Re: DNS Cache Corrupt for individual zone
- From: "Ace Fekay [MCT]" <aceman@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 19 Jul 2009 11:29:58 -0400
"Michael Iams" <michael.iams@xxxxxxxxx> wrote in message news:f0b4e25f-7085-4d98-9d7d-075b6f0f5f26@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
We have Windows 2003 DNS servers in our internal network (behind
checkpoint firewall, using BIND DNS servers on our external network
for authoritative DNS of external hosts).
We have a frustrating issue where the zone for one particular zone
(nasa.gov) gets corrupted in the cache consistently (every few
days). Everything within the nasa.gov zone becomes unable to resolve
when the cache is in this state.
The issue is easy to resolve. If you delete this zone in the MMC, the
problem clears immediately and subsequent queries resolve correctly.
Another couple of facts.
1) I know it is not a transient network issue, as NSLOOKUP and DIG
can resolve correctly when using the authoritative name servers. Also
our BIND servers never experience a problem resolving.
2) I don't believe it is a cache pollution issue. Our Windows 2003
DNS servers are only accessible in our internal DNS network.
3) I don't believe it is an EDNS0 / Checkpoint issue since clearly it
resolves correctly sometimes. Unless the EDNS0 issue is somehow an
intermittent problem, that could result in a corrupt cache.
4) I could have a script clear the DNS cache on a regular basis, or
even better, clear the cache when this zone is unable to resolve, but
that's a bit of a sledgehammer when what is required is a scalpel. I
can't find any way to programmatically delete this particular zone from
the cache. I don't want to delete the entire cache every time this
zone has an issue.
5) We have multiple Windows 2003 DNS servers inside our network and I
see the same problem on all of them.
6) This is the only zone with this problem. We do a lot of work with
NASA so perhaps we do more DNS lookups in this zone than typical.
Any help would be appreciated.
It's possibly because nasa.gov has no A or CNAME records for nasa.gov, whereas www.nasa.gov has multiple Aliases, but no A record. I can see this may cause a problem when a user tries to go to http://nasa.gov (without the www), and DNS tries to cache a non-value.
Notice in the nslookup results that nasa.gov has no entry, but www.nasa.gov has three Aliases.
nslookup
nasa.gov
Server: ace-dc-01.mydomain.com
Address: 192.168.120.50
Name: nasa.gov
www.nasa.gov
Server: ace-dc-01.mydomain.com
Address: 192.168.120.50
Non-authoritative answer:
Name: a1718.x.akamai.net
Addresses: 64.212.198.41
           64.212.198.24
Aliases: www.nasa.gov
         www.nasa.gov.speedera.net
         www.nasa.gov.edgesuite.net
----
I tried to run a report at www.dnsstuff.com for 'nasa.gov.' It stated there are 5 errors, and nasa.gov is on 6 blacklists, however it wanted me to join to get the report, but I do not have a membership. It would be interesting to see what they say about it.
Curious, why are you manually creating the zone? What records are you creating under the zone? And also curious, why not just allow a forwarder to resolve nasa.gov records, and not manually create the zone? Or set a Conditional Forwarder for nasa.gov to their SOAs?
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
Please reply back to the newsgroup or forum to benefit from collaboration among responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
aceman@xxxxxxxxxxxxxxxxxxxxxxx
http://twitter.com/acefekay
For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
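
An added example, not part of the original thread: a small Python parser that classifies a raw DNS response to an A query as ANSWER, NODATA, NXDOMAIN or another RCODE, which makes the difference between the two lookups in the reply above (a name with no address record versus a name that resolves through a CNAME) visible at the message level. The two sample messages are constructed, with the alias chain simplified to a single CNAME, and `read_name`, `classify` and `header` are illustrative names.

```python
import struct

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def classify(msg):
    """Classify a response to an A query: (kind, cname_targets, addresses)."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    rcode, off = flags & 0xF, 12
    for _ in range(qd):                       # skip the question section
        off = read_name(msg, off)[1] + 4
    if rcode != 0:
        return ("NXDOMAIN" if rcode == 3 else "RCODE_%d" % rcode), [], []
    chain, addrs = [], []
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 5:                        # CNAME: record the target
            chain.append(read_name(msg, off)[0])
        elif rtype == 1 and rdlen == 4:       # A: dotted-quad address
            addrs.append(".".join(map(str, msg[off:off + 4])))
        off += rdlen
    # NOERROR without an address is NODATA: the name exists, but not for type A
    return ("ANSWER" if addrs else "NODATA"), chain, addrs

def header(ancount, rcode=0):                 # helper for the constructed samples
    return struct.pack("!6H", 1, 0x8180 | rcode, 1, ancount, 0, 0)

# Constructed messages (not captured traffic); names and address from the thread
APEX = header(0) + b"\x04nasa\x03gov\x00" + b"\x00\x01\x00\x01"
WWW = (header(2) + b"\x03www\x04nasa\x03gov\x00" + b"\x00\x01\x00\x01"
       + b"\xc0\x0c" + b"\x00\x05\x00\x01\x00\x00\x01\x2c\x00\x14"
       + b"\x05a1718\x01x\x06akamai\x03net\x00"
       + b"\xc0\x2a" + b"\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04"
       + bytes([64, 212, 198, 41]))
```

`classify(APEX)` reports NODATA and `classify(WWW)` reports ANSWER with the CNAME target and address, so the same function run over responses captured while the cache is failing shows which kind of reply the resolver is handing back.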