[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 684
  • Last Modified:

Generic CNAME & DNS Name Resolution (Windows 2003 servers)

A domain has records similar to this on its NS servers at Network Solutions:

www.placeholder.com      A       212.25.25.25
*.placeholder.com      CNAME      xyz.general.com

When our DNS servers (Windows 2003) try to resolve the name www.placeholder.com, sometimes they get the correct address (212.25.25.25) but other times they get the IP of generic CNAME record (xyz.general.com) which is different and wrong.

How can I prevent our DNS servers from picking the generic CNAME record? If this cannot be done, is the CNAME entry at the Network Solution NS servers at fault? Thanks.

Ajay
0
Akulsh
Asked:
Akulsh
  • 13
  • 12
  • 2
  • +1
2 Solutions
 
Paul MacDonaldDirector, Information SystemsCommented:
Are you sure they're resolving www.placeholder.com to xyz.general.com?  Maybe someone is typing in placeholder.com expecting to get www.placeholder.com...
0
 
AkulshAuthor Commented:
No, sometimes even NSlookup will give CNAME address for WWW record query.
So this problem is there for www record.
0
 
Gary ColtharpSr. Systems EngineerCommented:
That CNAME is wrong and should be removed
0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
AkulshAuthor Commented:
GColtharp, what justification do you have for this statement?. This CNAME has been there for a long time and I cannot ask my superiors to remove an entry without a good reason.
0
 
Gary ColtharpSr. Systems EngineerCommented:
The CNAME is trying to wildcard forward the entire domain to a different domain and then there is an A record which is trapping one A record....  of course it wont work well.

But if that is what it is and there is no intention to correct it, then I am assuming you have DNS servers running on your 2003 box.

The workaround would be to create an implicit zone.... create a new, non ad integrated zone called www.placeholder.com. create an A record in the zone with no name that points to the correct IP.

It will never get it wrong again.
0
 
PapertripCommented:
Wildcards will only match if there is not a "real" record in place for the name queried.

*.domain.com. will not match domain.com.

@Akulsh, I'm assuming the names in your wildcard CNAME are terminated with a ".", even though you didn't explicitly post that?

*.placeholder.com      CNAME      xyz.general.com

Open in new window

should technically be
*.placeholder.com.      CNAME      xyz.general.com.

Open in new window


On that note you also don't have a "." for your A record, guessing this was just a copy/paste typo.
www.placeholder.com      A       212.25.25.25

Open in new window


If you can provide the actual domain in question, we can verify if the records themselves look good.
0
 
AkulshAuthor Commented:
@Papertrip, there is indeed a dot at the end of cname record - xyz.general.com. -- like this.

There is no other dot. For www record, it states like this:
www      7200 (TTL)     212.25.25.25

The domain is a COM domain with four letters T N I K, but in reverse order. Thanks.

(@gcoltharp, I had thought of what you are suggesting but the company does not want just the work around -- these people have many other domains with similar setup.)
0
 
AkulshAuthor Commented:
In your responses, please don't mention the domain name explicitly...
0
 
PapertripCommented:
In your responses, please don't mention the domain name explicitly...
Understood :)

So I did some snooping around and your records look fine.  I'm not sure what could be causing your issues, possibly hitting some broken upstream cache or some weird internal misconfiguration on your servers.  Unfortunately I don't have direct experience with admin'ing MS DNS, so hopefully someone can help on that front.

As for your question if the CNAME is at fault -- technically it is not, everything looks ok.
0
 
AkulshAuthor Commented:
We analyzed the traffic and found out that there are no "upstream" servers. Our Windows 2003 servers are getting response directly from Network Solutions's Name Servers.

Also, we found that bad response happens only when query is sent out in IPv6 format -- from some Mac OS X machines. This format is used as long as IPv6 in installed. Disabling it does not prevent IPv6 queries from these workstations. Sometimes even Windows 7 send out IPv6 queries as long as this protocol is installed, even if disabled.

Who is the culprit here? Windows 2003 DNS servers or Network Solutions's NS servers? Any solution other than totally uninstalling IPv6 from all new workstations? Thanks.

Ajay
0
 
PapertripCommented:
Everything on the nameserver side appears to be correct.
0
 
AkulshAuthor Commented:
But these Network Solution NS servers are giving wrong responses whenever IPv6-formatted query is sent. How can you say they are correctly configured for IPv6? Thanks.

Ajay
0
 
PapertripCommented:
You have IPv6 setup on your network? Are you saying that your machines are sending queries over IPv6, or that they are querying IPv6 records over IPv4?
0
 
AkulshAuthor Commented:
I don't exactly know what "IPv6 records over IPv4" means. Let me describe what we have:

We are using only IPv4 in our network. However some new MAC and Win7 machines have IPv6 installed but disabled (unchecked). This MAC workstation sends out 2 queries each time it needs to resolve a www or other DNS name. The first packet is a regular IPv4 packet and second one is IPv6 packet. We found this out by running NetMon. 2nd DNS packet clear says: "Question Type = IPv6 Host Address". Our Win2K3 servers forward that request to Network Solution NS servers which don't understand it and give out generic response.

