Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

DNS setup very slow browsing what did I do wrong?

Status
Not open for further replies.
nervous2

nervous2

IS-IT--Management
Feb 24, 2003
125
0
0
CA
2 companies / 2 seperate domains with a trust (2 way)
Company A has 3 servers
gateway 192.168.1.1
1 AD / DC (192.168.1.2)
2 DC / DC (192.168.1.3)
3 Citrix Server (192.168.1.4)

Company B has 2 servers
gateway 192.168.2.1
1 AD /DC (192.168.2.2)
2 AD /DC (192.168.2.12)
Company B logs into Company A Citrix using their windows domain login.

*************************************************************

Company A (DNS Setup)
On the 192.168.1.2 I have set the NIC DNS to 192.168.1.3 / 192.168.2.2
On the 192.168.1.3 I have set the NIC DNS to 192.168.1.2 / 192.168.2.12
On the 192.168.1.4 I have set the NIC DNS to 192.168.1.2 / 192.168.1.3 /192.168.2.2 /192.168.2.12
Gateway DNS set to 8.8.8.8 / 8.8.4.4
DHCP set on 192.168.1.2 the DNS setting for the scope is 192.168.1.2 /192.168.1.3

****************************************************************
Company B (DNS Setup)
On the 192.168.2.2 I have set the NIC DNS to 192.168.2.12 / 192.168.1.2
On the 192.168.2.12 I have set the NIC DNS to 192.168.2.2 / 192.168.1.3
Gateway DNS set to 8.8.8.8 / 8.8.4.4
DHCP set on 192.168.2.2 the DNS setting for the scope is 192.168.2.2 /192.168.2.12
******************************************************************
here is my problem
I have switched to (open DNS) to block certain websites.
in 192.168.1.2 I have set dns forwards to 1st 192.168.2.2 and (openDNS) 2nd 208.67.222.222
in 192.168.1.3 I have set dns forwards to 1st 192.168.2.12 and (openDNS) 2nd 208.67.222.222

with THIS setup my company B use accounts translate when logging into company A's Citrix and are authenticated.
but web browsing is so slow since it's going to 192.168.2.2 or 192.168.2.12 1st, if I put the open dns as first the browsing speeds up dramatically! but the my users in Company B can't use their accounts to log into citrix.
In Company B I have also switched to (open DNS) to block certain websites.
in 192.168.2.2 I have set dns forwards to 1st 192.168.1.2 and (openDNS) 2nd 208.67.222.222
in 192.168.2.12 I have set dns forwards to 1st 192.168.1.3 and (openDNS) 2nd 208.67.222.222
They have complained that browsing is slow too.

What have I done wrong? How can I still authenticate a trusted domain's accounts while still allowing the openDNS to do the blocking?
Thank You

 
Sort by date Sort by votes
Shoot the above is wrong here is the correct setup

2 companies / 2 seperate domains with a trust (2 way)
Company A has 3 servers
gateway 192.168.1.1
1 AD / DC (192.168.1.2)
2 AD / DC (192.168.1.3)
3 Citrix Server (192.168.1.4)

Company B has 2 servers
gateway 192.168.2.1
1 AD /DC (192.168.2.2)
2 AD /DC (192.168.2.12)
Company B logs into Company A Citrix using their windows domain login.

*************************************************************

Company A (DNS Setup)
On the 192.168.1.2 I have set the NIC DNS to 192.168.1.2 / 192.168.2.2
On the 192.168.1.3 I have set the NIC DNS to 192.168.1.3 / 192.168.2.12
On the 192.168.1.4 I have set the NIC DNS to 192.168.1.2 / 192.168.1.3 /192.168.2.2 /192.168.2.12
Gateway DNS set to 8.8.8.8 / 8.8.4.4
DHCP set on 192.168.1.2 the DNS setting for the scope is 192.168.1.2 /192.168.1.3

