Ca Clo

Do I need a Reverse DNS Pointer?

I'm having trouble accessing a couple of websites and I've discovered that we do not have a reverse
We hold our own xxx.xxx.xxx.xxx/024 range and using this we have 2x firewalls in a clustered configuration with a front facing IP of xxx.xxx.xxx.001.
I have just found out that there is no Reverse DNS pointer, but we do have the nameserver of our ISP and also Google in the firewall's settings name server location.
We've never had a problem previously, and after checking through the DNS settings on the internal servers (Svr1 - 2012 Std OS, Svr2 - 2012 Std R2 OS) I've been able to find no errors that indicate that DNS isn't working.

If I do an nslookup of xxx.xxx.xxx.001 I get a response back of:
   ***servername.ABC.local can't find xxx.xxx.xxx.001: Non-Existent domain

This is a similar message that is seen when trying to access these couple of websites:
   DNS_PROBE_FINISHED_NXDOMAIN
which is why I think it may be the reverse pointer that is now required.

Our main website is hosted by another provider but they won't host any reverse pointer settings using our Office location IP address (front facing IP of the firewall), although they do hold all of our other DNS zone records.

Has anyone got any ideas as to the best way to resolve or add this pointer into the mix?
I really am not sure what to do next.



8/22/2022 - Mon
kevinhsieh

It isn't a reverse DNS issue. The only things that care about reverse DNS that I can think of are SMTP and SSH.

Where are the web sites that you can't access? Are they behind your firewall? Where are the clients that can't access? Are they behind the same firewall?

Oftentimes you may try to access a resource and DNS returns the public IP, but the client and resource are both behind the same firewall. In that case the client usually needs to access via the private IP of the web server, not the public IP.

This can be resolved by adding a record in internal DNS, or changing firewall behavior (usually pretty complicated).
Ca Clo

ASKER
Hi Kevin

The websites are outside the firewall, they have all been whitelisted.
The clients are behind the firewall on the local network.
4 websites cannot be accessed externally from the internal network.
www.textron.com
www.txtav.com
www.cessna.txtav.com
www.tonymacx86.com

They just persist in presenting the NXDomain error, which is why I thought of Reverse DNS.

Other Australian and International sites present perfectly so it's just a bit bizarre.

David Favor

1) I'm having trouble accessing a couple of websites...

Define what "access" might mean... SSH, SFTP, IMAPS, HTTPS, RDP... access can mean many things.

2) and I've discovered that we do not have a reverse.

DNS PTR records are generally only used by SMTP to verify identity of sending IPs, so if "access" is any non-SMTP protocol, then likely no PTR record is required.
David Favor

Aside: Be aware only an IP owner can set a PTR record, so this will be your hosting company, provisioning company or ISP.

So if you do require a PTR record, you must set this by some upstream provider UI or by opening a support ticket with the IP owner.

1) Can you do this yourself in your DNS? Yes!

2) Will it work? No.
Kimputer

You shouldn't have done

nslookup IP_nr

You should have done

nslookup hostname

then followed by

server 8.8.8.8
nslookup hostname

That way you'll know the difference your own DNS server returns, and what the "rest of the world" sees.
If you see it's not the same, add the entry to your own DNS server (you've probably overwritten it with your own custom entries).
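
Added example, not part of the original thread: the comparison described above (internal resolver versus 8.8.8.8) as a Python script that sends the same A query to both and compares the response codes. It also shows that looking up an IP address queries a different name (the in-addr.arpa PTR name) than a browser's forward lookup does. The internal resolver address and the hostname are arguments you supply; the sample replies used when no arguments are given are constructed.

```python
import socket
import struct
import sys

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def reverse_name(ipv4):
    """Name that 'nslookup <ip>' actually queries (a PTR lookup)."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def build_query(name, qtype=1, txid=0x1234):
    """Encode a one-question DNS query; qtype 1 = A, 12 = PTR."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD bit set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)  # class IN

def parse_status(response):
    """Return (rcode name, answer count) from a raw DNS response."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    _, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", response[:12])
    rcode = flags & 0x000F
    return RCODES.get(rcode, "RCODE%d" % rcode), ancount

def ask(server, name, qtype=1, timeout=3.0):
    """Send the query over UDP/53 to one resolver and summarise its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype), (server, 53))
        return parse_status(sock.recv(4096))

def diagnose(internal, public):
    """Compare the internal resolver's reply with the public resolver's."""
    (i_rc, _), (p_rc, p_n) = internal, public
    if i_rc == "NXDOMAIN" and p_rc == "NOERROR" and p_n > 0:
        return "name exists publicly; internal DNS is answering NXDOMAIN"
    if i_rc == p_rc:
        return "both resolvers return " + i_rc
    return "resolvers disagree: internal=%s public=%s" % (i_rc, p_rc)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # live run: <internal-dns-ip> <hostname>
        internal, public = ask(sys.argv[1], sys.argv[2]), ask("8.8.8.8", sys.argv[2])
    else:  # constructed replies: NXDOMAIN internally, two answers publicly
        internal = parse_status(bytes.fromhex("123481830001000000000000"))
        public = parse_status(bytes.fromhex("123481800001000200000000"))
    print(diagnose(internal, public))
```
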

Ca Clo

ASKER
Thanks David Favor
Yes it's just a bit weird.
We are using a MS 365 Exchange world these days and it's only the following sites we're having any issues with:
www.textron.com
www.txtav.com
www.cessna.txtav.com
www.tonymacx86.com 
that cannot be accessed via any browser.

We own the full /24 domain range so I will try and co-ord this with the ISP.



Kimputer

Exchange has nothing to do with your browser problems.

Did you follow any of my steps yet?

David Favor

1) Follow @Kimputer's steps.

2) Answer my questions.

You still aren't clear about what "access" means.

Reading your comment carefully, likely @Kimputer's suggestions will show the problem.

As it appears you're running some internal DNS services that are munged/broken.