DNS A Record not updating

I had an A Record in our DNS zone which points to the outside world. I updated this A record with a new IP address 3 weeks ago. Internally when I ping the website that the A record points to, I get the correct IP address (the new IP address I placed in), but to the outside world, when they ping the website domain they get the old IP address.

Our DNS server is master server to our ISP DNS, which acts as a slave to all the records we make.

I'm not sure if I am being clear enough in my description because DNS is by no means my strong point.

We are running the 2K3 DNS server role. Is there a way I can search the DNS database for the old IP address so I can make the changes? I have scoured the DNS records but to no avail.
steve_fernandes Asked:
Hypercat (Deb)Connect With a Mentor Commented:
Well, at least part of the problem is that a different DNS server has that IP address pointing to a different host name.  Is it possible that this IP address is assigned to more than one physical location/host?  That doesn't really solve your problem, but even if we figure out why your server is not responding with the correct IP address, this other record out there, if it points to a different physical machine, might still cause you problems. The whipplehill.com domain is hosted by a different DNS server, ns1.p22.dynect.net.

From a workstation inside your domain, could you please open a command prompt and run the following commands:

1.  Type nslookup and press Enter at the command prompt.
2.  Type set q=all and press Enter.
3.  Type stgeorges.bc.ca and press Enter.

Post the results.  If you want to mask any host names other than the one we're trying to fix, go right ahead.

0
 
AustinComputerLabsCommented:
It sounds like your registrar's records are not updating the changes from your DNS. I would log into the registrar or call them and ask why their records are not being updated.
0
 
steve_fernandesAuthor Commented:
I did call them, and they told me that their records depend on our server. The tech then did a dig report right on our DNS server and it pulled the old A record information.
0
 
AustinComputerLabsCommented:
Are you using SimpleDNS, OpenDNS or another utility to manage the public DNS records?
Did you set up the first A record?
0
 
Hypercat (Deb)Commented:
Your registrar may not be hosting your public DNS zone.  This may be hosted by your ISP which is very common. So, unless you can answer "yes" to one of AustinComputers' questions, you need to contact your ISP and see if they are hosting the public DNS zone and how you need to go about changing that A record in that zone. If you want to check first to see where your public DNS zone is hosted, you can use this web page to look it up:

http://legacy.zoneedit.com/whois.html

The "Name Servers" listed are the ones that are hosting your public DNS zone.
0
 
steve_fernandesAuthor Commented:
The registrar is not hosting our public DNS and our ISP is acting as a slave to our primary DNS, which we are hosting ourselves.

If you do a whois query on stgeorges.bc.ca, the server ns.stgeorges.bc.ca is hosted by, and ns2.terago.ca is our ISP.

When I called up the ISP they said that their DNS records are based off our DNS records, so the tech did a dig report on our name server and our name server is reporting the incorrect A record to the outside world, yet it reports correctly internally.
0
 
Hypercat (Deb)Commented:
When did you change this IP address and what is the TTL on your public DNS server? External servers will have cached the old IP address and it won't be updated until the TTL is lapsed by at least 50%.  Plus, they are most likely getting their updates from the root servers, which may not have been updated yet.  Have you asked them to connect directly to your DNS server and run the query from there? That's the only way to tell for sure whether your DNS server is actually not responding properly.
0
 
steve_fernandesAuthor Commented:
I updated the record about 2 and half weeks ago. When you say connect directly to my DNS server, can you specify that a bit more?

The exact instructions I got from them were to run a dig report on ns.stgeorges.bc.ca for an A record.

ns.stgeorges.bc.ca is supposedly the main public DNS server that hosts all the records, which we manage internally. Our firewall has the appropriate ports set to map it to an external IP w/ the proper ports.

As for the TTL record on ns.stgeorges.bc.ca, it is set to 1 hr.
0
 
Hypercat (Deb)Commented:
I was talking Windows DNS v. Linux.  Would you mind posting the host name and IP address that is supposed to be returned?
0
 
steve_fernandesAuthor Commented:
Windows DNS:

Old A Record was for 64.49.241.159

I replaced that with a new A Record of 74.123.152.99.


However the changes externally are still not being shown.
0
 
Hypercat (Deb)Commented:
Well, I can confirm that I am still getting the old IP address with a TTL of 1 hour.  It is querying ns.stgeorges.bc.ca at 67.226.161.4. When I ping 74.123.152.99 it returns a host name of 99.rev.whipplehill.com.
0
 
bjbeckCommented:
Steve,

Have you verified that you have updated the serial for your zone record and reloaded your config?  Slave DNS servers will not update from the master unless the serial is higher than that from the previous zone transfer.
0
 
steve_fernandesAuthor Commented:
Bjbeck - Sorry I am kind of lost with that comment, mainly as DNS is not my strong point and I have been left in a position where I have to figure out what my predecessor had done / set up. Can you elaborate a bit more?

On that note, when I check my stgeorges.bc.ca properties and then click on the zone transfer tab, the checkbox that says allow zone transfers is unchecked. Should I have this checked off, and specify the IPs of the name servers to which I would like the zone transfer information to be sent?

HyperCat - Yes, 74.123.152.99 is the new address that I need the old A record to point to.

0
 
steve_fernandesAuthor Commented:
Also, do I have to add my ISP's DNS under the name server tab for the stgeorges.bc.ca zone properties?

And under the general tab, dynamic updates is set to none. Should this be set to secure?

Thanks

0
 
bjbeckCommented:
Steve,

The 'allow zone transfers' should definitely be checked.

The serial for a zone record is a value in the SOA (start of authority) and should be incremented whenever a record is updated on the master server.  This allows secondary servers to determine if a zone transfer should be made or not, as transfers are only made when there are changes on the master record.  To be honest, I do not know if this serial number is auto-incremented in Win 2003 DNS service, but I do know that it has to be manually updated in BIND 9 for secondaries to initiate a transfer.

These pages can explain it more elaborately than I can here:

http://technet.microsoft.com/en-us/library/cc781340(WS.10).aspx (Understanding zones and zone transfer)

http://technet.microsoft.com/en-us/library/cc782181(WS.10).aspx (Modify DNS zone transfer settings)
0
 
Hypercat (Deb)Commented:
In order for your ISP's server to receive your zone information, you would have to allow zone transfers to their DNS server(s).  Currently, when I query their DNS server that is listed as one of the DNS servers for your domain, it says that it doesn't have any information available.

The only reason you would want to allow dynamic updates is if you did not want to retain complete manual control over the records in this zone.  When dynamic updates are allowed, hosts in the domain will automatically update their DNS records whenever their IP address is changed.  I would think you would not want to enable dynamic updates on a publicly available DNS zone, but I've never managed one, so I'm not an authority on that.
0
 
steve_fernandesAuthor Commented:
Here is the info:


Default Server:  UnKnown
Address:  10.0.4.44

> set q=all
> stgeorges.bc.ca
Server:  UnKnown
Address:  10.0.4.44

stgeorges.bc.ca internet address = 74.123.152.99
stgeorges.bc.ca nameserver = sradm.saints.local
stgeorges.bc.ca nameserver = ns2.stgeorges.bc.ca
stgeorges.bc.ca nameserver = ns.stgeorges.bc.ca
stgeorges.bc.ca nameserver = jrlab.saints.local
stgeorges.bc.ca nameserver = jradm.saints.local
stgeorges.bc.ca nameserver = ns2.terago.ca
stgeorges.bc.ca
        primary name server = sradm.saints.local
        responsible mail addr = helpdesk.stgeorges.bc.ca
        serial  = 2870752929
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
stgeorges.bc.ca MX preference = 10, mail exchanger = mail.stgeorges.bc.ca
stgeorges.bc.ca MX preference = 10, mail exchanger = students.stgeorges.bc.ca
sradm.saints.local      internet address = xxxxx
ns2.stgeorges.bc.ca     internet address = 10.0.4.48
ns.stgeorges.bc.ca      internet address = 10.0.4.44
jrlab.saints.local      internet address = xxxxxxx
jradm.saints.local      internet address = 10.0.4.48
mail.stgeorges.bc.ca    internet address = xxxxxx
students.stgeorges.bc.ca        internet address =xxxxxxx


I also now enabled zone transfers only to the specified IPs in the name server tab. I added my ISP IP to the name server tab.

Finally I incremented the Serial number.

0
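bjbeck's point about the SOA serial, and the nslookup listing above, are exactly what the asker eventually used to find the problem: the serial reported internally did not match the one reported externally. Below is an added example (not code from this thread or from any of its participants) that automates that check. It parses two nslookup "set q=all" style listings, pulls out the zone's SOA serial and apex A record, and applies RFC 1982 serial arithmetic to decide whether a secondary would actually transfer the zone. The sample listings are constructed for the example: the internal one reuses values posted in the thread, the "external" one uses an invented older serial and the old address the asker described.

```python
import re

ZONE = "stgeorges.bc.ca"

# Constructed sample: what the internal server (10.0.4.44) reported in the thread.
SAMPLE_INTERNAL = """\
stgeorges.bc.ca internet address = 74.123.152.99
stgeorges.bc.ca nameserver = ns.stgeorges.bc.ca
stgeorges.bc.ca
        primary name server = sradm.saints.local
        responsible mail addr = helpdesk.stgeorges.bc.ca
        serial  = 2870752929
        refresh = 900 (15 mins)
        default TTL = 3600 (1 hour)
ns.stgeorges.bc.ca      internet address = 10.0.4.44
"""

# Constructed sample: a hypothetical stale answer from a second server that
# still carries the old address and a lower serial (values invented here).
SAMPLE_EXTERNAL = """\
stgeorges.bc.ca internet address = 64.49.241.159
stgeorges.bc.ca
        primary name server = sradm.saints.local
        serial  = 2870752901
        refresh = 900 (15 mins)
        default TTL = 3600 (1 hour)
"""


def parse_nslookup_all(text, zone):
    """Extract the SOA serial and the apex A record(s) for `zone`
    from an nslookup 'set q=all' listing."""
    serial = None
    addrs = []
    apex_a = re.compile(rf"^{re.escape(zone)}\s+internet address\s*=\s*(\S+)")
    for line in text.splitlines():
        m = re.match(r"\s*serial\s*=\s*(\d+)", line)
        if m:
            serial = int(m.group(1))
        m = apex_a.match(line)  # anchored at ^ so ns.<zone> lines are skipped
        if m:
            addrs.append(m.group(1))
    return {"serial": serial, "a": addrs}


HALF = 2 ** 31  # SOA serials are 32-bit; comparisons wrap per RFC 1982


def serial_gt(i1, i2):
    """RFC 1982 'greater than': handles the 32-bit wrap, so a serial that
    rolled over from 4294967295 to a small number still counts as newer."""
    i1 %= 2 ** 32
    i2 %= 2 ** 32
    return (i1 < i2 and i2 - i1 > HALF) or (i1 > i2 and i1 - i2 < HALF)


def check_replication(master_text, slave_text, zone):
    """Compare what the master and a secondary report for `zone` and say
    whether the secondary would pull a transfer on its next refresh."""
    master = parse_nslookup_all(master_text, zone)
    slave = parse_nslookup_all(slave_text, zone)
    result = {
        "master_serial": master["serial"],
        "slave_serial": slave["serial"],
        "serial_match": master["serial"] == slave["serial"],
        "a_match": master["a"] == slave["a"],
        # A secondary only transfers when the master's serial is greater
        # (serial arithmetic), which is why a forgotten increment leaves
        # the outside world serving the old A record.
        "slave_will_transfer": (
            master["serial"] is not None
            and slave["serial"] is not None
            and serial_gt(master["serial"], slave["serial"])
        ),
    }
    return result


if __name__ == "__main__":
    report = check_replication(SAMPLE_INTERNAL, SAMPLE_EXTERNAL, ZONE)
    for key, value in report.items():
        print(f"{key:>20}: {value}")
```

In practice you would paste the real output of the same nslookup session run against each server named in the zone's NS set (the asker queried internally and externally); a serial mismatch with `slave_will_transfer` false means the secondary believes it is current and will keep serving stale data until the master's serial is raised, while a mismatch with it true means the transfer is being blocked (zone transfer not allowed, notify not reaching the secondary, or the port not open).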
 
bjbeckConnect With a Mentor Commented:
Steve, all that looks correct.  Also verify that 'Automatically Notify' is checked for the secondaries you want to push transfers to.

http://technet.microsoft.com/en-us/library/cc759426%28WS.10%29.aspx (Create and manage a notify list for a zone)
0
 
steve_fernandesAuthor Commented:
Yes, Automatically notify is also checked off.
0
 
steve_fernandesAuthor Commented:
Thank you all for your comments and time. After using the combined knowledge of all, I used nslookup internally and externally and found that my SOA serial numbers did not match, which gave way to the assumption that I had to have had another DNS server somewhere in the network. I pulled cables off the WAN switch and followed it to a suspicious looking server box. Logged on, checked the roles and found the DNS roles.

I was able to do what I needed to do.


Granted I would not have got there had I not known about serial numbers, SOAs etc. which I got from everyone. I am splitting the points between bjbeck and hypercat for the time that they put in.
0
 
bjbeckCommented:
Good stuff Steve.  Glad you got it worked out.
0
 
Hypercat (Deb)Commented:
Thanks for the points, Steve. Good work on your part to trace it back to the "rogue" server.
0