uscourts.gov Resolution Problem

I am having a problem with resolving names ending in uscourts.gov. I am
using Windows 2003 domain controllers as DNS servers. When the problem
occurs it is for all users using that server. Shutting down the DNS service
on the server for a few seconds and starting it back up fixes the issue.
When the problem is occurring, it is only for URL's ending with uscourts.gov,
other addresses can be resolved. Clients can be XP or Vista. I am using a
CheckPoint firewall where I have opened up DNS specifically for all DNS
servers. No errors are shown in the Windows event logs or the firewall logs.

Any help is appreciated.

What happens when you access the same sites by IP during these "blackout"
times? Are you internal to uscourts.gov?

If this is an external site from where your users sit (in other words, you
are not uscourts.gov) then maybe your DNS cache is getting poisoned? Google
on "cache poisoning".

"Michael K." <> wrote in message
news:E821335A-70D1-4270-A6AD-...
>I am having a problem with resolving names ending in uscourts.gov. I am
> using Windows 2003 domain controllers as DNS servers. When the problem
> occurs it is for all users using that server. Shutting down the DNS
> service
> on the server for a few seconds and starting it back up fixes the issue.
> When the problem is occurring, it is only for URL's ending with
> uscourts.gov,
> other addresses can be resolved. Clients can be XP or Vista. I am using
> a
> CheckPoint firewall where I have opened up DNS specifically for all DNS
> servers. No errors are shown in the Windows event logs or the firewall
> logs.
>
> Any help is appreciated.

"Michael K." <> wrote in message
news:E821335A-70D1-4270-A6AD-...
>I am having a problem with resolving names ending in uscourts.gov. I am
> using Windows 2003 domain controllers as DNS servers. When the problem
> occurs it is for all users using that server. Shutting down the DNS
> service
> on the server for a few seconds and starting it back up fixes the issue.
> When the problem is occurring, it is only for URL's ending with
> uscourts.gov,
> other addresses can be resolved. Clients can be XP or Vista. I am using
> a
> CheckPoint firewall where I have opened up DNS specifically for all DNS
> servers. No errors are shown in the Windows event logs or the firewall
> logs.
>
> Any help is appreciated.

Using Checkpoint? That sounds familiar. I bet is is an EDNSO issue. Read the
following, please:

Some firewalls may reject network traffic that originates from Windows
Server 2003 Service Pack 1-based or Windows Vista-based computers
(This one also relates to the Checkpoint issue documented below.)
http://support.microsoft.com/default.aspx/kb/899148

Checkpoint Firewall and AD, DNS and RPC Communications and Replication
traffic

Checkpoint firewalls have a known issue if you are running R55 or older. You
will need to
make a registry entry to allows traffic to flow between the 2 sites via the
vpn. The preferred solution is to upgrade the Checkpoint firewall.


--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer


For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

"Efficiency is doing things right; effectiveness is doing the right
things." - Peter F. Drucker
http://twitter.com/acefekay

We are external to uscourts.gov and we can access by IP address. We can also
access any other site that we try by using the url, ie. www.google.com works
fine. I have previously read that it may have something to do with the DNS
servers for uscourts.gov using clustered servers, but I have not been able to
find any other information.

"Spin" wrote:

> What happens when you access the same sites by IP during these "blackout"
> times? Are you internal to uscourts.gov?
>
> If this is an external site from where your users sit (in other words, you
> are not uscourts.gov) then maybe your DNS cache is getting poisoned? Google
> on "cache poisoning".
>
> "Michael K." <> wrote in message
> news:E821335A-70D1-4270-A6AD-...
> >I am having a problem with resolving names ending in uscourts.gov. I am
> > using Windows 2003 domain controllers as DNS servers. When the problem
> > occurs it is for all users using that server. Shutting down the DNS
> > service
> > on the server for a few seconds and starting it back up fixes the issue.
> > When the problem is occurring, it is only for URL's ending with
> > uscourts.gov,
> > other addresses can be resolved. Clients can be XP or Vista. I am using
> > a
> > CheckPoint firewall where I have opened up DNS specifically for all DNS
> > servers. No errors are shown in the Windows event logs or the firewall
> > logs.
> >
> > Any help is appreciated.
>
>

I am running a much later version of Checkpoint and I am running it on
SecurePlatform, not Windows...

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "Michael K." <> wrote in message
> news:E821335A-70D1-4270-A6AD-...
> >I am having a problem with resolving names ending in uscourts.gov. I am
> > using Windows 2003 domain controllers as DNS servers. When the problem
> > occurs it is for all users using that server. Shutting down the DNS
> > service
> > on the server for a few seconds and starting it back up fixes the issue.
> > When the problem is occurring, it is only for URL's ending with
> > uscourts.gov,
> > other addresses can be resolved. Clients can be XP or Vista. I am using
> > a
> > CheckPoint firewall where I have opened up DNS specifically for all DNS
> > servers. No errors are shown in the Windows event logs or the firewall
> > logs.
> >
> > Any help is appreciated.
>
> Using Checkpoint? That sounds familiar. I bet is is an EDNSO issue. Read the
> following, please:
>
> Some firewalls may reject network traffic that originates from Windows
> Server 2003 Service Pack 1-based or Windows Vista-based computers
> (This one also relates to the Checkpoint issue documented below.)
> http://support.microsoft.com/default.aspx/kb/899148
>
> Checkpoint Firewall and AD, DNS and RPC Communications and Replication
> traffic
>
> Checkpoint firewalls have a known issue if you are running R55 or older. You
> will need to
> make a registry entry to allows traffic to flow between the 2 sites via the
> vpn. The preferred solution is to upgrade the Checkpoint firewall.
>
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
> Microsoft Certified Trainer
>
>
> For urgent issues, you may want to contact Microsoft PSS directly. Please
> check http://support.microsoft.com for regional support phone numbers.
>
> "Efficiency is doing things right; effectiveness is doing the right
> things." - Peter F. Drucker
> http://twitter.com/acefekay
>
>
>

"Michael K." <> wrote in message
news:B3989D09-E5F2-4851-80C5-...
>I am running a much later version of Checkpoint and I am running it on
> SecurePlatform, not Windows...

