  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1208

DNS Problem - 1 website will not load

Thank you in advance.
I have 1 website (www.veer.com, IP 65.110.167.233) that will not load
at all. I run 2 internal Windows 2003 DNS servers (fully patched) that
use root hints for name resolution. Every other website works without
a hitch. The only error I get on the DNS side is a 5504:
The DNS server encountered an invalid domain name in a packet from
192.5.6.30. The packet will be rejected. The event data contains the
DNS packet.
0000: 4c a4 80 00 01 00 00 00   L¤¬.....
0008: 02 00 02 00 03 77 77 77   .....www
0010: 04 76 65 65 72 03 63 6f   .veer.co
0018: 6d 00 00 01 00 01 c0 10   m.....À.
0020: 00 02 00 01 00 02 a3 00   ......£.
0028: 00 0e 08 6e 73 31 2d 61   ...ns1-a
0030: 75 74 68 02 71 39 c0 15   uth.q9À.
0038: c0 10 00 02 00 01 00 02   À.......
0040: a3 00 00 0b 08 6e 73 32   £....ns2
0048: 2d 61 75 74 68 c0 33 c0   -authÀ3À
0050: 2a 00 01 00 01 00 02 a3   *......£
0058: 00 00 04 d8 dc 23 14 c0   ...ØÜ#.À
0060: 44 00 01 00 01 00 02 a3   D......£
0068: 00 00 04 d8 dc 24 14      ...ØÜ$.

If I add an external DNS from my ISP or OpenDNS to my computer it
resolves fine, but since we use internal resources I can't use that
DNS all the time. I also can't use forwarders for the same reason. If
I add veer.com and the associated IP to the hosts file I am able to
resolve the website, but can't really navigate to much as there are
multiple subdomains that error out.

In my DNS MMC I have an entry in the cache lookup that resolves to
ns1-auth.q9.com and ns2-auth.q9.com.
The last time my users reported getting to this site was on 8-25-08.

I've run netdiag.exe /fix on both DCs and they came back OK.

I have verified that both DNS servers have the 'secure cache against
pollution' box checked.
I have run Wireshark and sniffed on port 53 and got the following. The
Server failure is puzzling.

No.  Time       Source                            Destination                   Protocol  Info
 15  45.825657  XXX.XXX.XXX.XXX (internal compy)  XXX.XXX.XXX.XXX (dns server)  DNS       Standard query A www.veer.com


Frame 15 (72 bytes on wire, 72 bytes captured)
    Arrival Time: Sep 30, 2008 16:26:27.680674000
    [Time delta from previous captured frame: 0.993871000 seconds]
    [Time delta from previous displayed frame: 0.993871000 seconds]
    [Time since reference or first frame: 45.825657000 seconds]
    Frame Number: 15
    Frame Length: 72 bytes
    Capture Length: 72 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:dns]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: Usi_da:b1:8a (00:1e:37:da:b1:8a), Dst: HewlettP_0c:7e:f5 (00:13:21:0c:7e:f5)
    Destination: HewlettP_0c:7e:f5 (00:13:21:0c:7e:f5)
    Source: Usi_da:b1:8a (00:1e:37:da:b1:8a)
    Type: IP (0x0800)
Internet Protocol, Src: XXX compy IP (compy ip), Dst: XXX dns IP (XXXX DNS IP)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 58
    Identification: 0x16de (5854)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0xa00d [correct]
    Source: compy IP (compy IP)
    Destination: dns ip (dns IP)
User Datagram Protocol, Src Port: 57029 (57029), Dst Port: domain (53)
    Source port: 57029 (57029)
    Destination port: domain (53)
    Length: 38
    Checksum: 0x558d [correct]
Domain Name System (query)
    [Response In: 16]
    Transaction ID: 0x1f12
    Flags: 0x0100 (Standard query)
        0... .... .... .... = Response: Message is a query
        .000 0... .... .... = Opcode: Standard query (0)
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... .0.. .... = Z: reserved (0)
        .... .... ...0 .... = Non-authenticated data OK: Non-authenticated data is unacceptable
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries


No.  Time       Source  Destination  Protocol  Info
 16  46.573208  DNS IP  compy ip     DNS       Standard query response, Server failure


