
DNS problem with firewall 1

Status
Not open for further replies.

AceHigh1234

Instructor
Dec 21, 2004
117
US
We just got a Gateway Security 360 firewall for our Windows 2000 domain. Running into problems using the firewall as both the DNS server and the default gateway; I have to refresh the page when loading some websites. Ran a packet sniffer on port 53 and all DNS requests were duplicated. Ran NSlookup on the firewall address while my local machine's DNS server was set to the address of my firewall and came up with this:
(root) nameserver = I.ROOT-SERVERS.NET
(root) nameserver = J.ROOT-SERVERS.NET
(root) nameserver = K.ROOT-SERVERS.NET
(root) nameserver = L.ROOT-SERVERS.NET
(root) nameserver = M.ROOT-SERVERS.NET
(root) nameserver = A.ROOT-SERVERS.NET
(root) nameserver = B.ROOT-SERVERS.NET
(root) nameserver = C.ROOT-SERVERS.NET
(root) nameserver = D.ROOT-SERVERS.NET
(root) nameserver = E.ROOT-SERVERS.NET
(root) nameserver = F.ROOT-SERVERS.NET
(root) nameserver = G.ROOT-SERVERS.NET
(root) nameserver = H.ROOT-SERVERS.NET
Server: UnKnown
Address: 192.168.1.1

Same results when changing the NSlookup address to the address of my internal DNS servers. When I changed the DNS server on my NIC to my network's internal DNS server, I came up with
"**** Uknownn, can't find 192.168.1.5: non-existant domain"

Please help this is killing me!

 
Hey Ace

Don't despair. DNS is easy once you get the hang of it.

Most domains can be configured two ways. One is where the internal DNS queries the Internet; therefore your internal DNS will query the root server list you mentioned directly. This means that you need to open the correct ports on your firewall for this to happen.

The second way is to have the firewall do all the DNS queries to the Internet. Now I like this one because I feel it's more secure. In this situation, your internal DNS queries the firewall, which in turn queries the Internet.

From what you are describing above, you are getting different issues. The reason why your queries are duplicated is probably because you have both the internal DNS and the firewall DNS query your sites. Only one of them should do it. When it says "**** Uknownn, can't find 192.168.1.5: non-existant domain", that means your server cannot find the reverse lookup zone 1.168.192.in-addr.arpa. That is a zone that should be in your internal DNS (because 192.168.X.X is non-existent on the Internet).

If you want help setting up your name resolution, I'll be happy to offer any assistance I can.
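As an added illustration (not part of the thread, and not the firewall's or Windows DNS's own tooling), the two symptoms described in this reply can be checked from a query log: the same question leaving twice within a fraction of a second, and PTR queries for RFC 1918 addresses that only an internal reverse zone such as 1.168.192.in-addr.arpa can answer. The log format (seconds, client, name, type) and the sample lines are constructed for the example.

```python
import ipaddress

# Constructed sample DNS query log (not from the thread): seconds client qname qtype
SAMPLE_LOG = """\
0.00 192.168.1.20 www.example.com A
0.01 192.168.1.20 www.example.com A
0.30 192.168.1.20 5.1.168.192.in-addr.arpa PTR
0.31 192.168.1.20 5.1.168.192.in-addr.arpa PTR
2.00 192.168.1.21 mail.example.org MX
"""
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_log(text):
    records = []
    for line in text.strip().splitlines():
        ts, client, qname, qtype = line.split()
        records.append((float(ts), client, qname.lower().rstrip("."), qtype.upper()))
    return records

def ptr_to_ip(qname):
    """Turn 5.1.168.192.in-addr.arpa back into 192.168.1.5 (None if not a v4 PTR name)."""
    if not qname.endswith(".in-addr.arpa"):
        return None
    octets = qname[: -len(".in-addr.arpa")].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))

def reverse_zone_for(ip):
    """/24 reverse zone holding ip, e.g. 1.168.192.in-addr.arpa for 192.168.1.5."""
    a, b, c, _ = ip.split(".")
    return f"{c}.{b}.{a}.in-addr.arpa"

def find_duplicates(records, window=0.1):
    """Same (client, qname, qtype) twice within `window` s: two resolvers forwarding one question."""
    last_seen, dupes = {}, set()
    for ts, client, qname, qtype in records:
        key = (client, qname, qtype)
        if key in last_seen and ts - last_seen[key] <= window:
            dupes.add(key)
        last_seen[key] = ts
    return sorted(dupes)

def find_private_ptr_leaks(records):
    """PTR queries for RFC 1918 space, with the internal reverse zone that must answer them."""
    leaks = set()
    for _, _, qname, qtype in records:
        ip = ptr_to_ip(qname) if qtype == "PTR" else None
        if ip and any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS):
            leaks.add((qname, reverse_zone_for(ip)))
    return sorted(leaks)
```

Running `find_duplicates` and `find_private_ptr_leaks` over `parse_log(SAMPLE_LOG)` reports the doubled A and PTR questions and names the reverse zone the internal server should hold.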
 
I would love some help! I figured out what you mentioned this morning. The problem we're running into is that our internal domain name is registered to someone else on the Internet, and the firewall is sending packets across the Internet for internal traffic. Because of this, I can't just set my client computers' DNS server to the IP of the firewall and have it do the job. I need the client PCs to point to our internal DNS server and the internal DNS server to point to the firewall, in Windows 2K Server. How do I do that? I know how to set up DNS forwarding, but when I do that, the content filtering in the firewall (which works via being the DNS server) does not work or show any logged activity for the blocked sites.

Anyway, any help would be much appreciated
 
I'm afraid you really need to change your DNS domain if you truly want to fix this the right way.

If not, then you will need to do some fancy configurations to cover up your domain internally. Now I assume that your external domain is not the same as your internal domain, for if it is, then this will truly mix things up for both you and the actual owner of the domain.

You can always change the root suffix you use. If your domain is, let's say, auto.com, you can always use auto.net, auto.org, auto.biz, etc.

The description you wrote about your situation is, I must admit, a little hard to understand. Could you supply me with more information?

Internal domain name:

External domain name:

Actual domain name that you say someone else has:

Does your firewall support dual interface DNS (meaning you can have two different domains on it, one for the internal interface and one for the external)?
 