Solved

Strange DNS happens

Posted on 2016-11-04
Last Modified: 2016-11-27
Good Morning Folks,

We moved our on-prem website to an offsite hosted environment.  I made what I believe to be the proper changes to DNS internally (external was handled by the contractor and looks correct) and changed the www DNS entry to reflect the new server address.

What is happening now is this.  When I leave the DHCP settings alone I can access all internal resources and access our servers in vCloud Air, but when you type in the website address it goes to an IIS start page (internally only); externally it's fine.  I have added a few different external DNS servers to the mix.  When I move an external one higher in the list of available servers the website works internally but breaks RDP to the vCloud servers (I can RDP using the IP address but not the name).

I have waited 24 hours just to make sure everything had time to refresh.  Anyone have any thoughts or ideas?

Thanks

John
Question by:jkandris
14 Comments
 
LVL 6

Expert Comment

by:Joshua Hopkins
ID: 41874007
If you updated your DNS host, did you also update your internal DNS servers?  If so, then you should be fine by just running ipconfig /flushdns on a computer or two for testing.

If you have not made the changes to your internal DNS, then you will need to update the www record to reflect the new server that is hosting your domain.
 

Author Comment

by:jkandris
ID: 41874322
Hey Joshua,

Thanks for answering and yes we did update the www record to reflect the new address.

When I ping www.example.com it shows the correct address, but when I ping example.com it shows an internal server (the DNS server).

When I try to go to the website with www in front, it drops it out of the address and goes to example.com.
 
LVL 2

Expert Comment

by:OnlineSupport
ID: 41874334
Yes, that is because your external domain name is the same as your internal one? You are probably going to the DC/DNS server.

If your site uses 443, try accessing https://example.com; that will probably work.
 
LVL 6

Expert Comment

by:Joshua Hopkins
ID: 41874346
Is your internal Active Directory domain the same, i.e. example.com, or is it example.local?  If it is example.local, then you can delete the whole zone from DNS; if it is not, then you have two options.

This issue would be what is known as a split zone.  I would check out "Split Zone or no Split Zone - Can't Access Internal Website with External Name".

There are a number of options to address this, and all of them come with certain costs/risks.  If the split zone article does not help, let me know and I will post some of the options.
 

Author Comment

by:jkandris
ID: 41874373
Onl,

Interestingly, or frighteningly, enough, when I put the s at the end it goes to a completely different company's website.

Joshua,

It is a split zone.  Thanks for the help and I'll see if I can make it work.

John
 
LVL 2

Expert Comment

by:OnlineSupport
ID: 41874384
That is strange!  I take it you have created the root record also pointing to the external IP, not just the www?

I had the same issue with a client; I also found it worked on certain browsers once it had been cached.

It's the problem with having the same external and internal DNS.

You could also save a load of aggro and just get internal users to use www.
 

Author Comment

by:jkandris
ID: 41874401
Onl,

I have the www A record set up; can you explain the root one to me?  That may be the trick.

I'm having similar things with certain browsers.  It's all over the place.
 
LVL 2

Expert Comment

by:OnlineSupport
ID: 41874414
Just when you create the A record, leave the name blank (same as parent) and enter your external IP.
 

Author Comment

by:jkandris
ID: 41874456
Thanks.  I added that record and flushed DNS.  When I do an nslookup on example.com it shows all the "same as" entries, and it still goes to the same place as before.

I'm starting to think I may just live with remapping the drives and only using IP addresses to RDP to the servers.

Any other suggestions, folks?
 
LVL 2

Expert Comment

by:OnlineSupport
ID: 41874475
What if you now try https:?

I wouldn't change DNS to external on a domain.  You want to be able to resolve local services.  If you can't even resolve internal servers then you're bound to get problems.

Why can't they just use www?

There are lots of options to get round your RDP; you could just create a new forward zone, add A records for your RDP servers and then just use that to connect to them.  It's just really messy, though.
 

Author Comment

by:jkandris
ID: 41874501
https still goes to a different website.  I've got someone else checking that out for now.

I've got a messy workaround in place.  I'm not totally happy with it, but I can manage it for now.

When they type www.example.com in the browser it drops the www off and goes without it.

What I found that kind of works is how the DNS servers are listed in DHCP: external, internal (LAN), internal (WAN), external Google DNS.

For some of the users I am having to remap their network drives using IP addresses, but for some I am not.

I'm going to let it ride a bit longer and see what else happens before I make any more changes.
 
LVL 25

Expert Comment

by:DrDave242
ID: 41879501
You've got a couple of things going on here. First, here's the short fix:

On the website itself, there's an HTTP redirect from www.example.com to example.com. That's why the URL changes in the browser when someone browses to www.example.com. Get rid of that redirect and instruct your internal users to always add the www to the URL, and it should work. (Vigorous cache-flushing may be needed after the change is made.)

Now some more info:

Creating a blank host record in your domain's forward lookup zone won't work consistently, if at all. There are already blank host records in there, and they should all resolve to the IP addresses of your domain controllers. That's by design, and those records are used by Active Directory. Because of round-robin DNS, client-side caching, and browser caching, adding another blank host record and browsing to example.com from an internal client will produce unpredictable results. It's never going to work all the time, and it's likely to not work most of the time. If you've already created that blank host record, you may as well delete it; it's not doing any good. Leave the www record in place, though; it is necessary.

"What I found that kind of works is how the DNS servers are listed in DHCP: external, internal (LAN), internal (WAN), external Google DNS."
That's not really a good idea. Domain-joined machines should only use internal DNS servers. Those users you mentioned as having to re-map drives using IP addresses? That's because their machines are trying to use an external DNS server to resolve the names of internal resources, which is never going to work correctly.
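To make DrDave242's two points checkable, here is an added audit script (not from the thread, and written in Python rather than the Windows tools the thread uses) that reads constructed nslookup output for the zone apex and a constructed DHCP DNS-server list, then flags an apex that mixes domain-controller records with the hosted site's address, and any external resolver handed to domain-joined clients. The DC addresses, the sample output and the DHCP list are assumptions.

```python
import ipaddress
import re

# Constructed sample of Windows nslookup output for the zone apex, mirroring
# the thread: the "same as parent" DC records plus the blank A record that was
# added for the hosted site. Not real data.
SAMPLE_NSLOOKUP = """\
Server:  dc01.example.com
Address:  10.0.0.10

Name:    example.com
Addresses:  10.0.0.10
          10.0.0.11
          203.0.113.5
"""

# Assumed (hypothetical) domain controllers and the DHCP-assigned resolver
# order described in the thread: external, internal, internal, external.
DC_ADDRESSES = {"10.0.0.10", "10.0.0.11"}
DHCP_DNS_ORDER = ["8.8.8.8", "10.0.0.10", "10.0.0.11", "8.8.4.4"]

# RFC 1918 ranges count as internal; everything else is treated as public.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_nslookup(text):
    """Return the answer addresses (everything after 'Name:'), in order."""
    answer = text.split("Name:", 1)[1] if "Name:" in text else ""
    return re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", answer)


def audit_apex(addresses, dc_addresses):
    """Flag an apex that mixes DC records with a public web address: round-robin
    will hand some clients a DC, which answers with the IIS start page."""
    dcs = sorted(a for a in addresses if a in dc_addresses)
    public = sorted(a for a in addresses if not is_internal(a))
    status = "mixed-apex" if dcs and public else "ok"
    return status, dcs, public


def audit_dhcp_dns(servers, internal):
    """Return resolvers that are not internal; any hit means domain-joined
    clients may fail to resolve RDP hosts and mapped-drive servers."""
    return [s for s in servers if s not in internal]


if __name__ == "__main__":
    print(audit_apex(parse_nslookup(SAMPLE_NSLOOKUP), DC_ADDRESSES))
    print(audit_dhcp_dns(DHCP_DNS_ORDER, DC_ADDRESSES))
```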
 

Accepted Solution

by:
jkandris earned 0 total points
ID: 41897423
Turns out that the hosting company had our PAT IP address blocked for some reason.
 

Author Closing Comment

by:jkandris
ID: 41902950
It was found to be the correct one.
