Mark Waters

I'm looking for some DNS guidance where 1 hidden DC of 3 is showing up as a public nameserver

We have 3 DC's:
DC1, DC2, and DC3 for BigNet.Big.Ten.Edu (supposed to be visible just to domain computers and servers)
and 2 NameServers:
 NS1.BigNet.Big.Ten.Edu and NS2.BigNet.Big.Ten.Edu
(We have control of the BigNet and Big levels of the domain... We don't have control of the Ten.Edu level)

After clearing out many DNS errors due to old/obsolete domain controllers that were found in the records (we had very slow logins),
I'm down to trying to isolate DC3 from showing up as a nameserver publicly (as it is firewalled off to all except the Nameservers and Domain attached computers).
I'm in need of guidance in tracking down what we have set wrong.

Thanks,
Mark
Ganesh Anand

I assume, as such, that you have 3 domain controllers, DC1, DC2, and DC3, for BigNet.Big.Ten.Edu.

Do you have private or public name servers NS1.BigNet.Big.Ten.Edu and NS2.BigNet.Big.Ten.Edu?

Which one is the PDC? Probably DC1. The slow login could be for a different reason: are you able to resolve the names of the domain controllers and other workstations from the computer on which you are facing slow logons? Simple tests of ping and nslookup, turning off the firewall and disabling the AV could tell the story. It may be an old operating system or old systems. If you have all the latest computer configurations, perhaps the logon authentication process is taking a large amount of time.

Meanwhile, I believe your domain controller has the namespace as stated above in the first line. There is not much required for ten.edu, which is the root domain; that your DC has a subdomain as its primary namespace doesn't matter.

Coming to your question, check all the DNS records, ensure you remove the irrelevant/invalid DNS records related to domain controllers, and restart the DNS service. Running DCDIAG, nslookup and nltest will give more ideas.
Is DC3 showing up as a name server for the BigNet.Big.Ten.Edu domain or the Big.Ten.Edu domain?
Mark Waters (asker)

Hi, and thank you for helping.
NS1 and NS2 are public name servers for Big.Ten.Edu and allowed through the firewall to be seen from off campus.
DC1, 2, and 1 are not allowed through the firewall.
DC1 would be considered the primary DC.

Nameserver dc3.bignet.big.ten.edu/xxx.xxx.xxx.75 did not respond to NS query.
(from a zonemaster report)

Our slow logins were cleared when I found and cleared old records of DCs that had been replaced by DC1, 2, and 3.

If I go into DNS and remove DC3.bignet.big.ten.edu from references as a name server, I get things cleared for at most a day, then it starts replicating back out to all the DCs and the Name servers as a name server.

Additionally, I might not be updating the records and SOA's correctly (probably not) or in the correct order to have it keep things clear.

I'm willing to edit a zonemaster report and upload if that will help.


Mark
Should have read: DC1, 2, and 3 are not allowed through the firewall (to be visible).
I'm willing to edit a zonemaster report and upload if that will help.

I think that will help. At the moment, it sounds like dc3.bignet.big.ten.edu is listed in an NS record on at least one of the big.ten.edu DNS servers.
BASIC
Nameserver for zone big.ten.edu replies when trying to fetch glue.             OK
Nameserver for zone big.ten.edu listed these nameservers as glue: dc3.bignet.big.ten.edu., ns0.big.ten.edu., ns1.big.ten.edu..             OK
IPv4 is enabled, can send "NS" query to dc3.bignet.big.ten.edu/xxx.xxx.xxx.75.             OK
Nameserver dc3.bignet.big.ten.edu/xxx.xxx.xxx.75 did not respond to NS query.             OK
IPv4 is enabled, can send "NS" query to ns0.big.ten.edu/xxx.xxx.xxx.59.             OK
Nameserver ns0.big.ten.edu listed these servers as glue: dc3.bignet.big.ten.edu., ns0.big.ten.edu., ns1.big.ten.edu..             OK
IPv4 is enabled, can send "NS" query to ns1.big.ten.edu/xxx.xxx.xxx.60.             OK
Nameserver ns1.big.ten.edu/xxx.xxx.xxx.60 did not respond to NS query.             OK
Functional nameserver found. "A" query for www.bignet.big.ten.edu test skipped.             OK

ADDRESS
All Nameserver addresses are in the routable public addressing space.             OK
Nameserver dc3.bignet.big.ten.edu has an IP address (xxx.xxx.xxx.75) without PTR configured.             Warning!

CONNECTIVITY
Nameserver dc3.bignet.big.ten.edu/xxx.xxx.xxx.75 not accessible over UDP on port 53.             Error!
Nameserver ns0.big.ten.edu/xxx.xxx.xxx.59 accessible over UDP on port 53.             OK
Nameserver ns1.big.ten.edu/xxx.xxx.xxx.60 accessible over UDP on port 53.             OK
Nameserver dc3.bignet.big.ten.edu/xxx.xxx.xxx.75 not accessible over TCP on port 53.             Error!
Nameserver ns0.big.ten.edu/xxx.xxx.xxx.59 accessible over TCP on port 53.             OK
Nameserver ns1.big.ten.edu/xxx.xxx.xxx.60 accessible over TCP on port 53.             OK
Name servers have IPv4 addresses in the following ASs: 237.             OK
Name servers have IPv6 addresses in the following ASs: .             OK
All nameservers in the delegation have IPv4 addresses in the same AS (237).             Warning!
All nameservers in the delegation are in the same AS (237).             Warning!

CONSISTENCY
Nameserver dc3.bignet.big.ten.edu/xxx.xxx.xxx.75 did not respond.             Warning!
Nameserver dc3.bignet.big.ten.edu/xxx.xxx.xxx.75 did not respond.             Warning!
A single SOA serial number was found (1712152688).             OK
Nameserver dc3.bignet.big.ten.edu/xxx.xxx.xxx.75 did not respond.             Warning!
Nameserver dc3.bignet.big.ten.edu/xxx.xxx.xxx.75 did not respond.             Warning!
A single SOA rname value was found (hostmaster.big.ten.edu.)             OK
Nameserver dc3.bignet.big.ten.edu/xxx.xxx.xxx.75 did not respond.             Warning!
Nameserver dc3.bignet.big.ten.edu/xxx.xxx.xxx.75 did not respond.             Warning!
A single SOA time parameter set was seen (REFRESH=900, RETRY=600, EXPIRE=604800, MINIMUM=86400).             OK
Nameserver dc3.bignet.big.ten.edu/xxx.xxx.xxx.75 did not respond.             Warning!
Nameserver ns1.big.ten.edu/xxx.xxx.xxx.60 did not respond.             Warning!
Nameserver dc3.bignet.big.ten.edu/xxx.xxx.xxx.75 did not respond.             Warning!
Nameserver ns1.big.ten.edu/xxx.xxx.xxx.60 did not respond.             Warning!
A single NS set was found (dc3.bignet.big.ten.edu., ns0.big.ten.edu., ns1.big.ten.edu.).             OK
Glue records are consistent between glue and authoritative data.             OK

DNSSEC
There are neither DS nor DNSKEY records for the zone.             OK
The zone is not signed with DNSSEC.             OK

DELEGATION
Parent lists enough (3) nameservers (dc3.bignet.big.ten.edu; ns0.big.ten.edu; ns1.big.ten.edu). Lower limit set to 2.             OK
Child lists enough (3) nameservers (dc3.bignet.big.ten.edu; ns0.big.ten.edu; ns1.big.ten.edu). Lower limit set to 2.             OK
Parent and child list enough (3) nameservers (dc3.bignet.big.ten.edu; ns0.big.ten.edu; ns1.big.ten.edu). Lower limit set to 2.             OK
All the IP addresses used by the nameservers are unique             OK
The smallest possible legal referral packet is smaller than 513 octets (it is 347).             OK
All these nameservers are confirmed to be authoritative : ns0.big.ten.edu, ns1.big.ten.edu.             OK
No nameserver points to CNAME alias.             OK
All the nameservers have SOA record.             OK
All of the nameserver names are listed both at parent and child.             OK

NAMESERVER
None of the following nameservers is a recursor : ns0.big.ten.edu.             OK
The following nameservers support EDNS0 : ns1.big.ten.edu/xxx.xxx.xxx.60, ns0.big.ten.edu/xxx.xxx.xxx.59, dc3.bignet.big.ten.edu/xxx.xxx.xxx.75.             OK
AXFR not available on nameserver dc3.bignet.big.ten.edu/xxx.xxx.xxx.75.             OK
AXFR not available on nameserver ns0.big.ten.edu/xxx.xxx.xxx.59.             OK
AXFR not available on nameserver ns1.big.ten.edu/xxx.xxx.xxx.60.             OK
All nameservers reply with same IP used to query them.             OK
Nameserver dc3.bignet.big.ten.edu/xxx.xxx.xxx.75 dropped AAAA query.             OK
Nameserver ns1.big.ten.edu/xxx.xxx.xxx.60 dropped AAAA query.             OK
The following nameservers answer AAAA queries without problems : ns1.big.ten.edu/xxx.xxx.xxx.60, ns0.big.ten.edu/xxx.xxx.xxx.59, dc3.bignet.big.ten.edu/xxx.xxx.xxx.75.             OK
All nameservers succeeded to resolve to an IP address.             OK
None of the following nameservers returns an upward referral : dc3.bignet.big.ten.edu, ns0.big.ten.edu, ns1.big.ten.edu.             OK
Nameserver ns0.big.ten.edu/xxx.xxx.xxx.59 preserves original case of queried names (wWW.bignet.big.ten.edu).             OK
When asked for SOA records on "www.bignet.big.ten.edu" with different cases, all servers reply consistently.             OK

SYNTAX
No illegal characters in the domain name (bignet.big.ten.edu).             OK
Neither end of any label in the domain name (bignet.big.ten.edu) has a hyphen.             OK
Domain name (bignet.big.ten.edu) has no label with a double hyphen ('--') in position 3 and 4 (with a prefix which is not 'xn--').             OK
Nameserver (dc3.bignet.big.ten.edu) syntax is valid.             OK
Nameserver (ns0.big.ten.edu) syntax is valid.             OK
Nameserver (ns1.big.ten.edu) syntax is valid.             OK
There is no misused '@' character in the SOA RNAME field (hostmaster.big.ten.edu.).             OK
The SOA RNAME field (hostmaster@big.ten.edu) is compliant with RFC2822.             OK
SOA MNAME (dc1.bignet.big.ten.edu) syntax is valid.             OK

ZONE
SOA 'mname' nameserver dc1.bignet.big.ten.edu/xxx.xxx.xxx.73 does not respond.             OK
SOA 'mname' nameserver (dc1.bignet.big.ten.edu) is not listed in "parent" NS records for tested zone (dc3.bignet.big.ten.edu; ns0.big.ten.edu; ns1.big.ten.edu).             OK
SOA 'refresh' value (900) is less than the recommended minimum (14400).             OK
SOA 'refresh' value (900) is greater than the SOA 'retry' value (600).             OK
SOA 'retry' value (600) is less than the recommended minimum (3600).             OK
SOA 'expire' value (604800) is higher than the minimum recommended value (604800) and not lower than the 'refresh' value (900).             OK
SOA 'minimum' value (86400) is within the recommended ones (300/86400).             OK
SOA 'mname' value (dc1.bignet.big.ten.edu) refers to a NS which is not an alias (CNAME).             OK
SOA 'mname' value (dc1.bignet.big.ten.edu) refers to a NS which is not an alias (CNAME).             OK
No target (MX, A or AAAA record) to deliver e-mail for the domain name.             OK

Using version v1.0.16 of the Zonemaster engine.
IIS presents Zonemaster backend v1.1.0 with Zonemaster engine v1.0.16
Nameserver for zone big.ten.edu listed these nameservers as glue: dc3.bignet.big.ten.edu., ns0.big.ten.edu., ns1.big.ten.edu.

Check the NS records in the big.ten.edu zone on ns0 and ns1. If the above is correct, there are three of these records, and one of them points to dc3.bignet.big.ten.edu. From what you've said, this NS record should be deleted.
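One way to run the check this reply describes, comparing what the big.ten.edu servers advertise for bignet.big.ten.edu (parent side) against what the child's own servers answer and against the two intended public name servers. This is an added example, not code from the thread; the two views are constructed from the zonemaster report above (dc3 listed everywhere but not answering), and `dig` is named in a comment only as one way to collect them live.

```python
"""Delegation consistency check, modelled on the bignet.big.ten.edu case.

Standard library only. Each view maps a server queried to the NS set it
returned for the child zone, or None when it did not respond.
"""

# Constructed from the zonemaster report in the thread. Live values would
# come from an NS query against each server, e.g.
#   dig @ns0.big.ten.edu bignet.big.ten.edu NS +norecurse
PARENT_VIEW = {
    "ns0.big.ten.edu.": {"dc3.bignet.big.ten.edu.", "ns0.big.ten.edu.", "ns1.big.ten.edu."},
    "ns1.big.ten.edu.": {"dc3.bignet.big.ten.edu.", "ns0.big.ten.edu.", "ns1.big.ten.edu."},
}
CHILD_VIEW = {
    "ns0.big.ten.edu.": {"dc3.bignet.big.ten.edu.", "ns0.big.ten.edu.", "ns1.big.ten.edu."},
    "ns1.big.ten.edu.": {"dc3.bignet.big.ten.edu.", "ns0.big.ten.edu.", "ns1.big.ten.edu."},
    "dc3.bignet.big.ten.edu.": None,  # firewalled: no answer, as in the report
}
EXPECTED_PUBLIC = {"ns0.big.ten.edu.", "ns1.big.ten.edu."}
SOA_MNAME = "dc1.bignet.big.ten.edu."  # from the report's ZONE section


def union_of(view):
    """Union of every non-empty NS answer in a view (unanswered servers skipped)."""
    return set().union(*(ns for ns in view.values() if ns))


def delegation_findings(parent_view, child_view, expected, soa_mname):
    """Return human-readable findings; an empty list means only the intended
    public servers are advertised, on both sides, and all of them answered."""
    parent_ns, child_ns = union_of(parent_view), union_of(child_view)
    advertised = parent_ns | child_ns
    findings = []
    # Any name advertised beyond the intended public set (the hidden DC case).
    for name in sorted(advertised - expected):
        sides = [s for s, ns in (("parent", parent_ns), ("child", child_ns)) if name in ns]
        findings.append(f"unexpected NS {name} listed at {'+'.join(sides)}")
    for name in sorted(expected - parent_ns):
        findings.append(f"expected NS {name} missing from parent delegation")
    for name in sorted(expected - child_ns):
        findings.append(f"expected NS {name} missing from child NS set")
    # A server that is advertised but never answers is a lame delegation entry.
    for server, answer in sorted({**parent_view, **child_view}.items()):
        if answer is None and server in advertised:
            findings.append(f"advertised NS {server} did not answer NS query")
    if parent_ns != child_ns:
        findings.append("parent and child NS sets differ (check lame delegation)")
    if soa_mname not in child_ns:
        findings.append(f"SOA mname {soa_mname} is not in the NS set")
    return findings


if __name__ == "__main__":
    for line in delegation_findings(PARENT_VIEW, CHILD_VIEW, EXPECTED_PUBLIC, SOA_MNAME):
        print(line)
```

Rerunning it after a cleanup shows whether the unexpected entry persists only on the parent side (the big.ten.edu zone) or has replicated back into the child as well.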
Thanks for the advice on where to check. Yes, both Name Servers list DC3 as a name server for bignet.big.ten.edu
Some of the properties for the Forward Lookup Zone for bignet.big.ten.edu are:
Type: Secondary
Name Servers list the two correct name servers and the DC.
I do NOT have the ability to delete, edit or add to the name servers as it is grayed out.
Is there a change that I need to make on the way the DC's and Name servers talk to clear them here, or an order to clear them on the DC's so they propagate correctly?
Thanks for the advice on where to check. Yes, both Name Servers list DC3 as a name server for bignet.big.ten.edu

We should be looking at big.ten.edu, though, and not bignet.big.ten.edu...right? Isn't that the zone that erroneously lists DC3 as a name server?
Ahh sorry, I misread.
When checking Big.Ten.Edu, they are not listed as NameServers on either NS0 or NS1
When checking Big.Ten.Edu, they are not listed as NameServers on either NS0 or NS1

Hmmm. Well, now I'm honestly not sure what's going on, since the report you posted above seems to indicate that NS0 lists DC3 as a name server for big.ten.edu, if I'm reading it correctly:

Nameserver ns0.big.ten.edu listed these servers as glue: dc3.bignet.big.ten.edu., ns0.big.ten.edu., ns1.big.ten.edu..             OK

If you rerun that report, does it still say the same thing?
Thank you for your patience. Ahhh yes, seeing the line you referenced in the Zonemaster report, it is still listed as glue.
I've been removing it from The DC's on a regular basis.
So it seems like the glue record for DC3 may be what keeps it returning??

Additional information that might help or not: DC3 is a 2016 server and DC1 and 2 are 2012s.
I did find an A record for DC3 that was a "same as parent" record.
DrDave242,
Thanks for circling around and focusing on the "Nameserver ns0.big.ten.edu listed these servers as glue: dc3.bignet.big.ten.edu., ns0.big.ten.edu., ns1.big.ten.edu.." line. This led me to an A record "Same as Parent" that I deleted for DC3, which so far has worked. For the first time, NS0 and NS1 don't show or report DC3 as a name server.
I'll be checking the next few days to see if it stays this way.

Mark
Ah, excellent. Let me know how it turns out!
Alas, I was too quick to say things were successful....
Is DC3 showing up as a name server for big.ten.edu again?