(Msg. 1) Posted: Fri Feb 15, 2008 10:55 pm
Post subject: XP machines cannot resolve the names to IP Archived from groups: microsoft>public>win2000>dns
Hi;
Since I have set up my network I see that XP machines cannot resolve the name
to IP, i.e. google.com, if internet access is blocked over the server Win 2003
via PIX firewall. DNS works correctly and within the LAN it resolves the names
to IP but this issue is only for internet, those users who are allowed to
access the internet will not be able to access unless the server is not
allowed for internet also. Is this normal and is there a solution to this
issue? Thanks
--
Essa
(Msg. 2) Posted: Sat Feb 16, 2008 7:02 am
Post subject: Re: XP machines cannot resolve the names to IP Archived from groups: per prev. post
Hello Muhammad,
You have to configure a forwarder to your ISP's DNS server on the DNS management
console from your DNS server. Go to forwarders Tab and fill in the ip address
from your ISP's DNS server.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
> HI;
> Since i have setup my network i see that XP machines cannot resolve
> the name
> to IP i.e google.com if internet access is blocked over the server win
> 2003
> via PIX firewall.DNS works correctly and within the LAN it resolves
> the names
> to IP but this issue is only for internet, those users who are allowed
> to
> access the internet will not be able to access unless the server is
> not
> allowed for internet also.Is this normal and there is solution to this
> issue.Thanks
(Msg. 3) Posted: Sat Feb 16, 2008 9:55 am
Post subject: Re: XP machines cannot resolve the names to IP Archived from groups: per prev. post
Read inline please.
In news:84EA7376-EA5C-4409-8883-00968DFABC91@microsoft.com,
Muhammad Essa <MuhammadEssa.DeleteThis@discussions.microsoft.com> typed:
> HI;
> Since i have setup my network i see that XP machines cannot resolve
> the name to IP i.e google.com if internet access is blocked over the
> server win 2003 via PIX firewall.DNS works correctly and within the
> LAN it resolves the names to IP but this issue is only for internet,
> those users who are allowed to access the internet will not be able
> to access unless the server is not allowed for internet also.Is this
> normal and there is solution to this issue.Thanks
Your post is kind of confusing, but if your firewall is set up to block DNS
queries from the server to any IP address on the internet, your DNS
resolution for internet names could fail unless you set a forwarder and open
TCP/UDP on port 53 to the ISP DNS from the server. With this setting you
will also need to set "Do not use recursion for this domain" on the
forwarder. This forces DNS to use the forwarder only for all external
queries.
Also, if the Forwarder supports EDNS, you will need to allow UDP packets up
to the MTU size.
--
Best regards,
Kevin D. Goodknecht Sr. [MVP]
Hope This Helps
(Msg. 4) Posted: Sat Feb 16, 2008 5:58 pm
Post subject: Re: XP machines cannot resolve the names to IP Archived from groups: per prev. post
In news:%233qzTRLcIHA.4312@TK2MSFTNGP03.phx.gbl,
Kevin D. Goodknecht Sr. [MVP] <admin.RemoveThis@nospam.WFTX.US> typed:
> Your post is kind of confusing, but if your firewall is setup to
> block DNS queries from the server to any IP address on the internet,
> your DNS resolution for internet names could fail unless you set a
> forwarder and open TCP/UDP on port 53 to the ISP DNS from the server.
> With this setting you will also need to set "Do not use recursion for
> this domain" on the forwarder. This forces DNS to use the forwarder
> only for all external queries.
> Also, if the Forwarder supports EDNS, you will need to allow UDP
> packets up to the MTU size.
>
> 323380 - HOW TO: Configure DNS for Internet Access in Windows Server
> 2003
> http://support.microsoft.com/default.aspx?scid=kb;en-us;323380&sd=RMVP
>
> 828263 - DNS query responses do not travel through a firewall in
> Windows Server 2003:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;828263&sd=RMVP
For Muhammad,
To add about how to allow EDNS0 in the PIX, go into the PDM, Configuration
button, System Properties, Advanced, Fixup, DNS, check the checkbox "Enable
FIXUP DNS" and type in 1280 for the Maximum length.
Or
If familiar with the PIX command line, add this line:
fixup protocol dns maximum-length 1280
But as Kevin said, you still have to allow DNS traffic.
--
Regards,
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
(Msg. 5) Posted: Sat Feb 16, 2008 9:08 pm
Post subject: RE: XP machines cannot resolve the names to IP Archived from groups: per prev. post
Hi All;
Thanks for the replies.
I have configured the ISP DNS address in forwarder list. But when internet is
blocked over the Win 2003 server all the clients who are allowed to access
net from their PCs and specifically allowed in PIX firewall will not be able
to resolve name to IP. Also the required ports are allowed over the
firewall. Any idea?
