Confused DNS


Oso

Hello. New to the forum and hoping someone can help me figure out what's going on with my network. We've been encountering internet connectivity problems where, if we set our primary DNS on client computers to our router (example: 192.168.12.1) or obtain IP address & DNS automatically, we would not be able to get online. However, if we change the primary DNS to 8.8.8.8 and leave the IP address set to obtain automatically, we are able to go online without a problem. Other computers in the network also work fine with everything set to obtain automatically, and when I check through ipconfig they use the 192.168.12.1 DNS without a problem. I have a server running Server 2003, but it hands DHCP duties to the router (Cisco RV082 v3), and it doesn't matter if the computer is on the domain or in a workgroup. Please help! It seems like something is getting confused, but I don't know where to begin to check. Any info would be greatly appreciated! Thanks!
 
I ran DHCP and DNS on Server 2003 for many years. I always had small Active Directory issues when trying DHCP on the router. I would use DNS and DHCP off Server 2003. For DNS, point all the devices to DNS on Server 2003 by using DHCP on Server 2003. Set Server 2003 to point to your router or directly to your internet DNS. You set forwarding to the next DNS stop on Server 2003. If you need to set static entries, create an "A" record on Server 2003 DNS. Microsoft's DHCP and DNS work great. Try it; you will probably like it.
 
Make sure there is a DNS forwarder set on the router.
 
If you're running Active Directory...you NEED TO have your domain controller(s) be the only DNS servers for themselves...and for all client workstations. It is better to run DHCP from the server also...as it allows better registration and updates within Active Directory, basically keeps Active Directory running tighter. Microsoft's domain...Active Directory...is built on the foundation of DNS. Without having DNS run properly for your network...Active Directory will be broken. Things may "appear" to work OK on the surface for basic things...you might have browsing network shares working...but it's only appearing to work on the surface. Try to do more advanced things within AD...and you'll find they don't work. Or you may find workstations lose their computer account every now and then.

If your server is, for example, 192.168.10.11, it should run DHCP...and it should hand out 192.168.10.11 as the one and only DNS for all workstations. Client workstations should only have 192.168.10.11 for their primary DNS...nothing else. Secondary DNS would be a second domain controller if there was one. The ISP's DNS or the router's IP has no business being anywhere in the TCP/IP DNS settings anywhere on the network.

Server looks at itself for DNS.
You set the DNS forwarders in DNSMGMT.MSC...I like to use a safe DNS service like OpenDNS...to add another layer of malware protection for the network.

Some people say.."but what if my server goes down...I need workstations to still browse the internet! So I put a second DNS in there like my ISP, or Google". Well..if your experience is that servers go down all that much..perhaps consider a career change. Servers should be built on proper server grade hardware so they don't go down. And if you're building servers...you should have the mental capacity to come up with a plan..."Gee..server is down, will be down for a few hours or until tomorrow...let me take 30 or 45 seconds..I can log into the router and enable DHCP there...to fill in for a few hours....give the people the day to surf facebook or whatever..and then when the server is fixed..simply disable DHCP on the router again".
 
While you are switching over DNS and DHCP you might want to lock down your router to only allow your chosen DNS to pass out to the internet. This will force people to use your DNS provided by your DHCP. All other DNS will be blocked. This will help stop bad things coming into your network through another bad DNS.

Just block port 53 UDP (DNS) on the router except for your chosen outside DNS server, OpenDNS etc. If you want to be complete, you can also block port 53 TCP just in case.
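The two advice posts above amount to a checkable policy: every client resolver entry must be a domain controller, and the router should let port 53 out only to the chosen forwarders. Below is an added example (not from any poster in this thread) that parses `ipconfig /all` output into per-adapter fields, audits the "DNS Servers" list against a set of DC addresses, and models the egress rule from the last reply. The ipconfig text, the DC address 192.168.10.11 and the forwarder addresses are constructed for illustration; the `allowed_sources` option is my own tightening (only the DC may talk to the forwarders) and is not something the posts state.

```python
"""Added example: audit a client's DNS settings against the "domain
controllers only" rule and model a port-53 egress rule on the router.
All addresses and the ipconfig text are constructed for illustration."""
import ipaddress
import re

# Constructed `ipconfig /all` output from a misconfigured client:
# the DC is listed first, but the router and Google DNS follow it.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS01
   Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : corp.example
   IPv4 Address. . . . . . . . . . . : 192.168.10.54
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.10.1
   DHCP Server . . . . . . . . . . . : 192.168.10.1
   DNS Servers . . . . . . . . . . . : 192.168.10.11
                                       192.168.10.1
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

ADAPTER_RE = re.compile(r"^(?P<name>\S.*):\s*$")          # column-0 header line
FIELD_RE = re.compile(r"^ {1,8}(?P<name>[A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(?P<value>.*)$")
CONT_RE = re.compile(r"^\s{20,}(?P<value>\S+)\s*$")        # value-only continuation

# Verdicts returned by audit_client_dns
OK = "ok"
REMOVE_INTERNAL = "remove: non-DC internal resolver"
REMOVE_PUBLIC = "remove: public resolver bypasses AD DNS"
INVALID = "invalid: not an IP address"


def parse_ipconfig(text):
    """Return {adapter_name: {field_name: [values]}} for `ipconfig /all` text.

    Multi-valued fields (e.g. DNS Servers) continue on deeply indented lines
    that carry only a value; those are appended to the last field seen.
    """
    adapters = {}
    fields = None
    current = None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            fields = adapters.setdefault(m.group("name"), {})
            current = None
            continue
        if fields is None:
            continue  # global header lines before the first adapter
        m = FIELD_RE.match(line)
        if m:
            current = m.group("name")
            fields.setdefault(current, [])
            if m.group("value").strip():
                fields[current].append(m.group("value").strip())
            continue
        m = CONT_RE.match(line)
        if m and current:
            fields[current].append(m.group("value"))
    return adapters


def audit_client_dns(dns_servers, dc_ips):
    """Check an ordered resolver list against the rule "DCs only".

    Returns {"compliant": bool, "findings": [(server, verdict), ...]}.
    The list is compliant only if it is non-empty and every entry is a DC.
    """
    dcs = {ipaddress.ip_address(ip) for ip in dc_ips}
    findings = []
    for server in dns_servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            findings.append((server, INVALID))
            continue
        if addr in dcs:
            findings.append((server, OK))
        elif addr.is_private:
            findings.append((server, REMOVE_INTERNAL))   # router, NAS, etc.
        else:
            findings.append((server, REMOVE_PUBLIC))     # ISP, Google, ...
    compliant = bool(findings) and all(v == OK for _, v in findings)
    return {"compliant": compliant, "findings": findings}


def dns_egress_allowed(src_ip, dst_ip, proto, dst_port, forwarders,
                       allowed_sources=None):
    """Model the router rule: port 53 (UDP and TCP) may leave the network
    only towards the chosen forwarders.  Non-DNS flows are not this rule's
    concern and pass.  `allowed_sources`, if given, additionally restricts
    which internal hosts may reach the forwarders (my own tightening)."""
    if dst_port != 53 or proto not in ("udp", "tcp"):
        return True
    if dst_ip not in forwarders:
        return False
    return allowed_sources is None or src_ip in allowed_sources


if __name__ == "__main__":
    nic = parse_ipconfig(SAMPLE_IPCONFIG)["Ethernet adapter Local Area Connection"]
    for server, verdict in audit_client_dns(nic["DNS Servers"], ["192.168.10.11"])["findings"]:
        print(f"{server:16} {verdict}")
```

Running the block on the constructed output flags 192.168.10.1 (the router) and 8.8.8.8 for removal and leaves 192.168.10.11 as the only acceptable entry; point the same parser at a real `ipconfig /all` capture from the machine that only works with 8.8.8.8 to see what it was actually handed by DHCP.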
 
