Configure DNS for Internet-Access
Created 2001-04-01 Rainer
If a Windows 2000 server with Active Directory is installed using the
standard setup, DNS resolution for Internet addresses will often fail. This
ultimately results in lost Internet connectivity. The reason is a set of defaults
in the Active Directory wizards.
Active Directory absolutely needs a working DNS to function correctly
(background information can be found in our article "Active
Directory and DNS").
Because of this, the Active Directory installation wizard (dcpromo.exe) installs
not only Active Directory but also a DNS server if none is already installed on
the machine dcpromo is running on. During this process, a very basic but
extremely important question is asked: "Would you like to make this
server a DNS root server?". The default answer is "Yes".
If that default is accepted, this newly installed DNS server assumes it is a
"real" Internet root server and as such responsible for DNS resolution
in the whole Internet. Being a root server, it assumes that it is able to
resolve all valid names - an assumption that of course is not correct. Why this
assumption? A real DNS root server is a server that indeed is responsible for
the top-level domains, that is .COM, .NET, .ORG and country-specific domains
like .US, .UK or .DE. If your own machine considers itself a root server, it
will never ask any other DNS server for help with name resolution, as it
assumes it itself is at the top of that hierarchy. However, it does not have the
actual data for all of these top-level domains. So it effectively is no longer
able to resolve any real Internet name. Any machine using this DNS server will
not be able to resolve Internet names. If someone tries to access e.g. a web
site from such a machine, the browser will simply display a "host not
found" error message.
How to diagnose this problem?
As we said, this problem does not occur under all circumstances - but it
happens often. To detect it, we need a bit more DNS theory: when we think
of domain names, things like "windows-expert.net" or
"microsoft.com" come to mind. However, there must be a way to
indicate the root of the DNS system (did you ever wonder how .com itself can be
resolved?). In DNS, the root is called "." - a single period. Each DNS
server serving the "." zone behaves like a root server.
Armed with that knowledge, diagnosis is simple: just call up the Windows DNS
manager, select your server and switch to its forward lookup zones. The
screenshot below shows a typical scenario that is experiencing the misconfiguration
(root domain indicated in red):
[Screenshot: DNS server with root domain]
If your DNS manager looks similar (and has the "."
zone), you have just found the cause of the problem.
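The same check can be made from any machine on the network without opening the DNS manager. The following is an added example, not part of the original article: it sends a SOA query for "." to the server and inspects the AA (authoritative answer) flag in the reply. A server that answers authoritatively for "." is hosting its own root zone. It uses only the Python standard library; the server address is whatever you pass to check_server, and the two sample replies are constructed for illustration.

```python
import random
import socket
import struct

SOA, IN = 6, 1

def build_root_soa_query(txid):
    """DNS query for the SOA record of "." (the root), recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME for "." is a single empty label (one zero byte).
    return header + b"\x00" + struct.pack("!HH", SOA, IN)

def parse_header(reply):
    """Return the interesting header fields of a raw DNS reply."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),     # this is a response
        "aa": bool(flags & 0x0400),     # authoritative answer
        "rcode": flags & 0x000F,        # 0 = NOERROR, 2 = SERVFAIL
        "ancount": ancount,
    }

def claims_root(reply, txid):
    """True if the server answered authoritatively for ".": it hosts a root zone."""
    h = parse_header(reply)
    if h["id"] != txid or not h["qr"]:
        raise ValueError("not a reply to our query")
    return h["rcode"] == 0 and h["aa"] and h["ancount"] > 0

def check_server(ip, port=53, timeout=3.0):
    """Send the query to a live server (assumed reachable on UDP/53)."""
    txid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_root_soa_query(txid), (ip, port))
        reply, _ = sock.recvfrom(512)
    return claims_root(reply, txid)

# Constructed sample replies (not captured from a real server), txid 0x1234.
# flags 0x8580 = QR + AA + RD + RA, rcode 0: the server owns the "." zone.
MISCONFIGURED_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
    + b"\x00" + struct.pack("!HH", SOA, IN)                  # question: . SOA IN
    + b"\xc0\x0c" + struct.pack("!HHIH", SOA, IN, 3600, 22)  # answer: name ptr, TTL, rdlen
    + b"\x00\x00" + struct.pack("!IIIII", 1, 900, 600, 86400, 3600)  # minimal SOA rdata
)
# flags 0x8180 = QR + RD + RA, no AA: a healthy resolver relaying the real root SOA.
HEALTHY_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + MISCONFIGURED_REPLY[12:]
```

Run `check_server("<your DNS server IP>")` against the suspect server; `True` means it answers as the root and the "." zone should be removed as described below.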
How to Fix it?
Good news: this situation is extremely easy to fix! Just delete the root zone
(the "." entry). To do so, select the dot under forward lookup zones
and delete it (either by pressing Delete or right-clicking it and selecting
"Delete"). As deleting a zone is an important and potentially disastrous
action, the DNS manager requires a confirmation before committing the deletion:
Click OK. Now the root zone is removed from the server and it knows that it
is only able to resolve names from zones it is configured for (pkl.adiscon.com
in the above sample).
Internet Name Resolution
The remaining question is how we can have our DNS server correctly resolve real
Internet names. There are two ways to do it: either the server itself connects
to the real Internet DNS root servers or it uses a so-called
"forwarder". The Windows DNS server can use both methods - it needs to be
configured to use one of them.
To view or modify the configuration, right click the server in DNS manager.
Then, select "Properties" from the context menu. A new dialog appears.
There, select "Forwarder":
If "Enable Forwarders" is checked, your DNS server will use the
forwarders specified to resolve names it cannot resolve itself. Forwarder
addresses are specified in the big listbox. In the above sample, there is a
single forwarder with IP 172.16.0.1. Please note that forwarders need to be
specified by IP address and not by DNS name, as most probably your DNS server would
not be able to resolve that name without using the forwarder - which would
lead to an endless loop.
In a typical setup, the DNS forwarders should be provided by your local
Internet access provider. As DNS queries are cached, this will result in optimal
performance. We recommend having at least two forwarders. If - as in the example
- only a single forwarder is available, this is a single point of failure. If it
goes down, no name resolution and thus Internet access is possible - even if the
connection and all other servers are working perfectly well. Most ISPs provide
at least two servers for their customers. If in doubt, ask!
In short: use a forwarder whenever possible. The ISP's DNS server is
typically very well connected to the Internet. This, together with a large
amount of already cached DNS queries, will typically ensure best performance for
name resolution. Keep in mind that even root server queries are typically faster
when done from the provider's server because it typically has a much broader
connection to the Internet (and thus the root servers) than your server has. If
you experience difficulties with DNS resolution, however, it might be a good
idea to temporarily disable the forwarders and use direct root server
resolution. If that solves the problems, it is time to seriously talk to your
Using Internet Root Servers
If - for whatever reason - you decide not to use forwarders,
you need to uncheck "Enable Forwarders". In this case, your DNS server
itself will contact the Internet root servers to resolve the DNS request. To do
so, it must know the root servers' IP addresses. Once again, these cannot be
obtained via DNS because this would again lead to an endless loop. So how does it
know these addresses? It's no mystery at all: they are delivered by Microsoft
(and any other vendor of DNS servers)! Please have a look at the "Root
Hints" tab in the DNS server's properties:
These are the actual root server IP addresses - really hardcoded! These
entries can be changed - you can add and delete root servers. This is most often
done to integrate into an alternative DNS. HOWEVER: if you modify the root
server settings, make sure you exactly know what you do. This is not
the place for experiments. Wrong root server entries can cause very serious
problems and result in total loss of DNS resolution and de facto Internet
My strong recommendation: do not change anything here if you do not
absolutely need to do this. If you do, be sure to fully understand the DNS