some external domains not resolving

Discussion in 'DNS Server' started by DavidH, Dec 7, 2006.

  1. DavidH

    DavidH Guest

    setup: windows server 2003 standard (srvr1), with AD and DNS server enabled
    behind a firewall.

    DNS on srvr1 Interfaces: Listen on All IP addresses
    Forwarders: DNS servers of ISP

    problem - a user is trying to access a website www.tnchamber.org but can't,
    I've tried from many workstations within the office and can't access this
    one website, all others can be accessed on the web. A tracert resolves the
    name and can start a trace - there is no website blocking on the firewall.
    The ISP can access the website from within their network which we are a part
    of..... so the restriction seems to be coming from inside but I can't figure
    it out. Any ideas?
     
    DavidH, Dec 7, 2006
    #1

  2. If tracert resolves it, then it isn't a DNS problem, but I would double
    check that you are getting the correct IP address (66.18.102.194). Here is
    something else to try:

    Open a command prompt and type "telnet www.tnchamber.org 80" without the
    quotes, and hit enter. This will tell you if the problem is related to your
    web browser or something on the network. If telnet connects, the command
    window will go blank. Type anything in the window and hit enter again to
    disconnect. You'll see some HTML output from the web server and be back at a
    command prompt. If you get "Connect failed" then something is blocking this
    site, or you aren't resolving it to the correct IP address locally. If you
    are able to connect with telnet, it's likely a browser configuration
    problem, perhaps related to the proxy (if you use one).
     
    Greg Lindsay [MSFT], Dec 7, 2006
    #2

  3.
    Greg, there's also a possibility that it may be an EDNS0 issue. However when
    I queried tnchamber.org using nslookup, the response does not appear to be
    larger than 512 bytes (using UDP). However, if it is EDNS0 (which supports
    UDP to allow up to 1280 bytes), then I would think the query supporting
    EDNS0, may not be understood by the firewall and may block the answer coming
    back in.

    DavidH, the only way to test that is to see if nslookup will resolve it at
    the first shot. If not, force it to use TCP (typing in the command "set vc"
    without the quotes). If that works then it's an EDNS0 issue.

    DavidH, not to confuse you, but try Greg's suggested tests first. If the
    problem is resolution (resolving the name to IP in telnet), it may be a
    firewall issue. What type of firewall do you have? What type of internet
    connection/provider do you have?

    Not to confuse the matters more, but if using an ADSL line with PPPoE, it
    could also be an MTU issue on the router.


    --
    Ace
    Innovative IT Concepts, Inc (IITCI)
    Willow Grove, PA

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
    Microsoft MVP - Directory Services
    Microsoft Certified Trainer

     
    Ace Fekay [MVP], Dec 8, 2006
    #3
  4. DavidH

    DavidH Guest

    I received "could not open connection to the host, on port 80: connect
    failed" I tried with other websites and they connected. I double checked
    the firewall and no websites/IP addresses are being blocked. I'm swapping
    out the firewall soon since this one (sonicwall) is limited. I'll see if
    that affects anything.
     
    DavidH, Dec 11, 2006
    #4
  5. DavidH

    DavidH Guest

    I ran nslookup and received:

    Can't find server name for address 192.168.0.105 "our dns server":
    Non-existent domain
    Server: UnKnown
    address: 192.168.0.105

    Non-authoritative answer:
    Name: www.tnchamber.org
    address: 66.18.102.194

    I believe I have our DNS server configured correctly - forwarders are
    pointed at our ISP DNS servers, but for DNS requests our DNS server is
    listed.
     
    DavidH, Dec 11, 2006
    #5
  6. The error message below just means that you haven't set up reverse DNS (i.e.
    PTR records) for your web server yet. It does appear that you are resolving
    the correct IP address.

    I did notice a small problem with that web site address. Reverse DNS for
    66.18.102.194 resolves to neo.digitalminds.net which has no corresponding A
    record. This may not be significant, but if your firewall has a security
    feature that requires a valid reverse DNS record in order to connect, this
    could be causing the problem.

    I noticed that www.digitalminds.net has the same IP address as
    www.tnchamber.org which means they are both sites on the same web server.
    That gives you an opportunity for another test. See if you can access
    www.digitalminds.net ! If you can't, then you know the problem is not the
    tnchamber.org domain, but the web server itself.

    --
    Greg Lindsay [MSFT]

    Disclaimer: This posting is provided "AS IS" with no warranties, and confers
    no rights.
     
    Greg Lindsay [MSFT], Dec 11, 2006
    #6
  7. DavidH

    DavidH Guest

    Thanks - I'm upgrading the firewall this week so hopefully that will clear
    up the issue.

     
    DavidH, Dec 11, 2006
    #7
  8.
    It may or may not. Just in case, look for an EDNS0 setting in your new
    firewall, or ask the vendor or support. This is also known as DNS UDP
    packets up to 1280 bytes.

    Ace
     
    Ace Fekay [MVP], Dec 12, 2006
    #8