Can't resolve certain web sites (global)

I'm having an issue where my office cannot hit certain web sites.  I've spent countless hours with my ISP trying to resolve this issue, but more and more sites are creeping up.

This issue has been ongoing since 10/05/2010 and is only getting worse.  

Below is the list of web sites that I cannot hit.

1. www.paypal.com
2. www.dol.gov
3. www.noaa.gov

-We have a Windows 2008 network that has our domain controllers/DNS servers configured to forward all external DNS requests to my ISP's DNS servers.
-All user clients run Windows XP or Windows 7, with DNS1 & DNS2 pointing to the internal DNS servers.
-I have contacted my ISP to troubleshoot these issues with no resolution.
-I have verified that I do not have any access control lists on my firewall or router preventing my users from hitting these web sites.
-My ISP has added a reverse DNS entry for my IP block.
-My ISP has entered a SWIP (I have no idea what this is) for my account.

None of these recommendations has provided a solution.
Is it possible that my IP block has been placed on blacklists?  How would I verify this information?

-Here are example traceroutes that were performed:

WMA-R1#traceroute www.dol.gov 
Translating "www.dol.gov"...domain server (65.106.1.196) [OK]

Type escape sequence to abort.
Tracing the route to e1617.b.akamaiedge.net (184.51.182.185)

  1 ip65-47-181-113.z181-47-65.customer.algx.net (65.47.181.113) 4 msec 4 msec 4 msec
  2 ge11-1-4d0.mcr1.chicago-il.us.xo.net (207.88.172.5) 4 msec 4 msec 8 msec
  3 vb1700.rar3.chicago-il.us.xo.net (216.156.0.161) 4 msec 4 msec 4 msec
  4 ae0d1.cir1.chicago2-il.us.xo.net (207.88.13.5) 4 msec 4 msec 4 msec
  5 216.156.72.78.ptr.us.xo.net (216.156.72.78) 4 msec 12 msec 4 msec
  6  *  *  *
  7  *  *  *

WMA-R1#traceroute nhc.noaa.gov
Translating "nhc.noaa.gov"...domain server (65.106.1.196) [OK]

Type escape sequence to abort.
Tracing the route to nhc.noaa.gov (140.90.176.165)

  1 ip65-47-181-113.z181-47-65.customer.algx.net (65.47.181.113) 4 msec 4 msec 4 msec
  2 ge11-1-4d0.mcr2.chicago-il.us.xo.net (207.88.172.13) 32 msec 4 msec 4 msec
  3 ae1d0.mcr1.chicago-il.us.xo.net (216.156.1.81) 4 msec 4 msec 4 msec
  4 vb1700.rar3.chicago-il.us.xo.net (216.156.0.161) 8 msec 4 msec 4 msec
  5 ae0d1.cir1.chicago2-il.us.xo.net (207.88.13.5) 4 msec 4 msec 4 msec
  6 206.111.2.86.ptr.us.xo.net (206.111.2.86) 4 msec 4 msec 4 msec
  7 dca-edge-21.inet.qwest.net (67.14.6.66) 24 msec 24 msec 24 msec
  8 65.123.192.198 24 msec 24 msec 24 msec
  9 140.90.111.46 28 msec 28 msec 20 msec
10 140.90.76.74 24 msec 24 msec 24 msec
11 140.90.60.6 28 msec 24 msec 24 msec
12 140.90.60.1 28 msec 24 msec 24 msec
13  *  *  *
 14  *  *

HemisFearAsked:
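On the "has my IP block been blacklisted?" question: the lists that carry IP addresses are DNS-based blocklists (DNSBLs), and they are consulted by mail servers deciding whether to accept SMTP connections, not by web sites, so a listing would not by itself explain HTTP failures. It is still a quick thing to rule out. The script below is an added example (not code from the thread) that does the RFC 5782 lookup: reverse the IPv4 octets, append the list's zone, query for an A record; NXDOMAIN means not listed, an answer in 127.0.0.0/8 means listed. The zone name `dnsbl.example` is a placeholder assumption; substitute the zone of the list you actually want to check, and read that list's documentation for what each 127.0.0.x code means.

```python
"""Look up IPv4 addresses on a DNS-based blocklist (DNSBL) per RFC 5782.

Added example for the 'is my IP block blacklisted?' question; not code from
the thread.  ZONE is a placeholder assumption: put the real list's zone there."""
import ipaddress
import socket

ZONE = "dnsbl.example"  # assumption/placeholder, not a real DNSBL


def dnsbl_query_name(ip, zone=ZONE):
    """192.0.2.1 -> '1.2.0.192.<zone>'; raises ValueError unless ip is IPv4."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone.rstrip(".")


def interpret_dnsbl_answer(addresses):
    """Classify the A records a DNSBL returned.  Codes are the 127.0.0.0/8
    answers (meanings are list-specific; 127.0.0.2 is the RFC 5782 test
    entry).  Anything else is 'unexpected': a wildcarded or parked zone, or a
    resolver that rewrites NXDOMAIN, and must not be read as a listing."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    codes = [a for a in addresses if ipaddress.IPv4Address(a) in loopback]
    other = [a for a in addresses if a not in codes]
    if other:
        return {"status": "unexpected", "codes": codes, "other": other}
    if codes:
        return {"status": "listed", "codes": codes, "other": []}
    return {"status": "not-listed", "codes": [], "other": []}


def lookup(ip, zone=ZONE):
    """Live query via the system resolver.  gaierror is coarse: it covers
    NXDOMAIN (not listed) but also SERVFAIL/timeouts, so run sanity_check."""
    try:
        infos = socket.getaddrinfo(dnsbl_query_name(ip, zone), None, socket.AF_INET)
    except socket.gaierror:
        return interpret_dnsbl_answer([])
    return interpret_dnsbl_answer(sorted({i[4][0] for i in infos}))


def sanity_check(zone=ZONE, resolver=lookup):
    """RFC 5782 self-test: 127.0.0.2 must be listed and 127.0.0.1 must not.
    If this fails, distrust every other answer from this list/resolver pair."""
    return (resolver("127.0.0.2", zone)["status"] == "listed"
            and resolver("127.0.0.1", zone)["status"] == "not-listed")


def check_block(cidr, zone=ZONE, resolver=lookup):
    """Check every host address in a block; resolver is injectable for tests."""
    return {str(h): resolver(str(h), zone) for h in ipaddress.ip_network(cidr).hosts()}


if __name__ == "__main__":
    import sys
    block = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.0/29"  # placeholder block
    if not sanity_check():
        raise SystemExit(f"{ZONE} fails the RFC 5782 self-test; results unreliable")
    for ip, result in check_block(block).items():
        print(ip, result["status"], ",".join(result["codes"]))
```

Run it as `python dnsbl_check.py 65.47.181.112/28` (your own block) after setting `ZONE`. The self-test matters: a public resolver or a list that has shut down can return answers that look like listings for every query, and the 127.0.0.1 check catches that.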
jar3817 Commented:
"We have a windows 2008 network that has our domain controllers/DNS Servers configured to forward all external DNS requests to my ISP's DNS servers."

Turn that off. Try having your servers recursively get the answers themselves. It doesn't really add any overhead and it'll probably be faster once your cache builds up.
0
 
rjwesley Commented:
Take a laptop and connect directly to your modem, essentially bypassing your firewall. Is connecting to these sites possible this way?

Rob
0
 
HemisFearAuthor Commented:
Jar3817: Is that as simple as going into the properties of each DNS server (WMA-DC1 & WMA-DC3), going into the Forwarders tab and removing the two server entries that I have added?  If I do this, I assume that the servers will immediately begin resolving IP addresses to DNS entries with no adverse effects?
0
 
HemisFearAuthor Commented:
RJWesley: I'll do that now and report back my findings to you in a moment.
0
 
Darius GhassemCommented:
Make sure your ISP DNS servers are updated; this could be causing the problem as well.

You can use 4.2.2.2 and 4.2.2.1
0
 
HemisFearAuthor Commented:
UPDATE:  I just bypassed my internal DNS servers and my firewall by connecting my laptop directly to the router and I was able to hit all three web sites without a problem! (Thank you RJWesley)

The question is where do I go from here?

0
 
rjwesleyCommented:
Firewall, what is it?

Rob
0
 
HemisFearAuthor Commented:
Cisco PIX 515E
0
 
rjwesleyCommented:
What are your DNS settings in your firewall.

I simply use 8.8.8.8, 4.2.2.1, then ISP DNS.

Rob
0
 
Darius GhassemCommented:
Make sure your server is only pointing to internal DNS servers within its TCP\IP settings.

0
 
HemisFearAuthor Commented:
I have attached the configuration of my firewall for your review.  I'm not an L3 technician so I'm a bit unfamiliar with how I should configure the firewall other than asking for your help (up to the commands!)


Firewall-Config-2010-10-21.log
0
 
HemisFearAuthor Commented:
There are no DNS server settings on the firewall.

My router is configured with the appropriate DNS server IP addresses, which are currently configured on my Windows 2008 DNS servers as forwarding servers.

I have verified that when I change my clients to bypass my internal Windows servers and use my ISP's DNS server IPs, I can resolve the web sites without a problem.

Why would Windows 2008 DNS servers that are configured to forward their requests directly to my ISP's DNS servers cause this problem?


0
 
HemisFearAuthor Commented:
I found the solution on my own:  It's a Windows 2008 R2 DNS server issue.  It is documented here:

http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx

The solution is to perform the following command on your Windows 2008 R2 DNS servers:

dnscmd /config /EnableEDNSProbes 0

I will award points for you guys for helping me troubleshoot.
0
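What `dnscmd /config /EnableEDNSProbes 0` changes: the Windows DNS server stops sending its forwarded queries with an EDNS0 OPT pseudo-RR (RFC 6891) that advertises a UDP buffer larger than the classic 512 bytes. Something on this path, typically a firewall's DNS inspection enforcing the old 512-byte limit, or an upstream server that ignores OPT, was swallowing those queries or their larger replies, which is consistent with everything working once the PIX was bypassed. Disabling the probes is a workaround with a cost: without EDNS0 the server can never receive a UDP answer over 512 bytes (DNSSEC-signed responses need it), so fixing the firewall is the better long-term answer. The script below is an added example, not code from the thread or from Microsoft; it builds the two kinds of query by hand, sends both to a forwarder, and reports which one gets a reply, so you can confirm the diagnosis before or after the change. The forwarder address is whatever you pass in; the `build_response` helper only exists to construct a sample reply offline.

```python
"""Probe whether a DNS path handles EDNS0 (RFC 6891) queries.

Added example for this thread, not code from the original post or from
Microsoft.  Messages are hand-built so the wire detail is visible: an EDNS0
query is an ordinary query plus one OPT pseudo-RR in the additional section
(root name, TYPE 41, CLASS = advertised UDP buffer size)."""
import random
import socket
import struct

OPT_TYPE = 41


def encode_name(name):
    """'www.example.com' -> b'\\x03www\\x07example\\x03com\\x00'."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1, edns=True, udp_size=4096, qid=None):
    """Recursive query for (name, qtype); with edns=True append an OPT RR."""
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size,
    # TTL=ext-RCODE|version|flags (all zero here), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0) if edns else b""
    return header + question + opt


def skip_name(msg, off):
    """Offset just past a (possibly compressed) name starting at off."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg):
    """Header fields that matter here, plus whether an OPT RR came back."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE, QCLASS
    opt_sizes = []
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            opt_sizes.append(rclass)
    return {"id": qid, "rcode": flags & 0xF, "truncated": bool(flags & 0x0200),
            "answers": an, "edns": bool(opt_sizes),
            "peer_udp_size": opt_sizes[0] if opt_sizes else None}


def build_response(query, addresses, edns_size=None):
    """Constructed reply (offline testing only): echoes the question, one A
    record per address via a compression pointer, OPT RR if edns_size given."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, len(addresses), 0, 1 if edns_size else 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
                       for a in addresses)
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, edns_size, 0, 0) if edns_size else b""
    return header + question + answers + opt


def probe(server, name, timeout=3.0):
    """Send the same question with and without EDNS0; None means no reply."""
    results = {}
    for label, edns in (("edns", True), ("plain", False)):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(name, edns=edns), (server, 53))
                results[label] = parse_response(s.recvfrom(65535)[0])
            except socket.timeout:
                results[label] = None
    return results


def diagnose(results):
    e, p = results.get("edns"), results.get("plain")
    if e is None and p is None:
        return "no reply to either query: connectivity or ACL problem, not EDNS"
    if e is None:
        return ("EDNS0 queries get no reply but plain ones do: the path drops OPT or "
                ">512-byte UDP DNS; fix the firewall's DNS inspection or disable EDNS "
                "probes on the forwarding server")
    if not e["edns"]:
        return "server answered without OPT: no EDNS0 support (allowed; clients fall back)"
    if e["truncated"]:
        return "answer truncated even with EDNS0: the client must retry over TCP"
    return "EDNS0 works on this path"
```

Usage from the DNS server's own network: `print(diagnose(probe("<forwarder IP>", "www.paypal.com")))`, once from behind the PIX and once from the laptop plugged straight into the router; the "EDNS0 queries get no reply" result on the inside only is the firewall confirming itself. The same comparison with standard tools is `dig @<forwarder> www.paypal.com +bufsize=4096` versus `dig @<forwarder> www.paypal.com +noedns`.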
 
HemisFearAuthor Commented:
While the solution wasn't presented completely here, it led me down the correct path to find the solution on my own.  I am awarding the points.
0
Question has a verified solution.
