Generic CNAME & DNS Name Resolution (Windows 2003 servers)
A domain has records similar to this on its NS servers at Network Solutions:
www.placeholder.com A 212.25.25.25
*.placeholder.com CNAME xyz.general.com
When our DNS servers (Windows 2003) try to resolve the name www.placeholder.com, sometimes they get the correct address (212.25.25.25) but other times they get the IP of generic CNAME record (xyz.general.com) which is different and wrong.
How can I prevent our DNS servers from picking the generic CNAME record? If this cannot be done, is the CNAME entry at the Network Solution NS servers at fault? Thanks.
Ajay
www.placeholder.com A 212.25.25.25
*.placeholder.com CNAME xyz.general.com
When our DNS servers (Windows 2003) try to resolve the name www.placeholder.com, sometimes they get the correct address (212.25.25.25) but other times they get the IP of generic CNAME record (xyz.general.com) which is different and wrong.
How can I prevent our DNS servers from picking the generic CNAME record? If this cannot be done, is the CNAME entry at the Network Solution NS servers at fault? Thanks.
Ajay
Paul MacDonald
Are you sure they're resolving www.placeholder.com to xyz.general.com? Maybe someone is typing in placeholder.com expecting to get www.placeholder.com...
ASKER
No, sometimes even NSlookup will give CNAME address for WWW record query.
So this problem is there for www record.
So this problem is there for www record.
That CNAME is wrong and should be removed
ASKER
GColtharp, what justification do you have for this statement?. This CNAME has been there for a long time and I cannot ask my superiors to remove an entry without a good reason.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Wildcards will only match if there is not a "real" record in place for the name queried.
*.domain.com. will not match domain.com.
@Akulsh, I'm assuming the names in your wildcard CNAME are terminated with a ".", even though you didn't explicitly post that?
On that note you also don't have a "." for your A record, guessing this was just a copy/paste typo.
If you can provide the actual domain in question, we can verify if the records themselves look good.
*.domain.com. will not match domain.com.
@Akulsh, I'm assuming the names in your wildcard CNAME are terminated with a ".", even though you didn't explicitly post that?
*.placeholder.com CNAME xyz.general.com*.placeholder.com. CNAME xyz.general.com.On that note you also don't have a "." for your A record, guessing this was just a copy/paste typo.
www.placeholder.com A 212.25.25.25If you can provide the actual domain in question, we can verify if the records themselves look good.
ASKER
@Papertrip, there is indeed a dot at the end of cname record - xyz.general.com. -- like this.
There is no other dot. For www record, it states like this:
www 7200 (TTL) 212.25.25.25
The domain is a COM domain with four letters T N I K, but in reverse order. Thanks.
(@gcoltharp, I had thought of what you are suggesting but the company does not want just the work around -- these people have many other domains with similar setup.)
There is no other dot. For www record, it states like this:
www 7200 (TTL) 212.25.25.25
The domain is a COM domain with four letters T N I K, but in reverse order. Thanks.
(@gcoltharp, I had thought of what you are suggesting but the company does not want just the work around -- these people have many other domains with similar setup.)
ASKER
In your responses, please don't mention the domain name explicitly...
In your responses, please don't mention the domain name explicitly...Understood :)
So I did some snooping around and your records look fine. I'm not sure what could be causing your issues, possibly hitting some broken upstream cache or some weird internal misconfiguration on your servers. Unfortunately I don't have direct experience with admin'ing MS DNS, so hopefully someone can help on that front.
As for your question if the CNAME is at fault -- technically it is not, everything looks ok.
ASKER
We analyzed the traffic and found out that there are no "upstream" servers. Our Windows 2003 servers are getting response directly from Network Solutions's Name Servers.
Also, we found that bad response happens only when query is sent out in IPv6 format -- from some Mac OS X machines. This format is used as long as IPv6 in installed. Disabling it does not prevent IPv6 queries from these workstations. Sometimes even Windows 7 send out IPv6 queries as long as this protocol is installed, even if disabled.
Who is the culprit here? Windows 2003 DNS servers or Network Solutions's NS servers? Any solution other than totally uninstalling IPv6 from all new workstations? Thanks.
Ajay
Also, we found that bad response happens only when query is sent out in IPv6 format -- from some Mac OS X machines. This format is used as long as IPv6 in installed. Disabling it does not prevent IPv6 queries from these workstations. Sometimes even Windows 7 send out IPv6 queries as long as this protocol is installed, even if disabled.
Who is the culprit here? Windows 2003 DNS servers or Network Solutions's NS servers? Any solution other than totally uninstalling IPv6 from all new workstations? Thanks.
Ajay
Everything on the nameserver side appears to be correct.
ASKER
But these Network Solution NS servers are giving wrong responses whenever IPv6-formatted query is sent. How can you say they are correctly configured for IPv6? Thanks.
Ajay
Ajay
You have IPv6 setup on your network? Are you saying that your machines are sending queries over IPv6, or that they are querying IPv6 records over IPv4?
ASKER
I don't exactly know what "IPv6 records over IPv4" means. Let me describe what we have:
We are using only IPv4 in our network. However some new MAC and Win7 machines have IPv6 installed but disabled (unchecked). This MAC workstation sends out 2 queries each time it needs to resolve a www or other DNS name. The first packet is a regular IPv4 packet and second one is IPv6 packet. We found this out by running NetMon. 2nd DNS packet clear says: "Question Type = IPv6 Host Address". Our Win2K3 servers forward that request to Network Solution NS servers which don't understand it and give out generic response.
I can include NetMon capture files if you like. Thanks.
