DNS Cache Corrupt for individual zone

We have Windows 2003 DNS servers in our internal network (behind
checkpoint firewall, using BIND DNS servers on our external network
for authoritative DNS of external hosts).

We have a frustrating issue where the zone for one particular zone
(nasa.gov) gets corrupted in the cache consistently (every few
days). Everything within the nasa.gov zone becomes unable to resolve
when the cache is in this state.

The issue is easy to resolve. If you delete this zone in the MMC, the
problem clears immediately and subsequent queries resolve correctly.

Another couple of facts.

1) I know it is not a transient network issue, as NSLOOKUP and DIG
can resolve correctly when using the authoritative name servers. Also
our BIND servers never experience a problem resolving.

2) I don't believe it is a cache pollution issue. Our Windows 2003
DNS servers are only accessible in our internal DNS network.

3) I don't believe it is an EDNS0 / Checkpoint issue since clearly it
resolves correctly sometimes. Unless the EDNS0 issue is somehow an
intermittent problem, that could result in a corrupt cache.

4) I could have a script clear the DNS cache on a regular basis, or
even better, clear the cache when this zone is unable to resolve, but
that's a bit of a sledgehammer when what is required is a scalpel. I
can't find any way to programmatically delete this particular zone from
the cache. I don't want to delete the entire cache every time this
zone has an issue.

5) We have multiple Windows 2003 DNS servers inside our network and I
see the same problem on all of them.

6) This is the only zone with this problem. We do a lot of work with
NASA so perhaps we do more DNS lookups in this zone than typical.

Any help would be appreciated.
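An added example, not part of the original post, of the "clear the cache only when this zone fails" watchdog described in point 4. It is not a scalpel (dnscmd /ClearCache still flushes the whole cache), but it only acts when the internal server fails while the zone's authoritative server still answers, and it records both answers so the failures can be correlated with the firewall logs. Assumptions: nslookup.exe and dnscmd.exe are on the PATH of the Windows DNS server, the server addresses are placeholders to be replaced, and the nslookup output format parsed here is the familiar Windows layout ("Name:" followed by "Address:" / "Addresses:" lines, "***" lines on failure); nslookup's exit code is not a reliable success signal, which is why the text is parsed.

```python
"""Per-zone DNS cache watchdog for a Windows DNS server (added example).

Compares what the local caching server answers for a name with what the
zone's authoritative server answers, and flushes the local cache only when
the local server is the one failing.
"""
import re
import subprocess
from dataclasses import dataclass

# Placeholders (assumed, not from the post): replace with real addresses.
INTERNAL_DNS = "192.0.2.53"        # the Windows 2003 caching server
AUTHORITATIVE_DNS = "192.0.2.10"   # an authoritative server for the zone
ZONE_PROBE_NAME = "nasa.gov"       # name inside the troublesome zone

_IPV4 = re.compile(r"^\s*(?:Address(?:es)?:)?\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$")


@dataclass(frozen=True)
class LookupResult:
    addresses: frozenset  # A records returned; empty on failure
    error: str            # nslookup's failure text; '' on success


def parse_nslookup(output: str) -> LookupResult:
    """Parse Windows nslookup text. Lines starting with '***' or containing
    "can't find" mark a failure; answer addresses follow the 'Name:' line
    (the 'Address:' line before it belongs to the server being queried)."""
    lines = output.splitlines()
    for line in lines:
        if line.startswith("***") or "can't find" in line:
            return LookupResult(frozenset(), line.strip())
    addrs, after_name = set(), False
    for line in lines:
        if line.startswith("Name:"):
            after_name = True
            continue
        if after_name:
            m = _IPV4.match(line)
            if m:
                addrs.add(m.group(1))
    if not addrs:
        return LookupResult(frozenset(), "no address in answer")
    return LookupResult(frozenset(addrs), "")


def diagnose(internal: LookupResult, authoritative: LookupResult) -> str:
    """Classify the pair of answers: only 'cache-stale' justifies a flush."""
    if internal.addresses and authoritative.addresses:
        return "ok"
    if authoritative.addresses:
        return "cache-stale"      # upstream fine, local cache is the problem
    if internal.addresses:
        return "upstream-down"    # local cache is serving, upstream unreachable
    return "both-failed"          # network or zone problem, flushing won't help


def run_nslookup(name: str, server: str) -> str:
    """Query one server directly; output is parsed rather than exit code."""
    proc = subprocess.run(["nslookup", name, server], capture_output=True,
                          text=True, timeout=15)
    return proc.stdout + proc.stderr


def clear_cache() -> int:
    """Flush the whole local cache (the 'sledgehammer' from the post)."""
    return subprocess.run(["dnscmd", "/ClearCache"]).returncode


def check_and_repair(name=ZONE_PROBE_NAME, internal_server=INTERNAL_DNS,
                     authoritative_server=AUTHORITATIVE_DNS, dry_run=True):
    """Run one probe; flush only on 'cache-stale' and only if not dry_run."""
    internal = parse_nslookup(run_nslookup(name, internal_server))
    auth = parse_nslookup(run_nslookup(name, authoritative_server))
    verdict = diagnose(internal, auth)
    print(f"{name}: {verdict}; internal={sorted(internal.addresses) or internal.error}"
          f"; authoritative={sorted(auth.addresses) or auth.error}")
    if verdict == "cache-stale" and not dry_run:
        clear_cache()
    return verdict


if __name__ == "__main__":
    check_and_repair(dry_run=True)   # schedule via Task Scheduler every few minutes
```

Run it with dry_run=True first for a few days and keep the printed lines: if "cache-stale" always coincides with a particular record shape or time of day, that is the evidence needed to decide between a cache problem and an intermittent EDNS0/firewall problem before automating the flush.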