Kind Regards
"Muhammad Essa" wrote:
> HI;
> Since i have setup my network i see that XP machines cannot resolve the name
> to IP i.e google.com if internet access is blocked over the server win 2003
> via PIX firewall.DNS works correctly and within the LAN it resolves the names
> to IP but this issue is only for internet, those users who are allowed to
> access the internet will not be able to access unless the server is not
> allowed for internet also.Is this normal and there is solution to this
> issue.Thanks
> --
> Essa
(Msg. 6) Posted: Sun Feb 17, 2008 1:38 am
Post subject: Re: XP machines cannot resolve the names to IP Archived from groups: per prev. post
In news:2A6228A5-D424-4137-B8A0-8057CB8909D4@microsoft.com,
Muhammad Essa <Muhammad Essa.RemoveThis@discussions.microsoft.com> typed:
> Hi All;
> Thanks for the replies.
> I have configured the ISP DNS address in forwarder list.But when
> internet is blocked over the win 2003 server all the clients who are
> allowed to access net from their PCs and specifically allowed in pix
> firewall will not be able to resolve name to IP. Also the required
> ports are allowed over the firewall.Any idea
>
> Kind Regards
If your new problem is they cannot access by computer name, then you will
need to install WINS and specify in DHCP properties Option 46 = 0x8 and
option 44 = WINS server IP address. This will allow resolution by name.
(Msg. 7) Posted: Sun Feb 17, 2008 1:38 am
Post subject: Re: XP machines cannot resolve the names to IP Archived from groups: per prev. post
Hi;
The problem is not with name resolution within the LAN at all. Users can
work and access resources over different subnets, initiate the remote
terminal connection. Only I want to know if the server is not allowed to
access the internet and the workstation is allowed to access the net behind
the PIX firewall the name to IP problem happens. Following are some more
details.
DNS server is working perfectly and can resolve name to IP locally.
PIX firewall is configured to allow the required traffic.
DNS server is blocked to access the internet.
Specific workstations are allowed to access the net.
Thanks
"Ace Fekay [MVP]" wrote:
> In news:2A6228A5-D424-4137-B8A0-8057CB8909D4@microsoft.com,
> Muhammad Essa <Muhammad Essa.TakeThisOut@discussions.microsoft.com> typed:
> > Hi All;
> > Thanks for the replies.
> > I have configured the ISP DNS address in forwarder list.But when
> > internet is blocked over the win 2003 server all the clients who are
> > allowed to access net from their PCs and specifically allowed in pix
> > firewall will not be able to resolve name to IP. Also the required
> > ports are allowed over the firewall.Any idea
> >
> > Kind Regards
>
> If your new problem is they cannot access by computer name, then you will
> need to install WINS and specify in DHCP properties Option 46 = 0x8 and
> option 44 = WINS server IP address. This will allow resolution by name.
>
> Ace
(Msg. 8) Posted: Sun Feb 17, 2008 3:35 pm
Post subject: Re: XP machines cannot resolve the names to IP Archived from groups: per prev. post
In news:362571FC-24DC-4759-8BFF-9824177FC77B@microsoft.com,
Muhammad Essa <MuhammadEssa.DeleteThis@discussions.microsoft.com> typed:
> HI;
> The problem is not with name resolution within the LAN at all. Users
> can work and access resources over different subnets , initiate the
> remote terminal connection. Only i want to know if the server is not
> allowed to access the internet and the workstation is allowed to
> access the net behind the pix firewall the name to IP problem
> happens.following are some more details.
>
> DNS server is working perfectly and can resolve name to IP locally.
> PIX firewall the configured to allow the required traffic.
> DNS server is blocked to access the internet.
> Specific workstations are allowed to access the net.
>
> Thanks
I'm not sure what users are using as names to access resources over the VPN.
Are they accessing by FQDN? If so, it should work. If by single name, then
no, because we need to resolve the NetBIOS names. When you run an ipconfig
/all on a connected VPN client, what DNS addresses are being given? Do you
also have split tunneling defined in the access lists for the VPN group?
Accessing resources across a router by NetBIOS names is blocked by default,
firewall or not. Therefore I'm assuming that users are accessing resources
between your current internal subnets by FQDN and not single name if not
using WINS. Network neighborhood (based on the Browser service) will only
broadcast and work on the local subnet and they will not be able to find
things in that manner in other subnets. Same goes with printer browsing.
I bet that if you are not using WINS, and you have Exchange in place, and
they are using meeting requests, that calendar Free/Busy info is not working
for everyone other than the folks on the same subnet as the Exchange server.
In any scenario where there are multiple subnets, or even one subnet and we
install a PIX or any other VPN appliance, we immediately install WINS to
allow single name resolution across the subnet. This is standard proc
especially if we want to allow resource access by using NetBIOS names.
All times are: Eastern Time (US & Canada)