DNS Subdomain not resolving correctly

qvfps used Ask the Experts™
Our company needs to have external PCI scans done on both our website and our company firewalls.    The website is hosted by an external company and we have 3 firewalls at different sites witch are managed locally.  

We are failing our PCI scan because the certificates on the firewalls are not trusted.   We were originally using  self-signed certificates but to get rid of this message I purchased one from GoDaddy for one of our sites.    

I created the CSR on the firewall for fw1.MySite.org and installed in on the firewall.  Since the scan is done by IP, I added an A record with our DNS provider so it would resolve correctly.   However we are still failing our scan with "SSL Certificate Common Name Does Not Validate (External Scan)"  and "Untrusted Certificate".  

I have made sure that if I do a nslookup for fw1.MySite.org it resolves to 456.4457.458.459 which is the IP address of the firewall.  However since the scan is done by IP and it is still failing.   I tried doing a nslookup 456.4457.458.459 and it returns MySite.org and not fw1.MySite.org.

How is it resolving by IP address to the website and not the fw1.MySite.org?   How do I get it to resolve to fw1.MySite.org?  

A Records (IP Address)
Host      TTL      Numeric IP
www      3600
@ (None)      3600
* (All Others)      3600
ecommerce.MySite.org      7200
ftp.MySite.org      7200      345.346.347.348
mail.MySite.org      7200      345.346.347.349
pottery.MySite.org      7200      345.346.347.350
fw1.MySite.org      7200      456.4457.458.459

CNAME (Host Aliases)
autodiscover.MySite.org      3600      autodiscover.outlook.com.
k1._domainkey.MySite.org      3600      dkim.mcsv.net.
lyncdiscover.MySite.org      3600      webdir.online.lync.com.
msoid.MySite.org      3600      clientconfig.microsoftonline-p.net.
sip.MySite.org      3600      sipdir.online.lync.com.
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
I would propose that you check the reverse DNS with your internet provider. I am assuming that the reverse DNS entry might be pointing to the website, and not to your firewall.

Also, log in to your domain and ensure that there are no redirects from one domain to the other.

Looking forward to hearing from you soon,
David FavorFractional CTO
Distinguished Expert 2018

1) Post your actual domain name for testing.

Tough to guess. Easy to test + know.

2) Might be easier using free https://LetsEncrypt.org which can be generated to cover several domains + hosts or a wildcard cert to cover all hosts on a domain.
David FavorFractional CTO
Distinguished Expert 2018

Reverse DNS doesn't really have any bearing on SSL cert verification.

Best to stay focused on fixing the real problem.
Why Diversity in Tech Matters

Kesha Williams, certified professional and software developer, explores the imbalance of diversity in the world of technology -- especially when it comes to hiring women. She showcases ways she's making a difference through the Colors of STEM program.


The certificate is for FW1.MySite.org but we submit the scan by IP address.     If you do a nslookukp for fw1.MySite.org it returns 456.457.458.459.  However if you do a nslookup 456.457.458.459 it returns MySite.org and not fw1.MySite.org.  So when they try and validate the name on the certificate to the IP we have a mismatch and they flag a name mismatch and mark the certificate as un-trusted.

I just want to verify that since I have an A record for fw1.MySite.org doing a nslookup of 456.457.458.459 should return fw1.MySite.org and not just MySite.org.
DrDave242Principal Support Engineer

If you want the address 456.457.458.459 to resolve to fw1.mysite.org, you have to modify the PTR (reverse lookup) record for that IP address. Public PTR records are almost always controlled by your ISP (not your domain registrar), since the ISP "owns" that public IP address. For that reason, if you want the name on that record to be changed, you'll need to contact your ISP and ask them to make the change.

This is what Gurvinder was referring to above.


Thanks for the comments.    I will try and reach out to the ISP tomorrow and see if they will change it.


Sorry for the delay.   I got pulled of this to take care of a couple more pressing issues.     I contacted our ISP and now the reverse lookup resolves to the correct name.  However the PCI scan is still failing with common name doesnt match.   I am going to have to contact them again.   The name on the cert now resolves to the correct address and a reverse lookup matches the name on the cert.  So I am not sure what they are complaining about.  

Thanks for the help with the PTR Record.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial