Strange DNS issue -- need advice, not help.

Athenor

I just had one of those "WTF" computer support issues. Anyone have any idea what's going on?

Every time IE opened or closed, it would lose the DNS entry of our corporate timeclock. The only way to fix it would be to open and close the Network Connection TCP/IP properties, but that only worked until the next time IE was opened or closed.

Turned out that corporate gave us 3+ Domain name servers to connect to for the intranet. If I used just one, it would work fine. But if I used the 2nd or 3rd ones as backup, the weird behavior with the time server would show up. Now obviously I'm just running on the 1, but I feel vulnerable only operating with 1 name server. Plus, other computers on the network run all 3 DNS just fine without conflicts.

Anyone have any clue whatsoever what might make my boss's DNS wig out like that?

Ruckus

Athenor wrote: »

I just had one of those "WTF" computer support issues. Anyone have any idea what's going on?

Every time IE opened or closed, it would lose the DNS entry of our corporate timeclock. The only way to fix it would be to open and close the Network Connection TCP/IP properties, but that only worked until the next time IE was opened or closed.

Turned out that corporate gave us 3+ Domain name servers to connect to for the intranet. If I used just one, it would work fine. But if I used the 2nd or 3rd ones as backup, the weird behavior with the time server would show up. Now obviously I'm just running on the 1, but I feel vulnerable only operating with 1 name server. Plus, other computers on the network run all 3 DNS just fine without conflicts.

Anyone have any clue whatsoever what might make my boss's DNS wig out like that?

Disable plugins for IE and run an updated virus and malware scan. I've heard of IE malware that redirects DNS lookups through 3rd party DNS servers (but I've never actually seen proof of it's existence myself).

Athenor

But why would 1 DNS by itself work, but not when 2 or 3 are added?

Also, this computer is running McAfee On-access scan (oh my god I wish it wasn't, it's a corporate thing).

PirateJon

If I used just one, it would work fine. But if I used the 2nd or 3rd ones as backup, the weird behavior with the time server would show up

'splain the weird behavior. Like, ipconfig /all didn't show the 2nd or 3rd servers?

First thing I would do is totally check each DNS box and make sure they respond with the right info. nslookup against each server.

Athenor wrote: »

Also, this computer is running McAfee On-access scan (oh my god I wish it wasn't, it's a corporate thing).

That software is the craps.

truck-a-sauras

Ruckus wrote: »

Disable plugins for IE and run an updated virus and malware scan. I've heard of IE malware that redirects DNS lookups through 3rd party DNS servers (but I've never actually seen proof of it's existence myself).

it isn't IE only for that. had it happen to me. mainly use firefox, but was running without virus protection of any kind for a long time. I don't like to wear protection.... it just feels so good surfing the net nekkid.

but since MS put out security essentials and it is free I've gone and picked up my free jimmy hat at the clinic. Just had to manually alter the DNS to an appropriate value and then scan and clean out all the junk.

Athenor

By weird behavior I meant that sometimes it would see the corporate domain with 1 of the lookups, but not with the 2nd or 3rd in there. Sometimes it would work, sometimes it wouldn't as well depending on which corporate server it was trying to talk to (a datashare versus the timeclock). Normally I would get around this by direct IP addresses, but the timeclock requires a DNS lookup.

Furthermore, I found a second computer that was having this issue. Same symptoms: couldn't connect to corporate addresses, only had 3 DNS lookups listed in the properties of TCP/IP, when I removed 2 of them it worked.

Does it matter that both of these computers are running some weird program that acts as a calendar and randomly changes the wallpaper of the desktop?

PirateJon

words your don't make together sense. I'd like to help but you gotta post some meat.

use the tool nslookup to check that all three DNS servers are on-line and you get the proper name resolution from each. If all three server are online and responding with the proper results then this is a client issue.

Furthermore, I found a second computer that was having this issue. Same symptoms: couldn't connect to corporate addresses, only had 3 DNS lookups listed in the properties of TCP/IP, when I removed 2 of them it worked.

Same two?

Does it matter that both of these computers are running some weird program that acts as a calendar and randomly changes the wallpaper of the desktop?

Wall paper doesn't impact DNS resolution. If this program does some other shit on the side, well who knows man.

Athenor

Sorry. I'm trying my best to explain the problem.

Same two DNS's.


Here's our structure, best as I can describe it.

Where I work runs a cloud-based network. Every computer has a static IP, as no DHCP is available (they are all turned off).

Our gateway/router is a Cisco that creates a VPN with corporate. Corporate has its own DNS, which are effectively like any internet DNS but also with some custom domains for corporate resources. The ones I'm most familiar with are the datastores and the timeclock server.

