"Michael Iams" <> wrote in message
news:f0b4e25f-7085-4d98-9d7d-...
> We have Windows 2003 DNS servers in our internal network (behind
> checkpoint firewall, using BIND DNS servers on our external network
> for authoritative DNS of external hosts).
>
> We have a frustrating issue where the zone for one particular zone
> (nasa.gov) gets corrupted in the cache consistently (every few
> days). Everything within the nasa.gov zone becomes unable to resolve
> when the cache is in this state.
>
> The issue is easy to resolve. If you delete this zone in the MMC, the
> problem clears immediately and subsequent queries resolve correctly.
>
> Another couple of facts.
>
> 1) I know it is not a transient network issue, as NSLOOKUP and DIG
> can resolve correctly when using the authoritative name servers. Also
> our BIND servers never experience a problem resolving.
>
> 2) I don't believe it is a cache pollution issue. Our Windows 2003
> DNS servers are only accessible in our internal DNS network.
>
> 3) I don't believe it is an EDNS0 / Checkpoint issue since clearly it
> resolves correctly sometimes. Unless the EDNS0 issue is somehow an
> intermittent problem, that could result in a corrupt cache.
>
> 4) I could have a script clear the DNS cache on a regular basis, or
> even better, clear the cache when this zone is unable to resolve, but
> that's a bit of a sledgehammer when what is required is a scalpel. I
> can't find any way to programmatically delete this particular zone from
> the cache. I don't want to delete the entire cache every time this
> zone has an issue.
>
> 5) We have multiple Windows 2003 DNS servers inside our network and I
> see the same problem on all of them.
>
> 6) This is the only zone with this problem. We do a lot of work with
> NASA so perhaps we do more DNS lookups in this zone than typical.
>
> Any help would be appreciated.
It's possibly because nasa.gov has no A or CNAME records for nasa.gov,
whereas www.nasa.gov has multiple Aliases, but no A record. I can see this
may cause a problem when a user tries to go to http://nasa.gov (without the
www), and DNS tries to cache a non-value.
Notice in the nslookup results that nasa.gov has no entry, but www.nasa.gov
has three Aliases.
nslookup
> nasa.gov
Server: ace-dc-01.mydomain.com
Address: 192.168.120.50
Name: nasa.gov
> www.nasa.gov
Server: ace-dc-01.mydomain.com
Address: 192.168.120.50
Non-authoritative answer:
Name: a1718.x.akamai.net
Addresses: 64.212.198.41
64.212.198.24
Aliases:
www.nasa.gov
www.nasa.gov.speedera.net
www.nasa.gov.edgesuite.net
----
I tried to run a report at www.dnsstuff.com for 'nasa.gov.' It stated there
are 5 errors, and nasa.gov is on 6 blacklists, however it wanted me to join
to get the report, but I do not have a membership. It would be interesting
to see what they say about it.
Curious, why are you manually creating the zone? What records are you
creating under the zone? And also curious, why not just allow a forwarder to
resolve nasa.gov records, and not manually create the zone? Or set a
Conditional Forwarder for nasa.gov to their SOAs?
--
Ace
This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.
Please reply back to the newsgroup or forum to benefit from collaboration
among responding engineers, and to help others benefit from your resolution.
Ace Fekay, MCT, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer
http://twitter.com/acefekay
For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
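The "scalpel" Michael asks for in point 4, and the comparison he describes in point 1 (the internal server fails while the authoritative servers still answer), can be scripted. The example below is added here and is not from either poster: it queries one probe name against the internal Windows DNS server and against one of the zone's authoritative servers, and only when the cache disagrees with the authority does it remove that single node from the server cache with dnscmd's /NodeDelete against the ..Cache pseudo-zone, rather than clearing the whole cache. It assumes dnspython is installed, dnscmd.exe is on the path, and the server addresses (192.168.120.50 from Ace's nslookup output; 192.0.2.53 is a placeholder for a nasa.gov authoritative server) are substituted for your own.

```python
"""Flush one stale zone node from a Windows DNS server cache, not the whole cache."""
import subprocess
from typing import List, Optional

ZONE = "nasa.gov"
PROBE = "www.nasa.gov"           # a name known to exist inside the zone
INTERNAL_DNS = "192.168.120.50"  # internal Windows DNS server (from the thread's nslookup)
AUTH_DNS = "192.0.2.53"          # PLACEHOLDER: one of the zone's authoritative servers


def classify(internal: Optional[List[str]], authoritative: Optional[List[str]]) -> str:
    """Pure decision step: None means NXDOMAIN/no data/timeout, a list means addresses.

    Only the combination 'authority answers, our cache does not' is a cache problem
    worth flushing; if the authority itself fails, flushing would change nothing.
    """
    if authoritative is None:
        return "upstream_problem"
    if internal:
        return "ok"
    return "stale_cache"


def query(name: str, server: str) -> Optional[List[str]]:
    """Ask one specific server for A records (CNAME chains are followed by dnspython)."""
    import dns.exception
    import dns.resolver
    resolver = dns.resolver.Resolver(configure=False)  # ignore the OS resolver config
    resolver.nameservers = [server]
    try:
        return [rr.address for rr in resolver.resolve(name, "A")]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.exception.Timeout):
        return None


def flush_node(server: str, zone: str) -> List[str]:
    """dnscmd invocation that deletes only this node and its subtree from the cache."""
    return ["dnscmd", server, "/NodeDelete", "..Cache", zone, "/tree", "/f"]


def main() -> None:
    verdict = classify(query(PROBE, INTERNAL_DNS), query(PROBE, AUTH_DNS))
    print(f"{PROBE}: {verdict}")
    if verdict == "stale_cache":
        subprocess.run(flush_node(INTERNAL_DNS, ZONE), check=True)


if __name__ == "__main__":
    main()
```

Run it from a scheduled task on each internal server; because it acts only on the "stale_cache" verdict, a genuine outage at NASA's side (Michael's point 1) leaves the cache untouched.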