****************************************************************
Company B (DNS Setup)
On the 192.168.2.2 I have set the NIC DNS to 192.168.2.2 / 192.168.1.2
On the 192.168.2.12 I have set the NIC DNS to 192.168.2.12 / 192.168.1.3
Gateway DNS set to 8.8.8.8 / 8.8.4.4
DHCP set on 192.168.2.2 the DNS setting for the scope is 192.168.2.2 /192.168.2.12
******************************************************************
here is my problem
I have switched to (open DNS) to block certain websites.
in 192.168.1.2 I have set dns forwards to 1st 192.168.2.2 and (openDNS) 2nd 208.67.222.222
in 192.168.1.3 I have set dns forwards to 1st 192.168.2.12 and (openDNS) 2nd 208.67.222.222

with THIS setup my company B use accounts translate when logging into company A's Citrix and are authenticated.
but web browsing is so slow since it's going to 192.168.2.2 or 192.168.2.12 1st, if I put the open dns as first the browsing speeds up dramatically! but the my users in Company B can't use their accounts to log into citrix.
In Company B I have also switched to (open DNS) to block certain websites.
in 192.168.2.2 I have set dns forwards to 1st 192.168.1.2 and (openDNS) 2nd 208.67.222.222
in 192.168.2.12 I have set dns forwards to 1st 192.168.1.3 and (openDNS) 2nd 208.67.222.222
They have complained that browsing is slow too.

What have I done wrong? How can I still authenticate a trusted domain's accounts while still allowing the openDNS to do the blocking?
Thank You

 
Upvote 0 Downvote
Sounds like .2 and .12 are timing out before it gets to OpenDNS.

You may want to set .2 and/or .12 as DNS servers as well, and have them get their feed from your OpenDNS IP.

Not sure why you're using OpenDNS to block sites; you could block those sites using regular Windows DNS by just making static entries badsite.com 127.0.0.1 and so forth so it gives a "wrong" answer for DNS lookups.



Just my 2¢

"What the captain doesn't realize is that we've secretly replaced his Dilithium Crystals with new Folger's Crystals."

--Greg
 
Upvote 0 Downvote
Thanks for the info, the reason why I'm using open DNS is it's an easy way to block HTTPS sites. Facbook being one of them which also has 100's of variable IP addresses.

What I did to resolve the issue was to set my DNS forwarders on my 192.168.1.2 network to 8.8.8.8 and 8.8.4.4

my DHCP server sends out DNS of 192.168.1.2 and 192.168.1.3 and open dns servers

This has increased the speed dramatically and the blocking still works while also having domain 2 accounts being able to authenticate.

trial and error,

 
Upvote 0 Downvote
The ideal would look like this:

- Each DC would point at itself as the primary DNS and at the other DC in the same site as secondary
- In your forwarders on each server you would configure unique forwarding entries for any query to the cross-trust domain to use the remote DC/DNS servers
- You would also set up a general forwarder to use the OpenDNS IPs: 208.67.222.222 and 208.67.220.220

That way you aren't asking the wrong servers for answers. In the config that you describe, if the primary DNS server was rebooted, the clients would switch to the secondary and not switch back, and they'd be doing cross-WAN queries to an inappropriate server. Better to only forward the queries that you want that remote server to handle (the cross-trust queries) and keep all local queries within the original site. And then your "last resort" DNS is handled by OpenDNS.

The key with forwarders is how you define their scope. On Windows 2003 there was something called "Conditional Forwarders" that you had to configure. On later versions all the forwarders are configured in the same place, and the default type is a wildcard forwarder, which you would use for OpenDNS entries. At CompanyA you are going to want to create a forwarder entry for CompanyB.Local that points to the remote DC's IP address, and for CompanyB, create a CompanyA.Local forwarder entry that points to the CompanyA DC's IP address.

Dave Shackelford
ThirdTier.net
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

mangentle
  • Locked
  • Question
What could be the potential causes if a Microsoft Windows Server is experiencing slow network!
Replies
1
Views
135
gbaughma
gbaughma
rzammit82
  • Locked
  • Question
Windows Server 2016 - DNS/AD problem
Replies
1
Views
141
suncit
suncit
mangentle
  • Locked
  • Question
What are the key advantages of using Microsoft Windows Servers for businesses?
Replies
1
Views
129
gbaughma
gbaughma
fredmartinmaine
  • Locked
  • Question
Domain Controller without DNS Server
Replies
4
Views
162
fredmartinmaine
fredmartinmaine
bechna
  • Locked
  • Question
Windows Server and VPN Setup
Replies
1
Views
62
DrB0b
DrB0b

Part and Inventory Search

Sponsor

Back
Top