Newbie Q - Can't resolve external queries

Kevin Darcy kcd at daimlerchrysler.com
Wed Jan 19 03:29:39 UTC 2000


If you have no direct access to the Internet from your nameserver, then in
order to resolve Internet names, you'll need that access opened up on the
firewall, or you'll need to use a forwarder to resolve those names for you.
I don't think your nslookup test necessarily proved that you can query the root
nameservers directly, since from your description it sounds like you just set
your server to a.root-servers.net and then immediately switched to an internal
server by its IP address -- this wouldn't have necessarily sent a query to
a.root-servers.net. For a better test, try bouncing a few different NS queries
off of a root server and see if you get answers. Even if you have access to the
root servers, however, unless you have full access to the Internet DNS, your
nameserver won't be able to follow the referrals it gets back from the roots.
The suggestion that you add the company.com nameservers to your hints file
fails for the same reason, assuming they return the same kinds of referrals.

It's also not clear what you mean when you say you can't nslookup to the
company.com servers. Do the queries time out (possibly an internal
firewall-rule or routing problem)? Do you get referrals, i.e.
non-authoritative, 0-answer responses to your queries (apparently recursion is
turned off or not permitted to you on those servers)? Are the queries refused
(ACL problem on the server)? Or do the servers just claim that the names don't
exist (maybe they don't have Internet visibility, only visibility to an
internal root, or maybe nslookup is obscuring the real error, try debug mode or
appending a dot to the lookup)? The type of failure is important here. If you
can't resolve external names from those servers via nslookup, then chances are
your nameserver won't be able to use them as forwarders either.

Are you absolutely sure that you need to resolve Internet names, and that
facilities exist within your company to do so? If your firewalls are proxying
(or, in the case of SMTP, relaying) all permitted protocols, then it is quite
possible that your clients don't need the ability to resolve Internet names,
and if that is the case, there may be no facility to do so. Just thought I'd
ask.

Lastly, there still seems to be some intermingling between the 2 goals here:
1) establishing your subdomain on your intranet, and 2) gaining the ability to
resolve Internet names. The suggestion that you add NS'es for the company.com
servers to your db files, for instance, is relevant to (1) (assuming that they
will act as slaves to your zone), but not to (2).


- Kevin

Phil Elia wrote:

> Barry,
>
> Thanks for responding and sorry for being vague about this problem.
>
> This is a firewall situation where our parent site (company.com) provides
> firewall protection for most of the subdomains.  Furthermore, most
> subdomains have no internal DNS servers running.  WinNT lans use the WINS
> facility and Host files.  All external queries have to pass through the two
> company.com name servers. Our site is one of the few sites that have
> internal DNS running.  We're the only site with a WinNT BIND DNS
> implementation.
>
> When I run nslookup all external queries (yahoo.com, cisco.com) fail.  Also,
> I cannot nslookup to the two company.com nameservers either.  I can nslookup
> to the root servers in db.cache.  By first setting the server to
> a.root-servers.net then setting server to the company.com name server (I
> found it only using IP address) I was able to set type=ns and see the
> delegation for oursite.company.com.
>
> First, the company.com DNS admins told me to make two entries in db.cache
> for the two company.com nameservers.  I did this and nothing improved.  Now
> they are telling me that I need two IN NS entries for the two company.com
> nameservers in the db files.
>
> They said nothing about opening up port 53 and setting forwarders up.
>
> Can you tell me if forwarders are still the way to go?
>
> Thanks Much,
>
> Phil Elia
>
> Barry Margolin <barmar at bbnplanet.com> wrote in message
> news:ExRf4.93$%%2.872 at burlma1-snr2...
> > In article <387fb629.1152122437 at news.slip.net>,
> > Phil Elia <pelia at slip.net> wrote:
> > >This is probably BIND 101 stuff but I'm hoping someone can help me.
> > >Can't seem to resolve any external queries.
> > >
> > >Been running Bind 4.9.7 on a WinNT network internally for some time.
> > >Got a couple of name servers running locally and all internal DNS
> > >works fine.
> > >
> > >I'm now attempting to connect our sub domain to our parent domain for
> > >Internet access.  Our parent has delegated two name servers at their
> > >end for our domain.  Ex. oursite.company.com = parentNS1.company.com
> > >                           oursite.company.com = parentNS2.company.com
> >
> > If you already have servers running locally for your site, why did they
> > delegate your subdomain to those other nameservers?
> >
> > >The db.cache file at our site is current and is being queried by our
> > >nameservers at startup.
> > >
> > >There are no references to the parent name servers in any of our db
> > >files.  Should there be? Where should these entries be located and
> > >what is the syntax?
> > >
> > >Is there anything else that could be causing this problem?
> >
> > I'm having trouble understanding the problem you're trying to solve.  You
> > start out saying that you can't look up *external* names, by which I assume
> > you mean things like www.yahoo.com.  But then you said "I'm now attempting
> > to connect our sub domain to our parent domain".  Which names are you
> > having trouble looking up -- names in company.com or names outside of
> > company.com?
> >
> > To look up external names, you just need to be able to communicate with the
> > Internet.  The db.cache file tells you where the root servers are, and
> > they'll tell you where the servers for yahoo.com are, and your server will
> > query them.  If this doesn't work, a common reason is that your company has
> > a firewall that's blocking the queries or the responses -- they need to
> > allow port 53 back in to your nameservers.  If they only want to allow DNS
> > in to the main corporate nameservers, you could configure your local
> > nameservers to use them as "forwarders".
>
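An added example, not part of the original posts: a small Python script that builds the kind of NS query Kevin suggests bouncing off a root server and sorts a raw reply into the failure types he lists (timeout, referral with recursion unavailable, refused, name does not exist, or a real answer) by reading the DNS header flags and section counts from RFC 1035. The sample replies at the bottom are constructed inline so the script runs offline; ns1.example.com and 192.0.2.10 are placeholders, not hosts from the thread. send_query() is there for a live test against a server's IP if you have one reachable.

```python
"""Classify DNS replies into the failure types discussed in the thread.
Added example, not from the original posts. Sample replies are constructed
here; ns1.example.com and 192.0.2.10 are placeholders (RFC 2606/5737).
"""
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPE = {"A": 1, "NS": 2}

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype="NS", qid=0x1234, rd=True):
    """Build a one-question DNS query; RD set so a forwarder would recurse for us."""
    flags = 0x0100 if rd else 0x0000
    header = struct.pack(">HHHHHH", qid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE[qtype], 1)

def skip_name(data, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def classify_response(data):
    """Map a raw reply (or None for no reply) to the failure type it indicates."""
    if data is None:
        return "TIMEOUT"               # nothing came back: firewall rule or routing
    _, flags, _, an, ns, _ = struct.unpack(">HHHHHH", data[:12])
    qr, aa, ra = flags & 0x8000, flags & 0x0400, flags & 0x0080
    rcode = flags & 0x000F
    if not qr:
        return "OTHER"                 # not a response at all
    if rcode == 5:
        return "REFUSED"               # server ACL rejected the query
    if rcode == 3:
        return "NXDOMAIN"              # server claims the name does not exist
    if rcode != 0:
        return RCODE_NAMES.get(rcode, "OTHER")
    if an > 0:
        return "ANSWER"
    if not aa and ns > 0:
        # non-authoritative, zero answers, NS records in authority: a referral
        return "REFERRAL" if ra else "REFERRAL (recursion not available)"
    return "OTHER"

def send_query(server_ip, name, qtype="NS", timeout=3.0):
    """Send one UDP query to server_ip:53; return the raw reply, or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server_ip, 53))
        try:
            return s.recv(4096)
        except socket.timeout:
            return None

def build_response(query, rcode=0, aa=False, ra=True, answers=(), authority=()):
    """Construct a reply to `query` for offline testing (constructed data only)."""
    qid, _, qd, _, _, _ = struct.unpack(">HHHHHH", query[:12])
    flags = 0x8000 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    question = query[12:skip_name(query, 12) + 4]   # name + QTYPE + QCLASS

    def rr(name, rtype, rdata):
        return encode_name(name) + struct.pack(">HHIH", rtype, 1, 3600, len(rdata)) + rdata

    header = struct.pack(">HHHHHH", qid, flags, qd, len(answers), len(authority), 0)
    return header + question + b"".join(rr(*r) for r in answers + authority)

# Constructed sample replies to a recursive query for www.yahoo.com / A
QUERY = build_query("www.yahoo.com", "A")
SAMPLES = {
    "referral": build_response(QUERY, ra=False,
                               authority=(("com.", 2, encode_name("ns1.example.com.")),)),
    "refused": build_response(QUERY, rcode=5),
    "nxdomain": build_response(QUERY, rcode=3, aa=True),
    "answer": build_response(QUERY, answers=(("www.yahoo.com.", 1, bytes([192, 0, 2, 10])),)),
    "timeout": None,
}

if __name__ == "__main__":
    for kind, reply in SAMPLES.items():
        print(f"{kind:9s} -> {classify_response(reply)}")
```

Run as-is to see the four reply shapes classified; to reproduce Kevin's live test, call send_query() with a root server's address and the name you want NS records for, then pass the result to classify_response(). A REFERRAL with recursion not available from a would-be forwarder is the case Kevin warns about: that server will not resolve Internet names on your behalf, so listing it in a forwarders line will not help.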

More information about the bind-users mailing list