DNS not resolving from external network

By jkeltg1 ·
HELP!

I have set up a Win2003 Active Directory server inside my network. The server's internal IP address is 19.168.1.150, and the external address of the firewall is 208.186.145.251. The server is up and running correctly, and I can use the IP address from outside the network to connect to its website. When I try and use my domain name "mncgp.com" it cannot be resolved. However, internally DNS resolves the name just fine. I have mapped both UDP and TCP port 53 to the server to allow for DNS queries.

What setting am I missing? Should I have a Forwarder of my ISP's DNS server?

Any help would be greatly appreciated!
Thank you in advance,
Jim Keltgen


by jarrettc In reply to DNS not resolving from ex ...

Is the IP address you assigned to the external port on the firewall new? If so, it takes time to register with your ISP's DNS servers and to replicate out to the internet. You can call your ISP to have them manually update their DNS for you.

When pinging your external firewall IP I get this response:

C>ping 208.186.145.251

Pinging 208.186.145.251 with 32 bytes of data:

Reply from 162.37.20.14: Destination port unreachable.
Reply from 162.37.20.14: Destination port unreachable.
Reply from 162.37.20.14: Destination port unreachable.
Reply from 162.37.20.14: Destination port unreachable.

Ping statistics for 208.186.145.251:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Is this 162.37.20.14 address the internal firewall port? If so there may be some issues with your NAT table. I'd go over it just to be sure.


by jkeltg1 In reply to

No... the external IP is available but just not via PING (blocked on firewall). You can open a web page and browse to the page (port 80 enabled).

And no... the IP is not new. Been in place for quite a few weeks now.


by jarrettc In reply to

Disregard the ping information, I'm at a new client site and found they aren't forwarding ICMP and that address is some internal address at this site. Makes me seem smart now, don't it?

Anyhow, has the website been up and running before or is this the first time you've had it set up?


by jarrettc In reply to DNS not resolving from ex ...

Don't reject the answer yet, there should be a way for you to add comments without closing the answer.

Have you ever had a website running on this IP address successfully?

When I did a WHOIS on your domain the name servers are listed as your name servers. Usually you have your ISP's name servers listed. Have you contacted your ISP to have them forward your domain name to the external IP address that you have?


by jarrettc In reply to

Scratch that, I did a few more checks and found the name servers you have listed are valid. As for using a forwarder, this only forces requests coming from your internal network to external (or other internal) DNS servers. Since the external DNS servers apparently do not have the DNS name mapped to the IP, this won't solve anything.

I'm pretty sure this has to do with your ISP and their name servers not being updated. Since your website is accessible via the IP address (I've hit it) then it has to do with external DNS servers. Have you contacted them yet?

You can attempt to see if their name servers have your domain name mapped to your IP by using nslookup or digfe. digfe can be found here: http://www.concoctedlogic.com/digfe/


by ChrisDent In reply to DNS not resolving from ex ...

This is easy to explain, difficult to fix.

You're answering public queries with private addresses.

Forward lookup provides an Internal IP address, 192.168.1.150. No routing exists to that so the DNS is uncontactable.

Direct queries to your DNS server provide internal addressing for services like www.

Indirect queries to your DNS fail because reverse lookup can't possibly work.

Now the hard part.

1. The DNS server must have an entry for itself on the public IP address. Without this reverse lookup fails. That is it must see itself as a public server.

2. Each service must have an entry for itself on the public IP address. Without this forward lookup is meaningless in that it provides an internal IP address.

3. Using a public domain name as an internal active directory domain name is a bad plan. Switching the internal domain name to mncgp.local would allow you greater control over the mncgp.com domain - this would have also allowed the port mapping to work.

At this point I would make the following recommendations - this will create the least work for you, or the fastest results.

Create a second DNS server. This server is to sit in a DMZ area outside your normal production LAN.

Leave your internal DNS server as it is, leave the DNS entries you have there.

On the External DNS server create another entry for mncgp.com and set up the correct entries, pointing to the public IP address.

This system is a bit of a pain since you now have two servers, but you can't answer queries with both the internal and external addresses with your current server without significant changes to your internal DNS records.


by ChrisDent In reply to

Please note that your server server.mncgp.com is reporting itself as the nameserver for the domain, which is what you intended.

From your DNS server:

NSLookup mncgp.com produces:

Server: 208-186-145-251.nrp3.brv.mn.frontiernet.net
Address: 208.186.145.251

mncgp.com internet address = 192.168.1.150
mncgp.com nameserver = server.mncgp.com
mncgp.com
primary name server = server.mncgp.com
responsible mail addr = hostmaster
serial = 77
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
server.mncgp.com internet address = 192.168.1.150

NSLookup on server.mncgp.com reports:

Server: 208-186-145-251.nrp3.brv.mn.frontiernet.net
Address: 208.186.145.251

server.mncgp.com internet address = 192.168.1.150

From my server:

NSLookup mncgp.com produces:

Server: pmsidc03.pmsi
Address: 192.168.42.13

Non-authoritative answer:
mncgp.com internet address = 192.168.1.150
mncgp.com nameserver = server.mncgp.com
mncgp.com
primary name server = server.mncgp.com
responsible mail addr = hostmaster
serial = 77
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

server.mncgp.com internet address = 192.168.1.150

NSLookup on server.mncgp.com produces:

Server: pmsidc03.pmsi
Address: 192.168.42.13

Non-authoritative answer:
server.mncgp.com internet address = 192.168.1.150

Deeper requests fail because of the information your server is giving out.
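The split-horizon problem ChrisDent describes, as an added example that is not part of the thread or anyone's posted code: a small Python check that takes the records server.mncgp.com is handing out (constructed from the nslookup output above, with a www record assumed since the thread pings www.mncgp.com), flags every address record that an Internet client could not route to, confirms that no nameserver in the zone has a reachable glue address (point 1 in ChrisDent's list), and builds the record set the external DMZ server would need to serve (point 2 and the two-server recommendation). The public address is the firewall IP the poster gave; the function names and the www record are assumptions of this example.

```python
"""Detect private (non-routable) answers in a zone served to the Internet,
and derive the record set an external-view DNS server should serve instead.

Added example for this thread; not the poster's or the forum's code.
Sample records are constructed from the nslookup output quoted in the thread.
"""
import ipaddress

# Constructed sample: what server.mncgp.com answers, as (name, type, value).
# The www record is an assumption; the thread only shows it being pinged.
ZONE_AS_SERVED = [
    ("mncgp.com.", "SOA",
     "server.mncgp.com. hostmaster.mncgp.com. 77 900 600 86400 3600"),
    ("mncgp.com.", "NS", "server.mncgp.com."),
    ("mncgp.com.", "A", "192.168.1.150"),
    ("server.mncgp.com.", "A", "192.168.1.150"),
    ("www.mncgp.com.", "A", "192.168.1.150"),  # assumed record
]

PUBLIC_IP = "208.186.145.251"  # external firewall address given in the thread

ADDRESS_TYPES = ("A", "AAAA")


def is_routable_from_internet(addr: str) -> bool:
    """True if addr is globally routable unicast.

    ipaddress.is_global is False for RFC 1918 space, loopback, link-local,
    documentation ranges and similar, which is exactly what must never
    appear in an answer handed to an Internet client.
    """
    return ipaddress.ip_address(addr).is_global


def find_leaked_private_answers(records):
    """Return (name, address) pairs for address records an Internet client
    could never reach. These answers make the name 'resolve' while the
    service stays unreachable, which is the symptom in the thread."""
    return [
        (name, value)
        for name, rtype, value in records
        if rtype in ADDRESS_TYPES and not is_routable_from_internet(value)
    ]


def glue_is_reachable(records):
    """True if at least one NS target in the zone has a routable address.
    Without that, resolvers that follow the NS delegation cannot contact
    the nameserver at all (ChrisDent's point 1)."""
    ns_targets = {value for _, rtype, value in records if rtype == "NS"}
    glue = {
        value for name, rtype, value in records
        if rtype in ADDRESS_TYPES and name in ns_targets
    }
    return any(is_routable_from_internet(a) for a in glue)


def build_external_zone(records, public_ip):
    """Produce the record set for the DMZ (external-view) server: same
    names, every non-routable address replaced with the public IP.
    SOA and NS records are kept as served; only address data changes."""
    external = []
    for name, rtype, value in records:
        if rtype in ADDRESS_TYPES and not is_routable_from_internet(value):
            external.append((name, rtype, public_ip))
        else:
            external.append((name, rtype, value))
    return external


def to_zone_text(records, ttl=3600):
    """Render records in zone-file style for pasting into the external server."""
    return "\n".join(
        f"{name}\t{ttl}\tIN\t{rtype}\t{value}" for name, rtype, value in records
    )


if __name__ == "__main__":
    leaks = find_leaked_private_answers(ZONE_AS_SERVED)
    print(f"{len(leaks)} answer(s) point at non-routable space:")
    for name, addr in leaks:
        print(f"  {name} -> {addr}")
    print("NS glue reachable from Internet:", glue_is_reachable(ZONE_AS_SERVED))
    print("\nRecords the external DMZ server should serve:")
    print(to_zone_text(build_external_zone(ZONE_AS_SERVED, PUBLIC_IP)))
```

Run it and the first section lists the three records pointing at 192.168.1.150 and reports that the NS glue is not reachable; the second section is the same zone with 208.186.145.251 substituted, which is what the external server in ChrisDent's recommendation would hold while the internal server keeps its private records untouched.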


by ChrisDent In reply to

wow still not fixed...

ping www.mncgp.com

Pinging mncgp.com [192.168.1.150] with 32 bytes of data:

Request timed out
...
