• Status: Solved

Unable to access mydomain.com from inside SBS2003 domain mydomain.local

I have what I think is a DNS issue, but it has me stumped.  Server is running Small Business Server 2003.  The domain is named mydomain.local (not really mydomain, but you get the idea).  The website mydomain.com is hosted externally, not tied to this network at all.

Domain users are unable to access mydomain.com from inside the network, but it works fine from anywhere outside the network.  The server is also unable to access the site.  You can access any other website without problems.

NSLOOKUP returns the correct IP address without error.  TRACERT successfully connects to the remote host.  I have tried putting the IP address in IE, but it returns "unable to locate".  The hosts file doesn't have any related records.  It only has the 127.0.0.0 record.

The system connects to the internet using a DSL modem with static IP.  The DNS servers being utilized are the Qwest servers at 205.171.3.65 and 205.171.2.65.
0
AzIT1
Asked:
 
marine7275 Commented:
You need to look what you set in your local DNS settings. Something is set incorrectly for your mydomain.com entry I am assuming.
0
 
Darius Ghassem Commented:
Check in your DNS console and make sure you don't have a record there. You should be able to access if your internal domain is different than your external.
0
 
AzIT1 (Author) Commented:
There is no entry for mydomain.com in the DNS server.  The only zones are _msdcs.mydomain.local and mydomain.local.

It should forward to another (external) DNS server for resolution on mydomain.com, correct?
0
 
Darius Ghassem Commented:
Is there any reason why you have delegated the msdcs folder? Having the msdcs zone delegated can cause issues unless you update the zone manually.

To fix the delegation, delete both the msdcs zone and the domain.com.

Once you have them deleted re-create the domain.com.
0
 
AzIT1 (Author) Commented:
Not sure why _msdcs was delegated.  Unfortunately I inherited this setup and there isn't much documentation as to how and why it was configured like it is.

I deleted both the _msdcs and mydomain.local domains, then recreated mydomain.local.  No change.  Can still get to all websites, except mydomain.com.

I attached a screen shot of the DNS console for reference.


DNS.jpg
0
 
Darius Ghassem Commented:
Make sure you do the same on the other DNS server.
0
 
AzIT1 (Author) Commented:
I don't have control of any other DNS servers.  The website is hosted on a third party server.  I can access the website from other systems and networks so I think the host DNS is correct.
0
 
Chris Dent (PowerShell Developer) Commented:

If you can run this:

nslookup mydomain.com

And get a valid reply then the problem does not lie within the DNS system.

Does running this:

nslookup www.mydomain.com

Give you the same IP Address? Just want to check that both are going to the same web server.

And does "http://mydomain.com" work from outside of your network?

Chris
0
 
Chris Dent (PowerShell Developer) Commented:

> Not sure why _msdcs was delegated.  

It is by default on 2003 builds.

For reference, you did not need to delete mydomain.local to remove the delegation. All you really needed to do was delete the _msdcs zone, and the grey _msdcs folder from mydomain.local. Restarting the netlogon service on the SBS server would have re-created _msdcs beneath the main domain.

Chris
0
 
AzIT1 (Author) Commented:
I agree it doesn't really look like a DNS problem since nslookup is working.  I'll start looking at the firewall and see if it is catching traffic for some strange reason.

Tried nslookup www.mydomain.com, nslookup mydomain.com, nslookup http://mydomain.com and nslookup http://www.mydomain.com.

Same result from both inside and outside the network.  They all worked, except nslookup http://mydomain.com.  It responds non-existent domain from both inside and outside the network.
0
 
Chris Dent (PowerShell Developer) Commented:

Did you run this:

nslookup http://....

Or this?

nslookup mydomain.com

The first won't work, http isn't part of a valid name. But I'd expect the latter to work. If it did then the failure for the http version is nothing to be troubled by.

It would be worth testing this as well:

telnet www.mydomain.com 80
telnet mydomain.com 80

That creates a connection to the web service in each case. Success is indicated by a blank screen rather than a timeout message. In the blank screen if you type GET and return it'll drop a pile of HTML back to the screen. That indicates you're talking to the web server.

If the telnet test works then the problem lies in how the web server is dealing with your request. I don't much expect that to fail if it works from the public side though.

Chris
0
 
Chris Dent (PowerShell Developer) Commented:

One more quick question, because it wouldn't be the first time I've got this far only to discover it was the reason :)

You don't use a Proxy Server / Web Filter do you? If you do you may notice a discrepancy between the behaviour we're testing above and what's seen in the Browser. It's just something to consider if the networking layer looks healthy.

Chris
0
 
AzIT1 (Author) Commented:
No proxy involved.  The server has Trend Micro Worry Free installed.  I'm starting to think it might be the problem.  It has caused problems with filtering email in the past.  I'll try uninstalling it to see if I get another answer.
0
 
Chris Dent (PowerShell Developer) Commented:

It's certainly worth a try :)

Chris
0
 
AzIT1 (Author) Commented:
TrendMicro is completely gone, no change.  

I did make a new discovery...http://mydomain.com gets nothing, however https://mydomain.com gets an invalid security cert/not issued by a trusted certificate authority warning.  If I accept it I get a very simple page that says Testing LVS web.  
0
 
Chris Dent (PowerShell Developer) Commented:

Just make sure of something for me if you can. Run "ping mydomain.com" rather than the nslookup we've been using up to now.

Do you know if your site runs on a shared server?

HTTPS can't be shared (needs unique IP Addresses or unique Ports), so you could well be accessing a secure site belonging to someone else. Take a look at the name in the certificate, that might give you a clue about that.

Chris
0
 
AzIT1 (Author) Commented:
ping works as expected.

I don't know if it is a shared server or not.  I'll have to check with the hosting company in the morning.

The certificate shows it was issued to LVS-Director.  I have no idea what that is.
0
 
Chris Dent (PowerShell Developer) Commented:

Re ping. Good, just wanted to make sure. Ping will use the local DNS Client service where NsLookup bypasses that. You can occasionally get different results between the two tools.

I imagine it is a shared server, it's a very common scenario, depending on how much you're paying for it of course :)

If that is the case, for it to answer on both mydomain.com and www.mydomain.com it must include a Host Header for each name. That it works from the rest of the world indicates that it does have one which is why it's a little odd.

You could potentially pop a packet sniffer like WireShark (http://www.wireshark.org/) onto a system and see if it gets a response from the web server when trying to access by that name?

Chris
0
 
AzIT1 (Author) Commented:
I hadn't thought of WireShark.  I'll give that a shot and see what it shows.

One other detail that probably doesn't mean anything, but I'll mention it anyway.  When I put the domain name into IE it takes a long time (several minutes) to eventually give up.  If I put the actual IP address it gets a 404 error immediately.
0
 
Chris Dent (PowerShell Developer) Commented:

See that would suggest proxying again, which is odd.

Did the telnet command above connect right away?

Chris
0
 
AzIT1 (Author) Commented:
Wireshark shows traffic coming and going to the IP address of the website.  I'm not terribly familiar with Wireshark to really get into deciphering the output.  It also shows the site in question if I view the Destinations statistic.
0
 
Chris Dent (PowerShell Developer) Commented:

But the reply it gets is something like HTTP 404 (Page not found)?

Chris
0
 
marine7275 Commented:
Do you have ISA enabled? If so, try checking those settings.
0
 
AzIT1 (Author) Commented:
ISA is not installed on the server.

The response shown in Wireshark isn't a 404 error, it is showing checksum errors.  I've attached a file showing the captured packets related to the website in question.
capture.txt
0
 
marine7275 Commented:
I did see a TCP Checksum offload error in your log. Try this link:
http://wiki.wireshark.org/TCP_checksum_offload
0
 
AzIT1 (Author) Commented:
I ran a couple of other tests.  I added a new zone to the DNS server for the .com site specifying the ip address.  Still doesn't work.

I also tried to access the site through a proxy site. It works this way.  

It acts like there is something filtering this one site, or perhaps on the other side blocking my public IP.
0
 
Chris Dent (PowerShell Developer) Commented:

Both are possible... can you see any traffic with HTTP as the protocol in WireShark? You may be able to use Follow TCP Stream on that and take a look at the response you're getting.

Chris
0
 
AzIT1 (Author) Commented:
There is only one line with the HTTP protocol.  It says "GET / HTTP/1.1".  Follow TCP Stream returns:

GET / HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-shockwave-flash, application/x-silverlight, */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: www.solarconceptsaz.com
Connection: Keep-Alive
0
 
Chris Dent (PowerShell Developer) Commented:

Okay, so if all you have is the GET it looks like your system sends the request but gets no response from the web server.

Any of these could be true:

 - The request never makes it to the web server (Routing or Firewall)
 - The response never makes it back to the client (Routing or Firewall)
 - The web server ignores the request (Firewall)

Are you able to ping the web server at all? Tracert would be interesting as well.

And are you able to watch the traffic on your Firewall? The last place you're responsible for it before it passes onto the Internet.

Chris
0
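
The telnet test, the Host header point and the "GET sent but no response" cases from the comments above can be checked in one pass. This is an added example, not code posted by anyone in the thread: `probe_http` and `start_demo_server` are hypothetical names, and the local demo server and the `example.test` names are constructed so the script runs offline.

```python
import socket
import threading

def probe_http(addr, host_header, port=80, timeout=5.0):
    """Return (stage, detail) showing how far an HTTP GET to addr:port gets."""
    try:
        sock = socket.create_connection((addr, port), timeout=timeout)
    except OSError as exc:      # refused, unreachable, or handshake timed out
        return ("connect_failed", str(exc))
    with sock:
        request = f"GET / HTTP/1.1\r\nHost: {host_header}\r\nConnection: close\r\n\r\n"
        sock.sendall(request.encode("ascii"))
        try:
            data = sock.recv(4096)
        except socket.timeout:  # connected and sent, but nothing came back
            return ("no_response", "request sent, no reply before timeout")
        except OSError as exc:  # e.g. the connection was reset mid-exchange
            return ("closed", str(exc))
    if not data:
        return ("closed", "peer closed without sending data")
    return ("response", data.split(b"\r\n", 1)[0].decode("latin-1"))

def start_demo_server(vhosts):
    """Constructed local stand-in for a shared web server; None = stay silent."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    held = []                   # silent connections are kept open, unanswered

    def serve():
        while True:
            conn, _ = srv.accept()
            req = conn.recv(4096).decode("latin-1")
            host = next((ln[6:] for ln in req.split("\r\n") if ln.startswith("Host: ")), "")
            status = vhosts.get(host, "HTTP/1.1 404 Not Found")  # unknown name -> 404
            if status is None:
                held.append(conn)
                continue
            conn.sendall(f"{status}\r\nContent-Length: 0\r\n\r\n".encode("ascii"))
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_demo_server({"www.example.test": "HTTP/1.1 200 OK", "example.test": None})
    for name in ("www.example.test", "example.test", "127.0.0.1"):
        print(name, probe_http("127.0.0.1", name, port=port, timeout=1.0))
```

Against a real site, pass the resolved IP address as `addr` and each hostname in turn as `host_header`; a `no_response` result for a name that answers from outside the network matches the Wireshark capture described in this thread.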
 
AzIT1 (Author) Commented:
Ping responds normally, 137ms average

Tracert also responds normally, 18 hops to get there, but it does get there.

I will have to check watching the traffic on the firewall.  It is a Watchguard box...most of my experience has been with Cisco equipment.

I also talked to the hosting company.  They said they made some DNS and SSL changes recently.  They had me try to access two other sites on their servers....I can't get to either of those sites either.  It may be on their end.
0
 
Chris Dent (PowerShell Developer) Commented:

I wouldn't be surprised to find that is the case, nothing on your end seems to be broken. I was hoping that we'd find something that definitely ruled out your network. The requests leaving your network, but no response coming back in would have been good enough for me :)

Chris
0
 
AzIT1 (Author) Commented:
I'm back to thinking the problem is on my end.  I tried to access experts-exchange.com from the server (I've been using my laptop on an air card) to update this post.  Can't access it.  A co-worker heard me comment about it and told me she hasn't been able to get to Yahoo.com.  This makes me think there is some type of filtering going on, probably in the firewall.  I'll get into it to see what I can find.
0