As far as I know, we have 3 DNS IP addresses that we were instructed to plug in. So I do, in a certain order. (I'm trying to be vague jusssst in case I violate any corporate secrecy shit here.) However, for these two computers, having just these three IP addresses causes the corporate domains to not work, even though the rest of the internet is accessible just fine. It's almost as if the later DNS's on the list are overwriting the earlier ones, but if I re-arrange them the corporate domains stop working altogether.


I'll look into nslookup tomorrow when I'm back at work.

Again, sorry if I'm not providing enough detail.

Djeet

Has this always happened or did this start recently after some change?

Sounds like what you're saying is that your internal DNS resolution occurs over a VPN link to Corporate. This seems strange to me. Why not have an internal DNS server on your side of the VPN link that does zone transfers from the DNS servers at Corporate?

Anyways this sounds like a routing issue. Like either (1) the DNS resolver on your statically configured clients is sending out DNS queries improperly when trying to send to DNS servers 2 and 3 (there are several reasons why this might be happening) or (2) there is a routing issue, meaning either your VPN gateways/routers don't know how to properly direct outbound DNS requests to servers 2 and 3 at Corporate, or the DNS server or VPN gateways/routers aren't handling the return path properly.

Using nslookup to directly query DNS servers 2 and 3 should yield some insight. If your DNS resolver can retrieve DNS entries directly the something's probably fucked at the application level.


Being circumspect is great, but given the nature of the problem you're probably not going to reveal any information that can hurt you if you went into more detail, presuming all the IP information is private addressing.

Athenor

Yeah, we have had a few changes as of late. We were kind of a "special case" in the corporate structure -- our ISP went out of business, so we switched to Verizon, and about a month ago Corporate finally got us onto the phoenix of the dead ISP (literally the same company/connections/all that).

In the past, the only thing that we really pulled down from the VPN was corporate's ability to remote into our register servers and the datastores. But more and more control is being taken from the store level and moved to corporate, and this last week we migrated to a new payroll system that required the use of the VPN. And we had to go through the Domain -- if I directly went into the IP, errors occurred.

Corporate is playing with having a domain server on the store level, but I doubt that will happen. Considering I'm a register jockey providing on-site contractor-level work, making minimum wage and having to get fixes done between my normal duties.. yeah. But I won't bitch about work too much.

Honestly, I'd love nothing more than for the store to have a domain structure with its own DHCP and DNS, and then VPN through that into corporate. It would give corporate more control, and it would make maintenance far easier. But hey.. we are only running approx. 70 or so unique IP-based devices at work, when most of corporate's stores are only running 5-10, if that many! So of course we should be treated like the smaller stores, right?

Erm.. sorry. Guess I lied there about the bitching part.

Athenor

Well, nslookup is a hell of a program! Thanks!

Yeah. One of the two DNS's that corporate gave me in the past was for one of their mail servers, and the other wasn't actually named. Neither of them have the corporate private addresses in them, so it makes sense that they wouldn't work by themselves.

So that leads to the next question: Can the secondary DNS lookups override the earlier ones? For example:
10.X.X.X is the primary, that works.
216.X.X.9 is the secondary, that doesn't.
216.X.X.11 is the tetriary, which doesn't either.

(And some computers have more entries past those 3.)

Actually, now that I know what the third one is (the mail server), it makes sense that it wouldn't list the corporate domains. So I'm just trying to figure out if the order matters.

Ruckus

Athenor wrote: »

Well, nslookup is a hell of a program! Thanks!

Yeah. One of the two DNS's that corporate gave me in the past was for one of their mail servers, and the other wasn't actually named. Neither of them have the corporate private addresses in them, so it makes sense that they wouldn't work by themselves.

So that leads to the next question: Can the secondary DNS lookups override the earlier ones? For example:
10.X.X.X is the primary, that works.
216.X.X.9 is the secondary, that doesn't.
216.X.X.11 is the tetriary, which doesn't either.

(And some computers have more entries past those 3.)

Actually, now that I know what the third one is (the mail server), it makes sense that it wouldn't list the corporate domains. So I'm just trying to figure out if the order matters.

I'd contact your corporate IT and confirm that all three are supposed to be DNS, it's unusual for a company to run DNS and mail on the same server, especially in a Windows Domain network. Also, the 10 address are private non-routable, obviously inside your VPN network, but 216 is public routable, outside your VPN network.

Theoretically, as long as the Corporate 10.x.x.x DNS server is configured to industry standards, you could use 10.x.x.x as your only DNS server. It's likely the only one providing you with domain specific DNS info anyway. The 216 subnet servers, if they are even providing DNS lookups, probably only would help with Internet address lookups if 10.x.x.x wasn't responding (or wasn't responding fast enough).

Athenor

Yeah, I'm going to remove the 216's. I just still don't understand why some computers get the private addresses off 10. and not others. Then again, a local IT guy mentioned it might be related to older versions of Internet Explorer, so who knows.

Ah well. I'll work on it from here. Thank you guys SO much, you just gave me another tool that will really help with diagnosing problems!