DNS Setup


Postby Bob Tucker » Nov 02 04 7:40 pm

I have configured DNS in a manner that is causing problems. I would like to know how best to do it. WinGate is version 6.0.3, Build 1005. The WinGate server has two NICs. The networks on these connections are properly identified as Internal and External in WinGate. The NIC on the External network connects to DSL.

The DNS entries on the NIC on the External Network are the DNS servers at the ISP for DSL users: 203.146.237.237 and 203.146.237.222. These are also the only entries in the DNS/WINS Resolver in Wingate.

The network is a Windows NT network. (It will be upgraded to Windows 2003 sometime in the next two months.)

Originally, the sole DNS entry on the NIC on the Internal Network was the DNS server on the primary domain controller. That DNS was originally configured without forwarders. I found that NSLOOKUP on the Internet Server looked only at the DNS server on the PDC in that configuration. Therefore, I changed the DNS servers on the NIC on the Internal Network to include the servers at the ISP for DSL users followed by the DNS on the PDC. (That configuration seemed to work better than configuring the DNS on the PDC with forwarders to the DNS servers at the ISP for DSL users.)

DHCP is configured so that client PCs have a single DNS - which is Wingate.

Even though there are no forwarders on the DNS on the PDC, that DNS seems to do most of the work. The DNS on the PDC seems to be doing most of the lookups for clients, and it makes a huge number of lookups via ENS during DNS-based blacklist checks for email.

Being that this is an NT network - which really uses WINS rather than DNS - I tried eliminating the DNS entry for the PDC on the NIC on the Internal network altogether. Wingate worked, but lots of redundant DNS calls appeared in client sessions. Worse, however, a nasty email problem immediately became a regular event that had appeared only sporadically previously: this is the "stuck" or orphaned message problem. Within an hour of having eliminated the DNS entry for the PDC on the NIC on the Internal network, some ten messages had become orphaned. Obviously, I had discovered how not to configure DNS in Wingate.

I previously found the use of forwarders in NT DNS to provide slow and sometimes unreliable DNS. I have the NT DNS configured without forwarders. Nonetheless, Wingate uses the NT DNS. And the NT DNS happily communicates with DNS servers on the Internet. The NT DNS has cached entries to all sorts of DNSs in various domains and makes calls to these and other DNS servers as needed. When I delete this cache, the NT DNS server quickly and happily recreates it.

I think it is probably best to bite the bullet and enter the internal IP of the Wingate server as a forwarder in the NT DNS on the PDC. When I just tried this, I ended up creating a DNS lookup loop if I continued to include the PDC DNS entry on the NIC on the Internal Network, and I ended up with the orphaned message problem in spades as well as ineffective DNS if I eliminated that lookup.

Please point me in the right direction.

Thank you.
Bob Tucker

Postby Bob Tucker » Nov 03 04 5:21 am

I assume from the fact you are not responding to this that it is answered elsewhere. If this is answered elsewhere, could you please indicate where? The information you provide in the knowledgebase area seems to suggest not to use local DNS. That did not work well when I tried it. Obviously, that would not work with AD. Please point me in the right direction. Thank you.

Kindest Regards,

Bob Tucker

Postby HenriLemmers » Nov 03 04 8:26 am

Hello Bob,

I'm not the real Wingate expert; the guys at Qbik will correct me when I'm wrong. By the time you are running Server 2003 (as I do), you will have to switch to the Windows DNS server.
Meanwhile I do think you should not have any DNS addresses on the internal adapter of your Wingate server. Your Wingate server machine should resolve DNS on its external adapter. Once you have removed the DNS entries on your internal adapter, you can point your PDC to the Wingate machine (as you did) without the loop you discovered. I suppose your clients then could resolve DNS at either Wingate or the PDC.
One thing that may block your DNS lookup that comes to mind is your adapter binding. Your internal and external adapters are marked all right, as you said. But what about the DNS service: is that one correctly bound to the internal adapter (and loopback)? I only saw you mention the DNS resolver, in which I never put entries in the former versions of Wingate.

I hope this helps
Henri Lemmers

Postby Bob Tucker » Nov 03 04 1:18 pm

Dear Henri,

Thank you for your email. The DNS service is bound to the loopback adapter and internal adapter. This is a vanilla setup. The only thing that makes this at all unconventional is that the DSL setup is comprised of a real Cisco router and DSL device. None of that would have the slightest impact on Wingate. In an AD environment, the Wingate box will need to be an AD-DNS client. If I make the Wingate box a DNS client on the PDC and set the Wingate box to be a forwarder, I generate a DNS loop.

As you say, I would have thought I did not need any DNS on the Internal NIC. That did not turn out to be so in testing.
Bob Tucker

Postby HenriLemmers » Nov 04 04 10:00 am

Hi Bob,

I think this may be too difficult for me. Your DSL setup may be unconventional, but I assume this is only the link on the external adapter. My external adapter is connected to ADSL, but the internet connection is by a VPN to the service provider (not routed via an extra NAT?). This, however, should not be that much of a difference.
As for the DNS lookup, in my setup Wingate is running on the PDC, with AD enabled. Therefore the Wingate DHCP and DNS server are disabled, as I use the Server 2003 versions. In the Knowledgebase Qbik does have a paper on running Wingate on a separate server linked to the PDC. I think they state that the PDC is forwarded to the internal adapter of the Wingate server (http://support.qbik.com/index.php?_a=kn ... v2=General Networking). Anyhow, I hope the experts at Qbik can take over from now.

Good luck
Henri Lemmers

Postby Bob Tucker » Nov 04 04 12:17 pm

Dear Henri,

Thank you very much for your reply. I think I am just doing this wrong. My overall setup should be rather conventional in that I have an internal network on one NIC and an external on another. The way that QBIK suggests one configure Wingate clients in this sort of environment under Windows 2003 sounds like the best way: QBIK suggests that the AD-DNS be configured to use the Wingate DNS as a forwarder, and clients use the AD-DNS. My only question is on the Wingate box. In an AD environment, the Wingate box needs to be a member of the domain in our case and will, therefore, need to use the AD-DNS. If the AD-DNS uses the Wingate DNS as a forwarder, will that not cause a DNS lookup loop? It seems to cause a loop when I test it. As I said, I am pretty sure that I am doing this wrong, so any help is appreciated. I think my improper setup here is contributing to other problems, and I am hoping to get an answer on this as I suspect I have a fundamental problem with my configuration. The good folks at QBIK might be able to point me in the right direction.

Thank you again,

Bob Tucker

Postby Pascal » Nov 04 04 12:35 pm

Sounds like you're heading in the right direction there. I'm far from our DNS / setup related expert here, but will give it a shot.

If you look on your start menu, there is a program called "Advanced Options". Generally, you should not need to tweak anything there, but the last tab, "DNS Servers", allows you to specify DNS servers that WinGate will NOT use. (Normally, your AD server, so you cannot create a loop.)
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com

Postby Bob Tucker » Nov 04 04 10:39 pm

Dear Pascal,

Ah! I understand. Thank you! You say you are not expert here. You are wrong about that, sir!

With Kindest Regards,

Bob Tucker

Postby Pascal » Nov 05 04 7:40 am

Thanks for that, but the man to talk to about anything DNS related is Kevin Goodknecht (kgoodknecht)
Pascal

Qbik New Zealand
pascalv@qbik.com
http://www.qbik.com

Postby Bob Tucker » Nov 05 04 6:41 pm

Dear Pascal,

I have reconfigured DNS. I had never looked in the Advanced Options program. I have a completely conventional setup now. I have the network DNS on the internal adapter and have used the Advanced Options program to stop Wingate from using it. The ISP DNSs are the DNSs on the External adapter, and these are the DNSs listed in the DNS/WINS Resolver in Wingate. The network DNS has a forwarder to the Wingate DNS, and all clients use the network DNS. This seems to work very well.

I reset this configuration yesterday. It is too early to tell for sure, but I believe my previous configuration was causing a problem with some email not being moved. I am using a number of DNS-based RBLs to control spam and viruses. Some email messages were not being moved to dead properly. Because I am using multiple RBL lookups, I thought DNS might be an issue. Since I have changed configuration, no message has failed to be moved properly. Previously, I have always had a problem within a few hours.

It was very good of you to point me to the DNS switch in the Advanced Options program. I appreciate it very much. You have been a great help.

Kindest Regards,

Bob Tucker
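The loop Bob describes, and the way the Advanced Options "DNS Servers" exclusion breaks it, can be seen in a small model of the forwarding chain. The following is an added example, not WinGate code and not something the posters wrote: each resolver either answers on its own (the ISP's recursive servers are treated as able to answer anything) or hands the query to its upstreams in order, and a query that lands on a server already on the current path is a forwarding loop. The server labels (PDC-DNS, WinGate-DNS, ISP-1, ISP-2) are assumed for illustration, and caching, timeouts and retries are ignored.

```python
"""Model of the DNS forwarding topology discussed in this thread (added
example; not WinGate's code).  Labels PDC-DNS, WinGate-DNS, ISP-1 and
ISP-2 are assumed names, not real hosts."""
from dataclasses import dataclass, field


@dataclass
class Resolver:
    name: str
    # servers this resolver forwards to, in the order it tries them
    upstreams: list = field(default_factory=list)
    # True for a server that resolves on its own (the ISP recursors here)
    answers: bool = False
    # upstreams this resolver is told never to use; stands in for the
    # "DNS Servers" tab of WinGate's Advanced Options program
    excluded: set = field(default_factory=set)

    def effective_upstreams(self):
        return [u for u in self.upstreams if u not in self.excluded]


def trace(topology, start, path=None):
    """Follow one query from `start` through the forwarding chain.

    Returns ("answered", path), ("loop", path) or ("servfail", path),
    where path lists the servers visited in order.  A loop is reported
    as soon as an upstream already on the path would be asked again.
    """
    path = list(path or []) + [start]
    node = topology[start]
    if node.answers:
        return "answered", path
    for upstream in node.effective_upstreams():
        if upstream in path:
            return "loop", path + [upstream]
        status, sub_path = trace(topology, upstream, path)
        if status != "servfail":
            return status, sub_path
    return "servfail", path


def isp_servers():
    return {
        "ISP-1": Resolver("ISP-1", answers=True),
        "ISP-2": Resolver("ISP-2", answers=True),
    }


def broken_topology():
    """Network DNS forwards to WinGate, while WinGate's upstream list is
    the DNS servers from both NICs with the internal NIC first (the
    original configuration in the thread)."""
    t = isp_servers()
    t["PDC-DNS"] = Resolver("PDC-DNS", upstreams=["WinGate-DNS"])
    t["WinGate-DNS"] = Resolver("WinGate-DNS",
                                upstreams=["PDC-DNS", "ISP-1", "ISP-2"])
    return t


def fixed_topology():
    """Same servers, but WinGate is told to ignore the network DNS, so it
    only ever goes out to the ISP (the configuration that ended the thread)."""
    t = broken_topology()
    t["WinGate-DNS"].excluded = {"PDC-DNS"}
    return t


if __name__ == "__main__":
    for label, topo in (("broken", broken_topology()),
                        ("fixed", fixed_topology())):
        status, path = trace(topo, "PDC-DNS")
        print(f"{label:6s}: {status:8s} {' -> '.join(path)}")
```

Note that the exclusion is what makes it safe for the WinGate machine itself to list the network DNS on its internal NIC: the operating system's resolver on that box can still use the AD/NT DNS, while the WinGate DNS service never forwards back to it.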

Postby jiandc » Nov 07 04 8:28 pm

I am currently using Wingate DNS. During Win2003 installation, I did not include DNS Server, thinking that I will use Wingate's DNS. We do not have AD since we are using Netware 5. I have another DNS Server in our network but it is on another WinNT4 machine. I added the DNS Server IP Address of our ISP and our WinNT4 DNS Server in the DNS/WINS Resolver->DNS: Name Server.

Is this the proper setting? Suggestions for a better setup are very much welcome.

How do I know that there is a DNS loop in my network?

jian

Postby Bob Tucker » Nov 07 04 9:44 pm

Dear Jian,

Perhaps Pascal or Kevin Goodknecht can speak to this with authority. Your network uses Novell NDS. The DNS issue is different than if you were using a Windows 2003-based network.

If the workstations on your network use the Wingate DNS, which I would assume they do, then your Wingate DNS needs to look to the DNS servers on your external network. In this case, you want to list only the external DNSs in your DNS/WINS resolver.

I had a setup very similar to yours. Although I had not included our internal MS DNS in the DNS/WINS resolver, I had listed it as the DNS on the internal NIC on the Wingate machine. And I found I had some problems that I should not have expected. (One of the problems is BSODs quite similar to yours, but I do not know that these were related to DNS.) When I looked at current client activity in Wingate, I could see the DNS server making many DNS calls via ENS on port 53 (the port DNS uses). My network - Wingate included - was using the MS DNS internally. I read through what I could find in the Wingate help file and in the Wingate knowledge base. Basically, the information that I found indicates that the Wingate machine needs only to reference the external DNSs. If the Wingate server does not need to reference a DNS on your local network, the Wingate documentation indicates you should not reference any DNS on the internal network card or in the DNS/WINS Resolver - so you should reference only external DNSs on the external network card and in the DNS/WINS resolver.

Windows 2003 networking relies on an Active Directory DNS. The Wingate server in a Windows 2000- or Windows 2003-based network needs to reference an Active Directory DNS on that network. We are still using Windows NT - similar to you - but will be upgrading to Windows 2003 in a few weeks. There is a setting in the "Advanced Options" program that you will find in the Wingate group in Program Files that lets you enter a DNS on a NIC and will prevent Wingate from using that DNS. I configured this setting to cause Wingate to ignore the internal MS DNS and entered that DNS on the internal NIC. I then configured the network to use the Wingate DNS as the whitepaper for Windows 2003 on the QBIK website suggests: I configured the NT DNS with a forwarder to the Wingate DNS and I configured DHCP so that workstations on the network use only the MS DNS - which now has the Wingate DNS as a forwarder. Wingate now uses only external DNSs. Wingate problems substantially diminished in frequency. The Wingate server uses the internal DNS, but the setting in the Advanced Options program prevents a DNS lookup loop from occurring. This setup appears to work well.

You may suspect DNS lookup loops if you experience very high processor usage on your Wingate machine that resolves itself for a time when you start and stop Wingate. I suspected that I had such a loop when I tested referencing the Wingate DNS via a forwarder on the MS DNS, as logically it seemed I would have such a loop. I did not find how to test for it in Wingate, so I used Sniffer. I am very sure that someone can point to a better way of doing it.

Kindest Regards,

Bob Tucker
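Bob went looking for the loop with a sniffer, and Jian's question is how to recognise one. On the wire a forwarding loop shows up as the same query name passing back and forth between the same two servers many times in a short window, far more often than any client could be asking for it. The following is an added example, not code from WinGate or from anyone in the thread: it reads tcpdump-style lines for port-53 queries and flags a name that bounces in both directions between a pair of hosts. The trace is constructed for the example; the internal addresses (192.168.1.1 for WinGate, 192.168.1.5 for the network DNS, 192.168.1.50 for a workstation) are assumed, and the ISP address is the one Bob gives above.

```python
"""Detect a DNS forwarding loop in a tcpdump-style query trace (added
example; the trace and the 192.168.1.x addresses are constructed)."""
import re
from collections import defaultdict

# Matches only queries to port 53, e.g.
#   12:00:00.100000 IP 192.168.1.50.1030 > 192.168.1.5.53: 1001+ A? www.example.com. (33)
# Responses ("1001 1/0/0 A ...") have no "<type>?" and do not match.
QUERY_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.53: (?P<id>\d+)\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)

# Constructed trace: a normal lookup chain (workstation -> network DNS ->
# WinGate -> ISP, then the reply) followed by a loop, where the network
# DNS and WinGate hand the same query to each other every 10 ms.
SAMPLE_TRACE = """\
12:00:00.100000 IP 192.168.1.50.1030 > 192.168.1.5.53: 1001+ A? www.example.com. (33)
12:00:00.101000 IP 192.168.1.5.1040 > 192.168.1.1.53: 2001+ A? www.example.com. (33)
12:00:00.102000 IP 192.168.1.1.1054 > 203.146.237.237.53: 3001+ A? www.example.com. (33)
12:00:00.103000 IP 203.146.237.237.53 > 192.168.1.1.1054: 3001 1/0/0 A 93.184.216.34 (49)
12:00:05.000000 IP 192.168.1.5.1041 > 192.168.1.1.53: 2002+ A? mail.example.com. (34)
12:00:05.010000 IP 192.168.1.1.1055 > 192.168.1.5.53: 3002+ A? mail.example.com. (34)
12:00:05.020000 IP 192.168.1.5.1042 > 192.168.1.1.53: 2003+ A? mail.example.com. (34)
12:00:05.030000 IP 192.168.1.1.1056 > 192.168.1.5.53: 3003+ A? mail.example.com. (34)
12:00:05.040000 IP 192.168.1.5.1043 > 192.168.1.1.53: 2004+ A? mail.example.com. (34)
12:00:05.050000 IP 192.168.1.1.1057 > 192.168.1.5.53: 3004+ A? mail.example.com. (34)
"""


def parse_queries(lines):
    """Yield (seconds_since_midnight, src, dst, qtype, qname) for each query line."""
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
        yield t, m["src"], m["dst"], m["qtype"], m["qname"]


def find_forwarding_loops(lines, window=1.0, min_each_way=3):
    """Return one alert per (host pair, qtype, qname) where the same query
    travels in both directions at least `min_each_way` times within `window`
    seconds.  A one-way burst (a busy client) never qualifies."""
    groups = defaultdict(list)  # (pair, qtype, qname) -> [(t, src), ...]
    for t, src, dst, qtype, qname in parse_queries(lines):
        groups[(frozenset((src, dst)), qtype, qname)].append((t, src))

    alerts = []
    for (pair, qtype, qname), events in groups.items():
        if len(pair) != 2:
            continue  # a host querying itself is not a two-server bounce
        events.sort()
        for i in range(len(events)):
            per_direction = defaultdict(int)
            j = i
            while j < len(events) and events[j][0] - events[i][0] <= window:
                per_direction[events[j][1]] += 1
                j += 1
            if len(per_direction) == 2 and min(per_direction.values()) >= min_each_way:
                alerts.append({
                    "hosts": tuple(sorted(pair)),
                    "qtype": qtype,
                    "qname": qname,
                    "queries": sum(per_direction.values()),
                })
                break  # one alert per name is enough
    return alerts


if __name__ == "__main__":
    for alert in find_forwarding_loops(SAMPLE_TRACE.splitlines()):
        print(f"possible forwarding loop between {alert['hosts'][0]} and "
              f"{alert['hosts'][1]}: {alert['qtype']} {alert['qname']} "
              f"seen {alert['queries']} times")
```

On a real capture the two hosts reported will be the two servers that forward to each other; the fix in the thread is to stop one side (WinGate, via the Advanced Options exclusion) from ever sending to the other.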

Postby jiandc » Nov 07 04 10:49 pm

Hi Bob,

Thank you for your reply and suggestions.

Due to my other post regarding Server Hang up/Restart (which you have made some replies also), I will have to wait if those problems will still occur (after replacing qbikhkxp.sys), then I will make the changes that you suggested.

Yes, all workstations are using Wingate as a DNS Server and as a Default ROUTER.

Sometimes, I see a lot of Port 53 request going out to the internet including our Netware servers.

I don't see any high CPU or memory utilization in any of our servers including Wingate, so I would assume that there is no DNS lookup loop.

This Server is also our DHCP & WINS Server (using Windows 2003 DHCP & WINS "NOT Wingate's"). So it has become a critical component to our LAN since Workstations get their IP Address from this computer. And if problems occur on the machine (especially if it HANGS), users will not be able to access our Lotus Notes Domino Server due to the invalid (Windows default) IP Address assigned to the workstation.

As a normal practice, I have scheduled the Wingate server machine to reboot/restart every night. I don't know if this is right, but it seems to reduce the possibility of Wingate giving problems.


jian

Postby Bob Tucker » Nov 07 04 11:20 pm

Dear Jian,

I think you are very wise to deal with one problem at a time - particularly the 0x02c problem. I believe I may have a similar problem. I do not know how your Novell is configured. I should think you have both DHCP and DNS on NetWare 5. The DHCP and DNS servers for NetWare 5.x use NDS to store information and resource records, and I would expect that it is the NetWare DNS that you see communicating on port 53 from your NetWare servers.

Kindest Regards,

Bob Tucker