Strange problem with DNS resolution


Falcon

I have a remote site connected via WAN link and using DNS
server from the main site. But for some unknown reasons
users on remote site cannot access one particular website.
I can access the same website from the main office using
the same DNS without a problem. On remote site there is
nothing that would prevent it from accessing the website.
No proxy. But website cannot be displayed.

Thanks for any help
 
Falcon said:
I have a remote site connected via WAN link and using DNS
server from the main site. But for some unknown reasons
users on remote site cannot access one particular website.
I can access the same website from the main office using
the same DNS without a problem. On remote site there is
nothing that would prevent it from accessing the website.
No proxy. But website cannot be displayed.

Thanks for any help

What website is it?
What OS is DNS on?
Using Forwarder? What forwarder are you using?
Firewall rules between the locations?


--
Regards,
Ace

Please direct all replies to the newsgroup so all can benefit.
This posting is provided "AS IS" with no warranties.

Ace Fekay, MCSE 2000, MCSE+I, MCSA, MCT, MVP
Microsoft Windows MVP - Active Directory
 
The website is www.dadeschools.net
DNS is on a server with win2k on it. Remote site is nt4
based; it sends DNS requests to the main site's internal
DNS server that uses forwarders. I have no problems
accessing the same website being in the main office and
using the same local DNS server. The remote site is
connected to the main office via WAN link with no firewall
and connects to the internet through PIX firewall and T1

Thanks a lot
 
Falcon posted a question, then Kevin replied below:
The website is www.dadeschools.net
DNS is on a server with win2k on it. Remote site is nt4
based; it sends DNS requests to the main site's internal
DNS server that uses forwarders. I have no problems
accessing the same website being in the main office and
using the same local DNS server. The remote site is
connected to the main office via WAN link with no firewall
and connects to the internet through PIX firewall and T1

Thanks a lot

Well then, there are two questions. Where is the web site hosted at?
When you run nslookup from the remote NT4 for that name, does DNS resolve it
correctly?
 
Kevin D. Goodknecht said:
Well then, there are two questions. Where is the web site hosted at?
When you run nslookup from the remote NT4 for that name, does DNS
resolve it correctly?

I bet they're trying to get to it by typing in http://dadeschools.net/
(without the www) because I can't get to it that way either. It doesn't
resolve with a ping or looking at it thru nslookup, but www.dadeschool.net
does. Their DNS does not have a blank host record for the domain name.

--
Regards,
Ace

 
No, I have tried both with www or without. No luck, but
from the main office I have no problem accessing it
 
Falcon,

One thing, this is confusing:
the remote site is
connected to the main office via wan link with no firewall
and connects to the internet through pix firewall and t1

1. What does that mean? You say there is no firewall, but yet you have PIX
running.

2. Where is this website located? Is it your site and you're hosting it or
is it hosted externally?

3. From the NT4 machines, can they ping www.dadeschools.net and return an
IP? (I'm not looking for response, just the fact they can resolve the name
to IP).

4. Do you guys host your own Nameservers?


Maybe the PIX is blocking it. When I ran an nslookup against it, it shows
some funky characters coming back for their RP. I don't know if this has
anything to do with it. See below.
==================================
set type=all
dadeschools.net
Server: [168.221.18.8]
Address: 168.221.18.8

dadeschools.net nameserver = root2.dadeschools.net
dadeschools.net
primary name server = root.dadeschools.net
responsible mail addr = netman.oit.dade.k12.fl.us
serial = 3164
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 172800 (2 days)
default TTL = 3600 (1 hour)
dadeschools.net MX preference = 10, mail exchanger = smtp1.dadeschools.net
dadeschools.net MX preference = 50, mail exchanger = mail1.dadeschools.net
dadeschools.net
RP mailbox = (e-mail address removed)12.fl.us
text location = (root)
dadeschools.net
RP mailbox = netman.oit.dade.k12.fl.us
text location = ?,
dadeschools.net
RP mailbox = netman.oit.dade.k12.fl.us
text location = ñ?
root2.dadeschools.net internet address = 168.221.18.9
smtp1.dadeschools.net internet address = 168.221.18.9
mail1.dadeschools.net internet address = 168.221.18.31
==================================
--
Regards,
Ace

 
Thanks Ace for your help
Remote site has 2 connections: one is to main site via WAN
T1 using internal router, the other is connecting remote
site to the internet outside via PIX firewall over regular
T1.
I can only ping nodes on internal network and main office
but not the outside sites due to the restriction on
firewall.

That website does not belong to us, but our users need to
be able to go on it and they can't. I tried everything.
Strange thing is though, our main office has similar
setup. When I run nslookup for that website on a PC in
main office I get response from our local DNS server; it
returns the name of the website. When I do the same thing
on remote site PC, it still goes to the same DNS server in
main office but returns non-existent domain.
 
Falcon said:
Thanks Ace for your help
Remote site has 2 connections: one is to main site via WAN
T1 using internal router, the other is connecting remote
site to the internet outside via PIX firewall over regular
T1.
I can only ping nodes on internal network and main office
but not the outside sites due to the restriction on
firewall.

That website does not belong to us, but our users need to
be able to go on it and they can't. I tried everything.
Strange thing is though, our main office has similar
setup. When I run nslookup for that website on a PC in
main office I get response from our local DNS server; it
returns the name of the website. When I do the same thing
on remote site PC, it still goes to the same DNS server in
main office but returns non-existent domain.


I see. So from what you're describing it seems to point to a PIX issue. I
would look at that at this time, because frankly, there doesn't seem to be
anything else to look at, especially if nslookup won't work from there. Try
this at the other site, when you run nslookup, do a:

nslookup

That switch will force it to use all TCP instead of UDP. If that works, then
it proves it's the PIX. If it doesn't work, I would still look at the PIX
configuration.

--
Regards,
Ace

 
No luck. I even installed DNS server on the server in the
remote site and pointed DNS resolution to it instead of
going to the main site's DNS for resolution. I configured
forwarders too. Still no joy. I get non-existent domain. I
checked firewall and did not notice anything unusual.
I can access any other websites without a problem.

What could that be ... I am lost

Thanks again for your time and help
 
Falcon said:
No luck. I even installed DNS server on the server in the
remote site and pointed DNS resolution to it instead of
going to the main site's DNS for resolution. I configured
forwarders too. Still no joy. I get non-existent domain. I
checked firewall and did not notice anything unusual.
I can access any other websites without a problem.

What could that be ... I am lost

Thanks again for your time and help

I'm fresh out of ideas other than the PIX! Have you checked the PIX settings
to see if it's being blocked?

Tell you what, create the zone manually on the DNS server at that location,
create a www record for it, and give it the actual IP of the website and let
me know if that works.

Hopefully someone else may think of something too. I'm sure tomorrow there
will be one or two others chiming in.


--
Regards,
Ace

 
Are you sure that you don't have a Windows 2003 DNS server? There is a
known problem with PIX and the EDNS0 feature in W2k3. Cisco has a patch,
and Microsoft has a KB on how to work around it. The result of that particular
problem is that data transfers get truncated...which might explain some of
what you are seeing.

--
Michael Snyder
Active Directory Admin Tool Test

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Michael Snyder said:
Are you sure that you don't have a Windows 2003 DNS server? There is
a known problem with PIX and the EDNS0 feature in W2k3. Cisco has a
patch, and Microsoft has a KB on how to work around it. The result of
that particular problem is that data transfers get truncated...which
might explain some of what you are seeing.

Hi Michael,

I kind of thought that too, but Falcon insisted it's a W2k server. If it is
W2k3, that would explain everything, and if not, I kind of feel it's being
blocked by the PIX.

Cheers!


--
Regards,
Ace

 
No, DNS is on 2k server. I even installed DNS on local NT
server and configured forwarders. So no luck
 
strange thing that it only affects one particular website.
i did not have any complaints about other websites. i
triple checked the pix config. it has bare minimum no
access lists or anything else that would prevent access
 
I even used DNS forwarders from my cable connection at home
still no luck
 
Falcon said:
I even used DNS forwarders from my cable connection at home
still no luck

As your post originally says, this is strange. I am fresh out of suggestions.
Sorry. The only thing I keep thinking is the PIX or if your ISP is blocking
it for some reason or if the website is blocking that remote IP subnet for
some reason.


--
Regards,
Ace

 
Maybe you should try and debug this from the client perspective.

First isolate what path name resolution requests are taking from a client in
the remote site -- i.e. are they going through the main office, or are they
going through your ISP (via PIX). You might want to enable packet logging in
your main office DNS server (presumably you control that) to see if the
request is coming through there.

That should narrow down the problem. One comment Falcon made seems
interesting -- (s)he said that the response received in the remote site when
the name www.dadeschools.net is queried for is non-existent domain. That
indicates that whatever path the DNS resolution is taking, the response is
getting back. If it were a PIX ACLing type issue, the response would
probably be dropped.

Hope this helps.

-Rahul.
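
The distinction raised in the two posts above (a reply truncated in transit versus a non-existent-domain reply that actually arrived), as an added example that is not part of any poster's message: it encodes a query for the name in the thread, optionally with an EDNS0 OPT record advertising a UDP size above the classic 512 bytes, and classifies a reply by its header bits. The function names, the query ID and the sample replies are constructed for illustration.

```python
import struct

QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080  # DNS header flag bits (RFC 1035)

def build_query(name, qid=0x1234, edns_size=None):
    """Encode an A query; if edns_size is set, append an EDNS0 OPT record."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    header = struct.pack("!6H", qid, RD, 1, 0, 0, 1 if edns_size else 0)
    opt = b""
    if edns_size:
        # OPT pseudo-record: root name, TYPE 41, CLASS = advertised UDP size
        opt = b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return header + qname + struct.pack("!HH", 1, 1) + opt

def classify(reply, qid=0x1234):
    """Map what came back (or did not) to the kind of fault it points at."""
    if reply is None:
        return "DROPPED"      # no reply at all: query or answer lost on the path
    if len(reply) < 12:
        return "MALFORMED"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", reply[:12])
    if rid != qid or not flags & QR:
        return "MISMATCH"     # not a response to this query
    if flags & TC:
        return "TRUNCATED"    # answer did not fit in UDP: repeat the query over TCP
    rcode = flags & 0x000F
    if rcode == 3:
        return "NXDOMAIN"     # a server answered; the reply was not dropped
    if rcode != 0:
        return "ERROR"
    return "ANSWERED" if ancount else "NODATA"

def constructed_replies(name="www.dadeschools.net", qid=0x1234):
    """Constructed sample replies (not captured traffic), one per outcome."""
    question = build_query(name, qid)[12:]
    def reply(flags, ancount=0, rdata=b""):
        return struct.pack("!6H", qid, flags, 1, ancount, 0, 0) + question + rdata
    # Answer RR: pointer to qname, TYPE A, CLASS IN, TTL 3600, documentation address
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 10])
    return {
        "timeout": None,
        "nxdomain": reply(QR | RD | RA | 3),
        "truncated": reply(QR | TC | RD | RA),
        "answer": reply(QR | RD | RA, 1, a_rr),
    }

if __name__ == "__main__":
    for label, data in constructed_replies().items():
        print(f"{label:10s} -> {classify(data)}")
```

NXDOMAIN and TRUNCATED both show that a reply crossed the path back to the client; only DROPPED is what a blocking filter looks like from the client side.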
 
Rahul Indurkar said:
Maybe you should try and debug this from the client perspective.

First isolate what path name resolution requests are taking from a
client in the remote site -- i.e. are they going through the main
office, or are they going through your ISP (via PIX). You might want
to enable packet logging in your main office DNS server (presumably
you control that) to see if the request is coming through there.

That should narrow down the problem. One comment Falcon made seems
interesting -- (s)he said that the response received in the remote
site when the name www.dadeschools.net is queried for is non-existent
domain. That indicates that whatever path the DNS resolution is
taking, the response is getting back. If it were a PIX ACLing type
issue, the response would probably be dropped.

Hope this helps.

-Rahul.

-----

Great ideas!
I was running out of them. Glad you jumped in with some other suggestions.

In addition, maybe start sniffing some packets too and see what's up there.

--
Regards,
Ace
