Our Win2k DNS servers are on our internal network.  I have a rule allowing
53 tcp and 53 udp outbound to the Internet.  I don't have any other rules
for DNS.  Why do I need to create an inbound rule?  Aren't the DNS servers
doing all the lookups outbound?  What would initiate a connection inbound to
our DNS servers from the outside? 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, November 16, 2004 11:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] DNS Issues

TCP shouldn't be an issue - since most firewalls will do some sort of state
management for those connects.

My money's on the fact there ISN'T an inbound firewall rule allowing
UDP/53 to his DNS servers and tangential to that the fact that there is no
static NAT enabled for the DNS servers internally.

In other words, create a static NAT rule for the DNS servers with root hints
enabled, and enable UDP/53 inbound to those hosts. DNS starts working again
- this time consistently.

The reason for inconsistency is most likely caused by the fact some
resolutions will fall over to TCP, due to response size and some less
regular occurrences.

--------
Roger Seielstad
E-mail Geek & MS-MVP  
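Two points in Roger's reply are worth seeing in code: a filter that does not track UDP state will drop the reply from port 53 unless an inbound rule admits it, and a resolver only switches to TCP when the reply carries the TC (truncated) bit, which is why only some names fail. The following is an added example, not code from the thread or from any Windows component; the packet-filter model is a deliberate simplification (first match wins, default deny, no UDP state) and does not represent any particular firewall product, and the host label "dns-server" and the sample reply bytes are constructed for the demonstration.

```python
import random
import struct

# --- DNS wire format (RFC 1035) ------------------------------------------
# Header: ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT, each 16-bit big-endian.
HEADER = struct.Struct("!HHHHHH")
FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # truncated: the answer did not fit in the UDP payload
FLAG_RD = 0x0100   # recursion desired
FLAG_RA = 0x0080   # recursion available


def encode_name(name):
    """Encode a dotted hostname as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, qid=None):
    """Build a DNS query for `name` (qtype 1 = A record, class 1 = IN)."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    return HEADER.pack(qid, FLAG_RD, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the 12-byte header into the fields a resolver acts on."""
    if len(msg) < HEADER.size:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = HEADER.unpack_from(msg)
    return {"id": qid, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def make_response(query, truncated):
    """Constructed sample reply: echo the query ID and question, set QR (and TC).
    A real truncated reply would carry partial RR data; the header is what matters here."""
    h = parse_header(query)
    flags = FLAG_QR | FLAG_RD | FLAG_RA
    if truncated:
        flags |= FLAG_TC
    return HEADER.pack(h["id"], flags, 1, 0, 0, 0) + query[HEADER.size:]


def needs_tcp_retry(query, response):
    """Decide whether the resolver must repeat this query over TCP/53."""
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        raise ValueError("not a response to this query; discard it")
    return r["tc"]


# --- Packet-filter model (simplified; not any specific firewall product) -
# A rule matches on a subset of packet fields; first match wins; default deny.
def first_match(rules, pkt):
    for rule in rules:
        if all(pkt.get(k) == v for k, v in rule["match"].items()):
            return rule["action"] == "allow"
    return False


# The ruleset described in the thread: 53/tcp and 53/udp outbound only.
OUTBOUND_ONLY = [
    {"match": {"dir": "out", "proto": "udp", "dport": 53}, "action": "allow"},
    {"match": {"dir": "out", "proto": "tcp", "dport": 53}, "action": "allow"},
]
# Roger's fix: also admit UDP from port 53 to the DNS hosts ("dns-server" is a placeholder label).
WITH_INBOUND = OUTBOUND_ONLY + [
    {"match": {"dir": "in", "proto": "udp", "sport": 53, "dst": "dns-server"}, "action": "allow"},
]


def udp_lookup_completes(rules):
    """Does a UDP query/reply pair pass a filter that keeps no UDP state?"""
    query = {"dir": "out", "proto": "udp", "src": "dns-server", "sport": 51234, "dport": 53}
    reply = {"dir": "in", "proto": "udp", "dst": "dns-server", "sport": 53, "dport": 51234}
    return first_match(rules, query) and first_match(rules, reply)


if __name__ == "__main__":
    q = build_query("www.volksbanksalzburg.at")
    print("truncated reply -> retry over TCP:", needs_tcp_retry(q, make_response(q, True)))
    print("UDP lookup completes, outbound rules only:", udp_lookup_completes(OUTBOUND_ONLY))
    print("UDP lookup completes, with inbound UDP/53:", udp_lookup_completes(WITH_INBOUND))
```

With only the outbound rules, the query leaves but the reply never matches anything and is dropped; the inbound UDP/53 rule to the DNS hosts is what lets the reply back in. The TC check is the other half of the picture: a name whose answer overflows the UDP payload makes the resolver retry on TCP/53, which a stateful filter tracks on its own, so those lookups succeed while plain UDP ones fail.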

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
> Sent: Tuesday, November 16, 2004 7:41 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
> 
> TCP or UDP through the firewall?
> 
> What have you done to troubleshoot?  Logs?  ?? 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, 
> Russ
> Sent: Tuesday, November 16, 2004 8:58 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
> 
> Yes, all DNS is working fine except for some rare instances of 
> hostnames we've run into.  Last week we couldn't get to ftp.nai.com 
> but now we can.
> All our workstations are pointed to our child DCs for DNS.  
> They are set to forward to our empty root DCs, and the empty root DCs 
> have the root-hints, and the firewall allows them out port 53.
> 
> ________________________________
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Robert 
> Rutherford
> Sent: Tuesday, November 16, 2004 7:53 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] DNS Issues
> 
> 
> 
> I'd advise using forwarding for the functions you require.
> 
>  
> 
> It may seem stupid... but I take it the DNS server/s have appropriate 
> rules in your firewall/s?
> 
>  
> 
> ________________________________
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, 
> Russ
> Sent: 16 November 2004 13:48
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] DNS Issues
> 
>  
> 
> Since changing our DNS design from forwarding to our old firewall 
> which had root-hints built into it, to forwarding our DNS to our empty 
> forest root domain controllers with the root-hints on them, we are not 
> getting all our DNS lookups.
> 
>  
> 
> For example, http://www.volksbanksalzburg.at right now is not 
> resolving for us.  Yet if we RDP into one of our home PCs, it resolves 
> fine.  So my question is, is there anything weird about Windows 2000 
> root-hints or DNS servers that would cause us to not be able to look 
> up some hostnames properly in DNS?
> Or what would cause this issue?
> 
> 
> 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> This e-mail is confidential, may contain proprietary information of 
> the Cooper Cameron Corporation and its operating Divisions and may be 
> confidential or privileged.
> 
> This e-mail should be read, copied, disseminated and/or used only by 
> the addressee. If you have received this message in error please 
> delete it, together with any attachments, from your system.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: 
> http://www.mail-archive.com/activedir%40mail.activedir.org/