
Yet another post about "nslookup works but ping does not". I’ve read a handful of forum posts but could not find anything relevant to my setup and problem of resolving external domain names on an internal-only network.

My Lab:

  • VMWare Workstation 11
  • Windows 2012 R2 Datacenter Edition servers

    1. DC1.ad.example.com - AD and DNS, INT NIC
    2. DC2.ad.example.com - AD and DNS, INT NIC
    3. DNS1.ad.example.com - DNS only, not a member of AD. INT, EXT NICs.

The network is internal only for AD members. Server DNS1 is not a member of AD and contains two NICs, one internal to the AD network and the other external to the internet. DNS1 only serves as a DNS caching server, for the purpose of allowing the internal network (AD) computers to be able to resolve external IPs. The purpose of the lab relating to this question is to learn best practices in AD deployment, which includes network design and DNS.

DNS configuration:

DC1 and DC2 both have a forwarder setup to DNS1. Queries outside of AD go there and get cached upon request from internal network computers. Nslookup confirms that using these two name servers, DC1 and DC2, we can resolve external domain names (I can see them being cached on DNS1 after requests from DC1/2).

Problem:

However, when I ping, it fails without showing the IP. Why is that? I would expect at least an IP printed and failure to reach host or some similar error. The domain name is visible in the local cache on DC1/2, but ping won’t resolve or show it.

I ended up adding an external NIC to DC2 and was able to ping with no problem, which also led me to wonder why I’m actually trying to accomplish this external name resolution. I would expect that there would be a "no route" or some other error from ping, but I also would expect it to resolve (or show the resolved IP) and then choke trying to find the host. However, it just fails. Can anyone explain why? Does ping just give up if it can't reach the network?

Below is a series of commands demonstrating all of this:

PS C:\Users\Administrator> ipconfig /flushdns

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.
PS C:\Users\Administrator> ipconfig /displaydns

Windows IP Configuration

    dc1.ad.polishpaul.net
    ----------------------------------------
    Record Name . . . . . : dc1.ad.polishpaul.net
    Record Type . . . . . : 1
    Time To Live  . . . . : 1197
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.168.55.11


PS C:\Users\Administrator> ping google.com
Ping request could not find host google.com. Please check the name and try again.
PS C:\Users\Administrator> ipconfig /displaydns

Windows IP Configuration

    dc1.ad.polishpaul.net
    ----------------------------------------
    Record Name . . . . . : dc1.ad.polishpaul.net
    Record Type . . . . . : 1
    Time To Live  . . . . : 1186
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 192.168.55.11

    google.com
    ----------------------------------------
    Record Name . . . . . : google.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 293
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 216.58.217.142

PS C:\Users\Administrator> nslookup
Default Server:  dc1.ad.polishpaul.net
Address:  192.168.55.11

> google.com
Server:  dc1.ad.polishpaul.net
Address:  192.168.55.11

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4006:806::1005
          216.58.217.142

PS C:\Users\Administrator>
PS C:\Users\Administrator> # external NIC now added
PS C:\Users\Administrator> ping google.com
Pinging google.com [74.125.226.14] with 32 bytes of data:
Reply from 74.125.226.14: bytes=32 time=11ms TTL=128

Thanks, Paul

Paweł Czopowik

  • `Purpose of the lab relating to this question is to learn best practices in AD deployment which includes network design, and DNS` - Nobody does this the way you're trying to do it, so you're definitely not following `best practice` in your design. – joeqwerty May 12 '15 at 00:20
  • If you could elaborate, it will be a lesson learned :) I'm exploring what's possible and attempting to run AD on an isolated internal network. As I read through books and guides I'm trying things out. – Paweł Czopowik May 12 '15 at 00:37
  • Since the primary purposes of being connected to the Internet are to use smtp and http, I would test those instead of ping. As for why ping doesn't use cached records, I don't know, but it makes sense if you think about it. – Tony Hinkle May 12 '15 at 00:37
  • While many organizations may use a dedicated DNS resolver for resolving external domains in order to "shield" their AD DNS servers from direct internet access, they don't use a multi-homed DNS server to do so. Remove the multi-homing from the equation and see what you get. – joeqwerty May 12 '15 at 00:59
  • And I think this may have been the root question I'm not sure how to ask yet. So how would I do this? Is the answer simply to route the traffic instead of relying on two NICs? I think I've been over-engineering here... – Paweł Czopowik May 12 '15 at 01:20
  • @joeqwerty, I changed my setup based on your hints. Now I have a router/firewall (pfSense on VM) for the network and the DNS caching server is outside of it. Thanks! :) – Paweł Czopowik May 14 '15 at 05:16

1 Answer


I have found that although the name resolution works with nslookup, or the domain name resolution is cached locally, if one does not have a route to the destination, ping will fail and never show the IP.

I encountered this issue in another lab without multi-homing. Removing the default gateway would cause ping to fail with "could not find host" when pinging a domain name, and when pinging the IP it would show a "transmit failed" error:

C:\Users\pawel>ping google.com
Ping request could not find host google.com. Please check the name and try again

C:\Users\pawel>ping 173.194.123.101

Pinging 173.194.123.101 with 32 bytes of data:
PING: transmit failed. General failure.
Paweł Czopowik
  • This is absolutely strange! Ping does two *distinct* things: resolves the name to IP address and then sends ICMP packets. Name resolution and actual "pinging" are not connected in any way. You don't show your DNS client configuration? – iPath May 21 '15 at 13:49
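The question and the answer both turn on the fact that "ping name" bundles three separate steps (a DNS lookup, the Winsock resolver path that ping.exe actually uses, and routing) and reports only one failure message for all of them. The PowerShell script below is an added diagnostic example, not code from the question or the answer, that runs each step on its own so the failure can be attributed to the DNS server, to the local resolver, or to the routing table. It assumes the DnsClient and NetTCPIP modules shipped with Windows 8 / Server 2012 and later; the host name and the DNS server address are placeholders taken from the post and should be replaced with your own.

```powershell
# Added diagnostic example (not from the original post): split "ping <name>" into
# its separate steps so a "could not find host" result can be traced to DNS, to
# the resolver path, or to routing.
#
# Placeholders (assumptions): $Name and $DnsServer are taken from the post's
# transcript; substitute your own values.
param(
    [string]$Name      = 'google.com',    # name under test (placeholder)
    [string]$DnsServer = '192.168.55.11'  # internal DNS server, queried directly (placeholder from the post)
)

$result = [ordered]@{}

# 1. Direct DNS query, the way nslookup does it: ask one specific server and
#    bypass the local resolver cache. A success here only proves the server answers.
try {
    $records = Resolve-DnsName -Name $Name -Type A -Server $DnsServer -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' }
    $result.DnsAnswer = @($records | ForEach-Object IPAddress)
} catch {
    $result.DnsAnswer = @()
    $result.DnsError  = $_.Exception.Message
}

# 2. Resolution through Winsock's getaddrinfo, the path ping.exe uses. .NET's Dns
#    class calls the same API, so "step 1 works, step 2 fails" points at the local
#    resolver (cache, address filtering, missing route), not at the DNS server.
try {
    $result.GetAddrInfo = @([System.Net.Dns]::GetHostAddresses($Name) |
                            ForEach-Object IPAddressToString)
} catch {
    $result.GetAddrInfo      = @()
    $result.GetAddrInfoError = $_.Exception.Message
}

# 3. Routing: does this host have any IPv4 default route at all? Without one,
#    nothing outside the directly attached subnets is reachable, whatever DNS says.
$default = Get-NetRoute -AddressFamily IPv4 -ErrorAction SilentlyContinue |
           Where-Object { $_.DestinationPrefix -eq '0.0.0.0/0' }
$result.HasDefaultRoute = [bool]$default
$result.DefaultGateways = @($default | ForEach-Object NextHop)

# 4. For each address the DNS server returned, ask the stack which route it would
#    pick. Find-NetRoute returns the chosen source address followed by the route;
#    an error or an empty result both mean "no route" and are recorded as such.
$result.RouteLookup = foreach ($ip in $result.DnsAnswer) {
    try {
        $chosen = Find-NetRoute -RemoteIPAddress $ip -ErrorAction Stop |
                  Where-Object { $_.DestinationPrefix } | Select-Object -First 1
        [pscustomobject]@{ Address = $ip; Route = $chosen.DestinationPrefix; Routable = [bool]$chosen }
    } catch {
        [pscustomobject]@{ Address = $ip; Route = $null; Routable = $false; Error = $_.Exception.Message }
    }
}

# 5. Only now test reachability, and by address rather than by name, so an ICMP
#    failure cannot be mistaken for a resolution failure.
$result.IcmpByAddress = foreach ($ip in $result.DnsAnswer) {
    [pscustomobject]@{ Address = $ip; Reachable = Test-Connection -ComputerName $ip -Count 1 -Quiet }
}

[pscustomobject]$result
```

Reading the output for the lab in the question: a populated DnsAnswer with an empty GetAddrInfo, HasDefaultRoute false and Routable false on every address is the combination the answer describes, and it says the DNS design is fine while the host simply has no path to the returned addresses. If GetAddrInfo is populated but IcmpByAddress is false, resolution is not the problem and the investigation moves to the firewall or the gateway instead.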