We are using only IPv4 in our network. However some new MAC and Win7 machines have IPv6 installed but disabled (unchecked). This MAC workstation sends out 2 queries each time it needs to resolve a www or other DNS name. The first packet is a regular IPv4 packet and second one is IPv6 packet. We found this out by running NetMon. 2nd DNS packet clear says: "Question Type = IPv6 Host Address". Our Win2K3 servers forward that request to Network Solution NS servers which don't understand it and give out generic response.
I can include NetMon capture files if you like. Thanks.
Yeah log files would help speed this along and make sure we are both talking about the same things.
ASKER
Here is a tiny file with extension *.cap but I had to rename is with extension .txt to send. Please rename back and open in a network monitor of MS. It shows IPv6 packets. Thanks.
IPv6-20011026-1151.txt
IPv6-20011026-1151.txt
Check this out, I've never come across this situation before but I think this is actually exactly what you are seeing.
These tests are done against your real domain
A normal A record lookup, CNAME chain is followed and correct IP given as result.
An AAAA lookup, CNAME chain is followed, but final IP is not given back in answer
I'm curious about this now and will do some testing in a few. My answer at this point is that this seems to just be how DNS operates in a AAAA query type -> CNAME -> CNAME -> A record scenario...
Have you explored removing IPv6 entirely from the workstations? Aside from this particular problem (and maybe a future problem due to it?), it's really just unnecessary network traffic.
These tests are done against your real domain
A normal A record lookup, CNAME chain is followed and correct IP given as result.
[root@broken ~]# dig @8.8.8.8 test.domain.com a
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> @8.8.8.8 test.domain.com a
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23350
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;test.domain.com. IN A
;; ANSWER SECTION:
test.domain.com. 7133 IN CNAME first.cname.com.
first.cname.com. 7133 IN CNAME string.compute-1.amazonaws.com.
string.compute-1.amazonaws.com. 6147 IN A 184.73.x.xAn AAAA lookup, CNAME chain is followed, but final IP is not given back in answer
[root@broken ~]# dig @8.8.8.8 test.domain.com aaaa
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1 <<>> @8.8.8.8 test.domain.com aaaa
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23350
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;test.domain.com. IN AAAA
;; ANSWER SECTION:
test.domain.com. 7133 IN CNAME first.cname.com.
first.cname.com. 7133 IN CNAME string.compute-1.amazonaws.com.[root@broken ~]# dig @8.8.8.8 test.domain.com a +short
first.cname.com.
string.compute-1.amazonaws.com.
184.73.x.x
[root@broken ~]# dig @8.8.8.8 test.domain.com aaaa +short
first.cname.com.
string.compute-1.amazonaws.com.I'm curious about this now and will do some testing in a few. My answer at this point is that this seems to just be how DNS operates in a AAAA query type -> CNAME -> CNAME -> A record scenario...
Have you explored removing IPv6 entirely from the workstations? Aside from this particular problem (and maybe a future problem due to it?), it's really just unnecessary network traffic.
Will look at your capture in a few, but I think my last answer might be right on the money.
Man I have rewritten this reply like 20 times so far... Kept finding new things and testing and getting results I haven't seen before and blah blah... I think I have the correct solution finally.
Add an AAAA record for www.yourdomain.com pointing to the same IP that the A record for www is.
If that works, I will explain why.
Add an AAAA record for www.yourdomain.com pointing to the same IP that the A record for www is.
If that works, I will explain why.
ASKER
I am logged onto Network Solutions, but cannot see how to add AAAA record. I can add A record, CNAME record etc. but not AAAA record. Please advise. Thanks.
Your next reply was supposed to be something along the lines of "omg it works now, you are so awesome!"
:D
http://www.networksolutions.com/support/Adding-an-IPv6-record/
:D
http://www.networksolutions.com/support/Adding-an-IPv6-record/
ASKER
I had seen that link but was not able to follow it after line 4:.
5. Check the Designated DNS radio button and click on Apply Changes.
6. Click on Move DNS under Change Domain Name Servers.
7. Follow the Advanced User instructions in the box on the Edit DNS page and send an email with the appropriate inforation.
I don't see Designated DNS radio button. Even after that do we have to move DNS server and send email to add AAAA record? Please clarify if possible. Thanks.
5. Check the Designated DNS radio button and click on Apply Changes.
6. Click on Move DNS under Change Domain Name Servers.
7. Follow the Advanced User instructions in the box on the Edit DNS page and send an email with the appropriate inforation.
I don't see Designated DNS radio button. Even after that do we have to move DNS server and send email to add AAAA record? Please clarify if possible. Thanks.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I'm about 98% sure I have identified the underlying issue and provided the appropriate fix.
ASKER
I admire your spending so much time with me on this issue but give me a bit of time to close this thread for good. I am also 98% sure of what you are saying is correct and will give you proper credit for it.
Understood, good luck!
ASKER
I am still working -- or, should I say fighting? -- with Network Solutions to add AAAA record. Once I have some definite answer, positive or negative, from them, I will post it here, and perhaps close this case. Will certainly close the case if answer is positive. Thanks for waiting.
ASKER
Network Solutions, so far, in 4 days, has not been able to create AAAA record -- and they are the big boys! So who can?
I am closing this case because it has been inactive too long and people here have helped as much as can be hoped.
(Papertrip, please post a comment similar to the one here to my other still-open question (ID: 27420284). I had opened that question thinking that IPv6 will be a new topic, but you handled it here. You deserve some credit there also since other postings are not so helpful. Thanks.)
I am closing this case because it has been inactive too long and people here have helped as much as can be hoped.
(Papertrip, please post a comment similar to the one here to my other still-open question (ID: 27420284). I had opened that question thinking that IPv6 will be a new topic, but you handled it here. You deserve some credit there also since other postings are not so helpful. Thanks.)