ipers
Can't hit some websites and do nslookup DNS 2008 issues
Hi,
Ever since I upgraded my two DCs to w2008r2 a couple of months ago I've been having some strange issues with my DNS. Right after the upgrade the computers in my domain were not able to go to the www.sec.gov web site and could not do an nslookup against it until I disabled IPv6 on both DNS servers' NICs.
Of these two DNS servers, one is a physical machine, while the other is a virtual box with a VMXNET3 adapter. On the physical machine I still cannot do an nslookup against that address even after disabling IPv6, while I am able to go to that website from that server. On the virtual machine I can do both: nslookup and hit that URL.
On my physical machine I get garbage in DNS cache even after I clear it and successfully navigate to the website:
Name Type Data Timestamp
crow Host (A) 162.138.183.11 static
falcon Host (A) 162.138.191.11 static
puffin Host (A) 162.138.191.23 static
(same as parent folder) Delegation Signer (DS) [54361][SHA-1][UNKNOWN ALGORITHM][6AAF9E00A1DCF8118305030C90D96467EA67A0C8] static
(same as parent folder) Delegation Signer (DS) [54361][SHA-256][UNKNOWN ALGORITHM][18D03638CB721ADCFA74A28D5BBA7D61208DC6B398A016C1527AF8CFB240F2B6] static
(same as parent folder) Delegation Signer (DS) [61491][SHA-1][UNKNOWN ALGORITHM][4343321649D06D3BAF5B041C1529ED647BC632DC] static
(same as parent folder) Delegation Signer (DS) [61491][SHA-256][UNKNOWN ALGORITHM][87CB8E3F406F49AC099BE1BC24C0998DC56F0B9140BA8DB87AE58EFF94096F83] static
(same as parent folder) RR Signature (RRSIG) [DS][Inception(UTC): 8/26/2010 11:45:11 AM][Expiration(UTC): 8/31/2010 11:45:11 AM][gov.][2][57970] static
(same as parent folder) Name Server (NS) crow.sec.gov. static
(same as parent folder) Name Server (NS) falcon.sec.gov. static
(same as parent folder) Name Server (NS) puffin.sec.gov. static
On the virtual server I just get this in the DNS cache:
Name Type Data Timestamp
(same as parent folder) Name Server (NS) falcon.sec.gov. static
(same as parent folder) Name Server (NS) puffin.sec.gov. static
(same as parent folder) Name Server (NS) crow.sec.gov. static
(same as parent folder) Name Server (NS) penguin.sec.gov. static
crow Host (A) 162.138.183.11 static
falcon Host (A) 162.138.191.11 static
penguin Host (A) 162.138.183.12 static
puffin Host (A) 162.138.191.23 static
www Host (A) 162.138.185.31 static
www Host (A) 162.138.185.32 static
www Host (A) 162.138.185.33 static
After disabling IPv6 I was able to get to the sec.gov website so I dropped the issue, but last Friday another site is unreachable from my domain -- http://www.icn.state.ia.us/
Once I changed my computer's NIC properties to point to the OpenDNS address for my DNS server, I can get to the site without a problem, so I know the problem is not with the firewall but with the DNS servers.
After I added the OpenDNS address I can do nslookup against this site:
nslookup www.icn.state.ia.us
Server: resolver1.opendns.com
Address: 208.67.222.222
Non-authoritative answer:
Name: xxxxiavmu02.icn.state.ia.us
Address: 165.206.53.104
Aliases: www.icn.state.ia.us
When I go to my DNS server and look up the DNS cache, this is what it shows for icn.state.ia.us:
dns1 Host (A) 165.206.53.253 static
DNS2 Host (A) 165.206.53.248 static
Do you know what it should show in my DNS server’s cache? Do you have any idea what might be going on with my DNS?
Both of my DNS servers have static addresses, point to themselves first and then to each other in the adapter properties.
Thanks.
If you disabled EDNS then 512b as a maximum length is fine. If you enable EDNS then you should set the maximum length nearer 4096b.
Flushing DNS should be sufficient to clear it out from there. Are you still configured to use Root Hints?
Are you able to see the outbound DNS request? I guess there's no sign of a reply either on your DNS server or on the Firewall?
Chris
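Chris's 512 versus 4096 byte point comes down to what the resolver advertises in its EDNS OPT record: a firewall whose DNS inspection caps messages at 512 bytes will drop the larger replies that an EDNS-enabled server has invited, and the client sees a timeout rather than an error. The script below is an added example and is not code from the thread, from Cisco or from Microsoft. It builds a DNS query by hand with and without an EDNS(0) OPT record (RFC 6891), reads the advertised size back out of the wire format, and compares it with an assumed inspection limit. The query name www.icn.state.ia.us is taken from the thread; the transaction id and the limits are constructed.

```python
"""Compare the EDNS UDP payload size a DNS query advertises with a firewall's
DNS-inspection message-length limit.

Added example, not from the thread. Builds a minimal query (optionally with an
EDNS(0) OPT pseudo-RR, RFC 6891) and parses it the way an inspector would.
"""
import struct
from typing import Optional

TYPE_OPT = 41            # EDNS(0) OPT pseudo-RR type
CLASSIC_UDP_LIMIT = 512  # RFC 1035 UDP limit that applies without EDNS


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels ending in a 0 byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, edns_payload: Optional[int] = None, txid: int = 0x1234) -> bytes:
    """Standard recursive A query. With edns_payload set, append an OPT RR whose
    CLASS field carries the UDP buffer size the client is willing to receive."""
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD
    question = encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    msg = header + question
    if edns_payload:
        # OPT RR: root name, TYPE 41, CLASS = payload size,
        # TTL = extended rcode/version/flags (all zero), RDLEN 0.
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_payload, 0, 0)
    return msg


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a name, honouring RFC 1035 compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a pointer is two bytes and ends the name
            return off + 2
        off += 1 + length


def advertised_udp_size(msg: bytes) -> int:
    """Return the EDNS payload size from the OPT RR, or 512 if there is none."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass  # CLASS holds the UDP payload size for OPT
        off += 10 + rdlen
    return CLASSIC_UDP_LIMIT


def inspection_verdict(msg: bytes, firewall_max_len: int) -> str:
    """'ok' when every reply the client invited fits the inspector's limit,
    'at-risk' when the client invites replies the firewall would drop."""
    return "ok" if advertised_udp_size(msg) <= firewall_max_len else "at-risk"


if __name__ == "__main__":
    for payload, limit in ((None, 512), (4096, 512), (4096, 4096)):
        q = build_query("www.icn.state.ia.us", payload)
        print(f"EDNS payload={payload} firewall max={limit}: {inspection_verdict(q, limit)}")
```

The verdict is about consistency, not about any single packet: either leave EDNS off and keep the inspector at 512 bytes, or enable EDNS and raise the inspector's maximum to match what the resolver advertises.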
ASKER
Chris,
Yes, I still see root hints listed. I also have BIND secondaries disabled on the DNS servers.
I'm not sure how to check for outbound DNS requests on my DNS server or on my firewall.
sergei
It can be as simple as this on the ASA, although it won't be detailed:
show log | grep IPOfServer
If you have SysLog enabled that might make life easier.
You can see the outbound traffic on the server either with MS Network Monitor or Wireshark, but I'd be surprised if you were getting the response.
Chris
ASKER
Chris,
The output of show log|grep IPOfServer does not show anything. I don't have syslog either.
I installed MS Network Monitor on one of my DNS servers and ran a capture, but the output is so voluminous that I'm lost trying to find my query. I'm also confused about using filters during capture and post-capture.
Thanks.
sergei
I tend to prefer Wireshark for that, it's easier to work with. It would let us add a filter like this:
udp.port == 53
Which is sufficient to capture DNS traffic (I hope!).
We're trying to test for two possibilities:
1. The server does not send the request
2. The server does not receive a response
Chris
Check this blog out:
http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx
Could be EDNS related.
Can you try one experiment for me? I had a client with similar issues and speed problems. I changed his forwarders to 4.2.2.2 and 4.2.2.5 and everything works perfect.
ASKER
Rickgobbs,
I don't have any forwarders. There is a dimmed check box that makes it look into the root hints.
ASKER
paulsolov,
Thanks for the link, but I have already disabled edns by running this command: dnscmd /config /enableednsprobes 0 and it didn't help.
ASKER
Chris,
I installed Wireshark on my machine and tried capturing DNS traffic while attempting to go to that website. It didn't capture anything related to the http://www.icn.state.ia.us/ site. However, it captured some DNS packets sent to Evernote (an update):
1 0.000000 training21.ipers.local ipers09.ipers.local DNS Standard query A update.evernote.com
Then I tried capturing all traffic on host ipers09 (which is my DNS server) while hitting that webpage. It didn't capture anything related to that URL in Wireshark.
I have also created a DWORD on my DNS server to fully disable IPv6 per the MS KB (http://support.microsoft.com/kb/929852). Still no joy.
Flush the DNS cache (dnscmd /ClearCache), then run nslookup for the website name and see what it captures?
Chris
ASKER
cleared cache and ran nslookup on the dns server:
C:\Windows\system32>nslookup www.icn.state.ia.us
Server: ipers09.ipers.local
Address: 10.XXX.0.XXX
*** ipers09.ipers.local can't find www.icn.state.ia.us: Non-existent domain
Hmm, you should be able to capture an NXDOMAIN response; it's a good response, we only get upset about timeouts.
Can you run these three please?
nslookup -q=a www.icn.state.ia.us ns.state.ia.us
nslookup -q=a www.icn.state.ia.us ns-1.iastate.edu
nslookup -q=a www.icn.state.ia.us dns1.icn.state.ia.us
In each case we're directing the query at their servers. Unless something really odd is going on each should give you the same answer.
Chris
ASKER
Hi Chris,
Here are the responses:
>nslookup -q=a www.icn.state.ia.us ns.state.ia.us
Server: ns.state.ia.us
Address: 165.206.254.254
Name: xxxxiavmu02.icn.state.ia.us
Address: 165.206.53.104
Aliases: www.icn.state.ia.us
>nslookup -q=a www.icn.state.ia.us ns-1.iastate.edu
Server: ns-1.iastate.edu
Address: 129.186.1.200
Non-authoritative answer:
Name: xxxxiavmu02.icn.state.ia.us
Address: 165.206.53.104
Aliases: www.icn.state.ia.us
>nslookup -q=a www.icn.state.ia.us dns1.icn.state.ia.us
*** Can't find server address for 'dns1.icn.state.ia.us':
Server: ipers09.ipers.local
Address: 10.XXX.0.XXX
*** ipers09.ipers.local can't find www.icn.state.ia.us: Non-existent domain
How odd. This one?
nslookup -q=a dns1.icn.state.ia.us
See if it still fails?
I'm not sure why it's picking up an NXDOMAIN response, it shouldn't be doing that unless something explicitly hands it that response.
Chris
ASKER
Can't find it:
>nslookup -q=a dns1.icn.state.ia.us
*** ipers09.ipers.local can't find dns1.icn.state.ia.us: Non-existent domain
sergei
Well that's just a bit wrong really.
I can't find out where you're getting NXDOMAIN from. Let's see, can we try:
nslookup -q=a -d2 dns1.icn.state.ia.us.
Please note that the trailing dot is intentional and should be included when you run this command. You're going to get a lot of stuff back from this, it would help to see everything that appears after the "Server" and "Address" line.
Chris
ASKER
Here it is, Chris:
C:\Users\sborise>nslookup -q=a -d2 dns1.icn.state.ia.us.
------------
SendRequest(), len 43
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
173.0.111.10.in-addr.arpa, type = PTR, class = IN
------------
------------
Got answer (76 bytes):
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
173.0.111.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 173.0.111.10.in-addr.arpa
type = PTR, class = IN, dlen = 21
name = ipers09.ipers.local
ttl = 1200 (20 mins)
------------
Server: ipers09.ipers.local
Address: 10.111.0.173
------------
SendRequest(), len 38
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
dns1.icn.state.ia.us, type = A, class = IN
------------
------------
Got answer (119 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
dns1.icn.state.ia.us, type = A, class = IN
AUTHORITY RECORDS:
-> icn.state.ia.us
type = SOA, class = IN, dlen = 54
ttl = 3600 (1 hour)
primary name server = ipers09.ipers.local
responsible mail addr = hostmaster.ipers.local
serial = 5
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
------------
*** ipers09.ipers.local can't find dns1.icn.state.ia.us.: Non-existent domain
Thank you :)
I'm a bit troubled that we've gone down the wrong track. It's www.sec.gov that you can't get to isn't it? Not www.icn.state.ia.us?
The data above does explain why we can't get a response for www.icn.state.ia.us, it's because your local system seems to believe that it is responsible for some or all of the DNS tree for icn.state.ia.us (likely to be configured as a Forward Lookup Zone).
Chris
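Chris's diagnosis above rests on two fields in the -d2 output: the "auth. answer" flag on the NXDOMAIN reply, and the SOA in the AUTHORITY section naming ipers09.ipers.local as the primary server. Together they say the resolver answered from a zone it hosts itself and never asked the internet, which is the signature of a local forward lookup zone shadowing a public name (whether added by mistake, as here, or by someone who wanted a name to resolve elsewhere). The script below is an added example, not code from the thread or from either participant: it parses nslookup -d2 transcripts and flags that pattern. The two transcripts embedded in it are constructed, modelled on the one posted above; the ipers.local suffix and host names are the thread's own, while www.example.com and 192.0.2.10 are documentation placeholders.

```python
"""Flag NXDOMAIN answers that come from a zone hosted on your own resolver.

Added example, not from the thread. Parses the text nslookup -d2 prints and
checks whether an NXDOMAIN was answered authoritatively by a server inside the
local domain, i.e. a local zone is shadowing the public name.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed transcript shaped like the one posted in the thread: the resolver
# answers authoritatively with its own SOA for icn.state.ia.us.
SHADOWED = """\
------------
SendRequest(), len 38
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0
QUESTIONS:
dns1.icn.state.ia.us, type = A, class = IN
------------
------------
Got answer (119 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0
QUESTIONS:
dns1.icn.state.ia.us, type = A, class = IN
AUTHORITY RECORDS:
-> icn.state.ia.us
type = SOA, class = IN, dlen = 54
ttl = 3600 (1 hour)
primary name server = ipers09.ipers.local
responsible mail addr = hostmaster.ipers.local
------------
*** ipers09.ipers.local can't find dns1.icn.state.ia.us.: Non-existent domain
"""

# Constructed healthy transcript: a recursive (non-authoritative) answer.
HEALTHY = """\
------------
Got answer (56 bytes):
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS:
www.example.com, type = A, class = IN
ANSWERS:
-> www.example.com
internet address = 192.0.2.10
ttl = 300 (5 mins)
------------
"""


@dataclass
class DnsExchange:
    qname: str
    qtype: str
    rcode: str
    authoritative: bool
    answers: int
    soa_primary: Optional[str] = None


def parse_nslookup_debug(text: str) -> List[DnsExchange]:
    """Extract rcode, the 'auth. answer' flag, answer count and any SOA primary
    from each 'Got answer' block; SendRequest blocks are ignored."""
    exchanges = []
    for block in re.split(r"-{6,}", text):
        if "Got answer" not in block:
            continue
        rcode = re.search(r"rcode = (\w+)", block)
        flags = re.search(r"header flags: (.+)", block)
        count = re.search(r"answers = (\d+)", block)
        question = re.search(r"QUESTIONS:\s+([\w.\-]+), type = (\w+)", block)
        soa = re.search(r"primary name server = ([\w.\-]+)", block)
        if not (rcode and flags and count and question):
            continue
        exchanges.append(DnsExchange(
            qname=question.group(1).rstrip("."), qtype=question.group(2),
            rcode=rcode.group(1), authoritative="auth. answer" in flags.group(1),
            answers=int(count.group(1)), soa_primary=soa.group(1) if soa else None))
    return exchanges


def diagnose(ex: DnsExchange, local_suffix: str) -> str:
    """Classify one exchange. An authoritative NXDOMAIN whose SOA primary sits
    inside local_suffix means the resolver hosts a zone covering the name."""
    suffix = "." + local_suffix.strip(".").lower()
    local_soa = (ex.soa_primary or "").lower().endswith(suffix)
    if ex.rcode == "NXDOMAIN" and ex.authoritative and local_soa:
        return "shadowed-by-local-zone"
    if ex.rcode == "NXDOMAIN" and ex.authoritative:
        return "authoritative-nxdomain"  # expected only when querying the zone's own server
    if ex.rcode == "NXDOMAIN":
        return "nxdomain-from-recursion"
    if ex.rcode == "NOERROR" and ex.answers:
        return "resolved"
    return f"other:{ex.rcode}"


def shadowed_names(text: str, local_suffix: str):
    """Names in a transcript that a local zone is shadowing, with the SOA primary."""
    return [(e.qname, e.soa_primary) for e in parse_nslookup_debug(text)
            if diagnose(e, local_suffix) == "shadowed-by-local-zone"]


if __name__ == "__main__":
    for label, transcript in (("shadowed", SHADOWED), ("healthy", HEALTHY)):
        for ex in parse_nslookup_debug(transcript):
            print(f"{label}: {ex.qname} {ex.qtype} -> {diagnose(ex, 'ipers.local')}")
```

In practice you would feed it the real transcript (nslookup -q=a -d2 name. > out.txt) and pass your AD domain as local_suffix; any "shadowed-by-local-zone" hit points at a zone to review in the DNS console, which is exactly what resolved the thread.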
ASKER
Chris,
No, we are on the right track. Originally, as soon as I upgraded my DNS to w2008r2 I was not able to get to sec.gov, but as soon as I disabled IPv6 everything started working fine for that particular site. However, last Friday my boss informed me that he could not get to ICN's web site. ICN is the State of Iowa internet and networking provider and of course we never had any issues going to their web site prior to the DNS upgrade. After you mentioned that ICN.STATE could be configured in the forward lookup zone, I checked and indeed it was listed there. My coworker put it in there yesterday without telling me, thinking that it would fix the problem. As soon as I removed the FLZ for ICN everything started to work. Since I don't know when that guy added the FLZ to the DNS server I don't know what fixed the problem, which sucks.
Chris, thank you very much for all the help you've given. I'm sure that your suggestion to disable EDNS or your suggestion to set up DNS packet inspection in my firewall has fixed the problem.
Thanks!
sergei
No worries, yell if the problem comes back and we can look again :)
Chris
ASKER
Thank you for your reply. I have disabled EDNS on my DNS servers by running this command:
dnscmd /config /enableednsprobes 0
After that I restarted the DNS servers, but was still unable to navigate to the web site.
Then I went to my ASA (7.2) and added these two commands:
IPERS-ASA01(config-pmap-p)
IPERS-ASA01(config-pmap-p)
per an article I found on Cisco's site, but that didn't make a difference even after I flushed DNS on my computer.
Is there anything else you think I should try?
Thanks!