timetracer

Can't access certain websites / DNS issue?

Greetings experts.

We have a frustrating issue in that we have one particular website that we cannot access - www.firebirdsql.org. As far as I know this is the only site we cannot reach. When trying to connect we get the standard page cannot be displayed error. Have tried the site from various PCs in the office using various browsers, all get the same error. It's also unreachable from our server.

Some background information: we have a single Windows 2003 SBS running a single Windows domain. We have RRAS on and as far as I can tell with its config it is just managing the VPN with no rules for anything else. This server sits behind a D-Link DFL-210 router which has a pretty basic config on it. The server also has two NICs, one "external" which goes direct to the D-Link and another "internal" which hits the switch and then out to other PCs.

I have tried an NS lookup to firebirdsql.org and get an error saying request to "our server" timed out.

I have little knowledge of all things DNS and appreciate any help!
Raymond Jansen

Can you run a traceroute from a dos box? (tracert www.firebirdsql.org) and post the contents here?

timetracer

ASKER

I ran tracert www.firebirdsql.org on the server and got the following:

"Unable to resolve target system name www.firebirdsql.org"

Cheers.
What DNS servers are you using - yours or your provider's? If your provider's, ask them to check the resolution of the same name on their network. If they can't resolve it, then they should look at their DNS server.
Forgive my ignorance, how do I check what DNS servers we are using? Looking at the DNS management console on the server, in the forward lookup zones there are 3 folders that relate to our domain and nothing relating to our ISP. An ipconfig /all (on our server) shows our server as the DNS.
There could be a negative cache entry on the server.
Try flushing the DNS cache on the client and on the server.
- client: start -> run -> CMD (enter) -> ipconfig /flushdns
- server: Open the DNS console -> right click server -> clear cache
To open the DNS console you need to log on to your DNS server: open Control Panel -> Administrative Tools -> DNS
HOW TO TROUBLESHOOT DNS QUERIES: Follow the query time line->>

The client sends out a DNS query:
The client has a couple records that it will try to resolve the query by itself:
1) The first place a client looks for is a cached entry. (To determine if this is the case, go to the command prompt of the client and type IPconfig /flushdns.)
2) Then if your client doesn't have the cached entry, it will look at the client's C:\windows\system32\drivers\etc\Host file for resolution. (You can look at and edit the host file with word pad. Check and see that there are no entries, except 1.0.0.127 local host file in that file. Manually configured host files can mess up DNS resolution.)

After the client can't determine its own DNS query it will look at the preferred DNS server: (To determine the preferred DNS server, it will be the first one on the list in an IPconfig /all of the client).
1) The first place the server looks for DNS records is its own DNS cache. (You can flush the cache by again going to the command prompt and typing ipconfig /flushdns)
2) Then the server will look at its own C:\windows\system32\drivers\etc\Host file.
3) Then, the DNS server will have a list of Host A records. (For internal queries, it looks and sounds like you have a list of Host A records).
4) If the DNS server can't find the Host A, it will make an attempt to contact an outside server. There are two types of contacts. One is a recursive and the other is an iteration query. There are also two types of server lists for outside servers. One is called a forwarder and the other is called roothints.
HERE IS A BRIEF EXPLANATION OF EACH:
---Recursive lookup: A recursive lookup is handled by the server. It will go out to a distant server and try to resolve DNS queries that it can't do on its own for the client. In other words, if the DNS server can't find an internal address, it will go out to other servers and ask them to look for it. If a resolution is provided, the resolution will be passed down to the client from the server. It is recommended to turn off recursive lookups for security reasons and performance reasons.
---Iteration: Iteration is done when the server can't resolve the query and tells the client, "I can't do it, ask another DNS server." The resolution comes from the remote server, not the local server. So, this is basically passing the buck.
---Forwarders: Forwarders are manually configured DNS servers that your server will forward queries to if your server can't make the resolution. (Most folks configure the ISP's DNS server as the forwarders). Also, forwarders use recursive lookups.
---Root Hints: Root Hints are a list of public DNS servers that your server points the client computer to if your server can't resolve the DNS query. So, Root hints uses iterative lookups.

_______________________________________________________________

So, with that knowledge, here is how to troubleshoot DNS:

For problems with a single server or client:
Is your client the only one with the problem: (your answer is no, so it is not the client's DNS cache or the client's HOST record)

For the entire domain:
Are you seeing problems with all clients and servers: (your answer is YES, so it is either the server or the outside server)
---If the answer is yes, let's add to that: Are they having problems with ALL websites? (Your answer is NO, so you are not having problems with getting to an outside server for DNS resolution except on that one site.)

This leads me to four possibilities:

Conclusion:
There are four possibilities this can be, (three of them you can fix):
1) You have a DNS cached record for that outside web site that is wrong, (AS MINVIS was saying)
2) You have a DNS record in the server's C:\windows\system32\drivers\etc\Host. You can edit this with a text editor, like word pad or notepad. Delete all records except the 127 loopback address.
3) You have an incorrect, (manually configured), Host A DNS record in the forward lookup zone for that web site that needs to be deleted.
Outside servers:
4) Your ISP's servers can't resolve this and give you a DNS resolution.
___________________________________________________________________________
If your ISP can't resolve the lookup, you could elect an alternative. You could use root hint servers. All you have to do is right click the DNS snap-in and go to properties. Then, go to the forwarders tab and deselect recursive lookups. Disabling recursion is more secure and provides better DNS performance. You can leave your list of outside servers in forwarders if you disable recursion.

I don't like being credited for someone else's answer. So:
If flushing DNS cache is the correct answer, please credit MINVIS.
If your providers can't make the query, I think cnjuguna was your person.
 


In the DNS management console check the properties of your server and look at forwarders - see if any DNS servers are listed there. Alternatively run nslookup from the command prompt - it should list an IP address before giving you a prompt. From there you can type the fully qualified domain name (FQDN) and see if it resolves to an IP. If you can resolve say www.google.com and not www.firebirdsgl.com, I would say your provider is the place to check.
You can try to use the dns servers from opendns.com. First try on a single pc. Change under network settings, tcp/ip the dns servers to:

208.67.222.222 primary
208.67.220.220 secondary

That should solve it immediately for this pc. You can go from there.

@ R-jansen:
Using a public DNS on the clients is not recommended in a domain.....the client will not authenticate anymore if you do that.......
@Minvis:

I meant for testing and eliminating DNS issues. If you can connect using opendns then your provider has a DNS issue which they should be able to solve shortly.

Thank you for the informative responses thus far. I have tried several things as suggested:

1. Cleared the DNS cache on the server and flush dns on pc - no joy

2. Checked the host record on the server, it was blank bar the loopback record

3. Checked the forward lookup zones and so far as I could tell nothing for the site in question. However I am confused as to what should be there in the first place? The 3 zones in there are all active directory-integrated primary and there is nothing relating to our ISP (should there be?).

4. I think I can eliminate our isp as the problem. I changed the dns settings on my pc to those on the D-Link router (from our isp) and was able to get to the site. I then changed the DNS settings on another PC to have our server as primary then our isp as secondary and had no issue getting to the site.

From this I am assuming something is incorrect on the server. From what I can tell on the server there is no record for our ISP as a DNS. The DNS addresses (our ISPs) are on our router but there is nothing on the server and I am unsure as to why.

What should I be adding/checking on the server so as I can rely on the servers settings and not need to have a manual DNS config on the users PCs?
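
The by-hand comparison from step 4 above (same name, asked of different DNS servers), as an added example that is not part of the original thread. It sends a raw A query to each server so no client cache or hosts file is involved, then locates the fault from the two results; the function names and the 192.0.2.10 address are assumptions, and 208.67.222.222 is the OpenDNS resolver mentioned earlier.

```python
import socket
import struct

QID = 0x1234  # fixed query id, enough for a one-shot diagnostic

def build_query(name):
    """Encode a recursion-desired A/IN query for `name` (RFC 1035 wire format)."""
    header = struct.pack(">HHHHHH", QID, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(reply):
    """Map a raw reply (None = nothing came back) to a short status."""
    if reply is None:
        return "timeout"
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if rid != QID or not flags & 0x8000:  # wrong id, or not a response
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 0:
        return "answer" if ancount else "nodata"
    return {2: "servfail", 3: "nxdomain", 5: "refused"}.get(rcode, "rcode%d" % rcode)

def ask(server, name, timeout=3.0):
    """Send one UDP query straight to `server`, bypassing the OS resolver cache."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            return classify(s.recvfrom(512)[0])
        except OSError:  # timed out or server unreachable
            return classify(None)

def triage(local, upstream):
    """Locate the fault from the status each resolver gave for the same name."""
    if local == "answer":
        return "local server resolves it: check client cache and hosts file"
    if upstream == "answer":
        return "local server at fault: check its cache, zones, forwarders, root hints"
    return "upstream fails too: take it to the provider"

if __name__ == "__main__":
    # 192.0.2.10: placeholder for the internal DNS server; 208.67.222.222: OpenDNS
    name = "www.firebirdsql.org"
    local, upstream = ask("192.0.2.10", name), ask("208.67.222.222", name)
    print(local, upstream, "->", triage(local, upstream))
```

A "timeout" from the internal server alongside an "answer" from the outside resolver is the pattern reported in this thread.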
ASKER CERTIFIED SOLUTION
minvis
Sorry....the roothints option was already mentioned by ChiefIT.... :-)
Thank you for all your help, I went with adding our ISP's DNS servers to the forwarders list.