherbertgroup.com. If the zone is removed nothing works going to sherbertgroup.com. Seems like for some reason our internal DNS believes that it is internal and will not forward the requests externally.
 
OK, it sounds like your ISP DNS server is not capable of recursive queries then in that case. In those situations, forwarders typically will not work.
If you don't want to go with the secondary zone option that you have seen work, try adding a root hint for your public domain.

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
 
Can you explain how to add a root hint? I am guessing that I will just add the NS of the external domain that I am trying to access, but I have not done this in the past. Thanks
 
BTW, if your ISP DNS server does not accept recursive queries, you should be getting errors stating this in your event log...

If you do a DNS test in the properties, does the recursive test pass?

As far as root hints creation, it's pretty simple: you just add a new root hint, provide the domain name, then provide the IP info...

- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
 
Yes, the recursive and simple tests pass. I do not have any errors in the event log.
 
Interesting. If those tests do pass, then your server most likely can answer recursive tests, which would indicate either a problem with forwarder configuration, or blocked ports....



- Brandon Wilson
MCSE:Security00/03; MCSA:Security03
MCSA:Messaging00; MCP; A+
IT Pangaea (
 