  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 169

DNS not resolving for specific website

One of our employees is trying to access a specific website.  That website won't load on any computer inside our network, but I can tell from outside the network there's nothing wrong with the website.  If I change the DNS on the client PC to point to a public DNS such as 8.8.8.8 instead of my internal DNS server, the website loads fine.  I'm sure this means there is a problem with my internal DNS server, but what is it, and how do I find/fix it?

The website in question had previously been working fine, and I'm unaware of any changes made.
Asked by fallriverelectric

1 Solution

Todd Nelson, Systems Engineer, commented:
Is it possible you have a DNS forward lookup zone in your DNS servers for the address you are attempting to access?  Is it happening for everyone or just one user?

If you run the following from a command prompt or PowerShell console, is the result an internal (private) IP address or a public IP address?

nslookup ENTER_SITE_ADDRESS_HERE



If it resolves an external IP address, try running "ipconfig /flushdns" to clear the local DNS cache from the machine.

If it resolved an internal IP address, you will need to work with your IT staff to remediate.
helpfinder commented:
What happens if you ping the website from your internal network? Did ping resolve some IP address?
fallriverelectric (Author) commented:
It happens for every user.

The nslookup resolves to an internal IP address.  DNS flush did not help.  

Pinging it does resolve to an external IP address.
Steve Knight, IT Consultancy, commented:
OK, you need to track this down then in stages.  Using nslookup as already suggested will stop other issues like HOSTS table entries getting in the way.

nslookup
server x.x.x.x   where x.x.x.x is your normally issued DNS server for clients.
www.domain.com.

So that returns the wrong address (make sure last .)?

server y.y.y.y where y.y.y.y is your forwarder used by your DNS server - is this direct to internet or another corporate server for instance.

So that returns the wrong address (make sure last .)?

If your internal server returns the wrong address and the forwarder doesn't, then you need to focus just on there.  It would suggest that there must be a conditional forwarder on there or perhaps a zone for that specific domain.

Steve
fallriverelectric (Author) commented:
I'm not sure I entirely understand what you want me to check.  Here are the results I'm seeing:


nslookup energystar.gov
Server: myDNSserver.domain.local
Address: 1.2.3.4

DNS request timed out.
         timeout was 2 seconds.
DNS request timed out.
         timeout was 2 seconds.
*** Request to myDNSserver.domain.local timed-out

In contrast if I run the nslookup on google.com I see:


nslookup google.com
Server: myDNSserver.domain.local
Address: 1.2.3.4

Name: google.com
Addresses: 2607:f8b0:400a:808::200e
                     172.217.3.174  

I see nothing under the Conditional Forwarders container on the DNS server, nor a zone for energystar.gov.  I also don't have anything in the forwarders tab.
Steve Knight, IT Consultancy, commented:
What I meant was type nslookup and press return.  Then you can type in

server x.x.x.x    to make it try server x.x.x.x for DNS and then type in
energystar.gov.  (with final dot) to make it look it up.

But sounds like you aren't using forwarders anyway.  In which case I would suggest on your server:

Add forwarder to your ISP DNS or google say - 8.8.8.8 and 8.8.4.4
right click on server name, Clear cache
ipconfig /flushdns on client
try nslookup to server again

You get "myDNSserver.domain.local timed out" which is odd.  Is one or more of your DNS servers specified by that name not responding - maybe it has multiple IP's?

Hence trying in nslookup

nslookup
server x.x.x.x (one of your dns servers)
energystar.gov.
server x.x.x.x (another dns server)
etc.

Steve
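Todd's triage (timed out, private answer, or public answer) and Steve's step of querying the same name against the internal server and then the forwarder can be scripted. This is an added example, not code from the thread: it parses nslookup transcripts like the ones posted above, classifies each, and reports whether the fault sits on the internal server or upstream of it. It also handles IPv6 and multi-address answers, which goes beyond the thread's single case; the transcripts, server names and addresses in it are constructed placeholders.

```python
import ipaddress
import re

# Ranges the thread calls "internal (private)": RFC 1918 plus loopback/link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed transcripts modelled on the thread's; names and addresses are placeholders.
INTERNAL = """Server: myDNSserver.domain.local
Address: 1.2.3.4
DNS request timed out.
"""
FORWARDER = """Server: dns.google
Address: 8.8.8.8
Name: energystar.gov
Addresses: 203.0.113.10
         2001:db8::10
"""

def parse_nslookup(text):
    """Return the resolver queried, its answers, and whether the query timed out."""
    result = {"server": None, "answers": [], "timed_out": False}
    in_answer = False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Server:"):
            result["server"] = line.split(":", 1)[1].strip()
        elif line.startswith("Name:"):
            in_answer = True                    # addresses after Name: are the answer
        elif "timed out" in line or "timed-out" in line:
            result["timed_out"] = True
        elif in_answer and line:
            try:                                # drop the Address:/Addresses: label
                result["answers"].append(ipaddress.ip_address(
                    re.sub(r"^Address(?:es)?:\s*", "", line)))
            except ValueError:
                pass                            # non-address text in the answer block
    return result

def classify(result):
    """Map a parsed transcript onto the thread's triage states."""
    if not result["answers"]:
        return "timeout" if result["timed_out"] else "no_answer"
    internal = all(any(ip in n for n in INTERNAL_NETS) for ip in result["answers"])
    return "private" if internal else "public"

def diagnose(internal_state, forwarder_state):
    """Point at the internal server when only it fails, else look upstream."""
    if forwarder_state == "public" and internal_state != "public":
        return "internal"
    return "upstream" if internal_state == forwarder_state else "inconclusive"
```

Feed it the output of "nslookup name server" runs against each server in turn; a "private" result for a public site points at a local zone or conditional forwarder, as the thread suggests.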
fallriverelectric (Author) commented:
Ok, thanks for the clarification.  When I do it that way I get the same results.  I know that server is responding because if I do nslookup on any other address it shows it using that same internal DNS server and the lookup succeeds.  If I change the server to a different internal DNS, it still times out.  

I added forwarders for my ISP and the website works perfectly now, along with nslookup.  I know we used to have forwarders listed, and I'm trying to find out the reason why they were no longer there.  What reason would there be for someone to remove those forwarders?  Will adding them cause me any problems moving forward?
Todd Nelson, Systems Engineer, commented:
Do you need forwarders if the Root Hints are available and working?

If the Root Hints are not working, then I would troubleshoot that rather than the forwarders not being present.
fallriverelectric (Author) commented:
I guess I don't know how to answer that.  Root hints seemed to be working for everything except this specific website.  How would I go about troubleshooting that?  Are root hints generally preferable to forwarders?
Todd Nelson, Systems Engineer, commented:
Traditionally, if forwarders are not configured (or working) the root hints are used.  If the root hints are not working then forwarders are recommended.

Typically, there is a large list of name servers in the root hints list, but if the list is small there could be an issue with those that are listed.  You can always add the name servers back in the root hints list.

Take a look at these references for troubleshooting root hints...

Steve Knight, IT Consultancy, commented:
As has been said above, there must be some entry in root hints returning an odd value.  Maybe you have somehow added an internal or incorrect server in the root hints list.

No real issue with using a forwarder anyway, either ISP, OpenDNS, Google etc.

Only reason not to maybe would be down to an unreliable ISP DNS kit at some point or the fact you might have to wait for their caches to clear too if a change is needed.

On the vast majority of systems I would use a forwarder; it also simplifies your firewall config, as tying down the server to the internet only needs those couple of IPs for DNS rather than any/any rules.

Steve