I can include NetMon capture files if you like. Thanks.
0
 
PapertripCommented:
Yeah log files would help speed this along and make sure we are both talking about the same things.
0
 
AkulshAuthor Commented:
Here is a tiny file with extension *.cap but I had to rename is with extension .txt to send. Please rename back and open in a network monitor of MS. It shows IPv6 packets. Thanks.
IPv6-20011026-1151.txt
0
 
PapertripCommented:
Check this out, I've never come across this situation before but I think this is actually exactly what you are seeing.

These tests are done against your real domain

A normal A record lookup, CNAME chain is followed and correct IP given as result.
[root@broken ~]# dig @8.8.8.8 test.domain.com a

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> @8.8.8.8 test.domain.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23350
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.domain.com.          IN      A

;; ANSWER SECTION:
test.domain.com.   7133    IN      CNAME   first.cname.com.
first.cname.com.     7133    IN      CNAME   string.compute-1.amazonaws.com.
string.compute-1.amazonaws.com. 6147 IN A 184.73.x.x

Open in new window


An AAAA lookup, CNAME chain is followed, but final IP is not given back in answer
[root@broken ~]# dig @8.8.8.8 test.domain.com aaaa

; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> @8.8.8.8 test.domain.com aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23350
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;test.domain.com.          IN      AAAA

;; ANSWER SECTION:
test.domain.com.   7133    IN      CNAME   first.cname.com.
first.cname.com.     7133    IN      CNAME   string.compute-1.amazonaws.com.

Open in new window

[root@broken ~]# dig @8.8.8.8 test.domain.com a +short
first.cname.com.
string.compute-1.amazonaws.com.
184.73.x.x

[root@broken ~]# dig @8.8.8.8 test.domain.com aaaa +short
first.cname.com.
string.compute-1.amazonaws.com.

Open in new window

I'm not sure why that is happening, but it's the same on all the resolvers I tried it against, so it doesn't appear to be an issue with your nameservers.

I'm curious about this now and will do some testing in a few.  My answer at this point is that this seems to just be how DNS operates in a AAAA query type -> CNAME -> CNAME -> A record scenario...

Have you explored removing IPv6 entirely from the workstations?  Aside from this particular problem (and maybe a future problem due to it?), it's really just unnecessary network traffic.
0
 
PapertripCommented:
Will look at your capture in a few, but I think my last answer might be right on the money.
0
 
PapertripCommented:
Man I have rewritten this reply like 20 times so far...  Kept finding new things and testing and getting results I haven't seen before and blah blah... I think I have the correct solution finally.

Add an AAAA record for www.yourdomain.com pointing to the same IP that the A record for www is.

If that works, I will explain why.
0
 
AkulshAuthor Commented:
I am logged onto Network Solutions, but cannot see how to add AAAA record. I can add A record, CNAME record etc. but not AAAA record. Please advise. Thanks.
0
 
PapertripCommented:
Your next reply was supposed to be something along the lines of "omg it works now, you are so awesome!"

:D

http://www.networksolutions.com/support/Adding-an-IPv6-record/
0
 
AkulshAuthor Commented:
I had seen that link but was not able to follow it after line 4:.

5. Check the Designated DNS radio button and click on Apply Changes.
6. Click on Move DNS under Change Domain Name Servers.
7. Follow the Advanced User instructions in the box on the Edit DNS page and send an email with the appropriate inforation.

I don't see Designated DNS radio button. Even after that do we have to move DNS server and send email to add AAAA record? Please clarify if possible. Thanks.
0
 
PapertripCommented:
I don't know the specifics of how to add quad A record to Network Solutions aside from the link I provided.  If the instructions are unclear or are not working, I suggest you contact their customer support.

Since this isn't a "quick" fix, I will explain my reasoning for asking you to do it.

So you have the following records currently:
www.placeholder.com      A       212.25.25.25
*.placeholder.com      CNAME      xyz.general.com

Open in new window


Problem:
When you query for an A record for www.placeholder.com, you get the correct IP as listed in the A record.
When you query for a AAAA record for www.placeholder.com, your query gets matched to the wildcard because there is no AAAA record, so the wildcard matches.
Since there is no AAAA record after the CNAME chain, you do not get the final IP as I posted in a previous answer with my dig outputs.

Solution:
Add AAAA record for www.placeholder.com just like your existing A record.  Now all AAAA queries for www.placeholder.com will get an IP as a result instead of matching your wildcard.
0
 
PapertripCommented:
I'm about 98% sure I have identified the underlying issue and provided the appropriate fix.
0
 
AkulshAuthor Commented:
I admire your spending so much time with me on this issue but give me a bit of time to close this thread for good. I am also 98% sure of what you are saying is correct and will give you proper credit for it.
0
 
PapertripCommented:
Understood, good luck!
0
 
AkulshAuthor Commented:
I am still working -- or, should I say fighting? -- with Network Solutions to add AAAA record. Once I have some definite answer, positive or negative, from them, I will post it here, and perhaps close this case. Will certainly close the case if answer is positive. Thanks for waiting.
0
 
AkulshAuthor Commented:
Network Solutions, so far, in 4 days, has not been able to create AAAA record -- and they are the big boys! So who can?

I am closing this case because it has been inactive too long and people here have helped as much as can be hoped.

(Papertrip, please post a comment similar to the one here to my other still-open question (ID: 27420284). I had opened that question thinking that IPv6 will be a new topic, but you handled it here. You deserve some credit there also since other postings are not so helpful. Thanks.)
0

Featured Post

Fill in the form and get your FREE NFR key NOW!

Veeam is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.

  • 13
  • 12
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now