Re: Non-existent A record being returned...

"Ray Van Dolson" <> wrote in message
news:9820cc39-6bad-4337-8880-...
> When querying hostname.tld.com from our Windows 2003 DNS servers, the
> record is returned as follows (for multiple queries:
>
> ; Query 1
> hostname.tld.com. 557 IN A 10.49.104.226
> ; Query 2
> hostname.tld.com. 556 IN A 10.49.104.226
>
> The DNS server(s) being queried are SOA's for tld.com. Other records
> queried from these servers are not returned with a decrementing TTL.
>
> So it seems like the host above is part of the cache on the server,
> but looking at the cache for tld.com the entry isn't there. We don't
> have an A record defined at all for hostname.tld.com.
>
> These DNS servers are set up to forward queries to two other DNS
> servers, but a packet dump and query log examination show that queries
> for hostname.tld.com are not being forwarded...
>
> Maybe flushing the cache would help, but haven't tried it yet.
>
> I did dump the entire tld.com zone with dnscmd. Searchin through for
> the IP comes up with one A record pointing to that IP address, but
> it's something completely different....
>
> Could this record somehow be hiding in the cache but not visible to
> tools? Maybe it would be pruned by initiating scavenging?
>
> Anyone have any thoughts?


I assume you are using nslookup? Nslookup has it's own resolver service, and
doesn't rely or use Windows resolver service, or the local cache (ipconfig
/flushdns doesn't work with nslookup), but rather directly queries DNS,
where I'm assuming you're referring to clearing the DNS server cache?

Does it exist in your reverse zone?

I can't see, nor heard of 'hidden' records existing, unless possibly using
WINS integration? But then again, that would return the name 'wins' in the
query's FQDN result.

Check the zone's properties, Nameserver tab, and see if it's in there.

There isn't any rogue apps/spyjunk on the machine, possibly?

Try the query with all of your other DNS servers, too, using nslookup
interactive mode, instead of batch (as your examples indicated). Simply
change the server it's using with the 'server' command, such as the
following. I would be curious if they all return the IP, including your
forwarders that you've stated you are forwarding to (assuming internally)
and not just this one DNS you're presently querying in nslookup.

C:\>nslookup
Default Server: ace-dc-01.mydomain.com
Address: 192.168.30.55

> server 192.168.30.someothersever
> hostname.tld.com
<enter>


btw - "TLD" stands for Top Level Domain, which is the root of the FQDN, such
as .com, .local, .net, etc. So in the example, 'hostname.domain.com,' the
'com' is the TLD, and the name 'domain' can be looked at (depending on who
you talk to) as the '1st level domain name' or the 2nd level domain name.'
When the name 'domain' is looked at as the second level name, those folks
will call the TLD (com, net, etc) a first level, then domain would be second
level, etc. I've seen various websites in the past refer to it either one
way or the other, but the root name is definitely called the TLD.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum to benefit from collaboration
among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

"Ray Van Dolson" <> wrote in message
news:2134b625-8c89-4ec9-9811-...
Thanks for the reply Ace,

On Jul 31, 4:15 pm, "Ace Fekay [MCT]" <ace...@mvps.RemoveThisPart.org>
wrote:
> "Ray Van Dolson" <rvandol...@esri.com> wrote in
> messagenews:9820cc39-6bad-4337-8880-...
> > When querying hostname.tld.com from our Windows 2003 DNS servers, the
> > record is returned as follows (for multiple queries:
>
> > ; Query 1
> > hostname.tld.com. 557 IN A 10.49.104.226
> > ; Query 2
> > hostname.tld.com. 556 IN A 10.49.104.226
>
> > The DNS server(s) being queried are SOA's for tld.com. Other records
> > queried from these servers are not returned with a decrementing TTL.
>
> > So it seems like the host above is part of the cache on the server,
> > but looking at the cache for tld.com the entry isn't there. We don't
> > have an A record defined at all for hostname.tld.com.
>
> > These DNS servers are set up to forward queries to two other DNS
> > servers, but a packet dump and query log examination show that queries
> > for hostname.tld.com are not being forwarded...
>
> > Maybe flushing the cache would help, but haven't tried it yet.
>
> > I did dump the entire tld.com zone with dnscmd. Searchin through for
> > the IP comes up with one A record pointing to that IP address, but
> > it's something completely different....
>
> > Could this record somehow be hiding in the cache but not visible to
> > tools? Maybe it would be pruned by initiating scavenging?
>
> > Anyone have any thoughts?
>
> I assume you are using nslookup? Nslookup has it's own resolver service,
> and
> doesn't rely or use Windows resolver service, or the local cache (ipconfig
> /flushdns doesn't work with nslookup), but rather directly queries DNS,
> where I'm assuming you're referring to clearing the DNS server cache?

In this case I was using dig from a Linux box. Also was using the
+norecurse
option.

And yes, we're considering just cleaning out the server's cache to see
if this
triggers anything.

>
> Does it exist in your reverse zone?
>

Nope...

> I can't see, nor heard of 'hidden' records existing, unless possibly using
> WINS integration? But then again, that would return the name 'wins' in the
> query's FQDN result.
>
> Check the zone's properties, Nameserver tab, and see if it's in there.

Definitely not there... and we weren't seeing wins in the query result
either.

>
> There isn't any rogue apps/spyjunk on the machine, possibly?
>

Pretty confident there is not, though I'm not one of the admins of
these
machines... the thought had crossed my mind however and we'll probably
double check.

> Try the query with all of your other DNS servers, too, using nslookup
> interactive mode, instead of batch (as your examples indicated). Simply
> change the server it's using with the 'server' command, such as the
> following. I would be curious if they all return the IP, including your
> forwarders that you've stated you are forwarding to (assuming internally)
> and not just this one DNS you're presently querying in nslookup.

It was showing up this way on all the DNS servers (tested with dig
mind
you). Initial query would indicate a 900 second TTL, and subsequent
queries
directly to the DNS server showed a decrementing TTL number like it
was
giving me a cached response for something it wasn't authoritative for.

Very odd.

In any case, one of the other admins just manually created an A record
for that hostname and now the DNS servers are returning that A record
instead of the one I was seeing before.

So unfortunately doesn't look like I'll be able to dig into this odd
one unless it happens again.

I will note that this hostname did correspond with a machine which had
its IP assigned via DHCP. So it may have registered its hostname at
some point... however, I'd still expect to see the record *somewhere*
in DNS...

Thanks for the reply...
===========================

Ray,

I would think the same, that you would see the record somewhere. Does DIG
use hosts files? I've used DIG, but I'm not an expert at it. I know nslookup
uses it's own resolver. Curious, try it with nslookup to see if there are
any difference. Oh, never mind! There's a new record now. :-)

Is there a WINS server in place? Curious, check the records on it, please.

Well, at least you've overcome this issue, which is a good thing.

Cheers!

Ace