qvfps asked:
DNS Subdomain not resolving correctly

Our company needs to have external PCI scans done on both our website and our company firewalls. The website is hosted by an external company and we have 3 firewalls at different sites which are managed locally.

We are failing our PCI scan because the certificates on the firewalls are not trusted. We were originally using self-signed certificates, but to get rid of this message I purchased one from GoDaddy for one of our sites.

I created the CSR on the firewall for fw1.MySite.org and installed it on the firewall. Since the scan is done by IP, I added an A record with our DNS provider so it would resolve correctly. However, we are still failing our scan with "SSL Certificate Common Name Does Not Validate (External Scan)" and "Untrusted Certificate".

I have made sure that if I do an nslookup for fw1.MySite.org it resolves to 456.4457.458.459, which is the IP address of the firewall. However, since the scan is done by IP, it is still failing. I tried doing an nslookup of 456.4457.458.459 and it returns MySite.org and not fw1.MySite.org.

How is it resolving by IP address to the website and not to fw1.MySite.org? How do I get it to resolve to fw1.MySite.org?


A Records (IP Address)
Host                    TTL     Numeric IP
www                     3600    123.124.125.126
@ (None)                3600    123.124.125.126
* (All Others)          3600    234.235.236.237
ecommerce.MySite.org    7200    234.235.236.237
ftp.MySite.org          7200    345.346.347.348
mail.MySite.org         7200    345.346.347.349
pottery.MySite.org      7200    345.346.347.350
fw1.MySite.org          7200    456.4457.458.459

CNAME (Host Aliases)
Host                        TTL     Points To
autodiscover.MySite.org     3600    autodiscover.outlook.com.
k1._domainkey.MySite.org    3600    dkim.mcsv.net.
lyncdiscover.MySite.org     3600    webdir.online.lync.com.
msoid.MySite.org            3600    clientconfig.microsoftonline-p.net.
sip.MySite.org              3600    sipdir.online.lync.com.
ASKER CERTIFIED SOLUTION
Gurvinder Bharya
This solution is only available to members.

1) Post your actual domain name for testing.

Tough to guess. Easy to test + know.

2) Might be easier using free https://LetsEncrypt.org which can be generated to cover several domains + hosts or a wildcard cert to cover all hosts on a domain.
Reverse DNS doesn't really have any bearing on SSL cert verification.

Best to stay focused on fixing the real problem.
qvfps (ASKER)

The certificate is for FW1.MySite.org but we submit the scan by IP address. If you do an nslookup for fw1.MySite.org it returns 456.457.458.459. However, if you do an nslookup of 456.457.458.459 it returns MySite.org and not fw1.MySite.org. So when they try and validate the name on the certificate against the IP we have a mismatch, and they flag a name mismatch and mark the certificate as un-trusted.

I just want to verify that, since I have an A record for fw1.MySite.org, doing an nslookup of 456.457.458.459 should return fw1.MySite.org and not just MySite.org.

If you want the address 456.457.458.459 to resolve to fw1.mysite.org, you have to modify the PTR (reverse lookup) record for that IP address. Public PTR records are almost always controlled by your ISP (not your domain registrar), since the ISP "owns" that public IP address. For that reason, if you want the name on that record to be changed, you'll need to contact your ISP and ask them to make the change.

This is what Gurvinder was referring to above.
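The two answers above make the same point from different angles: the PTR record is owned by the ISP, and reverse DNS has no bearing on certificate verification. The following added example (not code from the thread) shows why a scan run against an IP literal keeps failing name validation even after the PTR is corrected. It implements the name-matching rule a TLS client or scanner applies (RFC 6125 / RFC 2818 style: an IP target is checked only against iPAddress SANs, a hostname against dNSName SANs with the leftmost-label wildcard rule, and the CN only as a legacy fallback when no dNSName SAN exists). The certificate dict, the 192.0.2.10 address and the DNS answers are constructed placeholders, since the real certificate was not posted.

```python
"""Name validation as a TLS client or PCI scanner performs it.

Added example, not code from the thread.  It checks a certificate's names
against what the client actually connected to (a hostname or an IP literal)
and shows that the PTR record plays no part in that decision.  The
certificate, addresses and DNS answers below are constructed placeholders.
"""
import ipaddress

# Constructed stand-in for the firewall certificate, in the dict shape that
# ssl.SSLSocket.getpeercert() returns.  The real GoDaddy certificate was not posted.
FIREWALL_CERT = {
    "subject": ((("commonName", "fw1.MySite.org"),),),
    "subjectAltName": (("DNS", "fw1.MySite.org"),),
}

# Constructed DNS view: 192.0.2.10 (documentation range) stands in for the
# firewall's public address.  The PTR is already corrected, as it was in the thread.
FW_IP = "192.0.2.10"
DNS_A = {"fw1.mysite.org": FW_IP}
DNS_PTR = {FW_IP: "fw1.mysite.org"}


def _common_names(cert: dict) -> list:
    """All commonName values from the subject field."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _dns_name_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName comparison with the single leftmost-label wildcard rule."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # "*.mysite.org" matches "fw1.mysite.org" but neither "mysite.org" nor "a.b.mysite.org"
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_target(cert: dict, target: str) -> tuple:
    """Return (ok, reason): does the certificate identify the target the client connected to?"""
    san = cert.get("subjectAltName", ())
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        # A connection made to an IP literal is checked only against iPAddress SANs;
        # the CN, any dNSName entry, and whatever the PTR record says cannot satisfy it.
        for entry in ip_names:
            if ipaddress.ip_address(entry) == target_ip:
                return True, f"iPAddress SAN {entry} matches {target}"
        return False, f"no iPAddress SAN for {target}; certificate only names {dns_names or _common_names(cert)}"

    for name in dns_names:
        if _dns_name_match(name, target):
            return True, f"dNSName SAN {name} matches {target}"
    if not dns_names:
        # Legacy fallback: the CN is consulted only when the certificate has no dNSName SAN.
        for cn in _common_names(cert):
            if _dns_name_match(cn, target):
                return True, f"CN {cn} matches {target} (no SAN present)"
    return False, f"{target} is not among the certificate's names {dns_names or _common_names(cert)}"


def scan_report(cert: dict, target: str, dns_a: dict = DNS_A, dns_ptr: dict = DNS_PTR) -> dict:
    """What a scanner run against `target` would report.  The forward and reverse
    lookups are included for the operator's benefit; the name verdict comes from
    cert_matches_target() alone, so changing the PTR record never changes it."""
    ok, reason = cert_matches_target(cert, target)
    return {
        "target": target,
        "forward_A": dns_a.get(target.lower().rstrip(".")),
        "reverse_PTR": dns_ptr.get(target),
        "name_matches": ok,
        "reason": reason,
    }


if __name__ == "__main__":
    for t in ("fw1.MySite.org", FW_IP):
        print(scan_report(FIREWALL_CERT, t))
```

Run stand-alone, the hostname target passes and the IP target fails with "no iPAddress SAN", even though `reverse_PTR` already says fw1.mysite.org. The practical ways out are to have the scanning vendor target the hostname rather than the address, or to obtain a certificate whose SAN carries the firewall's public IP (some public CAs issue these for public addresses; not all do). The CN fallback is kept here only to mirror older validators; current browsers ignore the CN entirely, so a certificate should always carry its names in the SAN.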
qvfps (ASKER)

Thanks for the comments. I will try and reach out to the ISP tomorrow and see if they will change it.
qvfps (ASKER)

Sorry for the delay. I got pulled off this to take care of a couple more pressing issues. I contacted our ISP and now the reverse lookup resolves to the correct name. However, the PCI scan is still failing with "common name doesn't match". I am going to have to contact them again. The name on the cert now resolves to the correct address and a reverse lookup matches the name on the cert, so I am not sure what they are complaining about.

Thanks for the help with the PTR Record.