DNS Issues - Can not resolve or find 2 web sites...

DNS Issues

For some reason, I cannot reach certain WEB pages.  I am very comfortable that it is either in my routing or DNS, as I can successfully hit the site if I use someone else's DNS server.  The WEB pages I am trying to reach that cause problems are www.mwwssb.com and www.myfloridalicense.com.  The browser will time out and indicate it cannot reach the page.  I have gone to hundreds of other web sites and have no problems.

Current configuration:
I have two DNS servers, (working on a third).  They are configured as ns1.ssainc.com, and ssa-nt.ssainc.com.  (A true ns2.ssainc.com is on the way.)

The ssa-nt box is a windows 2000 server and is operating as a caching / forwarding DNS Server only.  It is always listed first in my client configuration as it also contains zones that are for internal DNS only.  The ns1.ssainc.com box is a fedora box running the full dns/bind software and is listed as the alternate DNS server in the client configs.

I also NAT all internal servers, except for the SSA-NT box using NAT entries within my Cisco Router.  For example, ns1.ssainc.com is actually 70.150.152.33 public and 172.16.16.223 private.

The only other piece of information that I can give is problems running “nslookup” on a local machine.

****Session log of Nslookup***
C:\>nslookup
*** Can't find server name for address 172.16.0.100:  Non-existent domain
Default server:  ns1.ssainc.com
Address:  172.16.1.223
>
> www.cnn.com
Server:  ns1.ssainc.com
Address:  172.16.1.223

Non-authoritative answer:
Name:   cnn.com
Addresses:  64.236.24.20, 64.236324328, (etc)
Aliases:  www.cnn.com
>
> www.mwwssb.com
Server:  ns1.ssainc.com
Address:  172.16.1.223

DNS request timed out.
     Timeout was 2 seconds.
DNS request timed out.
     Timeout was 2 seconds.
*** Request to ns1.ssainc.com timed-out
>
> server 205.152.36.23
> www.mwwssb.com

Server:  dns.asm.bellsouth.net
Address:  205.152.37.23

Non-authoritative answer:
Name:   www.mwwssb.com
Address:  64.238.224.150
*** end of log ***


Ok, any ideas?  I really need to get this resolved as soon as possible.  Thanks for all the past and hopefully future help.

Kenny
houston_kAsked:

arombergCommented:
I would make sure that your internal DNS server is set up to listen on the internal interface, or bind to all interfaces, after that, I would check to make sure that DNS forwarding is set up correctly...

Can you get to your site from that box itself?
0
wesly_chenCommented:
> For some reason, I cannot reach certain WEB Pages.
From which machines? Windows PC or FC3?
If from FC3, then what's in your /etc/resolv.conf in FC3?
   
0
houston_kAuthor Commented:
If I understand the comment, "Listen on the internal interface or bind to all interfaces"... I think that it is.  Everything that I use is on the private or internal side.

With regards to "I would check to make sure that DNS forwarding is set up correctly..."
    Again, I think that this works fine.  I have deleted the cache records and watched the cache repopulate with sites that I visit.  I can disconnect NS1 and as long as a record exists in the NT box, things still work.

With regards to "Can you get to your site from that box itself?"    I can get to every site that I know except for the two that I listed.  This includes any workstation, the Fedora box, and the NT box.

Thanks......Kenny
0

houston_kAuthor Commented:
> For some reason, I cannot reach certain WEB Pages.
> From which machines? Windows PC or FC3?
> If from FC3, then what's in your /etc/resolv.conf in FC3?

From any machine in my office.  Not from a Linux box (Fedora), or a PC or NT server.  The only way I can get to these two web sites is to have the NT box forward requests to a Bellsouth DNS box rather than to my DNS server.  Then they work correctly, but I cannot leave the configuration that way for a long time.


0
wesly_chenCommented:
Could you flush out the DNS cache by either rebooting the DNS server or restarting the DNS service?
I suspect the DNS entry for those two websites is wrong.
0
houston_kAuthor Commented:
I have done that several times and get same results....

0
wesly_chenCommented:
What's the parent DNS server in those two DNS servers?
do
nslookup
> server <parent DNS server's IP>
www.mwwssb.com
0
wesly_chenCommented:
Did you try
http://64.238.224.150
on the browser?
0
houston_kAuthor Commented:
I think I got this correct... Here is what I did....


--> nslookup
--> server 70.150.152.33
--> www.mwwssb.com

*** [70.150.152.22] can't find www.mwssb.com:  Non-existent domain.


0
houston_kAuthor Commented:
Oops......typo.... last line in last post should have been..

*** [70.150.152.33] can't find www.mwssb.com:  Non-existent domain.

sorry about that...
0
wesly_chenCommented:
Then something is wrong with your parent DNS server, not on your side.
Change your parent DNS server to Bellsouth DNS server for testing.
0
houston_kAuthor Commented:
Let me make sure I understand what you are asking.  I know just enough to think I know something and still get it ALL wrong.

From a workstation, if I configure my DNS to be Bellsouth, then things work fine.  I can also configure my NT or 2000 server, which is a cache-only server, to forward unknown requests to Bellsouth rather than to ns1.ssainc.com and things work great.

I have had long thought the Bellsouth configurations were not exactly correct, but I don't know enough to argue against them.  When I called to discuss this with tech support, I basically got..  "ours works, yours does not, so it's your problem".    

Could it be the way they subnetted my IP block?  I only have 32 IP numbers......

Thanks again..
0
wesly_chenCommented:
> forward unknow requests to bellsouth rather to ns1.ssainc.com and things work great
What's the DNS server which the Fedora DNS server forwards those unknown requests to?
Could you change to different DNS server for testing?
0
houston_kAuthor Commented:
If I understand you correctly, you are asking about the 2000 server box then here are the IP numbers for that box.  

My IP DNS configs for all machines are as follows:

primary 172.16.0.100                  {2000 Server - public number is 70.150.152.35}
secondary 172.16.1.223              {Fedora - public number is 70.150.152.33}


If I setup the 2000 server to forward request to say Bellsouth, 205.152.37.23, then all the workstations resolve the web sites in question fine.

Is that what you meant by changing to a different DNS server for testing?
0
wesly_chenCommented:
Not the DHCP setting.
I mean the DNS server setting, not DNS client setting on DHCP server.
0
houston_kAuthor Commented:
OK, confused now.  We do not use DHCP.  Do you want to know how the LAN card is configured for the primary and secondary numbers for ns1.ssainc.com {aka, 172.16.1.223}?

0
wesly_chenCommented:
Ok. no DHCP server.
I mean only change on the DNS servers, not on the DNS clients.
PC still queries from your Fedora/W2003 server, but your Fedora forwards those unknown requests to different DNS servers.
0
houston_kAuthor Commented:
OK, I hope I am doing this correctly.

If I change the primary and secondary DNS server of the Fedora box to say Bellsouth, [205.152.37.23], rather than to itself, from the Fedora box I can get to www.mwwssb.com, but the PC clients still can not.

I want to ask or make sure of what we are talking about here.  I want to make sure that I understand what's going on or what I think is going on.

A PC client makes a request.  Since its first DNS IP is the 2000 box, it asks the 2000 box where this place is.  If the 2000 box does not know, it then forwards the request to the Fedora box.  If the Fedora box does not know, then the Fedora looks at its "root.zone" file to find an IP of a root server and then makes a request.  Since the root servers are "ALL KNOWING" it returns the address back to the Fedora, which returns it to the 2000 server, and then back to the PC client.

I just wanted to go over this to make sure that the Fedora box, while serving DNS request, is asking the right place if it does not know where something is.  I kind of think that this is what you are talking about and not the actual DNS primary and secondary settings on the lan interface inside the Fedora box.
0
wesly_chenCommented:
> If the 2000 box does not know, it then forwards the request to the Fedora box.
Windows DNS should forward the unknown requests to the parent DNS server, not the Fedora box.
So change your Windows DNS server setting as well.
I don't have access to a Windows server right now, but I know in the DNS server setting, you can change the forward request server, not the root servers.

On the Fedora DNS server, you should change /etc/named.conf (or /var/named/named.conf) for
-------
options {
      directory "/var/named";
      forwarders {
            205.152.37.23;   # <=== Put BellSouth's DNS here
      };
};
------

Those are DNS server settings, not DNS client settings (in /etc/resolv.conf).

Wesly
0

fixnixCommented:
Okay...here's how I see this situation (this is an independent post from the other expert's responses...I'm making that statement so as to not add to confusion of comments to comments to comments since this thread is getting fairly long)

"(A true ns2.ssainc.com is on the way.)"

Looks like there already is:

wedgenix@mail5:~$ dig @ns2.ssainc.com www.myfloridalicense.com
<snip>
;; ANSWER SECTION:
www.myfloridalicense.com. 1786  IN      A       208.62.24.204

Your ssa-nt.ssainc.com is not resolvable publicly so I am unable to see what records work and what don't, but ns1.ssainc.com resolves the sites you've mentioned without any problems.  Nothing seems broken with it, as shown below:

wedgenix@mail5:~$ dig @ns1.ssainc.com www.myfloridalicense.com
<snip>
;; ANSWER SECTION:
www.myfloridalicense.com. 1200  IN      A       208.62.24.204

and:

wedgenix@mail5:~$ dig @ns1.ssainc.com www.mwwssb.com
<snip>
;; ANSWER SECTION:
www.mwwssb.com.         597     IN      A       64.238.224.150

To me, this shows there is no problem with the Fedora box itself, therefore the problem must be on the 2k server.  I'd hit the 2k server from a workstation on the LAN with a request for ns1.ssainc.com and see if it returns the public or private IP address.  If it gives you the public IP, then that's probably your problem...the DNS requests forwarded from ssa-nt to ns1 would be trying to go out the firewall and come right back in, which typically doesn't work too good ;)  (just as it isn't possible to hit a local but public webserver on the LAN by using its public address or a name that resolves to the public address)

From the Fedora box, do:

nslookup ns1.ssainc.com ssa-nt.ssainc.com
(to ask ssa-nt what it thinks ns1's address is)

and see if it returns the public or private address for ns1.  My guess is it's returning the public address and therein lies your problem.  Edit the 2k server to return the local address for ns1.ssainc.com and all should be fine.
0
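The diagnostic fixnix proposes, as an added example that is not part of the thread: a Python parser for the interactive nslookup transcript format shown in the question, plus a check that classifies the address a LAN resolver hands back for the next-hop resolver (RFC1918 private, the site's own public NAT address, or an outside address). The two transcripts in the block are constructed from the thread's logs with the typos cleaned up, and the site block 70.150.152.32/27 is an assumption based on the poster's "32 IP numbers".

```python
"""Parse interactive nslookup transcripts and classify what a resolver hands back.
Added example, not code from the thread; the transcripts are constructed and the block is an assumption."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: the poster has "32 IP numbers" around 70.150.152.33/.35, which fits a /27.
SITE_PUBLIC_BLOCK = ipaddress.ip_network("70.150.152.32/27")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

@dataclass
class Query:
    name: str                         # name typed at the '>' prompt ("?" if not in the log)
    server: str                       # resolver named on the "Server:" line
    server_addr: Optional[str] = None
    answer_name: Optional[str] = None
    addresses: List[str] = field(default_factory=list)
    timeouts: int = 0                 # "DNS request timed out." lines seen
    error: Optional[str] = None       # "timeout" or "nxdomain"

def parse_nslookup(log: str) -> List[Query]:
    """One Query per 'Server:' block; the typed name may sit on the line before its prompt."""
    queries: List[Query] = []
    pending: Optional[str] = None
    cur: Optional[Query] = None
    for raw in log.splitlines():
        line = raw.strip().lstrip(">").strip()
        if not line:
            continue
        low = line.lower()
        if low.startswith("server:"):
            cur = Query(name=pending or "?", server=line.split(":", 1)[1].strip())
            queries.append(cur)
            pending = None
        elif low.startswith("default server:"):
            cur = pending = None          # echo of a 'server' command, not a lookup
        elif low.startswith(("address:", "addresses:", "name:", "dns request timed out", "***")):
            if cur is None:
                continue                  # e.g. the startup reverse lookup of the resolver itself
            if low.startswith("name:"):
                cur.answer_name = line.split(":", 1)[1].strip()
            elif low.startswith("dns request timed out"):
                cur.timeouts += 1
            elif low.startswith("***"):
                cur.error = "nxdomain" if "non-existent domain" in low else "timeout"
            elif cur.server_addr is None and cur.answer_name is None:
                cur.server_addr = (IP_RE.findall(line) or [None])[0]   # the resolver's own address
            else:
                cur.addresses.extend(IP_RE.findall(line))              # the answer
        elif not low.startswith(("non-authoritative", "aliases:", "timeout was", "server ", "set ")):
            pending = line                # anything else is a name typed at the prompt
    return queries

def status(q: Query) -> str:
    return q.error or ("answered" if q.addresses else "no answer")

def forwarder_target_check(q: Query, site_block=SITE_PUBLIC_BLOCK) -> str:
    """private: RFC1918, reachable on the LAN; hairpin: the site's own public NAT address, so
    inside traffic would have to leave through the router and come back (fixnix's case); public: outside."""
    kinds = set()
    for a in q.addresses:
        ip = ipaddress.ip_address(a)
        kinds.add("private" if ip.is_private else "hairpin" if ip in site_block else "public")
    if not kinds:
        return "no answer"
    return "hairpin" if "hairpin" in kinds else (kinds.pop() if len(kinds) == 1 else "mixed")

# Constructed transcript modelled on the question's log: a working lookup, one that times
# out at ns1, then the same name answered after switching nslookup to the ISP resolver.
LOG_WORKSTATION = """\
*** Can't find server name for address 172.16.0.100: Non-existent domain
> www.cnn.com
Server:  ns1.ssainc.com
Address:  172.16.1.223
Non-authoritative answer:
Name:    cnn.com
Addresses:  64.236.24.20, 64.236.24.28
> www.mwwssb.com
Server:  ns1.ssainc.com
Address:  172.16.1.223
DNS request timed out.
DNS request timed out.
*** Request to ns1.ssainc.com timed-out
> server 205.152.37.23
Default Server:  dns.asm.bellsouth.net
Address:  205.152.37.23
> www.mwwssb.com
Server:  dns.asm.bellsouth.net
Address:  205.152.37.23
Non-authoritative answer:
Name:    www.mwwssb.com
Address:  64.238.224.150
"""
# Constructed: 'nslookup ns1.ssainc.com ssa-nt.ssainc.com' when ssa-nt hands out ns1's public NAT address.
LOG_SSA_NT = """\
Server:  ssa-nt.ssainc.com
Address:  172.16.0.100
Name:    ns1.ssainc.com
Address:  70.150.152.33
"""
```

Run it against a real session by pasting the nslookup output into the two string constants; a "hairpin" verdict on the second transcript is the condition fixnix describes, and the fix on the Windows side is to make ssa-nt return the 172.16.1.223 address for ns1.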
houston_kAuthor Commented:
Actually wesly_chen's last post fixed the problem.  That is why ns1 now resolves the two web addresses.  I am still rather confused as to why these two web sites.  Everything else is working and has been for some time now.  I also wonder if that is the correct way to solve this problem.  None the less I am thankful that it is working.

With regards to fixnix and your comments.   Thank you for your comments as well.  You are right that ssa-nt is returning the public address for ns1.  However, I'm not sure how that affects anything at the moment........


Kenny
0
wesly_chenCommented:
> why these two web sites.
It could be your previous DNS forwarder has wrong entry in their DNS database. So it gives the wrong information.
0
houston_kAuthor Commented:
I did not have a DNS forwarder..... anyway..thanks again....
0