HemisFear
asked on
Can't resolve certain web sites (global)
I'm having an issue where my office cannot hit certain web sites. I've spent countless hours with my ISP trying to resolve this issue, but more and more sites are creeping up.
This issue has been ongoing since 10/05/2010 and is only getting worse.
Below is the list of web sites that I cannot hit.
1. www.paypal.com
2. www.dol.gov
3. www.noaa.gov
-We have a windows 2008 network that has our domain controllers/DNS Servers configured to forward all external DNS requests to my ISP's DNS servers.
-All user clients run Windows XP or Windows 7, with DNS1 & DNS2 pointing to internal DNS servers
-I have contacted my ISP to troubleshoot these issues with no resolution.
-I have verified that I do not have any access control lists preventing my users hitting these web sites on my firewall and router
-My ISP has added a reverse DNS entry for my IP block
-My ISP has entered a SWIP (I have no idea what this is) for my account.
None of these recommendations has provided a solution.
Is it possible that my IP block has been placed on blacklists? How would I verify this information?
-Here are example traceroutes that were performed:
WMA-R1#traceroute www.dol.gov
Translating "www.dol.gov"...domain server (65.106.1.196) [OK]
Type escape sequence to abort.
Tracing the route to e1617.b.akamaiedge.net (184.51.182.185)
1 ip65-47-181-113.z181-47-65.customer.algx.net (65.47.181.113) 4 msec 4 msec 4 msec
2 ge11-1-4d0.mcr1.chicago-il.us.xo.net (207.88.172.5) 4 msec 4 msec 8 msec
3 vb1700.rar3.chicago-il.us.xo.net (216.156.0.161) 4 msec 4 msec 4 msec
4 ae0d1.cir1.chicago2-il.us.xo.net (207.88.13.5) 4 msec 4 msec 4 msec
5 216.156.72.78.ptr.us.xo.net (216.156.72.78) 4 msec 12 msec 4 msec
6 * * *
7 * * *
WMA-R1#traceroute nhc.noaa.gov
Translating "nhc.noaa.gov"...domain server (65.106.1.196) [OK]
Type escape sequence to abort.
Tracing the route to nhc.noaa.gov (140.90.176.165)
1 ip65-47-181-113.z181-47-65.customer.algx.net (65.47.181.113) 4 msec 4 msec 4 msec
2 ge11-1-4d0.mcr2.chicago-il.us.xo.net (207.88.172.13) 32 msec 4 msec 4 msec
3 ae1d0.mcr1.chicago-il.us.xo.net (216.156.1.81) 4 msec 4 msec 4 msec
4 vb1700.rar3.chicago-il.us.xo.net (216.156.0.161) 8 msec 4 msec 4 msec
5 ae0d1.cir1.chicago2-il.us.xo.net (207.88.13.5) 4 msec 4 msec 4 msec
6 206.111.2.86.ptr.us.xo.net (206.111.2.86) 4 msec 4 msec 4 msec
7 dca-edge-21.inet.qwest.net (67.14.6.66) 24 msec 24 msec 24 msec
8 65.123.192.198 24 msec 24 msec 24 msec
9 140.90.111.46 28 msec 28 msec 20 msec
10 140.90.76.74 24 msec 24 msec 24 msec
11 140.90.60.6 28 msec 24 msec 24 msec
12 140.90.60.1 28 msec 24 msec 24 msec
13 * * *
14 * *
ASKER
RJWesley: I'll do that now and report back my findings to you in a moment.
Make sure your ISP DNS servers are updated; this could be causing the problem as well.
You can use 4.2.2.2 and 4.2.2.1
ASKER
UPDATE: I just bypassed my internal DNS servers and my firewall by connecting my laptop directly to the router and I was able to hit all three web sites without a problem! (Thank you RJWesley)
The question is where do I go from here?
Firewall, what is it?
Rob
ASKER
Cisco PIX 515E
What are your DNS settings in your firewall?
I simply use 8.8.8.8, 4.2.2.1, then ISP DNS.
Rob
Make sure your server is only pointing to internal DNS servers within its TCP\IP settings.
ASKER
I have attached the configuration of my firewall for your review. I'm not an L3 technician so I'm a bit unfamiliar with how I should configure the firewall other than asking for your help (up to the commands!)
Firewall-Config-2010-10-21.log
ASKER
There are no DNS server settings on the firewall.
My router is configured with the appropriate DNS server IP addresses, which are currently configured on my Windows 2008 DNS servers as forwarding servers.
I have verified that when I change my clients to bypass my internal Windows servers and utilize my ISP's DNS server IPs, I can resolve the web sites without a problem.
Why would Windows 2008 DNS servers that are configured to forward their requests directly to my ISP's DNS servers cause this problem?
ASKER
I found the solution on my own: It's a Windows 2008 R2 DNS server issue. It is documented here:
http://weblogs.asp.net/owscott/archive/2009/09/15/windows-server-2008-r2-dns-issues.aspx
The solution is to perform the following command on your Windows 2008 R2 DNS servers:
dnscmd /config /EnableEDNSProbes 0
I will award points for you guys for helping me troubleshoot.
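As an added illustration (not part of the original thread, and not the asker's or Microsoft's code), the Python script below builds the two kinds of query a forwarding DNS server can send: a plain UDP query, and the same query carrying the EDNS0 OPT pseudo-record (RFC 6891) that an EDNS probe uses to advertise a larger-than-512-byte UDP payload. It then runs both past a mock of a firewall DNS inspector that enforces the classic 512-byte DNS message limit. The 4096-byte advertised payload, the 512-byte inspection limit and the query names are assumptions for the example; the thread itself never says what the PIX's DNS inspection settings were, only that turning EDNS probes off (`dnscmd /config /EnableEDNSProbes 0`) made resolution work again.

```python
"""Build, parse and 'inspect' DNS queries with and without an EDNS0 OPT record.

Constructed example for the thread above. A DNS server with EDNS probes enabled
appends an OPT RR (type 41) whose CLASS field carries the sender's UDP payload
size (RFC 6891 section 6.1.2). A DNS-inspecting firewall that still enforces
the RFC 1035 512-byte UDP limit treats such traffic differently from a plain
query; the values below are assumptions, not taken from the thread.
"""
import struct

CLASSIC_UDP_LIMIT = 512      # RFC 1035 maximum UDP DNS message size
EDNS_PAYLOAD = 4096          # advertised EDNS0 payload size (assumed for this example)
TYPE_A = 1
TYPE_OPT = 41
CLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as DNS labels ('www.dol.gov' -> 3www3dol3gov0)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234, edns_payload=None):
    """Return an A-record query; append an OPT RR only when edns_payload is given.

    edns_payload=None models a server with EnableEDNSProbes=0 (plain query);
    a value models an EDNS probe advertising that UDP payload size.
    """
    arcount = 1 if edns_payload else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    question = encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)
    msg = header + question
    if edns_payload:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        msg += b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_payload, 0, 0)
    return msg


def decode_name(msg, off):
    """Decode a (possibly compressed) name at offset off; return (name, next_offset)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            off += 1
            break
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            labels.append(tail.rstrip("."))
            off += 2
            break
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off


def edns_payload_size(msg):
    """Return the UDP payload size advertised in an OPT RR, or None if the message has no EDNS0."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = decode_name(msg, off)
        off += 4                             # QTYPE + QCLASS
    for _ in range(an + ns + ar):            # walk the resource records
        _, off = decode_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            return rclass                    # CLASS field doubles as payload size
    return None


def inspect(msg, max_length=CLASSIC_UDP_LIMIT):
    """Mimic a firewall DNS inspector that enforces a maximum DNS message length."""
    payload = edns_payload_size(msg)
    return {
        "length": len(msg),
        "edns_payload": payload,
        "advertises_over_limit": payload is not None and payload > max_length,
        "message_over_limit": len(msg) > max_length,
    }


if __name__ == "__main__":
    for label, q in (("probes off ", build_query("www.dol.gov")),
                     ("EDNS probe ", build_query("www.dol.gov", edns_payload=EDNS_PAYLOAD))):
        print(label, inspect(q))
```

The plain query is 32 bytes and carries no OPT record; the probe is 43 bytes but advertises that the server is willing to accept 4096-byte responses, which is exactly what a 512-byte inspection limit objects to once a large answer comes back. Disabling EDNS probes is a workaround, not a fix: EDNS0 is required for DNSSEC-signed responses, so the longer-term answer is to allow DNS messages larger than 512 bytes through the firewall's DNS inspection.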
ASKER
While the solution wasn't presented completely here, it lead me down the correct path to find the solution on my own. I am awarding the points.