Re: DNS Cache corruption?
- From: "Ace Fekay [MVP]" <PleaseAskMe@xxxxxxxxxxxxxx>
- Date: Mon, 2 Jun 2008 23:03:20 -0400
In news:A45BB2F1-A77C-4E40-865B-D991F66142B5@xxxxxxxxxxxxx,
infinitiguy <derek@xxxxxxxx> typed:
> Sorry, you're right, after reading through.. it is a bit vague.
> Currently in production we're using Incognito DNS Commander (DNS and
> DHCP). It runs on Solaris. There's two servers.. one here
> (10.65.6.2) and one in Dublin (10.2.2.49). They work in pri/sec
> zones.
> The plan is to remove those, and implement MSDNS, which we already
> have in place for our ionaglobal.com zone (for Exchange). We just
> consolidated all of our NT4 domains to ionaglobal, so the next
> logical step is to get all of our workstations/servers that are using
> the old DNS to use the new DNS.
> The plan will be to have two stub zones. One here (10.65.6.2
> eventually) and one in Dublin (10.2.2.49). These stub zones will
> point to the various DC's (4 in Waltham, and 2 in Dublin) for DNS. Overall
> there'll be 8 DNS servers (2 stubs, and 6 DC's/DNS).
> The reason that amer-dns1 is using secondary zones is I'm not cutting
> the entire company over to MSDNS in one swoop. I'm going to do
> Waltham first, then Dublin a few weeks later. I'd rather only break
> half the company if something goes wrong. The need for the
> secondaries will be to do local name resolution for the zones Dublin
> hosts, rather than setting up a bunch of zone forwards.. eventually
> all of the zones will be ADI zones, and the only zones that
> amer-dns1 (stub server) will host.. will be stub zones.
> We will have a single forest/single domain.
> The use of the stub servers will be to allow the DNS server to be
> re-IPed when it's time to go into production without having to
> promote/create a new DC that will inherit that IP.. none of the
> clients will be pointing to the other DNS servers so I figure the
> stub will be a constant, always-on central point to distribute the
> load.
> There will be a DNS/DC at each major location. That I'm not worried
> about yet.
> re: firewall. We use a Checkpoint firewall. I don't know if it
> supports EDNS0.. I know that there was a bug within our current DNS
> system where when DNS caching was enabled DNS would eventually crash,
> so that DNS admin just turned off caching... the product is full of
> bugs which is why we're moving off of it.
> I guess the thing I just don't understand is what causes the behavior
> to happen. Why cnn.com? Why aol.com in my experience a month ago,
> and why when the cache is cleared does it work fine, and continue to
> work fine with the new cached record? Unfortunately I don't have
> details of the TTLs or anything for the buggy records since I had to
> clear the cache earlier today. Maybe the firewall thing is something
> to look into but I'm not sure if that's what's causing the woes.

Ok, that explanation makes more sense. Keep in mind when you install DNS on
a DC, DO NOT MANUALLY create the zone. Let it sit. Since the zone is already
AD Integrated, it will automatically populate. If you manually create it,
you will find yourself with a duplicate zone condition. Tough to clean up.
Even if you create a stub or secondary. Well, matter of fact, if you create
a secondary on a DC with an AD Integrated zone that exists in that scope,
the secondary will disappear from the console. I believe a stub will
disappear also unless you make it AD Integrated, which will cause a dupe
scenario as well.
I assume the ionaglobal.com zone name is your internal AD DNS zone name? If
so, it's not more for Exchange, but for AD. Keep in mind that any AD machine
(DC, member server or client) must only use DNS servers that either host
the AD zone name or have some sort of reference to it. If any DNS server is
listed that either doesn't host the zone or does not have a reference to it,
it will cause numerous issues.
My guess is the Checkpoint, depending on the firmware version, may support
it but it's not enabled. If you are not sure, it may never have been turned
on. But then again, how old is it and when was the last time you upped the
firmware?
I can't explain why it worked before and not now with CNN, AOL, etc. Those
sites have a larger than 512 byte response to a DNS query. So does Yahoo,
Hotmail, and many other larger sites. Microsoft too, I believe. EDNS0 would
apply in this case. If it worked before and not now, could it be something
with a change over that occurred between then and now? What server is
actually forwarding out? Well, let me add that if using a Forwarder, it
shouldn't occur because the query is directly sent to an outside DNS by the
DNS server. If a Windows 2003 DNS is using Root Hints and no Forwarding,
then it will occur if the firewall doesn't support EDNS0. If DNS Commander
is using its own Root Hints, then I can see it occurring if the Checkpoint
doesn't support it. Try configuring forwarding to your ISP or look into
the Checkpoint.
Ace
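To make the EDNS0 / 512-byte point concrete, here is an added example (not part of the thread, and not from any product it mentions) that builds a DNS query with and without an EDNS0 OPT record and inspects a packet for the two things a troubleshooter would look for: the TC (truncated) bit and the advertised EDNS0 UDP payload size. The two response packets are constructed inline for illustration; the transaction ID and the 192.0.2.1 answer are placeholders.

```python
import struct

def encode_name(name):
    """Encode 'cnn.com' as DNS labels: \\x03cnn\\x03com\\x00."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype=1, edns_udp_size=None, txid=0x1234):
    """Recursive query for name; with edns_udp_size, append an OPT RR (RFC 6891)
    in the additional section advertising that UDP payload size."""
    arcount = 1 if edns_udp_size else 0
    pkt = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # flags: RD set
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)        # question, class IN
    if edns_udp_size:
        # OPT: owner = root (\x00), TYPE 41, CLASS = payload size, TTL = ext-rcode/ver/flags, RDLEN 0
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return pkt

def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def inspect(pkt):
    """Report length, TC bit, RCODE and any EDNS0 UDP size found in an OPT RR."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4          # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:                        # OPT pseudo-RR: CLASS carries the UDP size
            edns_size = rclass
    return {"len": len(pkt), "tc": bool(flags & 0x0200), "rcode": flags & 0xF,
            "edns_udp_size": edns_size}

# Constructed sample: a resolver that fell back to plain 512-byte DNS and had to truncate.
TRUNCATED_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0)   # QR RD RA TC
                      + encode_name("cnn.com") + struct.pack("!HH", 1, 1))
# Constructed sample: an EDNS0-aware answer (one A record, OPT advertising 1280 bytes).
EDNS_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
                 + encode_name("cnn.com") + struct.pack("!HH", 1, 1)
                 + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
                 + b"\x00" + struct.pack("!HHIH", 41, 1280, 0, 0))
```

A response with TC set and no OPT record behind a firewall that drops OPT-bearing queries is the pattern the thread describes; a forwarder that speaks EDNS0 on the DNS server's behalf sidesteps it.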