Strange DNS/hosts file lookup problem

Posted on 2006-06-19
Last Modified: 2012-06-27
Hi All,

We need to support third party server.

The server has a locally installed secure certificate that is mapped to an external IP address via the hosts file, so that external.name.local should resolve to the IP address and hence match the secure certificate (don't ask why they have done it like this; it must be a security feature :)

The trouble is that on an external line using only the ISP's DNS server it works fine; on our internal network I get the feeling that it is conflicting with the internal DNS server. When tried, we get the error message:

503 Service Unavailable
Failed to resolve the name of server m3gate.maytas.local to connect

We are using a proxy server, but it is not set to cache/bypass HTTPS, which the site is.

Anyone any ideas?

Any info much appreciated.


Question by:A4eIT

Assisted Solution

by:Jay_Jay70
Jay_Jay70 earned 50 total points
ID: 16933816
Have you got your ISP DNS servers as forwarders under DNS?
Author Comment

by:A4eIT
ID: 16933870
Yes, we have.

Thanks
Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16934245
What does your hosts file entry look like?

Jeff
TechSoEasy
Author Comment

by:A4eIT
ID: 16934439
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
82.xxx.xxx.xx      server.fakedomain.local

Cheers (<--- this bit is not in the hosts file, of course :) )

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16934824
Okay, and what happens when you ping server.fakedomain.local from that workstation?

Then, what happens when you tracert server.fakedomain.local?

Jeff
TechSoEasy
Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 16934830
By the way, this IS a ludicrous method of handling this.

Jeff
TechSoEasy
Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 50 total points
ID: 16937134
Seems bizarre, this. As it is an HTTPS site, you are going to get an error as the certificate name will not match, but why not deal with it within your own local DNS?
Author Comment

by:A4eIT
ID: 16940863
>Okay, and what happens when you ping server.fakedomain.local from that workstation?
Resolves to the correct IP address and times out.

>Then, what happens when you tracert server.fakedomain.local?
Takes about 16 hops, then untraceable.

>By the way, this IS a ludicrous method of handling this.
No kidding, it's unfathomable.

>Seems bizarre, this. As it is an HTTPS site, you are going to get an error as the certificate name will not match, but why not deal with it within your own local DNS?
Was thinking of this, but didn't particularly want to set up new lookup zones etc.; seems a little complicated to achieve something that should be simple. In any case, the resolution of the name appears???? to be working OK.

I'm sort of thinking that the traffic may somehow be being forced through the proxy server, which isn't helping things. Will investigate, let people know and share points to all useful helpers if this is the case; other ideas are still appreciated though.

Points upped BTW
Author Comment

by:A4eIT
ID: 16940869
upped
Accepted Solution

by:
Jeffrey Kane - TechSoEasy earned 150 total points
ID: 16941426
Here's what I don't understand... if they generated the certificate themselves, they can change the parameters of it quite easily. For instance, when an SBS generates a self-signed certificate it actually creates 5 different container names that can be used against the certificate... as an example, here's what my server's self-signed cert has:

CN = sbs.soeasynetwork.com
CN = companyweb
CN = sbs
CN = localhost
CN = sbs.SoEasyNetwork.local

So, why don't they just edit the properties of the certificate to add the right container!?!?

Jeff
TechSoEasy
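An added example, not code from the thread, from SBS or from any of the posters: a Python implementation of the check an HTTPS client performs between the host name it was asked to connect to and the names a certificate carries, run against the five names Jeff lists above. It shows why a hosts-file entry cannot rescue a certificate that lacks the name users type, and that adding the name (as the answer suggests) is what makes the check pass. The wildcard rules (single leftmost-label wildcards in the style of RFC 6125) go beyond anything in the thread and are an assumption about what the clients involved accept; `server.fakedomain.local` and the IP literal are taken from or modelled on the thread.

```python
"""Certificate name matching, the check this thread is trying to satisfy.

An HTTPS client compares the host name from the URL against the names the
certificate carries (dNSName subjectAltNames, with the subject CN as a legacy
fallback). The comparison is case-insensitive, and a wildcard is honoured
only as the entire leftmost label and only for exactly one label. If no name
matches, the client reports a name mismatch regardless of which address the
name resolved to. (Added example; wildcard rules per RFC 6125, an assumption
about the clients involved.)
"""
import ipaddress
from typing import Iterable, List


def _is_ip_literal(value: str) -> bool:
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False


def _match_pattern(pattern: str, hostname: str) -> bool:
    """Match one certificate name (possibly a wildcard) against one host name."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # A wildcard never matches an IP literal, and is accepted only as the
    # whole leftmost label of a name with at least two further labels:
    # "*.example.com" is fine, "*.com" and "f*.example.com" are rejected.
    if _is_ip_literal(hostname):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False  # '*' covers exactly one label, never zero or several
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any name on the certificate covers `hostname`."""
    return any(_match_pattern(name, hostname) for name in cert_names)


def names_missing_for(cert_names: List[str], hostnames: Iterable[str]) -> List[str]:
    """Which of the host names users will type are not yet covered by the cert."""
    return [h for h in hostnames if not hostname_matches(cert_names, h)]


# Constructed sample: the five names an SBS self-signed certificate carries,
# copied from the answer above.
SBS_CERT_NAMES = [
    "sbs.soeasynetwork.com",
    "companyweb",
    "sbs",
    "localhost",
    "sbs.SoEasyNetwork.local",
]

if __name__ == "__main__":
    for host in ("SBS.soeasynetwork.local", "companyweb", "server.fakedomain.local"):
        state = "ok" if hostname_matches(SBS_CERT_NAMES, host) else "NAME MISMATCH"
        print(f"{host}: {state}")
    # The fix the answer suggests: put the missing name on the certificate.
    wanted = ["server.fakedomain.local"]
    print("missing before:", names_missing_for(SBS_CERT_NAMES, wanted))
    print("missing after: ", names_missing_for(SBS_CERT_NAMES + wanted, wanted))
```

The case-insensitive compare is why `sbs.SoEasyNetwork.local` on the cert covers `SBS.soeasynetwork.local` in the URL; the IP-literal and label-count rules are the two places where home-grown matchers most often go wrong.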
Author Comment

by:A4eIT
ID: 16950163
Thanks all,

Got to the bottom of the problem.

Our proxy server was trying to resolve the address; when it did not resolve, it was going to the ISP's and again failing, as there was no record in either.

The solution was to bypass the proxy via a firewall request.

Cheers for the ideas, distributing points between contributors
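An added example, not code from the thread: a small Python model of the two resolution paths the poster ended up comparing, using a constructed hosts file modelled on the one posted above and constructed DNS data. It parses the hosts file (comments, trailing comments, several names per line), then resolves the same name from the client's and from the proxy's point of view, which is the whole cause of the 503: a hosts-file entry exists only on the machine that holds it, and a proxy resolves the target of an HTTPS CONNECT on its own host. The address 203.0.113.10, the name dc1.corp.example and the proxy's empty hosts file are assumptions standing in for the redacted and internal values.

```python
"""Where does name resolution happen: on the client, or on the proxy?

Models the situation in this thread: the client has a hosts-file entry for
the server, but the HTTP proxy resolves the CONNECT target itself, on the
proxy host, which has no such entry and whose DNS (internal zone plus ISP
forwarders) has no record either. (Added example; sample data constructed.)
"""
import ipaddress
from typing import Dict, Optional

# Constructed sample hosts file, modelled on the one posted in the thread.
# The real external address was redacted there; 203.0.113.10 is a
# documentation address and an assumption for this example.
CLIENT_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#      102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
203.0.113.10    server.fakedomain.local   # third-party server, cert name
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """Parse hosts-file text into {lowercased name: ip}.

    Handles full-line and trailing '#' comments and several names per line,
    and skips malformed lines rather than raising.
    """
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first column is not an address; do not poison the table
        for name in names:
            # Keep the first entry for a duplicated name (assumption for this model).
            table.setdefault(name.lower(), ip)
    return table


class Resolver:
    """One host's resolver: its own hosts file first, then its DNS view."""

    def __init__(self, hosts_text: str, dns: Dict[str, str]) -> None:
        self.hosts = parse_hosts(hosts_text)
        self.dns = {k.lower(): v for k, v in dns.items()}

    def resolve(self, name: str) -> Optional[str]:
        key = name.lower().rstrip(".")
        return self.hosts.get(key) or self.dns.get(key)


def proxy_bypass_needed(name: str, client: Resolver, proxy: Resolver) -> bool:
    """True when only the client can resolve the name, i.e. when the proxy
    would answer 503 'Failed to resolve the name of server' for it."""
    return client.resolve(name) is not None and proxy.resolve(name) is None


# Constructed DNS view shared by client and proxy: neither the internal zone
# nor the ISP forwarders know the third-party name, as the thread concluded.
INTERNAL_DNS = {"dc1.corp.example": "10.0.0.1"}

CLIENT = Resolver(CLIENT_HOSTS, INTERNAL_DNS)
PROXY = Resolver("127.0.0.1 localhost\n", INTERNAL_DNS)

if __name__ == "__main__":
    for n in ("server.fakedomain.local", "dc1.corp.example"):
        print(n, "client:", CLIENT.resolve(n), "proxy:", PROXY.resolve(n),
              "bypass needed:", proxy_bypass_needed(n, CLIENT, PROXY))
```

Running it shows `server.fakedomain.local` resolving on the client and not on the proxy, which is exactly the case that needs a proxy exception (or, more sanely, a record in the local DNS that the proxy also uses); an internal name known to DNS needs no exception.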