Windows 2008 DNS netmask problems


mtrx

Hello,

I have a strange problem in my network.

Here is the topology:

Remote Office -----Internet VPN tunnel -----Local Office

Windows 2008 server -Linux router -----Internet VPN tunnel---ISA Server ----Windows 2008 server

At the remote site:

3 different network cards with 3 different networks

1. 192.168.30.0/24 routed to Local Office

2. 10.10.0.0/16

3. 11.11.0.0/16

The networks 10.10.0.0 and 11.11.0.0 have no routing enabled to the other office.

At the local site:

1 inside network

1. 10.7.12.0/24

I have no problem pinging from 10.7.12.0 to 192.168.30.0 and back.

I have correctly configured my DNS servers to forward DNS queries to the local networks.

But when I try to look up some DNS record from 10.7.12.0, the DNS server returns an address from network 10.10.0.0 to which I do not have routing.

I cannot delete the HOST A records for the 10.10.0.0 and 11.11.0.0 networks because my domain controller will be unavailable.

I have tried to configure DNS not to use netmask ordering and to force lookups only in 24-bit networks, but I don't have any success.

The two servers are domain controllers from different forests.

Can anyone help?


Troubleshooting IP issues when VPN'ed can become a bit convoluted.

Are you sure routes to the tunnels are configured properly?

> But when I try to look up some DNS record from 10.7.12.0, the DNS server returns an address from network 10.10.0.0 to which I do not have routing.

What do you mean by this? Does the DNS server have an IP address on the 10.10.0.0 subnet?


> Troubleshooting IP issues when VPN'ed can become a bit convoluted.
>
> Are you sure routes to the tunnels are configured properly?
>
> > But when I try to look up some DNS record from 10.7.12.0, the DNS server returns an address from network 10.10.0.0 to which I do not have routing.
>
> What do you mean by this? Does the DNS server have an IP address on the 10.10.0.0 subnet?

The DNS server has the record for the 10.10.0.0 network, but this network is only accessible from the remote site; it has no tunneling to 10.7.12.0 (local office).

Here is some nslookup output from both sides.

Remote Site Server - Network 192.168.30.0

Name:	server.domain.ext
Addresses: 192.168.30.231, 11.11.11.231, 10.10.10.231

Local site, same nslookup record - Network 10.7.12.0

Name:	server.domain.ext
Addresses: 192.168.30.231, 11.11.11.231, 10.10.10.231

So - DNS records are fine.

Local site testing:

ping 192.168.30.231
Reply from 192.168.30.231: bytes=32 time=26ms TTL=127

ping server.domain.ext

Pinging server.domain.ext [10.10.10.231] with 32 bytes of data:

Reply from Gateway: Destination host unreachable.

So the DNS server returns to me the closest address to network 10.7.12.0/24, which is 10.10.10.231, and to which I do not have routing.

I searched Google for some days and the only thing that I found is to use netmask ordering in the Windows DNS server, but after testing nothing happens.

I can't delete the 10.10.0.0 records from the DNS server because I am using it. Any ideas?

Tunneling works fine. I do not want to tunnel the 10.10.0.0 network because it is a secured network for my storage server.

Hard to explain :D

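As an added illustration (not code from the thread or from either poster), the small Python check below models the two orderings this post is wrestling with: server-side netmask ordering, which only promotes answers inside the client's /24 (or another prefix length), and the "closest address" behaviour the poster observes, which for a 10.7.12.x client ranks 10.10.10.231 first because it shares the most leading bits. It then flags whether the address the client will try first is actually routable. The answer set and the routed prefixes are constructed from the nslookup and ping output above.

```python
import ipaddress

# Constructed from the thread's nslookup output: the multi-homed A record
# for server.domain.ext (the record set, independent of answer order).
ANSWERS = ["192.168.30.231", "11.11.11.231", "10.10.10.231"]

# Constructed from the ping results: prefixes a local-office client in
# 10.7.12.0/24 can reach (its own LAN plus the tunnelled remote LAN).
ROUTED_FROM_LOCAL = ["10.7.12.0/24", "192.168.30.0/24"]


def netmask_order(client_ip, answers, prefixlen=24):
    """Netmask ordering as discussed in the thread: answers inside the
    client's /prefixlen network move to the front, the rest keep their order.
    With the default /24 none of the three answers matches a 10.7.12.x client."""
    client_net = ipaddress.ip_network(f"{client_ip}/{prefixlen}", strict=False)
    local = [a for a in answers if ipaddress.ip_address(a) in client_net]
    other = [a for a in answers if ipaddress.ip_address(a) not in client_net]
    return local + other


def closest_first(client_ip, answers):
    """'Closest address' as the poster sees it: most leading bits shared with
    the client. 10.7.12.5 shares 12 bits with 10.10.10.231, 7 with
    11.11.11.231 and none with 192.168.30.231."""
    client = int(ipaddress.ip_address(client_ip))

    def shared_bits(addr):
        return 32 - (client ^ int(ipaddress.ip_address(addr))).bit_length()

    return sorted(answers, key=shared_bits, reverse=True)


def first_reachable(ordered_answers, routed_prefixes):
    """Return the first answer that falls inside a routed prefix, or None."""
    nets = [ipaddress.ip_network(p) for p in routed_prefixes]
    for addr in ordered_answers:
        if any(ipaddress.ip_address(addr) in n for n in nets):
            return addr
    return None


def diagnose(client_ip, answers, routed_prefixes, prefixlen=24):
    """Which answer each ordering puts first, and whether the 'closest' one
    is routable; reproduces the unreachable 10.10.10.231 pick from the post."""
    by_mask = netmask_order(client_ip, answers, prefixlen)
    by_closeness = closest_first(client_ip, answers)
    return {
        "netmask_order_first": by_mask[0],
        "closest_first": by_closeness[0],
        "closest_is_routable": first_reachable(by_closeness[:1], routed_prefixes) is not None,
        "first_routable_answer": first_reachable(by_mask, routed_prefixes),
    }
```

Running `diagnose("10.7.12.5", ANSWERS, ROUTED_FROM_LOCAL)` reports 10.10.10.231 as the closest pick and marks it unroutable, while 192.168.30.231 is the first answer the client can actually reach.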

The message "Destination host unreachable" seems to indicate a routing problem, not a DNS problem.

I believe you would get a different message like the following if it were a DNS problem:

P:\>ping jsmith
Ping request could not find host jsmith. Please check the name and try again.

Yes, there is a routing problem because the 10.10.0.0 network is hidden. 10.10.0.0 must be visible only in VLAN2.

Did you check the topology?


Yes, your topology is a bit confusing. Each VLAN should consist of a separate subnet, but you have VLAN1 containing 192.168.30.0/24, and 10.10.0.0/16, and VLAN2 containing 10.10.0.0/16.

If you're not routing from the 10.10.0.0/16 network, traffic including DNS resolution will not cross the routers.


> Yes, your topology is a bit confusing. Each VLAN should consist of a separate subnet, but you have VLAN1 containing 192.168.30.0/24, and 10.10.0.0/16, and VLAN2 containing 10.10.0.0/16.
>
> If you're not routing from the 10.10.0.0/16 network, traffic including DNS resolution will not cross the routers.

My fault.

The 10.10.0.0 network is in VLAN 2, not VLAN 1, so VLAN 1 contains only 192.168.30.0 (sorry).


It sounds like the problem is not DNS or netmask related, but routing related.

I'm not clear on how you can 'hide' the 10.10.0.0/16 and/or 11.11.0.0/16 subnets by not having them in your routing tables and still resolve names to those subnets (or pass any other traffic to those subnets). 11.11.0.0/16 is not in the private address space by the way. You may want to change that subnet to 10.11.0.0/16 or some other reserved IP subnet.

10.7.12.0/24 and 10.10.0.0/16 are separate address spaces, so there should be no conflict there.


> It sounds like the problem is not DNS or netmask related, but routing related.
>
> I'm not clear on how you can 'hide' the 10.10.0.0/16 and/or 11.11.0.0/16 subnets by not having them in your routing tables and still resolve names to those subnets (or pass any other traffic to those subnets). 11.11.0.0/16 is not in the private address space by the way. You may want to change that subnet to 10.11.0.0/16 or some other reserved IP subnet.
>
> 10.7.12.0/24 and 10.10.0.0/16 are separate address spaces, so there should be no conflict there.

:)

There is no routing problem.

The networks are hidden because they do not have access to other VLANs, and the router does not have these addresses to route them anywhere.

The servers have 3 separate Ethernet network cards, one for each of the networks.

Two of our DNS servers have 3 separate interfaces in the three networks, so I cannot delete the HOST A records from the DNS server.

10.10.0.0 and 11.11.0.0 must be hidden networks and only a few computers will have access to them.

The 10.10.0.0 network is behind my storage server and 11.11.0.0 (only two addresses) is for my cluster heartbeat.

I think I found a solution. I will create a secondary DNS zone at my local DNS server and replicate all the data from the remote DNS server; then I will delete the records for networks 10.10.0.0/16 and 11.11.0.0/16 and everything would work fine. The only problem is that when the remote DNS server updates its records I have to do it manually at my server, because replication will mess up the secondary zone.


Good luck with it mtrx.

Please let us know how it goes.

Molya

We found a solution.

After the unsuccessful creation of a secondary DNS zone we tried to change the priority of the network adapters, but still no success.

Finally we changed the IP addresses of the two networks 10.10.0.0 and 11.11.0.0 to 192.168.50.0/25, and now DNS returns the closest IP address from network 192.168.30.0.

We found that netmask ordering is still working after it is disabled on the DNS servers, so our only solution was to change the networks.

Thank you ;)
