
DNS problem -- ISP or My System?

20 points here, 300 points at


Please see the post referenced for the original post and other posts referenced within it. Summarizing all the posts, I am trying to determine:
(1) WHERE the problem lies
(2) actions required to resolve it

New Problem Description: Originally I believed that domain name to IP address translation problems 30-35% of the time was limited to only secure (https) sites. This is because ONLY https sites were NOT Proxy -- thus, I experienced the problem only for them. However, if I turn off PROXY entirely even for http sites, they (no specific one) will fail about the same 30% of the time.

Failures occur with or without the ATGUARD firewall. However, using ATGUARD, I could capture the traffic types OUTBOUND and INBOUND. When things are successful, UDP "domain" go out to one or more of my DNSs, a UDP returns (most likely with the IP address), then a TCP "http" or "https" goes out and establishes the TCP session. When it fails, I see ONLY the UDPs out and one UDP in. I am unable to look at the packet returning to see its response (wish I could), but NO TCP goes out to establish the session and I receive either "Cannot Find Server" with "This Page Cannot Be Displayed" if the application is IE 6.0 SP1 OR "UNKNOWN HOST" if the application is ping.

I contend that the problem lies with the ISP (DirecWay satellite 2-way system) and it seems that the translation cannot be done within some time period. I have no clue what the process is, thus, I am seeking help on:
-- what the flow is
-- is there some time limit, and if so, where is the time limit that is killing the lookup
-- other potential reasons why the lookup does not work consistently (it can fail seconds after resolving it the time before, or vice versa)

Additional background: have already reinstalled Win98 SE on top of previous copy, have already reinstalled IE 6.0 SP1 and all security patches, have already properly uninstalled DUN and reinstalled to correct any protocol modules.

My bypass is to now use a HOSTS file to get to the sites that are critical to me. Thus, the problem is no longer high priority.

Sounds like a lot for 20 points, but there is another 300 at previous reference too, leaving me a dime for a phone call -- oops that went up didn't it?
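The question above notes that a UDP reply does come back on failed lookups but its contents could not be inspected. As an added example (not part of the original post), this sketch decodes a DNS reply's header and answer section so a captured reply can be classified as a usable answer, a server-side failure, or a truncated response. The function names and the sample messages are constructed for illustration.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, qid=0x1234):
    """Build a recursive A-record query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:            # root label terminates the name
            return off + 1
        off += 1 + length

def parse_response(msg, expected_id):
    """Summarise a reply: status, truncation flag and any A-record addresses."""
    result = {"status": "MALFORMED", "truncated": False, "addresses": []}
    try:
        qid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
        if qid != expected_id or not flags & 0x8000:  # wrong ID or not a response
            return dict(result, status="MISMATCH")
        off = 12
        for _ in range(qdcount):                      # skip the echoed question
            off = skip_name(msg, off) + 4
        for _ in range(ancount):
            off = skip_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            if rtype == 1 and rdlen == 4:             # A record: four address bytes
                result["addresses"].append(".".join(str(b) for b in msg[off:off + 4]))
            off += rdlen
    except (struct.error, IndexError):
        return {"status": "MALFORMED", "truncated": False, "addresses": []}
    code = flags & 0x000F
    result["status"] = RCODES.get(code, "RCODE%d" % code)
    result["truncated"] = bool(flags & 0x0200)        # TC bit: retry over TCP
    return result

# Constructed sample messages (documentation address 192.0.2.10), not captured traffic.
QUERY = build_query("example.com")
OK_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:]
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10]))
SERVFAIL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0) + QUERY[12:]
```

A reply that parses as SERVFAIL or arrives with no addresses points at the resolver side, while no reply at all within the client's timeout points at the path to it.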
1 Solution
I am not sure what else I could add to this, except that one of my clients HAD Directway.  The problem however was setting up a vpn not dns. The vpn did work with directway, they switched for other reasons.

Anyways, it looks like you get ping/replies and https intermittently using the fqdn, and a hosts file always works.  Logic says that's dns.  You also mentioned trying someone else's dns and that didn't work either.  I may have a couple of ideas.  As a test, how about setting up a caching only dns server, and use forwarding first to directway's dns and then try these dns servers.  You could also max the TTL.

I'm not familiar with atguard, you can't by chance configure that to dial a modem like MS Proxy Server?  Or could you set up another pc as a router/ICS on the outside of atguard to connect using a dial up account.  What I'm getting at is to eliminate directway by dialing a modem to connect, but keep the rest of the network (using atguard) the same.  This should prove where the problem is.  You would have to get a temporary dial up modem account.

Hope that helps
tpanc13 (Author) Commented:
I have never played with a server, only host here, so guide me a little. I assume I should set up my machine as a server, configuring ICS? And when configuring it (windows 98) I would have options to define how it should be used for DNS and method of resolution (forwarding first), plus option to set TTL?

Mr. Cheapo threw out the 2nd phone line and ISP, so, yes I would have to get ISP account again. However, I did do testing of this problem when I had a dialup account, and no problems. Don't know if this eliminates my system as the cause, or just different code and paths taken for dialup vs. satellite.

I'll look into how to do the server things you suggested. Thanks.
I think it would be different code/paths for dialup vs satellite.  If a second ISP is valid as a temporary solution (1 month is about $20US), here is what I would do to verify where the problem is.  Skip the DNS cache and isolate the problem with the ISP.
Set up a pc with win98se, or ideally win2k/winxp.  This can be any pc that can handle the above OS, it will also need a modem and nic.  Sign up for another dialup ISP.  If you know anyone that has dialup, make sure they can hit those websites listed, and then sign up for their isp. Otherwise, use a reliable one for your area.
Set up the isp thru DUN, first, try it without the network cable plugged in.  If everything works, set up internet connection sharing on the pc and plug a network cable into the pc and into your firewall wan port, and yes the directway will be unavailable during your test.  Configure the network settings of the firewall wan port as you would another pc using an ics connection.  Connect to the internet using the ics pc, and maintain the connection.  Then go to a pc on the lan side of your firewall, and browse the internet.  In this scenario, directway is not used, your firewall and all settings are the same (except for the wan ip and gateway which won't matter).  The firewall and all the rules, mtu/packets, dns, are all exactly the same.  If the problem goes away, it is directway, if the problem stays, I would try the dns servers mentioned in my previous post on all computers and the firewall (if available).  If the problem now goes away, the problem would be a combination of directway and the directway dns.  If the problem stays, it is somewhere on your lan.  Then we would start looking at your firewall and/or your dns.  Good luck, and let me know what's going on, and if there are any more questions.
BTW, if you need help with ics, try this site.


Thanks to wyliecoyoteuk for that link from a different post
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.
tpanc13 (Author) Commented:
Thanks for the help. The problem was indeed Direcway's servers and PROXY machine. Problems still exist there, but adding a non-Direcway proxy helped get around my critical site problems.