Hey all,

 

A while back, I made a topic regarding some major networking issues my organization was having. I DID basically solve them, and everything works smoothly for the most part. Thanks to all who helped!

 

However, there is a small issue that I thought I had fixed, which seems to have come back to some extent.

 

Basically, our network exists on domain.org. We also have a publicly accessible website which is hosted offsite, outside of the network, at the address domain.org.

 

If you access the website from anywhere BUT the office, there is no problem. Everything loads fine. However, if you try to access domain.org (or www.domain.org, or http://www.domain.org) then it seems to take a really long time to resolve. The browser just sits there churning for a bit, and then finally, the website pulls up and loads normally. It should be noted that if you access it via IP address, it loads perfectly fine, even within the network.

 

Clearly, there is some sort of DNS/resolution issue going on, but I am stumped as to what the problem is. I already have an alias which points the parent directory (domain.org) to the proper IP address. I also have a www alias which points to the same IP address. From my understanding, that is all I should need to get things working properly, but that doesn't seem to be the case.

 

I did notice there is a secondary host record for domain.org which points to our local server's internal IP address. This record seems to be dynamically and automatically added - I didn't add it myself, and it has a timestamp, rather than the "static" tag that the record I added for our website has.

 

Perhaps there is an issue where the dynamic record gets checked first, and only reverts to the manual record after some sort of time-out? I'm not entirely sure. I'm afraid that if I remove the dynamic record which points to our internal server, that will break functionality for our internal system.

 

Any insight or recommendations would be greatly appreciated. Thanks in advance!

Sorry, I forgot to put details into the post, rather than just the (admittedly vague) tags. We are using Windows 2012 R2 to manage a variety of things, including DNS. And yes, it's a publicly resolvable domain, but as I said, the same exact domain is used for our internal network, thus, by default directs to 10.10.10.6, rather than the public IP address of our external website.

So computers are computername.domain.com and your website is say www.domain.com.

You should have an A record in your DNS records for www.domain.com pointing to the external IP of the web server, and make sure you are not using http://domain.com to browse the site.

But you said http://www.domain.com and http://domain.com both take just as long?

Also maybe take a look at this - http://www.itgeared.com/articles/1005-active-directory-domain-name/

Yes, I do have an A record for www, as well as the parent directory, which points to the proper IP. Yet, even when using www.domain.org, it takes a long time. I forgot to mention that when you do type it in like that, it ends up being converted to domain.org anyways so I suspect that on the web host's end, they are directing all requests back to domain.org, making my A records useless. Does that make sense?

 

Anyways, as for the fact that our AD domain is domain.org, that is unfortunately something beyond me. The previous technician set it up that way, even though I myself would have set it up on local.domain.org for simplicity's sake and saved us a lot of headaches. I did try migrating us to the local domain, but I had issues. Having said that, we had LOTS of issues when I tried that, many of which I have since fixed. Perhaps a migration would work now.

 

I was hoping to have a quick fix for the website though, until I can manage to do that.

"The same exact domain is used for our internal network"

 

Not a good idea!!

 

So what is the real domain? It sure isn't domain.org -- I want to look at what it resolves to publicly and from where. You do not host your own external DNS off your AD DNS servers, this 2012 R2 box, do you?

 

Where do your clients point for DNS? It should only be your AD DNS server. Do a simple query for www.domain.org (using your real domain); does it resolve to the internal IP address? You're saying it resolves to the local IP of 10.10.10.6 -- well then that should be pretty much instant..

 

From a client machine do nslookup and then set debug.

 

C:\>nslookup
Default Server:  pfSense.local.lan
Address:  192.168.9.253

> set debug
> www.domain.org
Server:  pfSense.local.lan
Address:  192.168.9.253

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.domain.org.local.lan, type = A, class = IN

------------
------------
Got answer:

 

And post that full output... Notice how it looked for www.domain.org.local.lan first -- this is suffix search. Wonder if that is causing you problems? Please post the whole output; you can replace whatever your real domain is with domain.org if you must.

 

Also are your browsers using a proxy?  Or do they directly access the internet?  A great test would be sniffing on a client and then going to your website www.domain.org, make sure you do a ipconfig /flushdns first so that we get to see the dns queries in the sniff as well.

 

As to www.domain.org being converted back to domain.org -- that is set up on your website; that is not a DNS-related mechanism. That is a mod_rewrite or other method doing it once you hit your website. We will see what happens with the nslookup debug.

 

While the nslookup debug is helpful, to be honest nslookup is a horrific tool for doing any real DNS troubleshooting. I would really suggest you grab dig. It's part of the BIND install; you can just install the tools for Windows so you can use dig: https://www.isc.org/downloads/
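A client-side check that separates "slow to resolve" from "slow to connect", added here as an example; it is not part of BudMan's post. It flushes the local cache, times the A lookup on its own, prints the suffix search list (the thing that produced the www.domain.org.local.lan query above), and then times a TCP connect to every address the resolver handed back. The host name, the ports (80 and 443) and the 3-second connect timeout are assumptions; run it elevated on an office client whose resolver is the AD DNS server.

```powershell
# Added example, not code from the thread. Run elevated on an office client
# whose resolver is the AD DNS server (elevation is for the cache flush).
# Assumptions: the site listens on TCP 80/443 and a connect that takes longer
# than 3 s counts as hung.
$Name = 'domain.org'
$Ports = 80, 443
$ConnectTimeoutMs = 3000

function Measure-Resolve {
    param([Parameter(Mandatory)][string]$HostName)
    Clear-DnsClientCache                  # a cached answer would hide resolver latency
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $answers = Resolve-DnsName -Name $HostName -Type A -DnsOnly -ErrorAction Stop
    $sw.Stop()
    [pscustomobject]@{
        Name      = $HostName
        ResolveMs = $sw.ElapsedMilliseconds
        # Keep the order the resolver returned: that is the order a client tries them in.
        Addresses = @($answers | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    }
}

function Test-TcpConnect {
    param(
        [Parameter(Mandatory)][string]$Address,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($ar)       # throws if the connect was refused/unreachable
            $result = 'connected'
        } else {
            $result = 'timeout'           # nothing answered: firewall drop or black hole
        }
    } catch {
        $result = 'failed: ' + $_.Exception.GetBaseException().Message
    } finally {
        $sw.Stop()
        $client.Close()
    }
    [pscustomobject]@{ Address = $Address; Port = $Port; Result = $result; Ms = $sw.ElapsedMilliseconds }
}

$r = Measure-Resolve -HostName $Name
'{0}: resolved in {1} ms -> {2}' -f $r.Name, $r.ResolveMs, ($r.Addresses -join ', ')
# nslookup appended .local.lan in the debug output; this is the list it appends from here.
'Suffix search list: ' + ((Get-DnsClientGlobalSetting).SuffixSearchList -join ', ')

# A browser tries the addresses in the order it gets them and only moves on after
# a connect fails or times out, so a private address with no web server behind it
# shows up as a failed/timeout row whose Ms column is the delay the user waits.
$rows = foreach ($ip in $r.Addresses) {
    foreach ($p in $Ports) { Test-TcpConnect -Address $ip -Port $p -TimeoutMs $ConnectTimeoutMs }
}
$rows | Format-Table -AutoSize
```

If ResolveMs is small and one address row is a long timeout or failure, the churning is the browser waiting on that address, not the lookup; that is the same thing a packet capture after ipconfig /flushdns would show, without having to read the capture.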

I installed ISC BIND as you recommended, and ran nslookup on our domain as well as dig. I replaced our actual domain with "domain" and ***'d the first three octets of our website's IP address, but the results are otherwise unedited.

 

nslookup:

>"C:\Program Files\ISC BIND 9\bin\nslookup.exe" domain.org
Server:         10.10.10.6
Address:        10.10.10.6#53


Name:   domain.org
Address: 10.10.10.6
Name:   domain.org
Address: **.***.***.171


>"C:\Program Files\ISC BIND 9\bin\nslookup.exe" www.domain.org
Server:         10.10.10.6
Address:        10.10.10.6#53


Name:   www.domain.org
Address: **.***.***.171

dig:

>"C:\Program Files\ISC BIND 9\bin\dig.exe" domain.org


; <<>> DiG 9.10.2-P2 <<>> domain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32494
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;domain.org.                   IN      A


;; ANSWER SECTION:
domain.org.            600     IN      A       10.10.10.6
domain.org.            600     IN      A       **.***.***.171


;; Query time: 3 msec
;; SERVER: 10.10.10.6#53(10.10.10.6)
;; WHEN: Thu Jul 16 16:43:15 Eastern Daylight Time 2015
;; MSG SIZE  rcvd: 72


>"C:\Program Files\ISC BIND 9\bin\dig.exe" www.domain.org


; <<>> DiG 9.10.2-P2 <<>> www.domain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5993
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.domain.org.               IN      A


;; ANSWER SECTION:
www.domain.org.        3600    IN      A       **.***.***.171


;; Query time: 2 msec
;; SERVER: 10.10.10.6#53(10.10.10.6)
;; WHEN: Thu Jul 16 16:43:27 Eastern Daylight Time 2015
;; MSG SIZE  rcvd: 60

 

Thanks for any help!

As for your question about a proxy, we are definitely not. All our machines have a direct connection to the internet, and this problem occurs on personal machines as well (such as my laptop) which have no problem outside of the office.

;; ANSWER SECTION:
domain.org.            600     IN      A       10.10.10.6
domain.org.            600     IN      A       **.***.***.171

 

Why do you have 2 entries here? You have one for the private site, the 10.x address, and then one for the public -- that's going to be a problem!!

 

You didn't set debug, with dig you can do +trace

 

But I can tell you right now that it is a problem where you have 2 A records for your domain.org -- so one time you might get 10, another time public, with a TTL of 10 minutes until they forget that and ask again, which again is a 50/50 shot they get the one they want. Is your website hosted on 10.10.10.6? ;)

 

Do you want your users to access domain.org or www.domain.org? And I have to assume the site is hosted publicly, right? So resolving it to 10 is going to be a problem.

  On 17/07/2015 at 12:22, Jared- said:

Split brain DNS ugh.

 

Use .local, .internal, .company, something other than your public dns name.  

You didn't read the in between posts, huh? Tsk tsk.

 

@BudMan: Woops, sorry about forgetting the debug argument.

 

As for the double entry... the A entry for the website is static and was added by me. However, the 10.10.10.6 entry is dynamic, and seems to be automatically made by Windows. I was afraid that if I remove it, some sort of functionality might break? Of course, that could be a worthless worry, and everything will be just fine. I guess the other question would be, how do I prevent Windows 2012 from just automatically recreating the entry again, which seems to be something it does?

On that interface uncheck auto registration.

 


 

But that should not be registered since there is no host..

 

This is why you don't use the same ad domain as your public.

 

Your other option is to have the site use www.domain.com vs. redirecting to domain.com. Then you can remove your public entry for domain.com in your AD.
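The posts above describe the problem (two A records at the zone apex, one dynamic and private, one static and public) and the fix (stop the dynamic registration and drop the record). What follows is an added PowerShell example of doing that on the 2012 R2 DNS server itself; it is not something posted in the thread. It assumes the zone is named domain.org and the DC's interface alias is Ethernet. One caveat worth knowing before relying on the interface checkbox alone: that checkbox controls the DHCP client's registration of the DC's own host record, while the A record for the bare domain name on a DC is registered by Netlogon (its LdapIpAddress record) and is switched off separately through the DnsAvoidRegisterRecords value; the example does both.

```powershell
# Added example, not code from the thread. Run elevated on the 2012 R2 DC that
# hosts the AD-integrated zone (10.10.10.6 in the dig output above).
# Assumptions: zone 'domain.org', the DC's interface alias 'Ethernet', and that
# the private apex record is the Netlogon-registered LdapIpAddress record.
Import-Module DnsServer
Import-Module DnsClient

$Zone      = 'domain.org'
$Interface = 'Ethernet'

function Test-PrivateIPv4 {
    # RFC 1918 only; enough to tell the internal DC address from the web host.
    param([Parameter(Mandatory)][string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return (($o[0] -eq 10) -or
            ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
            ($o[0] -eq 192 -and $o[1] -eq 168))
}

function Get-ApexARecords {
    param([Parameter(Mandatory)][string]$ZoneName)
    # '@' is the zone apex: the two 'domain.org.' answers dig returned.
    Get-DnsServerResourceRecord -ZoneName $ZoneName -Name '@' -RRType A |
        ForEach-Object {
            $ip = $_.RecordData.IPv4Address.ToString()
            [pscustomobject]@{
                Address = $ip
                TTL     = $_.TimeToLive
                Dynamic = [bool]$_.Timestamp   # static records carry no timestamp
                Private = Test-PrivateIPv4 -Address $ip
            }
        }
}

$apex = Get-ApexARecords -ZoneName $Zone
$apex | Format-Table -AutoSize

$private = @($apex | Where-Object { $_.Private })
$public  = @($apex | Where-Object { -not $_.Private })

if ($private.Count -gt 0 -and $public.Count -gt 0) {
    Write-Warning "$Zone apex has $($private.Count) private and $($public.Count) public A record(s); clients get them round-robin."

    # 1. Delete the dynamic private record(s); the hand-added static record stays.
    foreach ($rec in ($private | Where-Object { $_.Dynamic })) {
        Remove-DnsServerResourceRecord -ZoneName $Zone -Name '@' -RRType A `
            -RecordData $rec.Address -Force
    }

    # 2. The interface checkbox as a cmdlet: stops the DHCP client from
    #    registering this interface's address for the DC's own host name.
    Set-DnsClient -InterfaceAlias $Interface -RegisterThisConnectionsAddress $false

    # 3. The apex A record on a DC is registered by Netlogon (the LdapIpAddress
    #    record), which step 2 does not touch, so it would otherwise come back on
    #    the next Netlogon refresh. Tell Netlogon to skip that one record only.
    $nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    New-ItemProperty -Path $nl -Name 'DnsAvoidRegisterRecords' `
        -PropertyType MultiString -Value @('LdapIpAddress') -Force | Out-Null
    Restart-Service -Name Netlogon

    # 4. Flush server and local caches so the check below reads the zone, not the cache.
    Clear-DnsServerCache -Force
    Clear-DnsClientCache
}

# Same query dig made, against the server's own listener.
Resolve-DnsName -Name $Zone -Type A -Server 10.10.10.6 -DnsOnly |
    Where-Object { $_.Type -eq 'A' } |
    Select-Object Name, TTL, IPAddress
```

Only the apex A record is affected; the DC's own host record and the _ldap/_kerberos SRV records Netlogon registers stay as they are. Group Policy and domain-based DFS paths are of the form \\domain.org\SYSVOL\..., so before leaving the change in place, confirm from a domain-joined client that gpupdate /force and Test-Path '\\domain.org\SYSVOL' still work, and remember the DnsAvoidRegisterRecords value applies per DC, so repeat step 3 on each one.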

I've already requested that the site redirect to www, but at the time we had.... some issues in regards to the IT management  :hmmm: I'll leave it at that, but as it happens, we are switching hosts now, and the people who made my job harder are more or less out of the picture. I have made sure to specifically request our website redirect to www.

 

However, many people will simply type "huairou.org" into the browser regardless, so it would be nice to get this working in either case.

 

I am leaving the country this Sunday though for two and a half weeks, and am VERY reluctant to make any changes that could possibly break things until I get back. Is there any way this would cause something to break?

  • 5 weeks later...

Hey, sorry for the longer than expected wait! I just made those changes you recommended, and everything seems to be working perfectly now! I guess my next project is to try and migrate our domain over to the local FQDN...

Thanks for all the help!

 
