
Experts, I have a problem with my DNS servers' configuration; the network diagram is shown in the figure:

[Figure: network diagram]

The problem is manifesting as follows:

  1. There are 2 DNS servers servicing both internal and external requests; the first one is the domain controller, the other one is the mail and web server;

  2. The server servicing external requests is located in the LAN and has the address 192.168.1.11; to serve the extranet, the router provides static address-to-address NAT;

  3. Clients in the LAN use the domain controller as their DNS server, and it has the corresponding zone (it is authoritative for the zone) where names are resolved to local addresses;

  4. The server for extranet requests resolves names to external addresses; it has been tested OK from the outside. If one runs a query from home, e.g.

    dig @8.8.8.8 mail.company.com.
    

    then it produces the correct answer:

    ;; ANSWER SECTION:
    mail.company.com.           0       IN      A       111.111.111.111
    

However, when in the LAN, there appears to be a strange anomaly:

dig @8.8.8.8 mail.company.com.

;; ANSWER SECTION:
mail.company.com.           0       IN      A       192.168.1.11

nslookup gives a similar response:

nslookup -type=A -class=IN mail.company.com. 8.8.8.8

Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative:

Name:    mail.company.com
Address:  192.168.1.11

Regardless of which external server is designated to serve DNS requests (Google DNS, OpenDNS, ISP DNS), each of them returns LAN addresses.

This looks OK for 192.168.1.101 (the domain controller), but not for external servers. Clearing the resolver's cache and changing DNS servers at the client PC doesn't help: external DNS servers are sending back local addresses, which shouldn't be possible. The same DNS servers, when queried from outside (from home or another office), return the correct external addresses.

Remarkably, when sending a direct request to my server servicing external requests, I'm getting the correct reply:

Server:  ns.company.com.
Address:  192.168.1.11

Name:    mail.company.com.
Address:  111.111.111.111

Actually, I'm asking for assistance to help me solve the problem.

Matteo

1 Answer


So, first of all, when you're querying external DNS servers, don't forget that they are caching results. One of the values in your zone's SOA is how long to cache a result. A better way to test is to query your DNS server directly.

Second, remember that 8.8.8.8 is an anycast address, so you can never be quite sure which actual DNS server you're reaching.

What happens when, from your LAN, you do dig @192.168.1.11 -tA mail.company.com?

If you get the correct response, then I suspect all you need to do is wait for the external DNS servers you've been testing with to expire their cache.

Good Luck

etherfish
  • Thanks etherfish, but I found a clever functionality in the static NAT on my router: https://supportforums.cisco.com/docs/DOC-5229. My router replaces the IP address inside the DNS answer; I didn't know about it. – ITD27M01 Feb 24 '14 at 08:54
  • I'd be surprised if the NAT payload translation was modifying the queries you described, but I'm not an expert. I'm glad you got it resolved. – etherfish Feb 24 '14 at 10:20
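As an added example (not code from the question, the answer, or Cisco), here is a small stdlib-only check for the symptom the poster saw: a DNS response that arrived from a public resolver yet carries RFC 1918 addresses in its A records, which is what a NAT device rewriting DNS payloads produces. The response packet is constructed inline with the values from the question (TTL 0, 192.168.1.11); it is not a capture from the poster's network.

```python
import ipaddress
import struct

def build_response(name, ip):
    # Constructed sample: one question, one A record, TTL 0 (as in the question's dig output).
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = labels + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 0, 4) + ipaddress.IPv4Address(ip).packed  # 0xC00C = pointer to question name
    return header + question + answer

def read_name(pkt, off):
    # Decode a (possibly compressed) name; return it and the offset just after it.
    labels, end = [], None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode())
        off += length
    return ".".join(labels) + ".", (off if end is None else end)

def parse_a_records(pkt):
    # Skip the header and question section, then collect (name, ttl, ip) for each A record.
    qdcount, ancount = struct.unpack("!HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):
        _, off = read_name(pkt, off)
        off += 4  # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            records.append((name, ttl, str(ipaddress.IPv4Address(pkt[off:off + 4]))))
        off += rdlen
    return records

def suspicious_answers(pkt, resolver):
    # The symptom in the question: a public resolver's answer carries RFC 1918 addresses.
    if ipaddress.ip_address(resolver).is_private:
        return []
    return [r for r in parse_a_records(pkt) if ipaddress.ip_address(r[2]).is_private]
```

Feeding it the bytes captured from `dig @8.8.8.8 mail.company.com.` on the LAN would flag the 192.168.1.11 answer, while the same query from outside (or against 192.168.1.101, a private resolver that legitimately serves local addresses) returns nothing.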