Strange DNS issue on Windows server when behind Cisco 877
#1
Hi all
We have a Windows 2003 server (SBS) that sits behind our Cisco 877 router. Within the DNS settings in Windows we have forwarders set up, using either OpenDNS (208.67.222.222) or the router (192.168.9.1). If I run the DCDiag command in Windows to diagnose DNS issues (Dcdiag /test:DNS) I get a whole string of errors, e.g.
Code:
Running enterprise tests on : SHF.local
Starting test: DNS
Test results for domain controllers:
DC: meat.SHF.local
Domain: SHF.local
TEST: Forwarders/Root hints (Forw)
Error: Forwarders list has invalid forwarder: 192.168.9.1 (<name unavailable>)
Error: Forwarders list has invalid forwarder: 208.67.220.220 (<name unavailable>)
Error: Forwarders list has invalid forwarder: 208.67.222.222 (<name unavailable>)
Error: Root hints list has invalid root hint server: a.root-servers.net. (198.41.0.4)
Error: Root hints list has invalid root hint server: b.root-servers.net. (128.9.0.107)
Error: Root hints list has invalid root hint server: c.root-servers.net. (192.33.4.12)
Error: Root hints list has invalid root hint server: d.root-servers.net. (128.8.10.90)
Error: Root hints list has invalid root hint server: e.root-servers.net. (192.203.230.10)
Error: Root hints list has invalid root hint server: f.root-servers.net. (192.5.5.241)
Error: Root hints list has invalid root hint server: g.root-servers.net. (192.112.36.4)
Error: Root hints list has invalid root hint server: h.root-servers.net. (128.63.2.53)
Error: Root hints list has invalid root hint server: i.root-servers.net. (192.36.148.17)
Error: Root hints list has invalid root hint server: j.root-servers.net. (198.41.0.10)
Error: Root hints list has invalid root hint server: k.root-servers.net. (193.0.14.129)
Error: Root hints list has invalid root hint server: l.root-servers.net. (198.32.64.12)
Error: Root hints list has invalid root hint server: m.root-servers.net. (202.12.27.33)
Summary of test results for DNS servers used by the above domain controllers:
DNS server: 208.67.222.222 (<name unavailable>)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 208.67.222.222
DNS server: 208.67.220.220 (<name unavailable>)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 208.67.220.220
DNS server: 202.12.27.33 (m.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
DNS server: 198.41.0.4 (a.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
DNS server: 198.41.0.10 (j.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.10
DNS server: 198.32.64.12 (l.root-servers.net.)
1 test failure on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
Many thanks,
Jim
Code:
Current configuration : 7094 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
service internal
no service dhcp
!
hostname Butchers877
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-24.T4.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
logging rate-limit 100 except warnings
no logging console
no logging monitor
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
!
dot11 syslog
ip source-route
!
!
!
!
no ip cef
no ip domain lookup
ip domain name shf.local
ip inspect log drop-pkt
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 3600
login block-for 180 attempts 3 within 180
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
!
object-group network og-L1-JimHome
 description Home IP
 host xx.xx.xx.xx
!
object-group network og-L1-MainServer
 description Main server
 host 192.168.9.2
!
object-group network og-L2-Allow-RDP
 description Allow Remote Desktop from these hosts
 group-object og-L1-JimHome
!
object-group network og-L2-Allow-SNMP
 description Allow SNMP from these hosts
 group-object og-L1-MainServer
 group-object og-L1-JimHome
!
object-group network og-L2-Allow-SSH
 description Allow SSH from these hosts
 group-object og-L1-JimHome
 group-object og-L1-MainServer
!
username root privilege 15 secret 5 xxxxxx
!
!
!
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
!
interface ATM0
 description ADSL Connection
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl enable-training-log failure
 dsl bitswap both
 hold-queue 200 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description LAN
 ip address 192.168.9.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip inspect firewall in
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 in
 hold-queue 100 out
!
interface Dialer0
 bandwidth inherit
 ip address negotiated
 ip access-group acl-EXT-IN in
 ip access-group acl-EXT-OUT out
 ip nat outside
 ip inspect firewall out
 ip virtual-reassembly
 encapsulation ppp
 ip tcp header-compression iphc-format
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname xx@xx.xx.xx
 ppp chap password 7 xxxxx
 ppp ipcp dns request
 ppp ipcp wins request
 ip rtp header-compression iphc-format
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
ip dns server
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.9.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.9.2 25 interface Dialer0 25
ip nat inside source static tcp 192.168.9.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.9.2 1723 interface Dialer0 1723
ip nat inside source list acl-NAT-Ranges interface Dialer0 overload
ip nat inside source static tcp 192.168.9.2 110 interface Dialer0 110
ip nat inside source static tcp 192.168.9.2 4125 interface Dialer0 4125
ip nat inside source static tcp 192.168.9.4 33890 interface Dialer0 33890
ip access-list standard acl-NAT-Ranges
 remark Define NAT internal ranges
 permit 192.168.9.0 0.0.0.255
!
ip access-list extended acl-EXT-IN
 remark Inbound external interface
 remark The below set the rfc1918 private exclusions
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip any any fragments
 remark Allow established sessions back in
 permit tcp any any established
 remark Any new ports opened in the IP NAT INSIDE SOURCE STATIC lines should also be added here
 permit tcp object-group og-L2-Allow-SSH any eq 22 log
 permit tcp any any eq smtp
 permit tcp any any eq 443
 permit tcp any any eq 1723
 permit udp object-group og-L2-Allow-SNMP any eq snmp
 permit tcp object-group og-L2-Allow-RDP any eq 3389
 permit tcp object-group og-L2-Allow-RDP any eq 33890
 permit tcp any any eq 4125
 permit gre any any
 permit udp any eq domain any
 remark Standard acceptable icmp rules
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any source-quench
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 deny ip any any
ip access-list extended acl-EXT-OUT
 remark Allow all outbound IP
 permit ip any any
ip access-list logging interval 10
logging 192.168.9.2
dialer-list 1 protocol ip permit
!
!
!
!
snmp-server community Butchers RO
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 length 40
 width 160
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
ntp master
ntp server 129.6.15.28
!
end
#2
I noticed you have ip dns server enabled on the router but you also have:
no ip domain-lookup
If you want to use your router as a proxy DNS server then you need to enable it:
ip domain-lookup
You would also need to specify some DNS servers:
ip name-server X.X.X.X (could be your internal DNS server or external DNS servers)
Last edited by auglan; 10th March 2012 at 23:23.
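The mismatch pointed out in post #2 can be checked mechanically before a config is deployed. The following is an added example, not code from the thread: `audit_dns_proxy` and its finding codes are hypothetical names, both sample configs are constructed, 192.0.2.53 is a placeholder address, and the input is assumed to have one IOS command per line.

```python
import ipaddress
import re

# Constructed sample: DNS-related lines shaped like the config in post #1.
SAMPLE_BEFORE = """\
no ip domain lookup
ip domain name shf.local
ip dns server
"""

# Constructed sample after the change from post #2; 192.0.2.53 is a placeholder.
SAMPLE_AFTER = """\
ip domain lookup
ip domain name shf.local
ip name-server 192.0.2.53
ip dns server
"""

def audit_dns_proxy(config_text):
    """Return finding codes for a router configured to answer DNS for clients."""
    serves_dns = False
    lookup_enabled = True  # lookup is on unless the config negates it
    upstreams = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ip dns server":
            serves_dns = True
        elif re.fullmatch(r"(no )?ip domain[- ]lookup", line):
            # Both spellings appear in this thread: "domain lookup" and "domain-lookup".
            lookup_enabled = not line.startswith("no ")
        elif line.startswith("ip name-server "):
            for token in line.split()[2:]:
                try:
                    upstreams.append(str(ipaddress.ip_address(token)))
                except ValueError:
                    pass  # skip keywords that are not addresses
    findings = []
    if serves_dns and not lookup_enabled:
        findings.append("dns-server-without-domain-lookup")
    if serves_dns and not upstreams:
        findings.append("dns-server-without-name-server")
    return findings

if __name__ == "__main__":
    print("before:", audit_dns_proxy(SAMPLE_BEFORE))
    print("after: ", audit_dns_proxy(SAMPLE_AFTER))
```

The second finding only considers static `ip name-server` lines, so a router that learns its resolvers dynamically (the posted config has `ppp ipcp dns request`) would still be flagged for review.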
#3
Oh my goodness
Thank you!!!! That works a treat
Jim
PS I seem to remember setting the no ip domain lookup to prevent mistyped commands from going out to DNS. Could be mistaken though....
Last edited by jimwillsher; 11th March 2012 at 11:20.
#4
Correct, that command is usually disabled to prevent you from typing an invalid command in the parser and then having the router try to resolve it via DNS.