Solved

DNS entries for servers with a time stamp

Posted on 2011-03-07
Last Modified: 2012-05-11
I think we may have a few issues with our DNS and I am trying to resolve these.  The issues seem to be:-

1.  I have a number of servers that even though they have a static IP address in DNS they seem to have a timestamp date while others have static.  Is this correct or should they show static in the timestamp if they have a static ip address?

2.  I have a number of desktops who share an IP address  some of which have a time stamp date and the out of date machines have a static time stamp.  I assume it is safe to delete these old static records?

3.  I found a number of instances where I have two machines sharing an IP address (as I have already mentioned)  the problem also seems that one of the machines appears in the forward lookup zone but not the reverse and the other appears in the reverse but not the forward.  

I know these problems are not good but how do I go about fixing the issues?
0
Question by:WNottsC
 
LVL 12

Expert Comment

by:Kent W
ID: 35062984
What DNS server are you talking about here?

I'm going to assume MS, since this seems to mirror the common functions seen day in / day out.

If you are using AD w/ integrated DNS, or allow machines to update the server, it sounds like they are not correctly removing the old entries, and causing multiple hosts per IP.  Now, are you sure you are looking at forward zones, and not reverse?  In reverse, this is quite normal.  You can also end up with overlapping IPs if you have a machine that has been disconnected, so the IP is not in use, and another machine ends up getting that IP assigned via DHCP, or manually.  The record for the old machine doesn't get deleted, so you end up having an entry for the old and new machine, both at the same IP.
Unless you are getting actual IP conflicts, where these machines are being doled out the same IP, you really just have a nuisance.  
There are ways to ensure machines changing IPs are updated correctly, and you can set scavenging time...but, I'll wait for a reply before going into any of that...I'm still not sure what DNS server you are using. :)
Questions that need to be answered:
What DNS server are you using?
More than one w/ master + slave?
Are you using AD / and or AD integrated DNS?
Are you using DHCP? What is your lease life if so?
Are you using WINS servers?
What are the host machines OSs running? Win / Linux or a mix?  Servers, workstations, or a mix?

0
 

Author Comment

by:WNottsC
ID: 35063040
Questions that need to be answered:
What DNS server are you using?
You are correct, we are using Microsoft

More than one w/ master + slave?
We have more than one yes and I think they are master + slave yes

Are you using AD / and or AD integrated DNS?
I think we are using AD integrated DNS

Are you using DHCP? What is your lease life if so?
Yes we are using DHCP.  The lease life is 8 days

Are you using WINS servers?
Yes we are using WINS

What are the host machines OSs running? Win / Linux or a mix?  Servers, workstations, or a mix?
The servers are Windows Server 2008 R2 and the desktops are a mixture of Windows XP and Windows 7
0
 
LVL 12

Accepted Solution

by:
Kent W earned 500 total points
ID: 35074929
I don't think you really have an issue here, just some old DNS that didn't get removed when a host changed IPs. If you are sure of the new host+ip, you can remove the old records safely.
With AD and MS DNS, Windows machines, at least, should be if you have the TCP/IP DNS settings on "Register this connection's address in DNS".
Under each domain/zone entry on your DNS server, you can set (Properties, General tab) to allow Dynamic updates (none, secure, secure+nonsecure).  Setting just secure will only allow AD machines to update DNS directly, nonsecure will allow most anything.
This is also where you can set the aging/scavenging to remove stale records after X amount of time.
0
 

Author Comment

by:WNottsC
ID: 35093214
Ok so you are saying this seems ok.  However:-

1.  I have machines in the forward lookup zone but not in the reverse lookup zone.
2. I have machines in the reverse lookup zone but not in the forward lookup zone
3. I have machines that are in both zones but the forward timestamp is different to the timestamp for the reverse
0

 
LVL 12

Expert Comment

by:Kent W
ID: 35099964
On your DNS server(s) domains and individual Rev zones, what types of updates do you allow? Nonsecure and secure, or secure only?
Also check your aging...if this is really low, especially lower than your lease life on DHCP, you may be cleaning up records before they expire in DHCP.  At the DNS server level, properties, there is also a debug logfile you can turn on...that may help in tracking down the exact issue.  I'm assuming you've also checked your DNS Server Event logs to see if there are any bangs there?

The more I think about your symptoms, the more this seems like your scavenging is set too low.  What is your DHCP lease life vs. your scavenging settings?

0
 

Author Comment

by:WNottsC
ID: 35185970
Can I please revisit this.

To answer your question the DHCP lease life is the default and the scavenging settings are set to 7 and 7.

The more I look at DNS the more I think it is causing me problems.  For example Machines that do correctly have an entry in both the forward and reverse lookup but then each one has a different IP Address (although they only have a single network card)
0
 
LVL 12

Expert Comment

by:Kent W
ID: 35191484
For the rDNS, that is common...the old entry may not be deleted when the DHCP lease expires and the host grabs a new IP (thus setting a new rDNS).  All the Windows based servers, at least, should be removing the old IP from forward DNS, that will definitely cause problems, as multiple A's with one IP "no good" would be 50% unreachable...
Are you allowing secure and / or non-secure dynamic updates? (General tab under the zone properties...)
0
 

Author Comment

by:WNottsC
ID: 35191523
for the forward lookup zones and for all but 3 reverse lookup zones we are allowing secure and nonsecure.

Just out of interest I checked three machines that have forward lookups but no reverse lookup record and their IP address falls in one of the reverse zones that is set for only secure dynamic updates
0
 
LVL 12

Expert Comment

by:Kent W
ID: 35191732
That may be a clue...and Win-based domain member computers should be able to do the secure update, it's the other machines not technically on the network that would not be able to do dynamic updates.
Generally, I also see most Linux distros usually have issues setting or removing both, even with nonsecure allowed.
You may be able to see a pattern if you go through and clean everything up, then watch closely which machines and vs. dns security settings per zone are affected.  
Have you tried running the scavenge every 1-3 days to clean up stale records? Anything shorter than the lease life should give you some relief, at least on the round-robin A records that are being created.
I haven't tried this, but you may also turn off the "Allow round robin DNS", if that fits your needs.
It would not allow two IPs for the same hostname.
0
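
The cleanup discussed in this thread can be driven from an audit of exported records. The following is an added example, not part of the original thread: it checks a constructed record list for shared IPs, A records without a PTR, PTRs without an A, static records, and records past the scavenging window. The record layout, host names and addresses are hypothetical, and it assumes the "7 and 7" settings are the no-refresh and refresh intervals in days.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the thread): (type, host, ip, timestamp).
# timestamp None models a record the DNS console shows as "static".
RECORDS = [
    ("A",   "srv01",  "10.0.0.10", None),
    ("PTR", "srv01",  "10.0.0.10", datetime(2011, 3, 1)),
    ("A",   "pc-old", "10.0.1.50", None),
    ("A",   "pc-new", "10.0.1.50", datetime(2011, 3, 5)),
    ("PTR", "pc-new", "10.0.1.50", datetime(2011, 3, 5)),
    ("A",   "pc-x",   "10.0.2.7",  datetime(2011, 2, 1)),
    ("PTR", "pc-y",   "10.0.3.9",  datetime(2011, 3, 6)),
]

def audit(records, now, no_refresh_days=7, refresh_days=7):
    """Report the inconsistencies described in the thread."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for rtype, host, ip, _ in records:
        (fwd if rtype == "A" else rev)[ip].add(host)

    def unmatched(side, other):
        # Host/IP pairs present on one side with no matching pair on the other.
        return sorted((h, ip) for ip, hosts in side.items()
                      for h in hosts if h not in other.get(ip, ()))

    # Assumption: a dynamic record becomes eligible for scavenging once
    # no-refresh + refresh intervals have passed since its timestamp.
    limit = timedelta(days=no_refresh_days + refresh_days)
    return {
        "shared_ip": {ip: sorted(h) for ip, h in fwd.items() if len(h) > 1},
        "a_without_ptr": unmatched(fwd, rev),
        "ptr_without_a": unmatched(rev, fwd),
        "static": sorted((t, h) for t, h, _, ts in records if ts is None),
        "scavengeable": sorted((t, h) for t, h, _, ts in records
                               if ts is not None and now - ts > limit),
    }

if __name__ == "__main__":
    for finding, value in audit(RECORDS, datetime(2011, 3, 7)).items():
        print(f"{finding}: {value}")
```

Static records never appear in the `scavengeable` list, so a stale static entry such as the constructed `pc-old` has to be removed by hand once the current owner of the IP is confirmed.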