Is EDNS0 enabled in the Checkpoint firewall?

Does this JUST affect uscourts.gov, or any other website?
Does it affect JUSt uscourts.gov, but you can get to www.uscourts.gov?

When I looked it up using nslookup, there is no record for uscourts.gov, but
there is for www.uscourts.gov.

nslookup
> uscourts.gov
Server: ace-dc-01.nwtraders.com
Address: 192.168.100.200

Name: uscourts.gov

> www.uscourts.gov
Server: ace-dc-01.nwtraders.com
Address: 192.168.100.200

Non-authoritative answer:
Name: a381.g.akamai.net
Addresses: 8.18.95.27
8.18.95.25
Aliases: www.uscourts.gov
www.uscourts.gov.edgesuite.net

Ace

We are having the same issue.
We are running Windows 2003 Server SP2 Domain controllers/DNS servers.
We are able to access uscourts.gov when I clear the DNS cache.
We are not using a Checkpoint firewall (it's an older Watchguard Firebox).

Brian

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "Michael K." <> wrote in message
> news:B3989D09-E5F2-4851-80C5-...
> >I am running a much later version of Checkpoint and I am running it on
> > SecurePlatform, not Windows...
>
> Is EDNS0 enabled in the Checkpoint firewall?
>
> Does this JUST affect uscourts.gov, or any other website?
> Does it affect JUSt uscourts.gov, but you can get to www.uscourts.gov?
>
> When I looked it up using nslookup, there is no record for uscourts.gov, but
> there is for www.uscourts.gov.
>
> nslookup
> > uscourts.gov
> Server: ace-dc-01.nwtraders.com
> Address: 192.168.100.200
>
> Name: uscourts.gov
>
> > www.uscourts.gov
> Server: ace-dc-01.nwtraders.com
> Address: 192.168.100.200
>
> Non-authoritative answer:
> Name: a381.g.akamai.net
> Addresses: 8.18.95.27
> 8.18.95.25
> Aliases: www.uscourts.gov
> www.uscourts.gov.edgesuite.net
>
> Ace
>
>
>

"Brian" <> wrote in message news:170EF679-CD02-4156-8838-...
> We are having the same issue.
> We are running Windows 2003 Server SP2 Domain controllers/DNS servers.
> We are able to access uscourts.gov when I clear the DNS cache.
> We are not using a Checkpoint firewall (it's an older Watchguard Firebox).
>
> Brian


Brian,

As i stated to the other poster, there is no record for uscourts.gov, but there is one for www.uscourts.gov. Which record are you trying to connect to?

Also, regarding the Firebox, does it support EDNS0?

Ace

Ace,

it doesn't matter.. I tried both with and without the www.
no bones until I clear the cache.

I'm not sure about the firewall supporting EDNSO. I'll check on that, but
how would clearing the cache make the problem go away if the firewall was the
problem?

Brian


"Ace Fekay [Microsoft Certified Trainer]" wrote:

> "Brian" <> wrote in message news:170EF679-CD02-4156-8838-...
> > We are having the same issue.
> > We are running Windows 2003 Server SP2 Domain controllers/DNS servers.
> > We are able to access uscourts.gov when I clear the DNS cache.
> > We are not using a Checkpoint firewall (it's an older Watchguard Firebox).
> >
> > Brian
>
>
> Brian,
>
> As i stated to the other poster, there is no record for uscourts.gov, but there is one for www.uscourts.gov. Which record are you trying to connect to?
>
> Also, regarding the Firebox, does it support EDNS0?
>
> Ace
>
>
>
>

"Brian" <> wrote in message news:58AFB743-7B21-41DF-B79C-...
> Ace,
>
> it doesn't matter.. I tried both with and without the www.
> no bones until I clear the cache.
>
> I'm not sure about the firewall supporting EDNSO. I'll check on that, but
> how would clearing the cache make the problem go away if the firewall was the
> problem?
>
> Brian

Good question. Possibly a bad cache entry? Does the DNS server have all the latest updates?

Looking further into it, it may well be due to the fact that www.uscourts.gov actually has two aliases, which doesn't make sense, especially if one of the aliases, www.uscourts.gov.edgesuite.net, does not respond.

Non-authoritative answer:
Name: a381.g.akamai.net
Address: 8.18.94.107
Aliases: www.uscourts.gov
www.uscourts.gov.edgesuite.net

Are you the administrator for this domain? Since you are the second person indicating an issue about this, it concerns me that the domain records are not correct. So if you ask me, that second alias needs to be REMOVED, as well as create a record for uscourts.gov (without the www). At least remove the non-working alias so the issue for www.uscourts.gov is resolved.

Ace