mtrx Posted July 29, 2008

Hello, I have a strange problem in my network. Here is the topology:

Remote Office ----- Internet VPN tunnel ----- Local Office
Windows 2008 server - Linux router ----- Internet VPN tunnel --- ISA Server ---- Windows 2008 server

At the remote site: 3 different network cards with 3 different networks
1. 192.168.30.0/24, routed to Local Office
2. 10.10.0.0/16
3. 11.11.0.0/16
The networks 10.10.0.0 and 11.11.0.0 have no routing enabled to the other office.

At the local site: 1 inside network
1. 10.7.12.0/24

I have no problem pinging from 10.7.12.0 to 192.168.30.0 and back. I have correctly configured my DNS servers to forward DNS queries to the local networks. But when I try to look up some DNS record from 10.7.12.0, the DNS server returns an address from network 10.10.0.0, to which I do not have routing. I can not delete the HOST A records for the 10.10.0.0 and 11.11.0.0 networks because my domain controller will be unavailable. I have tried to configure DNS to not use DNS mask ordering and to force it to look up only in 24-bit networks, but I don't have any success. The two servers are domain controllers from different forests. Anyone to help?
homecomputeraid Posted July 29, 2008

Troubleshooting IP issues when VPN'ed can become a bit convoluted. Are you sure routes to the tunnels are configured properly?

> But when I try to look up some DNS record from 10.7.12.0, the DNS server returns an address from network 10.10.0.0, to which I do not have routing

What do you mean by this? Does the DNS server have an IP address on the 10.10.0.0 subnet?
mtrx Posted July 30, 2008 Author

> Troubleshooting IP issues when VPN'ed can become a bit convoluted. Are you sure routes to the tunnels are configured properly?
>
> > But when I try to look up some DNS record from 10.7.12.0, the DNS server returns an address from network 10.10.0.0, to which I do not have routing
>
> What do you mean by this? Does the DNS server have an IP address on the 10.10.0.0 subnet?

The DNS server has the record for the 10.10.0.0 network, but this network is only accessible from the Remote site. It has no tunneling to 10.7.12.0 (local office). Here is some nslookup from both sides:

Remote Site Server - Network 192.168.30.0
Name: server.domain.ext
Addresses: 192.168.30.231, 11.11.11.231, 10.10.10.231

Local site, same nslookup record - Network 10.7.12.0
Name: server.domain.ext
Addresses: 192.168.30.231, 11.11.11.231, 10.10.10.231

So - DNS records are fine.

Local Site testing:
ping 192.168.30.231
Reply from 192.168.30.231: bytes=32 time=26ms TTL=127
ping server.domain.ext
Pinging server.domain.ext [10.10.10.231] with 32 bytes of data:
Reply from Gateway: Destination host unreachable.

So the DNS server returns to me the closest address to network 10.7.12.0/24, which is 10.10.10.231, and to which I do not have routing. I searched Google for some days and the only thing that I found is to use netmask ordering in the Windows DNS server, but after testing nothing happens. I can't delete the 10.10.0.0 records from the DNS server because I am using it. Any ideas? Tunneling works fine. I do not want to tunnel the 10.10.0.0 network because it is a secured network for my storage server. Hard to explain :D
mtrx Posted July 30, 2008 Author

Topology
homecomputeraid Posted July 30, 2008

The message "Destination host unreachable" seems to indicate a routing problem, not a DNS problem. I believe you would get a different message like the following if it were a DNS problem:

P:\>ping jsmith
Ping request could not find host jsmith. Please check the name and try again.
mtrx Posted July 30, 2008 Author

> The message "Destination host unreachable" seems to indicate a routing problem, not a DNS problem. I believe you would get a different message like the following if it were a DNS problem:
>
> P:\>ping jsmith
> Ping request could not find host jsmith. Please check the name and try again.

Yes, there is a routing problem because the 10.10.0.0 network is hidden. 10.10.0.0 must be visible only in VLAN2. Did you check the topology?
homecomputeraid Posted July 30, 2008

Yes, your topology is a bit confusing. Each VLAN should consist of a separate subnet, but you have VLAN1 containing 192.168.30.0/24 and 10.10.0.0/16, and VLAN2 containing 10.10.0.0/16. If you're not routing from the 10.10.0.0/16 network, traffic including DNS resolution will not cross the routers.
mtrx Posted July 31, 2008 Author

> Yes, your topology is a bit confusing. Each VLAN should consist of a separate subnet, but you have VLAN1 containing 192.168.30.0/24 and 10.10.0.0/16, and VLAN2 containing 10.10.0.0/16. If you're not routing from the 10.10.0.0/16 network, traffic including DNS resolution will not cross the routers.

My fault, the 10.10.0.0 network is at VLAN 2, not VLAN1, so VLAN 1 contains only 192.168.30.0 (sorry).
homecomputeraid Posted August 1, 2008

It sounds like the problem is not DNS or netmask related, but routing related. I'm not clear on how you can 'hide' the 10.10.0.0/16 and/or 11.11.0.0/16 subnets by not having them in your routing tables and still resolve names to those subnets (or pass any other traffic to those subnets).

11.11.0.0/16 is not in the private address space, by the way. You may want to change that subnet to 10.11.0.0/16 or some other reserved IP subnet. 10.7.12.0/24 and 10.10.0.0/16 are separate address spaces, so there should be no conflict there.
mtrx Posted August 1, 2008 Author

> It sounds like the problem is not DNS or netmask related, but routing related. I'm not clear on how you can 'hide' the 10.10.0.0/16 and/or 11.11.0.0/16 subnets by not having them in your routing tables and still resolve names to those subnets (or pass any other traffic to those subnets).
>
> 11.11.0.0/16 is not in the private address space, by the way. You may want to change that subnet to 10.11.0.0/16 or some other reserved IP subnet. 10.7.12.0/24 and 10.10.0.0/16 are separate address spaces, so there should be no conflict there.

:) There is no routing problem. The networks are hidden because they do not have access to other VLANs and the router does not have these addresses to route them to somewhere. The servers have 3 separate Ethernet network cards, one for each of the networks. Two of our DNS servers have 3 separate interfaces in the three networks, so I can not delete the HOST A records from the DNS server. 10.10.0.0 and 11.11.0.0 must be hidden networks and only a few computers will have access to them. The 10.10.0.0 network is behind my Storage server and 11.11.0.0 (two addresses only) is for my Cluster Heartbeat.

I think I found a solution. I will create a Secondary DNS zone at my Local DNS server and replicate all the data from the remote DNS server, then I will delete the records for networks 10.10.0.0/16 and 11.11.0.0/16 and everything would work fine. The only problem is that when the remote DNS server updates its records I have to do it manually at my server, because replication will mess up the secondary zone.
homecomputeraid Posted August 1, 2008

Good luck with it mtrx. Please let us know how it goes.

Please
mtrx Posted August 7, 2008 Author

> Good luck with it mtrx. Please let us know how it goes.
>
> Please

We found a solution. After the unsuccessful creation of a Secondary DNS zone, we tried to change the priority of the network adapters, but still no success. Finally we changed the IP addresses of the two networks 10.10.0.0 and 11.11.0.0 to 192.168.50.0/25, and now DNS returns the closest IP address from network 192.168.30.0. We found that netmask ordering is still working after it's disabled on the DNS servers, so our only solution was to change the networks.

Thank you ;)
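The two observations in this thread (mtrx's July 30 ping test, where a client on 10.7.12.0/24 picked 10.10.10.231 out of the three addresses, and the August 7 fix, where renumbering the hidden networks away from 10.x made the preference disappear) can be reproduced offline. The script below is an added example, not code from the thread or from either poster, and it makes one labelled assumption: that the "closest address" choice mtrx saw is the longest-matching-prefix rule that RFC 3484 address selection applies on the client, which is a separate mechanism from the server-side netmask ordering he had disabled. Server-side netmask ordering at /24 cannot prefer 10.10.10.231 for a 10.7.12.x client (no answer is on that /24), but a longest-prefix sort does, because 10.7.x.x and 10.10.x.x share 12 leading bits while 192.168.30.231 shares none. The client address 10.7.12.50 and the 192.168.50.x host numbers are constructed; the three A records and the route list come from the thread.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample data taken from the thread: the multi-homed domain
# controller's three A records, and an assumed client address inside the local
# office subnet 10.7.12.0/24 (the exact host address is not in the thread).
SERVER_A_RECORDS = ["192.168.30.231", "11.11.11.231", "10.10.10.231"]
LOCAL_CLIENT = "10.7.12.50"

# Networks the local office can actually reach (from the thread): its own LAN and
# the VPN-routed 192.168.30.0/24. 10.10.0.0/16 and 11.11.0.0/16 are deliberately absent.
LOCAL_ROUTES = ["10.7.12.0/24", "192.168.30.0/24"]


def common_prefix_len(addr_a: str, addr_b: str) -> int:
    """Number of leading bits two IPv4 addresses have in common."""
    diff = int(ipaddress.IPv4Address(addr_a)) ^ int(ipaddress.IPv4Address(addr_b))
    return 32 - diff.bit_length()


def netmask_order(records: List[str], client: str, prefixlen: int = 24) -> List[str]:
    """Server-side netmask ordering as the thread describes it: answers that sit on
    the client's /prefixlen network are moved to the front of the answer set; the
    relative order of all other answers is left untouched."""
    client_net = ipaddress.ip_network(f"{client}/{prefixlen}", strict=False)
    near = [r for r in records if ipaddress.IPv4Address(r) in client_net]
    far = [r for r in records if ipaddress.IPv4Address(r) not in client_net]
    return near + far


def longest_prefix_order(records: List[str], client: str) -> List[str]:
    """Client-side ordering by longest matching prefix (RFC 3484 rule 9).
    Assumption (not stated in the thread): this is the rule that makes a 10.7.12.x
    client try 10.10.10.231 first even though no answer is on its own /24.
    sorted() is stable, so ties keep the order the DNS server returned."""
    return sorted(records, key=lambda r: -common_prefix_len(r, client))


def routable(records: Iterable[str], routes: Iterable[str]) -> List[str]:
    """Diagnostic filter: keep only the answers inside a network the client can reach.
    This is the check an admin can run to see which A records are dead on arrival
    for a given site; DNS itself has no way to apply it."""
    nets = [ipaddress.ip_network(n) for n in routes]
    return [r for r in records if any(ipaddress.IPv4Address(r) in n for n in nets)]


if __name__ == "__main__":
    print("netmask ordering (/24):   ", netmask_order(SERVER_A_RECORDS, LOCAL_CLIENT))
    print("longest-prefix ordering:  ", longest_prefix_order(SERVER_A_RECORDS, LOCAL_CLIENT))
    print("reachable from local site:", routable(SERVER_A_RECORDS, LOCAL_ROUTES))
    # After the renumbering in the last post: hidden networks moved to 192.168.50.0/25
    # (host numbers constructed). No answer shares prefix bits with 10.7.12.x any more,
    # so the longest-prefix rule has nothing to prefer and the server's order stands.
    renumbered = ["192.168.30.231", "192.168.50.1", "192.168.50.2"]
    print("after renumbering:        ", longest_prefix_order(renumbered, LOCAL_CLIENT))
```

Running it shows the /24 netmask ordering leaving the answer set unchanged for the 10.7.12.50 client, the longest-prefix sort putting 10.10.10.231 first (exactly the address the ping in the thread tried), and `routable` reducing the three answers to the single one the local office can reach, 192.168.30.231. With the renumbered addresses every answer ties at zero common bits and the first record the DNS server hands back wins, which matches the behaviour reported after the fix.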
homecomputeraid Posted August 7, 2008

Thanks for posting the solution mtrx! My wife is Bulgarian.