DNS resolution fails in web browser but nslookup succeeds

We are a small, 300-seat organization with a mixed BYOD and Active Directory environment (Windows Server 2012 Standard, Windows 7 Enterprise) and we are having a very strange problem involving very specific-scope failures to resolve our organization's domain name on our domain-joined, company-controlled machines. For the purpose of this discussion, I'll use company.com instead of our domain name.

Background:

  • Active Directory Domain Controller is located at 172.16.1.3
  • The AD/DC machine is also running DHCP, DNS, and HTTP (IIS)
  • Our organization's websites at company.com and subdomain.company.com are hosted by IIS on the AD/DC machine
  • We have a split-DNS scenario in which the AD/DC server is used for internal DNS resolution but a different, off-site server provides DNS resolution for public queries
  • The IP address corresponding to company.com and subdomain.company.com is the public IP address used by a firewall at the edge of our network (both on the AD/DC DNS server and the off-site DNS server)
  • The firewall is correctly configured for NAT to pass HTTP and HTTPS requests it receives on its public IP address to the internal IP of the AD/DC server and reflects

Scenario 1:

  • A user on a domain-joined Windows 7 Enterprise machine is connected directly to our local network with local address 172.16.6.100 /16, issued by the DHCP server.
  • The DNS server entry is provided by DHCP (172.16.1.3)
  • This user is able to access the websites hosted at company.com and subdomain.company.com
  • Edit: nslookup has been run in this scenario and correctly returns the proper DNS record from the internal DNS server (172.16.1.3)

Scenario 2:

  • The same user on the same domain-joined Windows 7 Enterprise machine goes home and connects to the Internet using their residential ISP
  • The IP and DNS server entries for the client machine are provided by DHCP
  • This user can access any internet resources, such as google.com
  • This user cannot access the website at company.com or subdomain.company.com (a "host not resolved" error is returned)
  • When this user runs nslookup on company.com they DO receive the correct public IP address provided by DNS
  • HTTP/HTTPS requests to the IP address succeed and a webpage is returned properly by the server
  • This issue prevails across all web browsers
  • Using tracert company.com returns "unable to resolve target system name"
  • Using ping company.com returns "could not find host company.com"
  • When running Wireshark on the client before/during a failed request, no packets are sent by the client machine (either for DNS resolution or for an initial HTTP/ping/tracert request)
  • Restarting the DNS Client service does not resolve the problem
  • Stopping the DNS Client service does not resolve the problem
  • Using ipconfig /flushdns does not resolve this issue
  • Using route /f does not resolve this issue
  • Resetting the network connections using netsh int ip reset does not resolve this issue
  • Edit: nslookup has been run in this scenario and correctly returns the proper DNS record from the DNS server specified by the DHCP settings of the network used by the user

Scenario 3:

  • This same user on a personal (not domain-joined) Windows 7 Professional computer is able to access the websites at company.com and subdomain.company.com when connected to our local network
  • Edit: nslookup has been run in this scenario and correctly returns the proper DNS record from the internal DNS server (172.16.1.3)

Scenario 4:

  • This same user on a personal (not domain-joined) Windows 7 Professional computer is able to access the websites at company.com and subdomain.company.com when connected to their home network
  • Edit: nslookup has been run in this scenario and correctly returns the proper DNS record from the DNS server specified by the DHCP settings of the network used by the user

Final Notes:

This issue seems to be generalized to affect all company-owned computers. We are using a common system image for all company-owned computers, which was just loaded in August. I have been scouring the internet in search of possible solutions and have come up empty-handed so far -- I really appreciate any suggestions or advice you may have.


Solution 1:

The domain-joined computers are going to be looking for their DC, not just doing a DNS-based lookup. Since the domain is the same as the public website, they're going to be searching for an SRV record to tell them how to get to the DC and get domain info. Since there's no DC in the remote network, they cannot resolve this name using the normal AD-aware Windows parts.

When you use ping or (almost) any Windows application, it uses the full Windows IP stack, including the parts that talk to AD, whereas NSLookup actually just does a DNS query. You've verified this with your Wireshark traces: no lookups are performed by Windows when trying to get to company.com, but nslookup shows a proper DNS lookup. This is why you're unable to resolve the domain via ping or web browser, but nslookup is fine.

The solution for the first part of this is to use www.company.com to get to the website both internally and externally so that clients completely ignore looking for a DC.

The solution for the second part is trickier depending on what subdomain.company.com refers to internally as well as externally. Does the DC have a DNS record for subdomain, or are those requests just sent to the external DNS server? If it does have a DNS record, where does that record point?
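A PowerShell diagnostic that reproduces the comparison the answer draws (the full Windows resolver that browsers, ping and tracert use versus a plain DNS query like nslookup, plus the DC-locator lookup); this is an added example, not code from the question or the answer. It assumes the DnsClient module (Windows 8 / Server 2012 and later, so run it from the server or a newer client; on the Windows 7 clients nslookup fills the "DNS only" column) and uses the question's placeholder names company.com, www.company.com and subdomain.company.com.

```powershell
# Added diagnostic for the split described above: Windows resolver vs. raw DNS.
# Assumes DnsClient module (Windows 8 / Server 2012+) and a domain-joined logon,
# so $env:USERDNSDOMAIN holds the AD domain (company.com in the question).
param([string]$Domain = $env:USERDNSDOMAIN)

function Resolve-ViaWindows {
    # Full Windows resolver path (getaddrinfo): what browsers, ping and tracert use.
    # For the bare AD domain this is the AD-aware path the answer describes.
    param([string]$Name)
    try {
        ([System.Net.Dns]::GetHostAddresses($Name) |
            ForEach-Object { $_.IPAddressToString }) -join ','
    } catch [System.Net.Sockets.SocketException] {
        "FAIL: $($_.Exception.Message)"   # "No such host is known" = resolver gave up
    }
}

function Resolve-ViaDnsOnly {
    # Straight DNS query to the configured server, bypassing cache and NetBIOS,
    # i.e. the same thing nslookup does.
    param([string]$Name, [string]$Type = 'A')
    try {
        (Resolve-DnsName -Name $Name -Type $Type -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq $Type } |
            ForEach-Object { if ($Type -eq 'SRV') { $_.NameTarget } else { $_.IPAddress } }) -join ','
    } catch { "FAIL: $($_.Exception.Message)" }
}

# Bare domain (fails off-site per the question), the www. name the answer
# recommends, and the subdomain whose internal record is still in question.
$names = @($Domain, "www.$Domain", "subdomain.$Domain")
$rows = foreach ($n in $names) {
    [pscustomobject]@{ Name = $n; WindowsResolver = Resolve-ViaWindows $n; DnsOnly = Resolve-ViaDnsOnly $n }
}
# DC-locator SRV record: present on the internal DNS, absent from the public zone.
$srv = "_ldap._tcp.dc._msdcs.$Domain"
$rows += [pscustomobject]@{ Name = $srv; WindowsResolver = 'n/a'; DnsOnly = Resolve-ViaDnsOnly $srv 'SRV' }
$rows | Format-Table -AutoSize

# nltest (built into Windows 7+) runs the real DC locator; off-site it should fail.
$out = & nltest.exe /dsgetdc:$Domain 2>&1
if ($LASTEXITCODE -ne 0) { "nltest: no DC reachable for $Domain from this network" }
else { "nltest: " + (($out | Select-String 'DC:' | Select-Object -First 1).Line.Trim()) }
```

A row where WindowsResolver reports FAIL while DnsOnly returns the public address, together with a failed nltest, is the pattern the question's Scenario 2 describes; www.company.com should resolve on both columns once the records exist.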