#1
intermittent dns on windows
I'm using BIND + Debian Linux for our internal DNS. We have our own primary NS, bind9 + Debian, on a non-routable IP address being port-forwarded through a firewall. Our secondary NS is bind9 + Debian on a routable IP address over a NAT'd T1. Our users have laptops which they carry with them on the road. When they come in they have to configure static IP addresses. Sometimes they will come in and everything is fine. But on occasion, they are only able to resolve the outside and have to put in the local IP address of the mail server to get mail.
I've inherited this network and the guy before me was much more creative than me. I don't understand why he has the root.cache file entry, nor do I understand why his resolv.conf file doesn't have "search localhost" then "nameserver our.name.servers". Well, I'm hoping one of you might understand what is going on, because when I change ANYTHING it goes crazy.
#2
What domain do they type in to access their mail? mail.deepnines.com?
#3
yes sir
#4
Are their name servers correctly configured? They really shouldn't configure a static IP address. They should be using DHCP so that you can be sure that their gateway, name servers, and IP address are all kosher. It also helps prevent possible IP conflicts.
#5
I wish that were possible. Things that would make my life easy, like DHCP, cold air in the telco room, and people willing to reboot or even restart Outlook, are not available to me. I would like to set up a wireless hub with DHCP and a VPN that comes in from the outside so they will be doing everything the same no matter where they are located. but...
#6
Well, that's ok. My motto is to always find out what's wrong rather than simply "retry" or "try something else". The only reason I suggested that is because this makes for a very hard-to-debug problem.
Give me more details on the problem, like why/how it is intermittent. Can all laptop users sometimes/sometimes not use the domain to connect? Or is it just some users? Also, you need to get hold of somebody who *can't* and see what their name servers are set to in ipconfig /all at the DOS prompt. After all, there's no sense trying to fix a DNS server that might not even be in use.
#7
Ya. Today is an 'everyone can resolve' day. But when I look at their settings they have everything set up correctly for their connection. When I run ipconfig it lists .4 as the DNS Server. When I ping mail.deepnines.com it resolves correctly. Outlook spits 'Unable to find the e-mail server' errors for the incoming e-mail server.
#8
Ok, I think I found the problem. My whole game plan was totally screwed up since I usually test people's configuration with DNS Crawler, but I got my act together and looked for the most common reason for intermittent problems - bad NS records. Sure enough, that's definitely a problem your config has.

deepnines.com currently has this record:

@ IN NS localhost.

Since localhost resolves to 127.0.0.1 you're basically telling your clients that your DNS server is located at that IP address. On operating systems that run a caching resolver (in Windows it's called "DNS Client" in the services list) it will cache that NS record and query it for all future resolution. Here's a diagram of one scenario where this would trip up:

1. "DNS Client" has nothing cached yet
2. "DNS Client" queries 10.8.200.x for www.deepnines.com's IP address.
3. "DNS Client" caches the IP for 604800 seconds
4. "DNS Client" caches the NS record 'localhost' for 604800 seconds
5. "DNS Client" queries 127.0.0.1 for mail.deepnines.com's IP
6. "DNS Client" gets no response and returns failure

So yeah, a number of circumstances have to add up just right for this to cause a failure, but it'll happen. To fix this remove this record:

@ IN NS localhost.

And add these records:

@ IN NS ns
ns IN A 10.8.200.x

I don't know your DNS server's IP so I have an 'x' in there. Make sure to use the proper IP. I'm 90% sure this is your problem and your only problem relating to intermittent failures.

Last edited by SilentRage : August 12th, 2004 at 11:57 AM.
#9
Should @ IN NS ns have a trailing '.' ?

@ IN NS ns.

Sorry, forgot to ask: in /etc/resolv.conf should I replace localhost with 10.8.200.4?
#10
I waited until everyone was gone and gave it a try. I didn't hear boom.

This is dig from a client box:

; <<>> DiG 9.2.1 <<>> deepnines.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41041
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;deepnines.com. IN A

;; ANSWER SECTION:
deepnines.com. 604800 IN A 10.8.200.4

;; AUTHORITY SECTION:
deepnines.com. 604800 IN NS ns.

;; Query time: 1 msec
;; SERVER: 10.8.200.4#53(10.8.200.4)
;; WHEN: Thu Aug 12 17:55:15 2004
;; MSG SIZE rcvd: 63

I held on to the closing ".":

@ IN NS ns.
ns IN A 10.8.200.4
mail IN A 10.8.200.3
www IN A 10.8.200.4
dos IN A 10.8.200.100
ack IN A 66.226.193.132
syn IN A 64.178.40.130
deepnines.com. IN A 10.8.200.4

All very scary stuff. Thanks for the help sir.
#11
* SilentRage humphs
You completely missed my point! Look at this part of the dig response:

deepnines.com. 604800 IN NS ns.

That's getting cached by resolvers! "ns" doesn't resolve to anything and will cause the exact same errors you had before. Remove that trailing period you volunteered. The only server that can have "localhost" in the resolv.conf is the DNS server, and that's purely optional if you've already got some other reference to the server in that file.
#12
AH! I knew it was trying to send info outside but couldn't get myself to believe it. So it was that trailing dot! Thank you sir.
#13
@ IN NS ns

Now I've confused myself again. What is the point of this line?
#14
Now there's a question I like. Always ask for explanations for things you don't understand.

@ IN NS ns

@ is a symbol that represents the "origin". In this case the origin is "deepnines.com". IN (internet) is the class. NS (name server) is the record type. ns with no trailing period is appended with the "origin". Explicit format of that record:

deepnines.com. IN NS ns.deepnines.com.

Which essentially means that "ns.deepnines.com" is an authoritative name server for "deepnines.com".
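Added example (not written by any poster in this thread): a small Python checker that applies the origin rule SilentRage explains in #14 ("@" is the origin, a name without a trailing dot gets the origin appended, an absolute name is left alone) and then flags the two apex NS mistakes the thread ran into, the "NS localhost." record from #8 and the "NS ns." record from #11. The zone text inside the script is constructed for the example from the records quoted above; the helper names (expand, parse_zone, check_ns) are the example's own, not anything from BIND.

```python
"""Zone-file NS sanity check (added example, not code from the thread)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed zone fragment modelled on the records posted in the thread.
# Line 2 is the record post #8 says to remove; line 3 is the stray trailing
# dot from post #11; line 4 is the corrected record from post #14.
ZONE_TEXT = """\
$ORIGIN deepnines.com.
@       IN NS localhost.
@       IN NS ns.
@       IN NS ns
ns      IN A  10.8.200.4
mail    IN A  10.8.200.3
www     IN A  10.8.200.4
deepnines.com. IN A 10.8.200.4
"""

Record = Tuple[str, str, str]  # (fully qualified owner, type, rdata)


def expand(name: str, origin: str) -> str:
    """Origin rule from post #14: '@' is the origin itself, a relative name
    (no trailing dot) has the origin appended, an absolute name is kept."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text: str, origin: str = "") -> List[Record]:
    """Parse 'owner class type rdata' lines (the layout used in the thread),
    honouring $ORIGIN, comments and blank lines. Owners and NS targets come
    back fully qualified so later checks compare like with like."""
    records: List[Record] = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        owner, klass, rtype, rdata = line.split(None, 3)
        if klass.upper() != "IN":
            raise ValueError(f"unsupported class in line: {raw!r}")
        rtype = rtype.upper()
        if rtype == "NS":
            rdata = expand(rdata, origin)  # NS rdata is a name, so expand it too
        records.append((expand(owner, origin), rtype, rdata))
    return records


def check_ns(records: List[Record], origin: str) -> List[str]:
    """One warning per apex NS record a caching resolver could not use.
    Mirrors the scenario in post #8: the NS rdata is cached for its TTL and
    every later query goes to whatever that name resolves to."""
    addresses: Dict[str, List[str]] = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            addresses.setdefault(owner, []).append(rdata)

    warnings: List[str] = []
    for owner, rtype, target in records:
        if rtype != "NS" or owner != origin.lower():
            continue  # only the zone apex is checked here, not sub-delegations
        glue = addresses.get(target, [])
        if target == "localhost." or any(ipaddress.ip_address(a).is_loopback for a in glue):
            warnings.append(f"NS {target} points at loopback; clients will query themselves")
        elif "." not in target.rstrip("."):
            warnings.append(f"NS {target} is a top-level name (stray trailing dot?) with no address")
        elif not glue:
            warnings.append(f"NS {target} has no A record in this zone")
    return warnings


if __name__ == "__main__":
    for warning in check_ns(parse_zone(ZONE_TEXT), "deepnines.com."):
        print("WARNING:", warning)
```

Run against the constructed zone it prints two warnings (the loopback one and the top-level "ns." one) and accepts "ns.deepnines.com." because the zone carries its A record. Swap ZONE_TEXT for a real zone file's apex records to check a fix before reloading BIND.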
#15
There is something I've never understood.
If my internal DNS is authoritative for deepnines.com, how does it affect my primary DNS and secondary DNS? Or better yet, if it does, then why?