Re: Prevent Caching of real world domain in W2K3 sp1 DNS.



"010010010101000" <1001010100100110@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:12ho617n5ourn4d@xxxxxxxxxxxxxxxxxxxxx
I have finally gotten this to recur. As of this morning I can no longer
resolve anything usda.gov on either of my main DNS servers. All other
resolution is working perfectly. DNS services have been up about 4 days
and the cache is quite full.


If you need help (here) with this then you really are going
to need to post the tests and results I have suggested and
be specific about which sites you are trying (we can't help
with "anything usda.gov" nearly as well).

For instance:

ns1.usda.gov 199.141.126.202
ns2.usda.gov 199.141.126.206

nslookup EACH_NAME_IN_QUESTION YOUR_DNS_IP_ADDRESS

nslookup EACH_NAME_IN_QUESTION 199.141.126.202

Also using the "-time=10" (or larger) to determine if there is some
threshold beyond which it does/doesn't time out.

Look for discrepancies. You will of course need to do this perhaps
separately if USDA.gov has child zones served by other DNS servers
(than 199.141.126.202 which I have resolved above.)

It could also be your ISP so you might want to check ping,
tracert (or pathping) etc.....

If your ISP is routing badly then timeouts might give negative
or inconsistent results.


--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]

"010010010101000" <1001010100100110@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:12ho617n5ourn4d@xxxxxxxxxxxxxxxxxxxxx
I have finally gotten this to recur. As of this morning I can no longer
resolve anything usda.gov on either of my main DNS servers. All other
resolution is working perfectly. DNS services have been up about 4 days
and the cache is quite full.


On the surface this sounds like a problem with THEIR DNS
setup which is their admin's responsibility and should be referred
to that admin for resolution.

I agree, but get no acquiescence from anyone I talk to about it possibly
being their problem.


Do other people (can you determine) experience similar problems
since you say it is not a "typical DNS hierarchy"?

If not, what do you mean by it not being typical?

It is very complex with numerous subdomains. So much so that I cannot
even begin to decipher what is going on.


How does the problem manifest PRECISELY?
By this I don't mean the application symptoms but rather
the precise results if you use NSLOOKUP to test specifically
what is in your own DNS server vs. what the usda.gov DNS
server(s) all say?

nslookup EACH_NAME_IN_QUESTION YOUR_DNS_IP_ADDRESS

nslookup EACH_NAME_IN_QUESTION 199.141.126.202

Look for discrepancies. You will of course need to do this perhaps
separately if USDA.gov has child zones served by other DNS servers
(than 199.141.126.202 which I have resolved above.)

My DNS:
server 10.5.1.4
Default Server: lbksvpccadc.pcca.com
Address: 10.5.1.4

www.fas.usda.gov
Server: lbksvpccadc.pcca.com
Address: 10.5.1.4

DNS request timed out.
timeout was 2 seconds.
*** Request to lbksvpccadc.pcca.com timed-out



My ISP's DNS:
server 216.167.161.35
Default Server: dns1.nts-online.net
Address: 216.167.161.35

www.fas.usda.gov
Server: dns1.nts-online.net
Address: 216.167.161.35

Non-authoritative answer:
Name: www.fas.usda.gov
Address: 151.121.3.140


usda.gov's DNS:
server 199.141.126.202
Default Server: ns1.usda.gov
Address: 199.141.126.202

www.fas.usda.gov
Server: ns1.usda.gov
Address: 199.141.126.202

Name: www.fas.usda.gov
Address: 151.121.3.140

usually 10-14 days after a DNS restart, some but not all hosts in the
hierarchy stop resolving.


But only for usda.gov usually?

only usda.gov appears to be failing right now.



Clearing the cache is the only way to fix the problem. It mostly
manifests itself in mail delivery failures, but has also shown up in
failed ftp transfers.


Then determine what is DIFFERENT about your cache and what
is returned and what is ACTUALLY CURRENT over on USDA.gov
(ns1.usda.gov)


When this happens there are items in the cache for usda.gov, but not the
items I am looking for and resolution just fails.


Give specific examples so we can help determine if this is
USDA.gov OR YOUR server with the problem.

Perhaps it is a deeper child of usda.gov and a different DNS
server than the one I listed above....


I am currently restarting all three of my DNS servers every week to clear
the cache.


You could just clear the cache rather than restart.

What OS specifically? What Service Pack level?

Fully patched W2K3 Server Standard with sp1. Both DNS servers are DC's


You don't by any chance have your DNS servers MUTUALLY
FORWARDING to each other do you? (e.g., #1 forwards to #2
which forwards back to #1 -- or even in a circle with #3)

Usually the mutual forwarding problem causes the entire DNS
server or RPC service to either crash or get flaky.


Nope.



AFAIK this is the only external domain that gives me trouble and I have
over 1000 hosts resolving internal and external off these DNS servers. I
have had no luck whatsoever in talking with anyone from their IT world.


IF it is "their problem" then you cannot fix it. Who did you contact
there?

nslookup -q=soa usda.gov
usda.gov
primary name server = NS1.usda.gov
responsible mail addr = dns.list.att.com

So the correct contact for DNS there is SUPPOSED to be:

dns@xxxxxxxxxxxx

(Subdomains/zones might offer additional contacts)

Gov domains don't give much whois info, but I haven't had
need to contact any and so don't know any tricks for getting
the right info beyond the SOA record.

Administrator and/or Postmaster are required (some RFC) to
be monitored for email compliance so you might try those and
explain the problem.


This has to be my problem, but I cannot figure out what is happening. Only
how to fix it.

Here are the caches of my two main DNS servers.

10.5.1.6 (secondary on most hosts)

Name                      Type               Data
(same as parent folder)   Name Server (NS)   ns1.usda.gov.
(same as parent folder)   Name Server (NS)   ns2.usda.gov.


10.5.1.4 (primary on most hosts)

Name                                   Type                  Data
ams egov ers fcic nass nitc nrcs rma
(same as parent folder)                Mail Exchanger (MX)   [10] mailproxy1.usda.gov.
ok                                     Mail Exchanger (MX)   [2] ftc-mail-edge1.fsc.usda.gov.
ok                                     Mail Exchanger (MX)   [4] kcc-mail-edge1.fsc.usda.gov.
ok                                     Mail Exchanger (MX)   [4] stl-mail-edge1.fsc.usda.gov.
(same as parent folder)                Name Server (NS)      ns1.usda.gov.
(same as parent folder)                Name Server (NS)      ns2.usda.gov.
www                                    Alias (CNAME)         www2.usda.gov.edgesuite.net.


Any other ideas before I clear the cache?

-tM


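The comparison Herb asks for (the same name queried against your own server, the ISP's server and the authoritative server, then looking for discrepancies) is tedious to eyeball across several transcripts. Below is an added example, not part of this thread and not anything from Microsoft or USDA, that parses Windows-style nslookup output and reports which resolver disagrees with the authoritative one. The three transcripts embedded in it are constructed, modelled on the ones posted above for www.fas.usda.gov; the labels ("local ...", "isp ...", "authoritative ...") and the function names are this example's own choices. In real use you would paste in fresh `nslookup NAME SERVER` output for each server and, as noted in the thread, repeat the exercise against the servers of any child zone.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed transcripts (not live output), one per resolver queried for the
# same name. Keys are labels of our choosing: "role address".
SAMPLE_TRANSCRIPTS: Dict[str, str] = {
    "local 10.5.1.4": """Server:  lbksvpccadc.pcca.com
Address:  10.5.1.4

DNS request timed out.
    timeout was 2 seconds.
*** Request to lbksvpccadc.pcca.com timed-out
""",
    "isp 216.167.161.35": """Server:  dns1.nts-online.net
Address:  216.167.161.35

Non-authoritative answer:
Name:    www.fas.usda.gov
Address:  151.121.3.140
""",
    "authoritative 199.141.126.202": """Server:  ns1.usda.gov
Address:  199.141.126.202

Name:    www.fas.usda.gov
Address:  151.121.3.140
""",
}

IP_RE = re.compile(r"^[0-9A-Fa-f:.]+$")  # bare IPv4/IPv6 continuation lines


@dataclass
class LookupResult:
    server: str
    status: str = "unknown"          # "answer", "timeout", "nxdomain", "unknown"
    authoritative: bool = True       # cleared when "Non-authoritative answer" seen
    name: str = ""
    addresses: List[str] = field(default_factory=list)
    aliases: List[str] = field(default_factory=list)


def parse_nslookup(label: str, transcript: str) -> LookupResult:
    """Parse one Windows nslookup transcript for a single name."""
    result = LookupResult(server=label)
    in_answer = False  # the first "Address:" is the resolver itself, not the answer
    for raw in transcript.splitlines():
        line = raw.strip()
        if not line:
            continue
        if "timed out" in line or "timed-out" in line:
            result.status = "timeout"
        elif "Non-existent domain" in line:
            result.status = "nxdomain"
        elif line.startswith("Non-authoritative answer"):
            result.authoritative = False
        elif line.startswith("Name:"):
            in_answer = True
            result.status = "answer"
            result.name = line.split(":", 1)[1].strip()
        elif in_answer and line.startswith(("Address:", "Addresses:")):
            result.addresses.extend(line.split(":", 1)[1].replace(",", " ").split())
        elif in_answer and line.startswith("Aliases:"):
            result.aliases.extend(line.split(":", 1)[1].replace(",", " ").split())
        elif in_answer and IP_RE.match(line):
            result.addresses.append(line)  # extra addresses on indented lines
    return result


def compare_against_reference(results: Dict[str, LookupResult], reference: str) -> List[str]:
    """Return one finding per resolver that disagrees with the reference server."""
    ref = results[reference]
    if ref.status != "answer":
        return [f"{reference}: reference did not answer (status={ref.status}); "
                "check the delegation and child-zone servers first"]
    findings = []
    for label, r in results.items():
        if label == reference:
            continue
        if r.status != "answer":
            findings.append(f"{label}: {r.status} for {ref.name} while {reference} "
                            f"answers {sorted(ref.addresses)}")
        elif set(r.addresses) != set(ref.addresses):
            findings.append(f"{label}: returns {sorted(r.addresses)} but {reference} "
                            f"returns {sorted(ref.addresses)} (stale cache or different data)")
    return findings


def analyze(transcripts: Dict[str, str], reference: str) -> Dict[str, object]:
    results = {label: parse_nslookup(label, text) for label, text in transcripts.items()}
    return {"results": results, "findings": compare_against_reference(results, reference)}


if __name__ == "__main__":
    report = analyze(SAMPLE_TRANSCRIPTS, "authoritative 199.141.126.202")
    for label, r in report["results"].items():
        print(f"{label:32} {r.status:8} auth={r.authoritative} {r.addresses}")
    for finding in report["findings"]:
        print("DISCREPANCY:", finding)
```

With the constructed transcripts the only finding is the local server timing out while both the ISP and ns1.usda.gov return 151.121.3.140, which is exactly the pattern that points at the local cache rather than at USDA's data; an answer with a different address would instead be reported as stale or divergent data.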


