  1. #1 etoipi

    DNS Issue

    We have a network running off a Windows server. The domain we use is in the format schoolname.co.uk. We also use this for our website - the DNS for this is handled externally by our web hosting provider. We've possibly been too clever for our own good - we've got a subdomain vle.schoolname.co.uk which, as far as our domain is concerned, has an A record pointing to one of our two external IPs for our broadband connection (i.e. to get to in-house servers). Our internal DNS on the Windows box also has a record for vle.schoolname.co.uk to tell all our internal clients that vle.schoolname.co.uk can use our Linux box running the VLE. All was fine when we began this endeavour and clients began with clean DNS caches. However, now, internal clients are beginning to hit errors using vle.schoolname.co.uk. This is resolving to the external IP of the A record - and getting our internal clients absolutely nowhere.
    Is there any way that I can get around this issue? We are not open to changing where our main website is hosted, nor really messing with the domain. We'd also ideally like the subdomain to be exactly the same for students and teachers when they are both in and out of school. BYOD is also in use - so devices will change where the domain needs to resolve itself.

  2. #2 Archer

    Hi,

    Two things spring to mind. The first would be to delete the internal A record from your domain controllers, and secondly make sure that the forwarder entries on the domain controllers are working correctly. If you haven't done so already I'd suggest pointing the forwarders to your ISP's public DNS servers rather than Google, for example.

    This should get you out of a hole short term. But without looking at your lookup zones I couldn't be sure what's going on. We have nicknamed DNS "Black Magic" in my department!

    One last thought: could it be something to do with your firewall, which may be running DNS?

    Regards

    Archer

  3. #3 Archer

    Oh god my grammar! Crappy iPhone autocorrect!

  4. #4 Jamo

    Quote Originally Posted by etoipi:
    We have a network running off a Windows server. The domain we use is in the format schoolname.co.uk. We also use this for our website - the DNS for this is handled externally by our web hosting provider. We've possibly been too clever for our own good - we've got a subdomain vle.schoolname.co.uk which, as far as our domain is concerned, has an A record pointing to one of our two external IPs for our broadband connection (i.e. to get to in-house servers). Our internal DNS on the Windows box also has a record for vle.schoolname.co.uk to tell all our internal clients that vle.schoolname.co.uk can use our Linux box running the VLE. All was fine when we began this endeavour and clients began with clean DNS caches. However, now, internal clients are beginning to hit errors using vle.schoolname.co.uk. This is resolving to the external IP of the A record - and getting our internal clients absolutely nowhere.
    Is there any way that I can get around this issue? We are not open to changing where our main website is hosted, nor really messing with the domain. We'd also ideally like the subdomain to be exactly the same for students and teachers when they are both in and out of school. BYOD is also in use - so devices will change where the domain needs to resolve itself.
    OK so do you mean you created a separate DNS zone for the vle.schoolname.co.uk address or created a new AD domain?

    Normally, you would (unless firewall rules didn't permit) let DNS resolve to your local DNS servers which would resolve to the internal IP addresses of the VLE server, then let the ISP resolve the names for external users. That way you don't have to get DNS to forward to the ISP just to resolve what is effectively a local host.

    Why do you have the internal clients going to the external IP for resolving the vle.schoo... domain rather than its internal address?

  5. #5 etoipi

    I'll have a go at doing that - as you say, should certainly help short term.

    The firewall was initially one of my thoughts. It doesn't have any DNS stuff switched on - it does however deal with some bizarre routings around the place (I've just inherited the system, and am getting away from the idea of "this is what you do at school", "this is what you do at home", to just "this is what you do").

  6. #6 etoipi

    Quote Originally Posted by Jamo:
    OK so do you mean you created a separate DNS zone for the vle.schoolname.co.uk address or created a new AD domain?
    Under the schoolname.co.uk DNS zone (which is only used internally) I created a record to point vle.schoolname.co.uk to the IP of the server running the VLE stuff. Externally - the domain schoolname.co.uk has had an A record added pointing to an external IP of ours. The firewall then forwards HTTP traffic to this IP over port 80 to the server running VLE stuff.

    Quote Originally Posted by Jamo:
    Normally, you would (unless firewall rules didn't permit) let DNS resolve to your local DNS servers which would resolve to the internal IP addresses of the VLE server, then let the ISP resolve the names for external users. That way you don't have to get DNS to forward to the ISP just to resolve what is effectively a local host.
    I believe that's what we're doing - we have DNS running internally, which is first for a lookup. I'm just worried that devices, such as laptops, could be caching the DNS for vle.schoolname.co.uk when devices are at home and as soon as they're on our network it uses the old, cached, route.

    Quote Originally Posted by Jamo:
    Why do you have the internal clients going to the external IP for resolving the vle.schoo... domain rather than its internal address?
    That's the problem - they shouldn't be. As far as I'm concerned by adding an internal DNS record on our DC all internal clients connected to the network should be pointing to the internal IP, and not resolving externally at all. However, the internal clients are (incorrectly) resolving to the external IP, causing issues.

  7. #7 twin--turbo

    What DNS server are the clients pointing at?

    Rob

  8. #8 etoipi

    Quote Originally Posted by twin--turbo:
    What DNS server are the clients pointing at?
    They point to three, and search our naked domain. First is our internal DNS on the DC. The second two are the two DNS servers our ISP provides. I'm considering (in an unrelated event!) changing the second and third DNS to OpenDNS / Google Public DNS.

  9. #9 Jamo

    Quote Originally Posted by etoipi:
    They point to three, and search our naked domain. First is our internal DNS on the DC. The second two are the two DNS servers our ISP provides. I'm considering (in an unrelated event!) changing the second and third DNS to OpenDNS / Google Public DNS.
    In an AD domain, the clients should only point to the internal DNS. Let your internal DNS make the decisions for them and make the forwarding decisions.

    HOW TO: Modify Time to Live on Domain Name System Records

    Change the TTL of a DNS record (this would only affect the internal DNS lookups though). I have not come across an issue of clients coming in with incorrect DNS caches, you can always run ipconfig /flushdns to test.

  10. #10 timzim

    Make a new zone on your internal dns for vle.schoolname.co.uk. Your internal clients should only use internal dns for resolving, so remove the external dns entries and make the internal dns use the external dns servers as forwarders instead. That way your internal clients will only ever get the VLE address from the internal dns plus you'll improve lookup times as you'll be caching external lookups on your internal dns.

  11. #11 Jamo

    Quote Originally Posted by timzim:
    Make a new zone on your internal dns for vle.schoolname.co.uk. Your internal clients should only use internal dns for resolving, so remove the external dns entries and make the internal dns use the external dns servers as forwarders instead. That way your internal clients will only ever get the VLE address from the internal dns plus you'll improve lookup times as you'll be caching external lookups on your internal dns.
    If vle.schoolname.co.uk is a host, create a host A record, not a zone. A zone is for resolving *.vle.schoolname.co.uk. The host A record can point to whatever IP you want; it wouldn't have to be the internal address if the firewall only allows the external IP to be used.
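
    The server-side change the replies in #9 and #11 describe (a host A record for vle inside the existing schoolname.co.uk zone with a short TTL, plus forwarders on the DC so clients never need an external resolver in their own list), as an added example rather than anything posted in the thread. It assumes a Windows Server 2012 or later DC with the DnsServer PowerShell module; the zone name comes from the thread, while the internal IP, the forwarder addresses and the 5-minute TTL are constructed placeholders.

```powershell
# Added example, not from the thread. Run on the domain controller that
# hosts the internal schoolname.co.uk zone. Assumes the DnsServer module
# (Windows Server 2012+); IP addresses below are constructed placeholders.
Import-Module DnsServer

$ZoneName   = 'schoolname.co.uk'            # existing internal zone (from the thread)
$HostLabel  = 'vle'                         # host A record, not a child zone (post #11)
$InternalIp = '10.0.0.50'                   # placeholder: internal IP of the Linux VLE box
$Forwarders = @('192.0.2.1', '192.0.2.2')   # placeholder: the ISP's resolvers
$Ttl        = New-TimeSpan -Minutes 5       # short TTL so a stale answer ages out quickly (post #9)

# 1. Replace any existing A record for the host so the internal answer is
#    unambiguous, then create it with the short TTL.
$existing = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $HostLabel -RRType A -ErrorAction SilentlyContinue
if ($existing) {
    $existing | Remove-DnsServerResourceRecord -ZoneName $ZoneName -Force
}
Add-DnsServerResourceRecordA -ZoneName $ZoneName -Name $HostLabel -IPv4Address $InternalIp -TimeToLive $Ttl

# 2. Let the DC resolve everything outside the organisation via forwarders,
#    so clients only ever need the DC as their DNS server (posts #10 and #13).
Set-DnsServerForwarder -IPAddress $Forwarders -UseRootHint $false

# 3. Verify what the DC now hands out and where it forwards to.
Resolve-DnsName -Name "$HostLabel.$ZoneName" -Type A -Server '127.0.0.1' -DnsOnly
Get-DnsServerForwarder
```

    The record is created under the existing zone rather than as a new zone, per post #11: a child zone named vle.schoolname.co.uk would make the DC authoritative for everything beneath that label, which is not what a single host needs.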

  12. #12 etoipi

    Cheers all. I shall have a look on Monday when I can sit down and have a play.

    We have been running ipconfig /flushdns

    After a flush, vle.schoolname.co.uk is resolved correctly (although not always persistently - mostly after a teacher takes a laptop home in the evening, and then has a DNS error in the morning - at the moment I'm just flushing the DNS when the problem arises).

  13. #13 twin--turbo

    Quote Originally Posted by etoipi:
    They point to three, and search our naked domain. First is our internal DNS on the DC. The second two are the two DNS servers our ISP provides. I'm considering (in an unrelated event!) changing the second and third DNS to OpenDNS / Google Public DNS.
    Yep that's going to cause issues.

    Let the DC lookup domains that are outside the organisation, just have the DC's as your DNS servers for the clients.

    Rob

  14. #14 etoipi

    So I've done some investigation into the clients that exhibit this issue. They still have the three DNS servers as above (it will be changed in the very near future). It appears that:
    • Running nslookup on the clients times out, and does so even for things such as the DC
    • Running nslookup once the DNS server is set statically to only the DC also times out
    • Flushing DNS results in the same problems in the end.
    • Registering the DNS (when static) doesn't help the timeouts.
    • Pings to IPs do (even after a flush) look up the domain, and get it right (even the VLE server).
    • The errors ONLY occur on wireless clients (but only a subset thereof).


    Before I jump into the DC and change the DNS - are all of these errors likely to be because of the extra two DNS servers - or does this imply there's yet something else going on somewhere? I just don't want to start changing the DC without fully understanding what is currently happening on the clients!!
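
    A client-side check for the question post #14 ends on: which of the three configured DNS servers is actually answering for vle.schoolname.co.uk on an affected machine, and whether any of them returns the external address. This is an added example, not something from the thread; it assumes Windows 8 / Server 2012 or later (DnsClient module). The host name is from the thread; the DC address and the expected internal IP are constructed placeholders. The reason the check matters is that the Windows resolver falls through to the next server in its list when the first one times out, and then keeps preferring the server that answered for subsequent queries, so an ISP resolver in the list can silently take over and hand back the external A record (the behaviour posts #9 and #13 warn about).

```powershell
# Added example, not from the thread. Run on one of the wireless clients
# that shows the problem. Assumes the DnsClient module (Windows 8 / 2012+);
# the DC address and internal IP are constructed placeholders.
Import-Module DnsClient

$VleName     = 'vle.schoolname.co.uk'   # host from the thread
$InternalIp  = '10.0.0.50'              # placeholder: what internal clients should get
$DcAddresses = @('10.0.0.10')           # placeholder: the domain controller(s)

# Collect every DNS server configured on any IPv4 adapter. Per posts #9 and
# #13, anything that is not a DC should not be in this list at all.
$servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
           Where-Object { $_.ServerAddresses } |
           ForEach-Object { $_.ServerAddresses } |
           Sort-Object -Unique

"{0,-16} {1,-18} {2,-30} {3}" -f 'Server', 'Role', 'Answer for VLE', 'Verdict'
foreach ($server in $servers) {
    $role = if ($DcAddresses -contains $server) { 'DC' } else { 'EXTERNAL (remove)' }
    try {
        # -DnsOnly bypasses the local cache and hosts file, so each server
        # is asked directly and a stale cached answer cannot mask the result.
        $records = Resolve-DnsName -Name $VleName -Type A -Server $server -DnsOnly -ErrorAction Stop
        $answer  = ($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ','
    } catch {
        # A timeout here on the DC itself points at a path/wireless problem
        # rather than at the record (the symptom in post #14).
        $answer = "no response: $($_.Exception.Message)"
    }
    $verdict = if ($answer -eq $InternalIp) { 'ok' } else { 'WRONG' }
    "{0,-16} {1,-18} {2,-30} {3}" -f $server, $role, $answer, $verdict
}

# Show what the resolver cache currently holds for the name. An entry with
# the external IP and a long TimeToLive is the "brought home and back" case
# from post #12, which ipconfig /flushdns (Clear-DnsClientCache) clears.
Get-DnsClientCache -Name $VleName -ErrorAction SilentlyContinue |
    Select-Object Entry, Data, TimeToLive
```

    If the DC row reads "no response" while the ISP rows answer, the extra servers are masking a reachability problem on the wireless segment rather than causing it; if the DC answers with the internal IP and the ISP rows answer with the external one, removing the ISP entries from the client configuration (and leaving forwarding to the DC) resolves the inconsistency the thread describes.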