Frame 16 (72 bytes on wire, 72 bytes captured)
    Arrival Time: Sep 30, 2008 16:26:28.428225000
    [Time delta from previous captured frame: 0.747551000 seconds]
    [Time delta from previous displayed frame: 0.747551000 seconds]
    [Time since reference or first frame: 46.573208000 seconds]
    Frame Number: 16
    Frame Length: 72 bytes
    Capture Length: 72 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:dns]
    [Coloring Rule Name: UDP]
    [Coloring Rule String: udp]
Ethernet II, Src: HewlettP_0c:7e:f4 (00:13:21:0c:7e:f4), Dst: Usi_da:b1:8a (00:1e:37:da:b1:8a)
    Destination: Usi_da:b1:8a (00:1e:37:da:b1:8a)
    Source: HewlettP_0c:7e:f4 (00:13:21:0c:7e:f4)
    Type: IP (0x0800)
Internet Protocol, Src: DNS IP(), Dst: Host Compy
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
    Total Length: 58
    Identification: 0x41e3 (16867)
    Flags: 0x00
    Fragment offset: 0
    Time to live: 128
    Protocol: UDP (0x11)
    Header checksum: 0x7508 [correct]
    Source: DNS IP
    Destination: Host Compy
User Datagram Protocol, Src Port: domain (53), Dst Port: 57029 (57029)
    Source port: domain (53)
    Destination port: 57029 (57029)
    Length: 38
    Checksum: 0xd50a [correct]
Domain Name System (response)
    [Request In: 15]
    [Time: 0.747551000 seconds]
    Transaction ID: 0x1f12
    Flags: 0x8182 (Standard query response, Server failure)
        1... .... .... .... = Response: Message is a response
        .000 0... .... .... = Opcode: Standard query (0)
        .... .0.. .... .... = Authoritative: Server is not an authority for domain
        .... ..0. .... .... = Truncated: Message is not truncated
        .... ...1 .... .... = Recursion desired: Do query recursively
        .... .... 1... .... = Recursion available: Server can do recursive queries
        .... .... .0.. .... = Z: reserved (0)
        .... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server
        .... .... .... 0010 = Reply code: Server failure (2)
    Questions: 1
    Answer RRs: 0
    Authority RRs: 0
    Additional RRs: 0
    Queries

I'm completely stumped as to why this one particular website won't
open. If anyone has any thoughts let me know.


0
LP_Tech asked:
1 Solution
 
ecsrd commented:
Could you please post an NSLOOKUP from the DNS server for that address:

nslookup - localhost
>www.veer.com

Is veer.com your internal domain?
0
 
cybersean commented:
You probably should be using forwarders to your ISP's DNS server.  Your internal DNS servers will service any internal requests and only forward DNS requests to your ISP if they aren't able to be resolved internally (provided that your clients are configured to hit your internal DNS servers first).  If you still don't want to set it up that way, you can make a rule to forward only DNS requests for veer.com to your ISP's DNS server.
0
 
LP_Tech (Author) commented:
I cannot ping and nslookup fails. veer.com is not my internal domain, rather a website.  How can I create a rule to forward DNS if my internal DNS is stopping the name resolution? I am running Windows 2003 DNS Server and root hints as the name servers.
0
cybersean commented:
If your internal DNS servers are unable to resolve the name to an IP address, they "forward" the request to your ISP's DNS servers.  They don't "stop" name resolution unless they are unable to resolve a name to an IP OR are not configured to forward the request to another DNS server.  Your ISP's DNS server then resolves it for you and returns the results to your internal DNS server.
Open DNS, right-click the server and click Properties.
Click the Forwarders tab.
Check Enable forwarders.
Enter the IP address of your ISP's DNS server (add multiple ones if you know them) and click OK.
If the forwarder options are greyed out, that means your DNS is configured as a root server.  This should not be the case because you mentioned that you had root hints.
Also, your client machines should be configured to use your internal DNS servers.  They need to be configured for the internal DNS servers so they can resolve internal names; queries will only be forwarded if your internal DNS server is unable to resolve the name, which won't be the case for any internal resources.

0
 
LP_Tech (Author) commented:
If I use forwarders won't that screw up internal name resolution to internal resources? The big kicker is that only 1 website is not resolving. Every other site works fine.
0
 
cybersean commented:
No, it will not screw up internal name resolution.  Here's how it works.
A client sends a query to your internal DNS server.
Your internal DNS server attempts to resolve the query by checking the zones that it is responsible for.
If your internal DNS server is unable to resolve the query from its own zones, only then does it forward the request to your ISP's DNS server (as in the case of external resources, which are not in your internal zone).
The only time an internal resolution would fail would be if that internal DNS zone did not have the information needed to resolve the query.  If the DNS server didn't already have the information to resolve the name, it would fail whether or not forwarders were configured.
0
 
LP_Tech (Author) commented:
Thank you. I had read some documentation that if you added forwarders that internal dns would not work correctly.
Thank you!
0
