Sunday, March 16, 2008

More Issues

Some previous firewall configuration was carried over as part of the migration as well. Unfortunately, this created some more problems. For some reason, DNS doctoring was turned on pretty much everywhere. It was being overused to the point that DNS replies of internet addresses were getting overwritten with DMZ addresses. Naturally, this caused a number of internet services to fail.

Now I really haven't messed with DNS doctoring much since the alias days. It seems to be a lot easier now, since all one needs to do is to add the dns option to the static translation.

But the real question is, why wasn't this failing before the upgrade? I don't know. I turned off DNS inspection to kill this. That fixed the issue, but it took time to propagate.

The default DNS TTL is 3 hours, so anyone whose resolver had cached a bad record could wait up to 3 hours for that record to expire and be looked up again.

To check the TTL remaining on a cached record, nslookup can be used in debug mode:

c:\>nslookup
Default Server: cns.manassaspr.va.dc02.comcast.net
Address: 68.87.73.242
> set debug
> www.somecompany.com
Server: cns.manassaspr.va.dc02.comcast.net
Address: 68.87.73.242
------------------------
Got answer: HEADER: opcode = QUERY, id = 5, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0
QUESTIONS: www.somecompany.com, type = A, class = IN
ANSWERS: -> www.somecompany.com internet address = 10.1.1.100
ttl = 205 (3 mins 25 secs)
------------
Non-authoritative answer:
Name: www.somecompany.com
Address: 10.1.1.100
>
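The same check, scripted, as an added example that is not part of the original post: a small Python program that parses a raw DNS response in wire format, reports each A answer with its remaining TTL in the same form nslookup prints it, and flags answers where an internet name comes back with a private address, which is exactly what an over-applied doctored reply looks like from the outside. The response bytes are constructed inline to mirror the nslookup session above (www.somecompany.com answering 10.1.1.100 with a TTL of 205); they are not a capture, and the function and variable names are mine.

```python
"""Spot DNS-doctored answers in a raw DNS response.

Added example, not from the original post. The response bytes are constructed
inline to mirror the nslookup output above; nothing here touches the network.
"""
import ipaddress
import struct


def build_response(name, addr, ttl, txid=5):
    """Build a minimal DNS wire-format response: one question, one A answer.

    Constructed test data only. The answer name is a compression pointer
    (0xC00C) back to the question name at offset 12, as real resolvers emit.
    """
    def qname(n):
        return b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                        for lbl in n.split(".")) + b"\x00"

    # flags 0x8180: response, recursion desired, recursion available
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = qname(name) + struct.pack("!HH", 1, 1)       # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
    answer += ipaddress.IPv4Address(addr).packed
    return header + question + answer


def _read_name(msg, off):
    """Decode a (possibly compressed) domain name; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                     # resume after the pointer
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_answers(msg):
    """Return [(name, address, ttl)] for every A/IN record in the answer section."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                      # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                  # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return answers


def doctored_answers(msg):
    """A answers carrying a non-public address.

    ipaddress.is_private covers RFC 1918 plus loopback, link-local and other
    IANA special-use ranges. For a public name queried through a public
    resolver, such an address in the answer means something rewrote the
    reply, which is what the over-applied doctoring in the post produced.
    """
    return [(n, a, t) for n, a, t in parse_answers(msg)
            if ipaddress.IPv4Address(a).is_private]


def fmt_ttl(ttl):
    """Render seconds the way nslookup does, e.g. 205 -> '3 mins 25 secs'."""
    parts = []
    for unit, secs in (("hour", 3600), ("min", 60), ("sec", 1)):
        n, ttl = divmod(ttl, secs)
        if n:
            parts.append(f"{n} {unit}{'s' if n != 1 else ''}")
    return " ".join(parts) or "0 secs"


if __name__ == "__main__":
    # Constructed sample mirroring the nslookup session above (not a capture).
    sample = build_response("www.somecompany.com", "10.1.1.100", 205)
    for name, addr, ttl in parse_answers(sample):
        print(f"{name} -> {addr}  ttl = {ttl} ({fmt_ttl(ttl)})")
    for name, addr, ttl in doctored_answers(sample):
        print(f"DOCTORED? {name} answered with private address {addr}; "
              f"stale copies expire in at most {fmt_ttl(ttl)}")
```

Run it against responses captured from a client outside the firewall (tcpdump or a raw UDP query to the ISP resolver); a hit means an internet name is being rewritten, and the printed TTL is the longest any downstream cache can keep serving it. As for the fix, the dns keyword only belongs on the statics whose inside host internal clients reach by its public name; removing it from the rest is narrower than disabling DNS inspection, which also drops the ASA's DNS guard and ID-matching checks.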
