Dabowitt


Potential DNS Resolution Error; Page not found on selected web sites

We have run into an issue where I was browsing Hewlett Packard's website for driver downloads and got a page not found.
I bounced e-mails with the webmaster and they indicated all was fine on their side.

I go to:

http://h20180.www2.hp.com/apps/Lookup?h_lang=en&h_cc=us&cc=us&h_page=hpcom&lang=en&h_client=S-A-R163-1&h_pagetype=s-002&h_query=DC5000&submit.x=1&submit.y=4

which is the query page for DC5000 workstation drivers.  When I select any of the three selections on the list I get page not found.  

The page it is being redirected to is:

http://h18007.www1.hp.com/support/files/hpcpqdt/us/family/model/6021.html?submit.y=4&submit.x=1&lang=en&cc=us

h20180.www2.hp.com resolves as 161.114.82.23
h18007.www1.hp.com resolves as 161.114.19.252


This problem started about 3 weeks ago; about 2 weeks ago I patched up my server environment with all the MS patches currently available, so I don't think that is the issue.

My environment is 1 Windows 2003 DC and 2 Windows 2000 DCs (1 acting as DNS).  We are set up as Active Directory Integrated on DNS.

After HP said no problem I thought it might be our Firewall.  I checked out the firewall and I was not dropping any packets when initiating the search.

I then plugged in a laptop between the router and firewall and configured an external address with an external DNS server and it worked.

I then went to my workstation and added an external DNS address.  Thus, my workstation had my two internal DNS server addresses and the third external address of 4.2.2.1 and I was able to access the page.

The same day I was asked to do a Webex session and got the same problem w/o the external DNS address and using the external DNS address it worked.

The curious thing is that about 99.9% of websites are being resolved only a select few are not.

The reason it doesn't work is that the internal DNS server does not resolve that this name:  http://h18007.www1.hp.com/
This was verified by doing an NSLOOKUP on the above address and it times out.  External to our network it works.  

Now all these pages worked approximately 3 weeks ago and now don't work.  NO CHANGES have been made to my DNS server.

I even cleared the cache lookup on my two DNS servers.  I also rebooted the DC with no luck.

My reverse DNS is setup as:

0.in-addr.arpa
10.in-addr.arpa
127.in-addr.arpa
255.in-addr.arpa

I'm not getting any relevant DNS event log errors when accessing the problem page.

OK, hopefully someone out there has some ideas.

Thanks



NJComputerNetworks

Huh...I'm not exactly sure what might be the problem but I think I could give you some things to check.

First, I think it is best if you have all of your clients and member servers in your domain point to your internal Windows DNS servers.  Then have your DNS servers forward requests to your ISP DNS servers.

- Judging from what you wrote, I think you already have this in place.

I was also curious to learn that when you put your ISP DNS address in on your client machine, you were able to resolve this HP web site.

**  Because of this, I would go into the DNS console on all of your DNS servers.  Check the Forwarders tab...make sure that all of the DNS servers listed here are working.  Remove any that are not.  

** It sounds like you have already cleared your cache on your DNS server...but I would manually go in and look for this HP.com cache.  Delete it if you find it...

** I would also use NSLOOKUP from a command prompt to further troubleshoot this issue.  It sounds like the remote server and Internet DNS servers are working just fine.  In fact, I tested my resolution for this and found it to be OK.  Therefore, there is probably some kind of forwarding problem on your DNS server or your ISP DNS servers.

Use NSLOOKUP and try to resolve h18007.www1.hp.com.

If you don't succeed the first time...try multiple times...  

Now increase the debugging level of NSLOOKUP --

SET DB2

Now...search again....check the output for problems...

-Hope some of this helps...
Dabowitt

ASKER

Cleared the cache manually and watched as it rebuilt when trying to resolve the name, no luck.  

Forwarding looks fine and we have changed nothing in the past 2.5 years.

Need help.  Not familiar with the SET DB2 command.  Please help with syntax; didn't see syntax in the list of NSLookup commands.
After you're in NSLOOKUP, just type SET DB2

C:\Documents and Settings\poandjo>nslookup
Default Server:  MyDNSServer
Address:  10.0.0.1

(now type SET DB2)

> set db2    <this puts NSLOOKUP in debugging mode


> h18007.www1.hp.com
Server:  MyDNSServer
Address:  10.0.0.1

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion,
        questions = 1,  answers = 0,  authority records = 1,

    QUESTIONS:
        h18007.www1.hp.com.domain2.local, type = A, class = IN
    AUTHORITY RECORDS:
    ->  mydnsserver.domain.local
        ttl = 86400 (1 day)
        primary name server = mydnsserver.domain.local
        responsible mail addr = root.mydnsserver.domain.local
        serial  = 4141658
        refresh = 10800 (3 hours)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 180 (3 mins)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion,
        questions = 1,  answers = 0,  authority records = 1,

    QUESTIONS:
        h18007.www1.hp.com.domain.local, type = A, class = IN
    AUTHORITY RECORDS:
    ->  domain.local
        ttl = 3600 (1 hour)
        primary name server = mydnsserver.domain.local
        responsible mail addr = admin.domain.local
        serial  = 942404
        refresh = 3600 (1 hour)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 4, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion,
        questions = 1,  answers = 0,  authority records = 1,

    QUESTIONS:
        h18007.www1.hp.com.ey.com, type = A, class = IN
    AUTHORITY RECORDS:
    ->  domain.local
        ttl = 3600 (1 hour)
        primary name server = mydnsserver.domain.local
        responsible mail addr = root.mydnsserver.domain.local
        serial  = 2004012371
        refresh = 1800 (30 mins)
        retry   = 3600 (1 hour)
        expire  = 604800 (7 days)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 6, rcode = NOERROR
        header flags:  response, want recursion, recursion ava
        questions = 1,  answers = 2,  authority records = 2,

    QUESTIONS:
        h18007.www1.hp.com, type = A, class = IN
    ANSWERS:
    ->  h18007.www1.hp.com
        canonical name = www.compaq.com
        ttl = 600 (10 mins)
    ->  www.compaq.com
        internet address = 161.114.19.252
        ttl = 975 (16 mins 15 secs)
    AUTHORITY RECORDS:
    ->  www.compaq.com
        nameserver = ddhou.compaq.com
        ttl = 6375 (1 hour 46 mins 15 secs)
    ->  www.compaq.com
        nameserver = ddtay.compaq.com
        ttl = 6375 (1 hour 46 mins 15 secs)
    ADDITIONAL RECORDS:
    ->  ddhou.compaq.com
        internet address = 161.114.1.10
        ttl = 82267 (22 hours 51 mins 7 secs)
    ->  ddtay.compaq.com
        internet address = 161.114.64.47
        ttl = 82267 (22 hours 51 mins 7 secs)

------------
Non-authoritative answer:
Name:    www.compaq.com
Address:  161.114.19.252
Aliases:  h18007.www1.hp.com



From here you can see detail of where your DNS was forwarded to, to actually find an answer.  
Here is the reply: Modified to remove names of my servers and network. Forwarding not working???

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

Z:\>nslookup
Default Server:  abcserver.domain.local
Address:  10.0.0.40

> set db2
> h18007.www1.hp.com
Server:  abcserver.domain.local
Address:  10.0.0.40

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        h18007.www1.hp.com.domain.local, type = A, class = IN
    AUTHORITY RECORDS:
    ->  domain.local
        ttl = 3600 (1 hour)
        primary name server = abcserver.domain.local
        responsible mail addr = admin
        serial  = 7058
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
DNS request timed out.
    timeout was 2 seconds.
timeout (2 secs)
*** Request to abcserver.domain.local timed-out
>
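
How to read the debug output just posted, as an added example that is not part of any post in the thread: the NXDOMAIN replies are authoritative answers for suffix-appended names from the local zone, and only the timeout concerns the real name. The `SAMPLE` text is an abridged excerpt of that output; `parse_debug` and `diagnose` are hypothetical helper names.

```python
import re

# Abridged excerpt of the nslookup debug output posted above.
SAMPLE = """\
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
    QUESTIONS:
        h18007.www1.hp.com.domain.local, type = A, class = IN
    AUTHORITY RECORDS:
    ->  domain.local
------------
DNS request timed out.
*** Request to abcserver.domain.local timed-out
"""

def parse_debug(output):
    """Return ([(question_name, rcode)], timed_out) from nslookup debug text."""
    answers, rcode = [], None
    for line in output.splitlines():
        m = re.search(r"rcode = (\w+)", line)
        if m:
            rcode = m.group(1)          # remember rcode until the question line
            continue
        m = re.match(r"\s+(\S+), type = \w+, class = \w+", line)
        if m and rcode:
            answers.append((m.group(1).rstrip("."), rcode))
            rcode = None
    return answers, bool(re.search(r"timed[ -]out", output))

def diagnose(output, queried):
    """Separate suffix-search replies from the result for the name actually asked."""
    answers, timed_out = parse_debug(output)
    real = [rc for name, rc in answers if name.lower() == queried.lower()]
    suffixed = [name for name, _ in answers if name.lower() != queried.lower()]
    if real:
        verdict = "answered: " + real[-1]
    elif timed_out:
        verdict = "no reply for the real name: server did not complete recursion"
    else:
        verdict = "real name was never queried"
    return {"suffix_search_replies": suffixed, "verdict": verdict}
```
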
Can you do the same nslookup but for something that works....like Microsoft.com?  and show the output?

( Check the Forwarders tab in your DNS Console...make sure that all of the ISP DNS servers listed here are working.  Remove any that are not.)  
OK, so for h20180.www2.hp.com  I get,  (forwarders must be working if I can get to this site???)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

Z:\>nslookup
Default Server:  abcserver.domain.local
Address:  10.0.0.40

> set db2
> h20180.www2.hp.com
Server:  abcserver.domain.local
Address:  10.0.0.40

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 1,  additional = 0

    QUESTIONS:
        h20180.www2.hp.com.jfcnet.local, type = A, class = IN
    AUTHORITY RECORDS:
    ->  jfcnet.local
        ttl = 3600 (1 hour)
        primary name server = abcserver.domain.local
        responsible mail addr = admin
        serial  = 7059
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)

------------
------------
Got answer:
    HEADER:
        opcode = QUERY, id = 3, rcode = NOERROR
        header flags:  response, auth. answer
        questions = 1,  answers = 1,  authority records = 2,  additional = 0

    QUESTIONS:
        h20180.www2.hp.com, type = A, class = IN
    ANSWERS:
    ->  h20180.www2.hp.com
        internet address = 192.151.52.130
        ttl = 10 (10 secs)
    AUTHORITY RECORDS:
    ->  h20180.www2.hp.com
        nameserver = atlns.americas.hp.net
        ttl = 600 (10 mins)
    ->  h20180.www2.hp.com
        nameserver = palns.americas.hp.net
        ttl = 600 (10 mins)

------------
Name:    h20180.www2.hp.com
Address:  192.151.52.130

>
ASKER CERTIFIED SOLUTION
NJComputerNetworks

Found the problem; we actually weren't forwarding correctly.  We were set up only to look at the root hint servers and not at any of our ISP servers.  I'm not sure why this didn't show itself over the past 3 years of using W2K and W3K DNS servers but when I added the external ISP address to the forwarding list everything went fine.  I'm just still confused why it worked for 3 years and all of a sudden didn't.  NJ you did a great job of pushing me in the right direction - So a big thanks and here are the points.
I've heard of people using Root Hints and I have seen this setup; however, I don't understand the advantages of this type of setup (I guess you would use this if your ISP doesn't provide DNS servers to forward to).  However, I think it is best to forward to your ISP servers.

I'm glad you got this figured out...
Ok gang, with all the responses and discussions we wanted to hear from the proverbial horse's mouth, Microsoft, why our DNS server was working properly for 2.5 or so years with only root hints and all of a sudden didn't.  

 First, Microsoft verbally stated that their recommendation is that DNS be setup with forwarding addresses.  I asked for documentation to this extent and will forward it out to all of you when I receive it.

 I then asked why we have worked for so long and all of a sudden started having problems.

 Microsoft pointed me to the following:   http://techrepublic.com.com/5104-6242-5111588.html

 Per this article, our Windows 2003 DNS server is compliant with RFC 2671 and as such was advertising its capabilities per RFC 2671 when trying to get resolution for this specific HP page.  Microsoft felt that this specific page from HP was causing our DNS server to advertise its capabilities per RFC 2671 and it was being rejected by the remote firewall.

 Per the above information,

“New in Windows Server 2003 is support for Extension Mechanisms for DNS (EDNS) as defined in RFC 2671. The extensions allow the transfer of DNS packets in excess of 512 bytes, which was the restriction imposed by RFC 1035 (Windows Server 2000 DNS).  When Windows Server 2003 contacts a remote DNS server, this capability is negotiated and enabled if both ends support it, resulting in DNS record sets of a size greater than 512 bytes.  Unfortunately, some firewalls have trouble with this enhancement as they are configured to drop DNS packets in excess of 512 bytes.  …. Disabling EDNS results in your server never advertising that it has the capability to handle DNS packets in excess of 512 bytes.  It will drop back to using the RFC 1035 defined limits.”

 The Microsoft rep confirmed this was an issue even though this document was not produced by Microsoft.  The rep indicated that they have implemented the fix, discussed below, to resolve this issue in the past but no formal document has been advertised out by them.

My thought is that the root hint server firewalls were modified to drop packets in excess of 512 bytes to prevent potential hacks but I can't confirm this. I remember seeing about a month ago something about the root hint servers being attacked.  I suspect that the firewall design was changed to prevent this and subsequently we started seeing this because our DNS design was done with root hints only.

 At the direction of the Microsoft rep we implemented RFC 1035 by turning off the EDNS capability of Windows 2003 server.  See above article for instructions on how this is done.  Per Microsoft, there is absolutely no potential harm to DNS or AD in doing this.  The above document explains how to do this and was confirmed with the Microsoft rep.

 Thus, I disabled EDNS, removed the forwarding address, rebooted the server and cleared the DNS cache.  I then tried to get to the HP page we have had troubles with and it worked perfectly.

 I would enjoy your thoughts on this subject.
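
What the EDNS advertisement quoted above looks like on the wire, as an added example that is not part of the thread: a query carries an OPT pseudo-record (type 41) in its additional section, and that record's CLASS field holds the UDP payload size the sender will accept. The function names and the 1280-byte value are constructed for illustration; the host name is the one from the thread.

```python
import struct

def encode_name(name):
    """Encode a host name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, qid=1, edns_udp_size=None):
    """Build an A/IN query; append an EDNS0 OPT record if a size is given."""
    arcount = 1 if edns_udp_size else 0
    # flags 0x0100 = recursion desired; QDCOUNT=1, ANCOUNT=0, NSCOUNT=0
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(name) + struct.pack("!HH", 1, 1)
    if edns_udp_size:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer is 2 bytes
            return off + 2
        off += 1 + length

def advertised_udp_size(msg):
    """Return the EDNS0 UDP payload size in a DNS message, or None if absent."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 41:                 # OPT: CLASS carries the size
            return rclass
        off += 10 + rdlen
    return None                         # no OPT: RFC 1035 512-byte limit applies

NAME = "h18007.www1.hp.com"             # host name from the thread
plain = build_query(NAME)               # what a server with EDNS disabled sends
edns = build_query(NAME, edns_udp_size=1280)  # 1280 is a constructed sample value
```

The two queries differ by only the 11-byte OPT record, so a capture taken on the DNS server's outside interface can be checked with `advertised_udp_size` to confirm whether EDNS is still being advertised after the setting is changed.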