Re: DNS Cache corruption?



I had this happen again. This time with our main site, www.iona.com.

What happened is DHCP is giving out 10.65.6.60 for the DNS server. This is a stub server. It consists of a bunch of stubs pointing to my ADI and primary zones (zones are primary until converted to ADI).

iona.com is a secondary zone hosted on Incognito DNS. I have it as a secondary on the stub zone because that's how we have it set up in Incognito. I don't see any downside to doing it this way, as it should work.

In any case, from the stub zone first and the DC second, I get the following debug output from nslookup.

As you can see from the stub zone, it only replies with the domain name, no IP. www.iona.com is a CNAME to iona.intlb.iona.com (set up that way for our load balancers to work properly). When I look in the DNS cache on both servers, on the stub I have:
..root\com\iona\
and then some cached lookups under amer and apac (other zones containing file servers etc.) as well as some NS entries and records.
However, on the DC I have:
..root\com\iona\intlb\
and in intlb is an A record for iona.intlb.iona.com containing the IP address.

For whatever reason the stub zone is not able to resolve this information. Should I, instead of having the iona.com zone hosted on the stub as a secondary, host it on my DC as a secondary and have the stub host a stub zone pointing to the secondary? Or, maybe better yet, just tell the stub to point to the Incognito DNS server hosting the actual zone?

nslookup -d2 www.iona.com
------------
SendRequest(), len 41
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
60.6.65.10.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (79 bytes):
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
60.6.65.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 60.6.65.10.in-addr.arpa
type = PTR, class = IN, dlen = 26
name = amer-dns1.ionaglobal.com
ttl = 1200 (20 mins)

------------
Server: amer-dns1.ionaglobal.com
Address: 10.65.6.60

------------
SendRequest(), len 51
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
www.iona.com.boston.amer.iona.com, type = A, class = IN

------------
------------
Got answer (142 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, auth. answer, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
www.iona.com.boston.amer.iona.com, type = A, class = IN
AUTHORITY RECORDS:
-> boston.amer.iona.com
type = SOA, class = IN, dlen = 59
ttl = 3600 (1 hour)
primary name server = amereast-dc5.ionaglobal.com
responsible mail addr = hostmaster.ionaglobal.com
serial = 508
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

------------
------------
SendRequest(), len 51
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
www.iona.com.dublin.emea.iona.com, type = A, class = IN

------------
------------
Got answer (129 bytes):
HEADER:
opcode = QUERY, id = 3, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
www.iona.com.dublin.emea.iona.com, type = A, class = IN
AUTHORITY RECORDS:
-> dublin.emea.iona.com
type = SOA, class = IN, dlen = 46
ttl = 7200 (2 hours)
primary name server = emea-dns-1.dublin.emea.iona.com
responsible mail addr = hostmaster.iona.com
serial = 2008060516
refresh = 600 (10 mins)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 7200 (2 hours)

------------
------------
SendRequest(), len 52
HEADER:
opcode = QUERY, id = 4, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
www.iona.com.stjohns.amer.iona.com, type = A, class = IN

------------
------------
Got answer (140 bytes):
HEADER:
opcode = QUERY, id = 4, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
www.iona.com.stjohns.amer.iona.com, type = A, class = IN
AUTHORITY RECORDS:
-> stjohns.amer.iona.com
type = SOA, class = IN, dlen = 55
ttl = 86400 (1 day)
primary name server = ned.stjohns.amer.iona.com.stjohns.amer.iona.com
responsible mail addr = root.ned.stjohns.amer.iona.com.stjohns.amer.iona.com
serial = 2008050201
refresh = 1800 (30 mins)
retry = 10800 (3 hours)
expire = 604800 (7 days)
default TTL = 86400 (1 day)

------------
------------
SendRequest(), len 49
HEADER:
opcode = QUERY, id = 5, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
www.iona.com.ionaglobaltest.com, type = A, class = IN

------------
------------
Got answer (138 bytes):
HEADER:
opcode = QUERY, id = 5, rcode = NXDOMAIN
header flags: response, auth. answer, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
www.iona.com.ionaglobaltest.com, type = A, class = IN
AUTHORITY RECORDS:
-> ionaglobaltest.com
type = SOA, class = IN, dlen = 59
ttl = 3600 (1 hour)
primary name server = amereast-dc5.ionaglobal.com
responsible mail addr = hostmaster.ionaglobal.com
serial = 521
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

------------
------------
SendRequest(), len 45
HEADER:
opcode = QUERY, id = 6, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
www.iona.com.ionaglobal.com, type = A, class = IN

------------
------------
Got answer (113 bytes):
HEADER:
opcode = QUERY, id = 6, rcode = NXDOMAIN
header flags: response, auth. answer, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
www.iona.com.ionaglobal.com, type = A, class = IN
AUTHORITY RECORDS:
-> ionaglobal.com
type = SOA, class = IN, dlen = 42
ttl = 3600 (1 hour)
primary name server = amereast-dc5.ionaglobal.com
responsible mail addr = admin
serial = 84271
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 900 (15 mins)

------------
------------
SendRequest(), len 39
HEADER:
opcode = QUERY, id = 7, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
www.iona.com.iona.com, type = A, class = IN

------------
------------
Got answer (120 bytes):
HEADER:
opcode = QUERY, id = 7, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
www.iona.com.iona.com, type = A, class = IN
AUTHORITY RECORDS:
-> iona.com
type = SOA, class = IN, dlen = 61
ttl = 7200 (2 hours)
primary name server = dubdns.dublin.emea.iona.com
responsible mail addr = hostmaster.iona.ie
serial = 2008060300
refresh = 10800 (3 hours)
retry = 3600 (1 hour)
expire = 604800 (7 days)
default TTL = 7200 (2 hours)

------------
------------
SendRequest(), len 44
HEADER:
opcode = QUERY, id = 8, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
www.iona.com.apac.iona.com, type = A, class = IN

------------
------------
Got answer (128 bytes):
HEADER:
opcode = QUERY, id = 8, rcode = NXDOMAIN
header flags: response, auth. answer, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
www.iona.com.apac.iona.com, type = A, class = IN
AUTHORITY RECORDS:
-> apac.iona.com
type = SOA, class = IN, dlen = 59
ttl = 3600 (1 hour)
primary name server = amereast-dc5.ionaglobal.com
responsible mail addr = hostmaster.ionaglobal.com
serial = 1
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)

------------
------------
SendRequest(), len 30
HEADER:
opcode = QUERY, id = 9, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
www.iona.com, type = A, class = IN

------------
------------
Got answer (55 bytes):
HEADER:
opcode = QUERY, id = 9, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
www.iona.com, type = A, class = IN
ANSWERS:
-> www.iona.com
type = CNAME, class = IN, dlen = 13
canonical name = iona.intlb.iona.com
ttl = 2 (2 secs)

------------
Name: www.iona.com

================================
================================

The working output from amereast-dc5 (a DC with iona.com recently added as a secondary zone) is:

nslookup -d2 www.iona.com

------------
SendRequest(), len 41
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
44.6.65.10.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (82 bytes):
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
44.6.65.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 44.6.65.10.in-addr.arpa
type = PTR, class = IN, dlen = 29
name = amereast-dc5.ionaglobal.com
ttl = 1200 (20 mins)

------------
Server: amereast-dc5.ionaglobal.com
Address: 10.65.6.44

------------
SendRequest(), len 45
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
www.iona.com.IONAGLOBAL.COM, type = A, class = IN

------------
------------
Got answer (113 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = NXDOMAIN
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
www.iona.com.IONAGLOBAL.COM, type = A, class = IN
AUTHORITY RECORDS:
-> ionaglobal.com
type = SOA, class = IN, dlen = 42
ttl = 3600 (1 hour)
primary name server = amereast-dc5.ionaglobal.com
responsible mail addr = admin
serial = 84271
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 900 (15 mins)

------------
------------
SendRequest(), len 30
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
www.iona.com, type = A, class = IN

------------
------------
Got answer (71 bytes):
HEADER:
opcode = QUERY, id = 3, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 2, authority records = 0, additional = 0

QUESTIONS:
www.iona.com, type = A, class = IN
ANSWERS:
-> www.iona.com
type = CNAME, class = IN, dlen = 13
canonical name = iona.intlb.iona.com
ttl = 2 (2 secs)
-> iona.intlb.iona.com
type = A, class = IN, dlen = 4
internet address = 10.70.2.23
ttl = 10 (10 secs)

------------
Name: iona.intlb.iona.com
Address: 10.70.2.23
Aliases: www.iona.com

"Herb Martin" <news@xxxxxxxxxxxxxx> wrote in message news:uzOY9NTxIHA.4560@xxxxxxxxxxxxxxxxxxxxxxx

"infinitiguy" <derek@xxxxxxxx> wrote in message news:A45BB2F1-A77C-4E40-865B-D991F66142B5@xxxxxxxxxxxxxxxx
Sorry, you're right; after reading through, it is a bit vague.

The plan is to remove those, and implement MSDNS, which we already have in place for our ionaglobal.com zone (for Exchange). We just consolidated all of our NT4 domains to ionaglobal, so the next logical step is to get all of our workstations/servers that are using the old DNS to use the new DNS.

The plan will be to have two stub zones. One here (10.65.6.2 eventually) and one in Dublin (10.2.2.49). These stub zones will point to the various DCs (4 in Waltham, and 2 in Dublin) for DNS. Overall there'll be 8 DNS servers (2 stubs, and 6 DCs/DNS).

What's the point of all these stubs? Don't you have DCs in those locations?

None of this has much to do in all likelihood with your subject line.

The reason that amer-dns1 is using secondary zones is I'm not cutting the entire company over to MSDNS in one swoop. I'm going to do Waltham first, then Dublin a few weeks later. I'd rather only break half the company if something goes wrong. The need for the secondaries will be to do local name resolution for the zones Dublin hosts, rather than setting up a bunch of zone forwards. Eventually all of the zones will be ADI zones, and the only zones that amer-dns1 (stub server) will host will be stub zones.

Microsoft DNS just works. You are likely experiencing some problem
from OUTSIDE, e.g., whoever is giving you AOL and CNN, not
your DNS servers or those that are authoritative for those zones.

We will have a single forest/single domain.

The use of the stub servers will be to allow the DNS server to be re-IPed when it's time to go into production without having to promote/create a new DC that will inherit that IP. None of the clients will be pointing to the other DNS servers, so I figure the stub will be a constant, always-on central point to distribute the load.

You aren't really focusing on one problem here.

When Ace asked for a clear infrastructure he doesn't care about
YOUR ZONES.

Your problem is with EXTERNAL ZONES.

Resolving your own zones is a nearly separate job from resolving
the INTERNET.

You should ALWAYS think of these, design these, troubleshoot
these as separate jobs even if the same server(s) do them.

There will be a DNS/DC at each major location. That I'm not worried about yet.

None of this matters to your current problem.

Re: firewall. We use a Check Point firewall. I don't know if it supports EDNS0. I know that there was a bug within our current DNS system where when DNS caching was enabled DNS would eventually crash, so that DNS admin just turned off caching. The product is full of bugs, which is why we're moving off of it.

I guess the thing I just don't understand is what causes the behavior to happen. Why cnn.com? Why aol.com in my experience a month ago, and why

Where is it happening?

You need to "Nslookup" and/or view the caches with the MMC until
you find the FIRST (most outside) culprit.

If I ask YOU a question, and get a wrong answer, then I pass that wrong
answer on to someone else the problem is not with me (by analogy.)

Do this (when it happens):

nslookup www.cnn.com IP.DNS.Server.Local
nslookup www.cnn.com IP.Local.Forwards.To

Etc, until you find the FURTHEST outbound server
with the wrong answer.

If you find a RECURSIVE (non-forwarding) DNS Server
in the list then you have to work through from the ROOT
down, the same way that recursive server does it until
you find the culprit.

Isolate. Isolate. Isolate.

Probably are easy to solve (usually) but sometimes difficult to
locate.


When the cache is cleared, does it work fine, and continue to work fine with the new cached record? Unfortunately I don't have details of the TTLs or anything for the buggy records since I had to clear the cache earlier today. Maybe the firewall thing is something to look into, but I'm not sure if that's what's causing the woes.

Your DNS infrastructure description is a bit confusing and doesn't provide enough specific info.

Can you elaborate on what the following sentence means?
"I've gotten internal IT on to my
DNS server, "

Are the "other" DNS servers, such as Amer-DNS1, domain controllers? If so, be careful to manually create a zone that is AD Integrated, especially if the zone is in the same Replication Scope the domain controller is part of.

Do you have one domain in one forest or a multi-domain forest?

Not sure why you are using stubs and secondaries, that is, if these other DNS servers are truly domain controllers. It can lead to DNS issues.

Is there a DC at each location? If so, it would be beneficial for them to be DNS servers.

What type of firewall do you have? Maybe it doesn't support EDNS0. Check your documentation on how to enable it. Lack of EDNS0 support will lead to failed resolution of zone with large data, that is above 512 bytes. You can check if your firewall supports EDNS0. Use nslookup. Query for the sites you say you cannot resolve. Then change it to TCP (by using the set vc command). If it resolves, then it's an EDNS0 issue.

By legacy methods, DNS query traffic uses UDP. Now on the response side, if it is larger than 512 bytes, the legacy method (non-EDNS0) will revert the response to TCP. If DNS supports EDNS0, which Windows 2003 does, it believes there is no reason to revert, but then what happens is the firewall will block the traffic if it cannot support a DNS UDP response packet larger than 512 bytes.

If you have a PIX, the command is:
protocol fixup dns 1280

--
Regards,
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT,
MVP Microsoft MVP - Directory Services
Microsoft Certified Trainer

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Infinite Diversities in Infinite Combinations
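Two things in this thread are easier to reason about with the raw DNS messages in hand: the original poster's stub server answering www.iona.com with only the CNAME (answers = 1) while the DC returns CNAME plus A (answers = 2), and Ace's point about UDP answers over 512 bytes, EDNS0 and the TCP fallback that "set vc" forces. The following is an added example, not code from the thread, from nslookup, or from any of the posters: a small DNS wire-format encoder/decoder in Python that builds a query (optionally with an EDNS0 OPT record advertising a larger UDP payload size), parses a reply's header flags and answer section the way nslookup -d2 displays them, reports CNAME targets that were not resolved in the same reply, and flags a truncated (TC) reply as needing a TCP retry. The sample replies are constructed inline from the record values printed in the thread (www.iona.com CNAME iona.intlb.iona.com, A 10.70.2.23, and their TTLs); the query it builds for www.iona.com is 30 bytes, the same length nslookup reported as "SendRequest(), len 30". Everything else (function names, the 4096-byte EDNS0 size) is the example's own choice.

```python
# Added example, not code from the thread: a minimal DNS wire-format encoder/decoder
# for inspecting answers the way `nslookup -d2` displays them. Sample messages are
# constructed inline from the record values shown in the thread.
import struct

QTYPE = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 41: "OPT"}
FLAG_QR, FLAG_AA, FLAG_TC, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080


def encode_name(name):
    """Dotted name -> length-prefixed labels, terminated by the root label."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split(".") if lab)
    return out + b"\x00"


def decode_name(msg, off):
    """Read a (possibly compressed) name at off; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), end if end is not None else off


def build_query(qname, qtype=1, txid=1, edns_udp_size=None):
    """Recursive query; with edns_udp_size an OPT RR advertises that UDP payload size."""
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1 if edns_udp_size else 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    if edns_udp_size:
        # OPT RR: root owner, TYPE 41, CLASS field carries the UDP size, TTL field = 0, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return msg


def build_response(query, rrs, truncate=False):
    """Constructed authoritative answer to query: echoes the question, appends rrs, may set TC."""
    txid = struct.unpack("!H", query[:2])[0]
    qname, qend = decode_name(query, 12)
    flags = FLAG_QR | FLAG_AA | FLAG_RD | FLAG_RA | (FLAG_TC if truncate else 0)
    body = b""
    for name, rtype, ttl, value in rrs:
        owner = b"\xC0\x0C" if name == qname else encode_name(name)   # pointer to the question name
        rdata = encode_name(value) if rtype == 5 else bytes(int(o) for o in value.split("."))
        body += owner + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 0) + query[12:qend + 4] + body


def parse_response(msg):
    """Header flags plus question and answer sections, as nslookup -d2 prints them."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype = struct.unpack("!H", msg[off:off + 2])[0]
        off += 4                                   # skip QTYPE and QCLASS
        questions.append((name, QTYPE.get(qtype, qtype)))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:
            value = decode_name(msg, off)[0]       # CNAME target (may itself be compressed)
        elif rtype == 1:
            value = ".".join(str(b) for b in msg[off:off + rdlen])
        else:
            value = msg[off:off + rdlen]
        off += rdlen
        answers.append((name, QTYPE.get(rtype, rtype), ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & FLAG_AA), "tc": bool(flags & FLAG_TC),
            "ra": bool(flags & FLAG_RA), "questions": questions, "answers": answers}


def unresolved_cname_targets(parsed):
    """CNAME targets with no A record in the same answer section: the stub-server symptom in the thread."""
    a_owners = {a[0] for a in parsed["answers"] if a[1] == "A"}
    return [a[3] for a in parsed["answers"] if a[1] == "CNAME" and a[3] not in a_owners]


def needs_tcp_retry(parsed):
    """TC set on a UDP reply means the answer was cut at the UDP limit: re-ask over TCP (nslookup: set vc)."""
    return parsed["tc"]


# Constructed reproductions of the two answers in the thread (CNAME only vs CNAME + A).
QUERY = build_query("www.iona.com", txid=9)
STUB_REPLY = build_response(QUERY, [("www.iona.com", 5, 2, "iona.intlb.iona.com")])
DC_REPLY = build_response(QUERY, [("www.iona.com", 5, 2, "iona.intlb.iona.com"),
                                  ("iona.intlb.iona.com", 1, 10, "10.70.2.23")])

if __name__ == "__main__":
    for label, reply in (("stub", STUB_REPLY), ("dc", DC_REPLY)):
        p = parse_response(reply)
        print(label, p["answers"], "unresolved:", unresolved_cname_targets(p))
    print("plain query bytes:", len(QUERY), "with EDNS0:", len(build_query("www.iona.com", edns_udp_size=4096)))
```

Run as a script it prints the parsed answer sections for the two constructed replies, with iona.intlb.iona.com listed as unresolved for the stub reply and nothing unresolved for the DC reply, and then the query sizes with and without the OPT record. The 11-byte OPT record is all EDNS0 adds on the wire; a firewall that drops UDP DNS replies over 512 bytes makes the TC-bit path in needs_tcp_retry the only way such an answer arrives, which is exactly what the "set vc" test in Ace's reply exercises.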
