
Hey all,

 

A while back, I made a topic regarding some major networking issues my organization was having. I DID basically solve them, and everything works smoothly for the most part. Thanks to all who helped!

 

However, there is a small issue that I thought I had fixed, which seems to have come back to some extent.

 

Basically, our network exists on domain.org. We also have a publicly accessible website which is hosted offsite, outside of the network, at the address domain.org.

 

If you access the website from anywhere BUT the office, there is no problem. Everything loads fine. However, if you try to access domain.org (or www.domain.org, or http://www.domain.org) then it seems to take a really long time to resolve. The browser just sits there churning for a bit, and then finally, the website pulls up and loads normally. It should be noted that if you access it via IP address, it loads perfectly fine, even within the network.

 

Clearly, there is some sort of DNS/resolution issue going on, but I am stumped as to what the problem is. I already have an alias which points the parent directory (domain.org) to the proper IP address. I also have a www alias which points to the same IP address. From my understanding, that is all I should need to get things working properly, but that doesn't seem to be the case.

 

I did notice there is a secondary host record for domain.org which points to our local server's internal IP address. This record seems to be dynamically and automatically added - I didn't add it myself, and it has a timestamp, rather than the "static" tag that the record I added for our website has.

 

Perhaps there is an issue where the dynamic record gets checked first, and only reverts to the manual record after some sort of time-out? I'm not entirely sure. I'm afraid that if I remove the dynamic record which points to our internal server, that will break functionality for our internal system.

 

Any insight or recommendations would be greatly appreciated. Thanks in advance!

Sorry, I forgot to put details into the post, rather than just the (admittedly vague) tags. We are using Windows 2012 R2 to manage a variety of things, including DNS. And yes, it's a publicly resolvable domain, but as I said, the same exact domain is used for our internal network, thus, by default, it directs to 10.10.10.6, rather than the public IP address of our external website.

So computers are computername.domain.com and your website is, say, www.domain.com.

You should have an A record pointing www.domain.com to the external IP of the web server in your DNS records, and make sure you are not using http://domain.com to browse the site.

But you said http://www.domain.com and http://domain.com both take just as long?

Also maybe take a look at this - http://www.itgeared.com/articles/1005-active-directory-domain-name/

Yes, I do have an A record for www, as well as the parent directory, which points to the proper IP. Yet, even when using www.domain.org, it takes a long time. I forgot to mention that when you do type it in like that, it ends up being converted to domain.org anyways so I suspect that on the web host's end, they are directing all requests back to domain.org, making my A records useless. Does that make sense?

 

Anyways, as for the fact that our AD domain is domain.org, that is unfortunately something beyond me. The previous technician set it up that way, even though I myself would have set it up on local.domain.org for simplicity's sake and saved us a lot of headaches. I did try migrating us to the local domain, but I had issues. Having said that, we had LOTS of issues when I tried that, many of which I have since fixed. Perhaps a migration would work now.

 

I was hoping to have a quick fix for the website though, until I can manage to do that.

"The same exact domain is used for our internal network"

 

Not a good idea!!

 

So what is the real domain? It sure isn't domain.org -- I want to look at what it resolves to publicly and from where. You do not host your own external DNS off your AD DNS server, this 2012 R2 box, do you?

 

Where do your clients point for DNS? It should only be your AD DNS server. Do a simple query for www.domain.org (using your real domain); does it resolve to the internal IP address? You're saying it resolves to the local IP of 10.10.10.6 -- well then, that should be pretty much instant.

 

From a client machine do nslookup and then set debug.

 

C:\>nslookup
Default Server:  pfSense.local.lan
Address:  192.168.9.253

> set debug
> www.domain.org
Server:  pfSense.local.lan
Address:  192.168.9.253

------------
Got answer:
    HEADER:
        opcode = QUERY, id = 2, rcode = NXDOMAIN
        header flags:  response, auth. answer, want recursion, recursion avail.
        questions = 1,  answers = 0,  authority records = 0,  additional = 0

    QUESTIONS:
        www.domain.org.local.lan, type = A, class = IN

------------
------------
Got answer:

 

And post that full output... Notice how it looked for www.domain.org.local.lan first -- this is suffix search. Wonder if that is causing you problems? Please post the whole output... you can replace whatever your real domain is with domain.org if you must.

 

Also, are your browsers using a proxy? Or do they directly access the internet? A great test would be sniffing on a client and then going to your website www.domain.org; make sure you do an ipconfig /flushdns first so that we get to see the DNS queries in the sniff as well.

 

As to www.domain.org being converted back to domain.org -- so that is set up on your website; that is not a DNS-related mechanism. That is a mod_rewrite or other method doing that once you hit your website. We will see what happens with the nslookup debug.

 

While the nslookup debug is helpful - to be honest, nslookup is a horrific tool for doing any real DNS troubleshooting. I would really suggest you grab dig. It's part of the BIND install; you can just install the tools for Windows so you can use dig: https://www.isc.org/downloads/

I installed ISC BIND as you recommended, and ran nslookup on our domain as well as dig. I replaced our actual domain with "domain" and ***'d the first three octets of our website's IP address, but the results are otherwise unedited.

 

nslookup:

>"C:\Program Files\ISC BIND 9\bin\nslookup.exe" domain.org
Server:         10.10.10.6
Address:        10.10.10.6#53


Name:   domain.org
Address: 10.10.10.6
Name:   domain.org
Address: **.***.***.171


>"C:\Program Files\ISC BIND 9\bin\nslookup.exe" www.domain.org
Server:         10.10.10.6
Address:        10.10.10.6#53


Name:   www.domain.org
Address: **.***.***.171

dig:

>"C:\Program Files\ISC BIND 9\bin\dig.exe" domain.org


; <<>> DiG 9.10.2-P2 <<>> domain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32494
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;domain.org.                   IN      A


;; ANSWER SECTION:
domain.org.            600     IN      A       10.10.10.6
domain.org.            600     IN      A       **.***.***.171


;; Query time: 3 msec
;; SERVER: 10.10.10.6#53(10.10.10.6)
;; WHEN: Thu Jul 16 16:43:15 Eastern Daylight Time 2015
;; MSG SIZE  rcvd: 72


>"C:\Program Files\ISC BIND 9\bin\dig.exe" www.domain.org


; <<>> DiG 9.10.2-P2 <<>> www.domain.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5993
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1


;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;www.domain.org.               IN      A


;; ANSWER SECTION:
www.domain.org.        3600    IN      A       **.***.***.171


;; Query time: 2 msec
;; SERVER: 10.10.10.6#53(10.10.10.6)
;; WHEN: Thu Jul 16 16:43:27 Eastern Daylight Time 2015
;; MSG SIZE  rcvd: 60

 

Thanks for any help!

As for your question about a proxy, we are definitely not. All our machines have a direct connection to the internet, and this problem occurs on personal machines as well (such as my laptop) which have no problem outside of the office.

;; ANSWER SECTION:
domain.org.            600     IN      A       10.10.10.6
domain.org.            600     IN      A       **.***.***.171

 

Why do you have 2 entries here? You have one for the private site, the 10.x address, and then one for public -- that is going to be a problem!!

 

You didn't set debug, with dig you can do +trace

 

But I can tell you right now that it is a problem where you have 2 A records for your domain.org -- so one time you might get the 10.x address, the other time the public one, with a TTL of 10 minutes until they forget that and ask again, which again is a 50/50 shot they get the one they want. Is your website hosted on 10.10.10.6? ;)

 

Do you want your users to access domain.org or www.domain.org? And I have to assume the site is hosted publicly, right? So resolving it to 10.x is going to be a problem.

  On 17/07/2015 at 12:22, Jared- said:

Split brain DNS ugh.

 

Use .local, .internal, .company, something other than your public dns name.  

You didn't read the in between posts, huh? Tsk tsk.

 

@BudMan: Woops, sorry about forgetting the debug argument.

 

As for the double entry... the A entry for the website is static and was added by me. However, the 10.10.10.6 entry is dynamic, and seems to be automatically made by Windows. I was afraid that if I remove it, some sort of functionality might break? Of course, that could be a worthless worry, and everything will be just fine. I guess the other question would be, how do I prevent Windows 2012 from just automatically recreating the entry again, which seems to be something it does?

On that interface uncheck auto registration.

 

[image attachment: post-14624-0-97495000-1437157730.png]

 

But that should not be registered since there is no host..

 

This is why you don't use the same ad domain as your public.

 

Your other option is to have the site use www.domain.com instead of redirecting to domain.com. Then you can remove your public entry for domain.com in your AD.
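The following is an added example, not code from anyone in this thread, showing how the cleanup discussed above would be done from PowerShell on the Windows Server 2012 R2 DNS server. It assumes the zone is domain.org and the DC/DNS server is 10.10.10.6 as in the posts, and stands in the TEST-NET placeholder 203.0.113.171 for the masked public web IP. The timestamped apex record is the kind a domain controller's Netlogon service registers for the domain name itself (the LdapIpAddress record), so the script removes only dynamic private-range apex records, tells Netlogon not to re-register that record, and then re-queries the server to confirm the apex now returns only the public address.

```powershell
# Added example: inspect and repair a duplicate apex A record on an AD-integrated zone.
# Assumptions (not from the original thread): zone domain.org, DC/DNS server 10.10.10.6,
# public web IP placeholder 203.0.113.171. Run elevated on the domain controller.
#Requires -RunAsAdministrator
Import-Module DnsServer

$ZoneName    = 'domain.org'
$DnsServer   = '10.10.10.6'
$PublicWebIp = '203.0.113.171'   # placeholder; the thread masks the real address

function Get-ApexARecords {
    # The "same as parent folder" record is addressed as Name '@' in the DnsServer module.
    Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName -Name '@' -RRType A |
        ForEach-Object {
            [pscustomobject]@{
                Address   = $_.RecordData.IPv4Address.IPAddressToString
                Static    = (-not $_.Timestamp)   # dynamic (aged) records carry a timestamp
                Timestamp = $_.Timestamp
                TTL       = $_.TimeToLive
            }
        }
}

function Test-IsRfc1918 {
    param([string]$Address)
    # 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
    ($Address -match '^10\.') -or
    ($Address -match '^172\.(1[6-9]|2\d|3[01])\.') -or
    ($Address -match '^192\.168\.')
}

function Remove-DynamicPrivateApexRecords {
    # Remove only timestamped apex records that point into private space; the static
    # record the admin created for the public web host is left untouched.
    foreach ($r in Get-ApexARecords) {
        if (-not $r.Static -and (Test-IsRfc1918 $r.Address)) {
            Write-Host "Removing dynamic apex A record $($r.Address) (timestamp $($r.Timestamp))"
            Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $ZoneName `
                -Name '@' -RRType A -RecordData $r.Address -Force
        }
    }
}

function Disable-NetlogonApexRegistration {
    # Netlogon on every DC registers an A record for the bare domain name (mnemonic
    # LdapIpAddress). Listing that mnemonic in DnsAvoidRegisterRecords stops the record
    # from being re-created. Apply on each DC, or use the equivalent GPO under
    # System > Net Logon > DC Locator DNS Records > "DC Locator DNS records not registered by the DCs".
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $existing = (Get-ItemProperty -Path $key -Name DnsAvoidRegisterRecords -ErrorAction SilentlyContinue).DnsAvoidRegisterRecords
    $values = @($existing) + 'LdapIpAddress' | Where-Object { $_ } | Select-Object -Unique
    Set-ItemProperty -Path $key -Name DnsAvoidRegisterRecords -Value ([string[]]$values) -Type MultiString
    Restart-Service Netlogon
}

function Test-ApexResolution {
    # Ask the DC directly (bypassing the local resolver cache) and flag any private answer.
    $answers = Resolve-DnsName -Name $ZoneName -Type A -Server $DnsServer -DnsOnly |
        Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    $private = @($answers | Where-Object { Test-IsRfc1918 $_ })
    [pscustomobject]@{
        Answers = $answers
        Healthy = ($private.Count -eq 0) -and ($answers -contains $PublicWebIp)
    }
}

Get-ApexARecords | Format-Table -AutoSize   # before: expect one static public + one dynamic 10.x
Remove-DynamicPrivateApexRecords
Disable-NetlogonApexRegistration
Test-ApexResolution                          # after: Healthy should be True
```

After running it, check from a client that `gpupdate /force` and `\\domain.org\SYSVOL` still work, since those paths carry the bare domain name and are the functionality the original poster was worried about breaking. If you have more than one domain controller, the Netlogon change has to be made on each of them (or via the GPO noted in the comments), otherwise the next DC to refresh its records will put the 10.x apex entry back.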

I've already requested that the site redirect to www, but at the time we had.... some issues in regards to the IT management  :hmmm: I'll leave it at that, but as it happens, we are switching hosts now, and the people who made my job harder are more or less out of the picture. I have made sure to specifically request our website redirect to www.

 

However, many people will simply type "huairou.org" into the browser regardless, so it would be nice to get this working in either case.

 

I am leaving the country this Sunday though for two and a half weeks, and am VERY reluctant to make any changes that could possibly break things until I get back. Is there any way this would cause something to break?

  • 5 weeks later...

Hey, sorry for the longer than expected wait! I just made those changes you recommended, and everything seems to be working perfectly now! I guess my next project is to try and migrate our domain over to the local FQDN...

Thanks for all the help!

 
