HemisFear asked:

Can't resolve certain web sites (global)

I'm having an issue where my office cannot hit certain web sites.  I've spent countless hours with my ISP trying to resolve this issue but more and more sites are creeping up.

This issue has been ongoing since 10/05/2010 and is only getting worse.  

Below is the list of web sites that I cannot hit.

1. www.paypal.com
2. www.dol.gov
3. www.noaa.gov

-We have a windows 2008 network that has our domain controllers/DNS Servers configured to forward all external DNS requests to my ISP's DNS servers.
-All user clients run Windows XP or Windows 7, with DNS1 & DNS2 pointing to internal DNS servers
-I have contacted my ISP to troubleshoot these issues with no resolution.
-I have verified that I do not have any access control lists preventing my users hitting these web sites on my firewall and router
-My ISP has added a reverse DNS entry for my IP block
-My ISP has entered a SWIP (I have no idea what this is) for my account.

None of these recommendations has provided a solution.
Is it possible that my IP block has been placed on blacklists?  How would I verify this information?

-Here are example traceroutes that were performed:

WMA-R1#traceroute www.dol.gov 
Translating "www.dol.gov"...domain server (65.106.1.196) [OK]

Type escape sequence to abort.
Tracing the route to e1617.b.akamaiedge.net (184.51.182.185)

  1 ip65-47-181-113.z181-47-65.customer.algx.net (65.47.181.113) 4 msec 4 msec 4 msec
  2 ge11-1-4d0.mcr1.chicago-il.us.xo.net (207.88.172.5) 4 msec 4 msec 8 msec
  3 vb1700.rar3.chicago-il.us.xo.net (216.156.0.161) 4 msec 4 msec 4 msec
  4 ae0d1.cir1.chicago2-il.us.xo.net (207.88.13.5) 4 msec 4 msec 4 msec
  5 216.156.72.78.ptr.us.xo.net (216.156.72.78) 4 msec 12 msec 4 msec
  6  *  *  *
  7  *  *  *

WMA-R1#traceroute nhc.noaa.gov
Translating "nhc.noaa.gov"...domain server (65.106.1.196) [OK]

Type escape sequence to abort.
Tracing the route to nhc.noaa.gov (140.90.176.165)

  1 ip65-47-181-113.z181-47-65.customer.algx.net (65.47.181.113) 4 msec 4 msec 4 msec
  2 ge11-1-4d0.mcr2.chicago-il.us.xo.net (207.88.172.13) 32 msec 4 msec 4 msec
  3 ae1d0.mcr1.chicago-il.us.xo.net (216.156.1.81) 4 msec 4 msec 4 msec
  4 vb1700.rar3.chicago-il.us.xo.net (216.156.0.161) 8 msec 4 msec 4 msec
  5 ae0d1.cir1.chicago2-il.us.xo.net (207.88.13.5) 4 msec 4 msec 4 msec
  6 206.111.2.86.ptr.us.xo.net (206.111.2.86) 4 msec 4 msec 4 msec
  7 dca-edge-21.inet.qwest.net (67.14.6.66) 24 msec 24 msec 24 msec
  8 65.123.192.198 24 msec 24 msec 24 msec
  9 140.90.111.46 28 msec 28 msec 20 msec
 10 140.90.76.74 24 msec 24 msec 24 msec
 11 140.90.60.6 28 msec 24 msec 24 msec
 12 140.90.60.1 28 msec 24 msec 24 msec
 13  *  *  *
 14  *  *

ASKER CERTIFIED SOLUTION by jar3817 (members-only, not shown)

SOLUTION (members-only, not shown)

HemisFear (asker):

Jar3817: Is that as simple as going into the properties of each DNS server (WMA-DC1 & WMA-DC3), going into the Forwarders tab and removing the two server entries that I have added?  If I do this, I assume that the servers will immediately begin resolving IP addresses to DNS entries with no adverse effects?
RJWesley: I'll do that now and report back my findings to you in a moment.
Darius Ghassem:
Make sure your ISP DNS servers are updated; this could be causing the problem as well.

You can use 4.2.2.2 and 4.2.2.1

UPDATE:  I just bypassed my internal DNS servers and my firewall by connecting my laptop directly to the router and I was able to hit all three web sites without a problem! (Thank you RJWesley)

The question is where do I go from here?

Firewall, what is it?

Rob
Cisco PIX 515E
What are your DNS settings in your firewall.

I simply use 8.8.8.8, 4.2.2.1, then ISP DNS.

Rob
Make sure your server is only pointing to internal DNS servers within its TCP/IP settings.

I have attached the configuration of my firewall for your review.  I'm not an L3 technician so I'm a bit unfamiliar with how I should configure the firewall other than asking for your help (up to the commands!)


Firewall-Config-2010-10-21.log
There are no DNS server settings on the firewall.  

My router is configured with the appropriate DNS server IP addresses, which are currently configured on my Windows 2008 DNS servers as forwarding servers.

I have verified that when I change my clients to bypass my internal Windows servers and utilize my ISP's DNS server IPs, I can resolve the web sites without a problem.

Why would Windows 2008 DNS servers that are configured to forward their requests directly to my ISP's DNS servers cause this problem?  


I found the solution on my own:  It's a Windows 2008 R2 DNS server issue.  It is documented here:

http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx

The solution is to perform the following command on your Windows 2008 R2 DNS servers:

dnscmd /config /EnableEDNSProbes 0

I will award points for you guys for helping me troubleshoot.
While the solution wasn't presented completely here, it led me down the correct path to find the solution on my own.  I am awarding the points.
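The dnscmd setting above turns off the server's EDNS probes. The following is an added diagnostic example, not code from the thread: it sends the same A query to a resolver twice, once plain and once carrying an EDNS0 OPT record, so you can see whether the path to a forwarder answers one but not the other. The hostname and resolver address are placeholders passed on the command line; only the Python standard library is used.

```python
import socket
import struct


def build_query(name, qid=0x1234, edns=True, udp_size=4096):
    """Wire-format A/IN query for name; edns=True appends an OPT RR (RFC 6891)."""
    arcount = 1 if edns else 0
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD bit set
    labels = [lab.encode() for lab in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT pseudo-RR: root name, TYPE=41, CLASS=advertised UDP size, TTL=0, RDLEN=0
    opt = b"\x00" + struct.pack(">HHIH", 41, udp_size, 0, 0) if edns else b""
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header: enough to tell an answer from a failure."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": qid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "qdcount": qd, "ancount": an, "arcount": ar}


def probe(name, resolver, timeout=3.0):
    """Query resolver plain and with EDNS0; None means no reply within timeout."""
    results = {}
    for label, edns in (("plain", False), ("edns", True)):
        query = build_query(name, edns=edns)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (resolver, 53))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                results[label] = None
                continue
        # Only accept a reply whose ID matches the query we just sent
        results[label] = parse_header(data) if data[:2] == query[:2] else None
    return results


if __name__ == "__main__":
    import sys
    # Placeholders: pass one of the failing names and your forwarder's address
    host = sys.argv[1] if len(sys.argv) > 1 else "www.dol.gov"
    server = sys.argv[2] if len(sys.argv) > 2 else "192.0.2.53"
    res = probe(host, server)
    print(res)
    if res["plain"] and res["edns"] is None:
        print("plain query answered, EDNS query got no reply: path drops EDNS")
```

Run it once against each forwarder configured on the Windows DNS servers; a forwarder that answers the plain query but not the EDNS one is the kind of upstream the dnscmd change works around.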