When DNS is disconnected from the internet, no one can connect to the internet

  • Question

  • Hello

    We have 2 internal DNS servers and 1 external DNS server in the DMZ. Both internals forward to the external DNS, and the external DNS forwards queries to 4.2.2.4 and 8.8.8.8. When we disconnect the internal DNS server from the internet, no one can see the internet. What should I check after the forwarders?

    There is accounting software named Spooler for internet users, which authenticates against AD.

    Thanks in advance


    Monday, March 5, 2018 8:00 AM

All replies

  • Hi,

    Thanks for your question.

    1. Please check the external DNS server's connectivity to the internetwork and whether it can reach the internet normally. Then check that the internal DNS servers can connect to the intranet and make sure of their physical connectivity.
    2. Please check all your DNS servers' property settings. Right-click the DNS server in the DNS console, select "Properties" and then "Advanced", and make sure the option "Disable recursion (also disables forwarders)" is not selected. Please refer to the exhibit below.
    3. If the external DNS works properly, then we can do a test by setting the external DNS server, instead of the two internal DNS servers, as the preferred DNS for the intranet, to see if it can resolve internet queries.
    4. I want to confirm with you: does the server running the service named Spooler sit in your non-DMZ area and point to the internal DNS?
    5. Please type "nslookup -d2 <internet site>" (for example www.google.com) on your external DNS and on one client on the intranet, monitor the name query process, and drop me the result at your convenience.

    Hope the above information is helpful. I highly appreciate your effort and time. If you have any questions or concerns, please feel free to let me know.

    Best regards,

    Michael


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


    Tuesday, March 6, 2018 6:15 AM
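    The checks in steps 2 and 5 above, gathered into one script (an added example, not code from the thread): for each hop in the chain described by the question (two internal DNS servers forwarding to one external DNS server in the DMZ) it reads the recursion setting and the forwarder list with the Windows DnsServer module, then resolves a public name against that hop directly, so the hop where resolution stops becomes visible. The host names are placeholders, and the script assumes it runs from a machine that can query each server's configuration remotely with the DnsServer cmdlets.

    ```powershell
    # Added example (not from the thread): walk the resolution chain and report, per hop,
    # whether recursion is enabled, which forwarders are set, and whether the hop resolves
    # a public name when asked directly. Host names are placeholders; replace with your own.
    $chain = @(
        @{ Role = 'internal DNS 1';     Host = 'INTDNS1.MyDomain.net' },  # placeholder
        @{ Role = 'internal DNS 2';     Host = 'INTDNS2.MyDomain.net' },  # placeholder
        @{ Role = 'external DNS (DMZ)'; Host = 'EXTDNS1.MyDomain.net' }   # placeholder
    )
    $probe = 'www.google.com'

    foreach ($hop in $chain) {
        Write-Host "=== $($hop.Role) [$($hop.Host)] ==="
        try {
            # The GUI option "Disable recursion (also disables forwarders)" shows up here as Enable = $false.
            $rec = Get-DnsServerRecursion -ComputerName $hop.Host -ErrorAction Stop
            $fwd = Get-DnsServerForwarder -ComputerName $hop.Host -ErrorAction Stop
            if (-not $rec.Enable) {
                Write-Warning "recursion is disabled: forwarders and root hints are not used on this server"
            }
            if ($fwd.IPAddress) {
                Write-Host ("forwarders     : " + ($fwd.IPAddress -join ', '))
            } else {
                Write-Warning "no forwarders configured on this server"
            }
            Write-Host ("use root hints : " + $fwd.UseRootHint)
        } catch {
            Write-Warning "could not read DNS server configuration: $($_.Exception.Message)"
        }

        try {
            # Query this hop directly; -DnsOnly skips the local cache and hosts file, and a
            # fully qualified name avoids the suffix-appended lookups (name.MyDomain.net)
            # that the client's nslookup trace in this thread shows.
            $answers = Resolve-DnsName -Name $probe -Type A -Server $hop.Host -DnsOnly -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'A' }
            Write-Host ("resolves $probe : " + (($answers | ForEach-Object { $_.IPAddress }) -join ', '))
        } catch {
            Write-Warning "$probe did NOT resolve via this hop: $($_.Exception.Message)"
        }
    }
    ```

    Run it on a client in the intranet and on the external DNS server itself: a hop that reports recursion disabled or no forwarders, or that fails the direct lookup while the next hop succeeds, is where the chain breaks.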
  • Hello Michael, thanks for your kind reply.

    1- It's OK.

    2- "Disable recursion" on the internal DCs is unchecked, but on the external one it is checked. Disabling forwarders on the external DNS server shouldn't cause the problem; if forwarders are disabled it uses root hints, right??

    3- I will check that.

    4- Yes, it's in the non-DMZ area.

    5-

    On the external DNS:

        QUESTIONS:
    google.com, type = A, class = IN

    ------------
    ------------
    Got answer (44 bytes):
        HEADER:
    opcode = QUERY, id = 4, rcode = NOERROR
    header flags:  response, want recursion, recursion avail.
    questions = 1,  answers = 1,  authority records = 0,  additional = 0

        QUESTIONS:
    google.com, type = A, class = IN
        ANSWERS:
        ->  google.com
    type = A, class = IN, dlen = 4
    internet address = 216.58.209.174
    ttl = 280 (4 mins 40 secs)

    ------------
    ------------
    SendRequest(), len 28
        HEADER:
    opcode = QUERY, id = 5, rcode = NOERROR
    header flags:  query, want recursion
    questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
    google.com, type = AAAA, class = IN

    ------------
    ------------
    Got answer (56 bytes):
        HEADER:
    opcode = QUERY, id = 5, rcode = NOERROR
    header flags:  response, want recursion, recursion avail.
    questions = 1,  answers = 1,  authority records = 0,  additional = 0

        QUESTIONS:
    google.com, type = AAAA, class = IN
        ANSWERS:
        ->  google.com
    type = AAAA, class = IN, dlen = 16
    AAAA IPv6 address = 2a00:1450:450d:806::200e
    ttl = 32 (32 secs)

    ------------
    Name:    google.com
    Addresses:  2a00:1450:450d:806::200e
      216.58.209.174

    On the client:

    ------------
    SendRequest(), len 42
        HEADER:
    opcode = QUERY, id = 1, rcode = NOERROR
    header flags:  query, want recursion
    questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
    20.8.31.172.in-addr.arpa, type = PTR, class = IN

    ------------
    ------------
    Got answer (119 bytes):
        HEADER:
    opcode = QUERY, id = 1, rcode = NXDOMAIN
    header flags:  response, want recursion, recursion avail.
    questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
    20.8.31.172.in-addr.arpa, type = PTR, class = IN
        AUTHORITY RECORDS:
        ->  31.172.in-addr.arpa
    type = SOA, class = IN, dlen = 65
    ttl = 10745 (2 hours 59 mins 5 secs)
    primary name server = prisoner.iana.org
    responsible mail addr = hostmaster.root-servers.org
    serial  = 1
    refresh = 604800 (7 days)
    retry   = 60 (1 min)
    expire  = 604800 (7 days)
    default TTL = 604800 (7 days)

    ------------
    Server:  UnKnown
    Address:  172.31.8.20

    ------------
    SendRequest(), len 37
        HEADER:
    opcode = QUERY, id = 2, rcode = NOERROR
    header flags:  query, want recursion
    questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
    google.com.MyDomain.net, type = A, class = IN

    ------------
    ------------
    Got answer (37 bytes):
        HEADER:
    opcode = QUERY, id = 2, rcode = NXDOMAIN
    header flags:  response, recursion avail.
    questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
    google.com.MyDomain.net, type = A, class = IN

    ------------
    ------------
    SendRequest(), len 37
        HEADER:
    opcode = QUERY, id = 3, rcode = NOERROR
    header flags:  query, want recursion
    questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
    google.com.MyDomain.net, type = AAAA, class = IN

    ------------
    ------------
    Got answer (37 bytes):
        HEADER:
    opcode = QUERY, id = 3, rcode = NOERROR
    header flags:  response, recursion avail.
    questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
    google.com.MyDomain.net, type = AAAA, class = IN

    ------------
    ------------
    SendRequest(), len 28
        HEADER:
    opcode = QUERY, id = 4, rcode = NOERROR
    header flags:  query, want recursion
    questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
    google.com, type = A, class = IN

    ------------
    ------------
    Got answer (44 bytes):
        HEADER:
    opcode = QUERY, id = 4, rcode = NOERROR
    header flags:  response, want recursion, recursion avail.
    questions = 1,  answers = 1,  authority records = 0,  additional = 0

        QUESTIONS:
    google.com, type = A, class = IN
        ANSWERS:
        ->  google.com
    type = A, class = IN, dlen = 4
    internet address = 216.58.219.206
    ttl = 93 (1 min 33 secs)

    ------------
    ------------
    SendRequest(), len 28
        HEADER:
    opcode = QUERY, id = 5, rcode = NOERROR
    header flags:  query, want recursion
    questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
    google.com, type = AAAA, class = IN

    ------------
    ------------
    Got answer (28 bytes):
        HEADER:
    opcode = QUERY, id = 5, rcode = NOERROR
    header flags:  response, recursion avail.
    questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
    google.com, type = AAAA, class = IN

    ------------
    Name:    google.com
    Address:  216.58.219.206


    Tuesday, March 6, 2018 9:10 AM
  • Hi Ghasem,

    Very sorry for my delay.

    I mean that you should not disable recursion on any of your DNS servers. From the results you posted, the external DNS server can resolve external names. It seems that the internal DNS server failed to forward the name query to the external DNS. Please reconfigure the forwarders on the internal DNS servers to use the external DNS or the ISP DNS and try resolution again.

    I highly appreciate your effort and time. If you have any questions or concerns, please feel free to let me know.

    Best regards,

    Michael



    Thursday, March 8, 2018 10:31 AM
  • Thanks for your reply, Michael.

    The forwarders on both internal DNS servers are pointing to the external DNS, and "Disable recursion" on both internals is unchecked.

    What next?

    Sunday, March 11, 2018 5:36 AM
  • Hi Ghasem,

    Thanks for your update.

    Please add a forwarder pointing to a public DNS server, such as 8.8.8.8, on the internal DNS and try name resolution again.

    I highly appreciate your effort. If you have any questions or concerns, please feel free to let me know.

    Best regards,

    Michael



    Monday, March 12, 2018 9:19 AM
  • Hi Ghasem,

    How are things going? Was your issue resolved?

    Please let us know if you would like further assistance.

    Wish you a nice day!

    Best regards,

    Michael



    Wednesday, March 14, 2018 9:25 AM