DNS Subdomain not resolving correctly

Our company needs to have external PCI scans done on both our website and our company firewalls. The website is hosted by an external company and we have 3 firewalls at different sites which are managed locally.

We are failing our PCI scan because the certificates on the firewalls are not trusted. We were originally using self-signed certificates, but to get rid of this message I purchased one from GoDaddy for one of our sites.

I created the CSR on the firewall for fw1.MySite.org and installed it on the firewall. Since the scan is done by IP, I added an A record with our DNS provider so it would resolve correctly. However, we are still failing our scan with "SSL Certificate Common Name Does Not Validate (External Scan)" and "Untrusted Certificate".

I have made sure that if I do an nslookup for fw1.MySite.org it resolves to 456.4457.458.459, which is the IP address of the firewall. However, since the scan is done by IP, it is still failing. I tried doing an nslookup of 456.4457.458.459 and it returns MySite.org and not fw1.MySite.org.

How is it resolving by IP address to the website and not to fw1.MySite.org? How do I get it to resolve to fw1.MySite.org?


A Records (IP Address)
Host                    TTL     Numeric IP
www                     3600    123.124.125.126
@ (None)                3600    123.124.125.126
* (All Others)          3600    234.235.236.237
ecommerce.MySite.org    7200    234.235.236.237
ftp.MySite.org          7200    345.346.347.348
mail.MySite.org         7200    345.346.347.349
pottery.MySite.org      7200    345.346.347.350
fw1.MySite.org          7200    456.4457.458.459

CNAME (Host Aliases)
Host                        TTL     Points To
autodiscover.MySite.org     3600    autodiscover.outlook.com.
k1._domainkey.MySite.org    3600    dkim.mcsv.net.
lyncdiscover.MySite.org     3600    webdir.online.lync.com.
msoid.MySite.org            3600    clientconfig.microsoftonline-p.net.
sip.MySite.org              3600    sipdir.online.lync.com.
qvfps asked:

Gurvinder Bharya (Director) commented:
I would propose that you check the reverse DNS with your internet provider. I am assuming that the reverse DNS entry might be pointing to the website, and not to your firewall.

Also, log in to your domain and ensure that there are no redirects from one domain to the other.

Looking forward to hearing from you soon,

David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
1) Post your actual domain name for testing.

Tough to guess. Easy to test + know.

2) Might be easier using free https://LetsEncrypt.org which can be generated to cover several domains + hosts or a wildcard cert to cover all hosts on a domain.
David Favor (Linux/LXD/WordPress/Hosting Savant) commented:
Reverse DNS doesn't really have any bearing on SSL cert verification.

Best to stay focused on fixing the real problem.

qvfps (Author) commented:
The certificate is for FW1.MySite.org but we submit the scan by IP address. If you do an nslookup for fw1.MySite.org it returns 456.457.458.459. However, if you do an nslookup of 456.457.458.459 it returns MySite.org and not fw1.MySite.org. So when they try to validate the name on the certificate against the IP we have a mismatch, and they flag a name mismatch and mark the certificate as untrusted.

I just want to verify that since I have an A record for fw1.MySite.org doing a nslookup of 456.457.458.459 should return fw1.MySite.org and not just MySite.org.
DrDave242 (Senior Support Engineer) commented:
If you want the address 456.457.458.459 to resolve to fw1.mysite.org, you have to modify the PTR (reverse lookup) record for that IP address. Public PTR records are almost always controlled by your ISP (not your domain registrar), since the ISP "owns" that public IP address. For that reason, if you want the name on that record to be changed, you'll need to contact your ISP and ask them to make the change.

This is what Gurvinder was referring to above.
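An added illustration (not code from this thread or from any of the commenters) of the two points made above: DrDave242's, that the name returned for an IP comes from the PTR record in the ISP-controlled reverse zone, and David Favor's, that reverse DNS plays no part in certificate name validation, because a scanner compares the target it was given (here an IP address) with the names in the certificate. The certificate names, the PTR value and the IP 203.0.113.10 are constructed sample data, not values from the question.

```python
import ipaddress

# Constructed sample: a certificate whose subjectAltName covers only the
# DNS name fw1.mysite.org (no iPAddress entry), as described in the thread.
CERT_SAN = {"dns": ["fw1.mysite.org"], "ip": []}


def reverse_pointer(ip: str) -> str:
    """Name of the PTR record that has to be changed for a reverse lookup
    of this address to return a different host name (in-addr.arpa / ip6.arpa).
    This record lives in the zone of whoever holds the address block, i.e. the ISP."""
    return ipaddress.ip_address(ip).reverse_pointer


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate dNSName (possibly a single-label
    wildcard such as *.example.org) against a host name, as TLS clients do it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # A wildcard covers exactly one leftmost label and never the bare domain.
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def cert_matches_target(san: dict, target: str) -> tuple:
    """Return (ok, reason) for a scan target, which may be a host name or an IP.
    Note what is NOT consulted: the PTR record of the address."""
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        if any(ipaddress.ip_address(x) == target_ip for x in san["ip"]):
            return True, "target IP is listed as an iPAddress SAN"
        return False, "target given as IP %s but certificate names only %s" % (
            target, san["dns"])
    if any(_dns_name_matches(p, target) for p in san["dns"]):
        return True, "target host name matches a dNSName SAN"
    return False, "host name %s matches none of %s" % (target, san["dns"])


def scan_outcome(san: dict, target: str, ptr_value: str) -> dict:
    """Side-by-side view: whether the PTR record agrees with the certificate
    name, and whether the certificate validates for the target. The two are
    independent, which is why fixing the PTR alone does not clear the finding."""
    ptr_ok = any(_dns_name_matches(p, ptr_value) for p in san["dns"])
    cert_ok, reason = cert_matches_target(san, target)
    return {"ptr_matches_cert": ptr_ok, "cert_valid": cert_ok, "reason": reason}


if __name__ == "__main__":
    ip = "203.0.113.10"  # constructed documentation address standing in for the firewall
    print("PTR record to ask the ISP about:", reverse_pointer(ip))
    print(scan_outcome(CERT_SAN, "fw1.MySite.org", "fw1.mysite.org."))
    print(scan_outcome(CERT_SAN, ip, "fw1.mysite.org."))   # PTR fixed, cert still fails
```

Running it shows that the scan passes when the target is submitted as the host name and fails when submitted as the IP, whether or not the PTR record has been corrected; the PTR name printed first is the one the ISP controls.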
qvfps (Author) commented:
Thanks for the comments. I will try to reach out to the ISP tomorrow and see if they will change it.
qvfps (Author) commented:
Sorry for the delay. I got pulled off this to take care of a couple of more pressing issues. I contacted our ISP and now the reverse lookup resolves to the correct name. However, the PCI scan is still failing with "common name doesn't match". I am going to have to contact them again. The name on the cert now resolves to the correct address and a reverse lookup matches the name on the cert, so I am not sure what they are complaining about.

Thanks for the help with the PTR Record.