Unable to resolve some .gov websites

    Question

  • Hi,

    Users on my network are unable to browse to certain .gov websites, specifically FDIC, FTC, SEC and HUD are the ones I am aware of so far.  When they attempt to do so, IE times out.

    Here's what I have figured out on my own so far:


    • I can get to each site using a Sprint mobile hotspot so I know the sites are up and the problem is on my network.
    • I can also get to each site if I use a web proxy service.  I used proxybrowsing.com.
    • Nslookup using internal DNS fails on all but hud.gov with the following error: Request to dnsservername.domain.local timed-out
    • Nslookup using our ISP’s DNS server is successful for all of them.
    • I can get to each of these sites by using the ip address rather than the name except for hud.gov.  It appears to be doing a redirect and the name cannot be resolved.
    • Tracert fails on all of these sites.

    It appears to me that this is an internal DNS problem.  Any ideas on where I should start to try to fix this?  Any assistance would be greatly appreciated.

    Thanks,

    John

    Monday, January 17, 2011 4:28 PM

Answers

  • This issue has been resolved.  I added my ISP's DNS servers as forwarders and it is working properly now.
    • Marked as answer by John_Guerra Monday, January 17, 2011 4:43 PM
    Monday, January 17, 2011 4:41 PM

All replies

  • It actually sounds like an EDNS0 limitation on your perimeter firewall. However, a Forwarder will bypass the issue, therefore good to hear you figured that a Forwarder took care of the problem!

    FYI, for future reference, if you'd like to read more on what EDNS0 is, my blog has info on it:

    EDNS0 (Extension mechanisms for DNS)
    http://msmvps.com/blogs/acefekay/archive/2010/10/11/edns0-extension-mechanisms-for-dns.aspx

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, January 17, 2011 5:58 PM
  • Hi Ace,

    Thanks for your reply.  It actually made me curious so I did some testing on one of my DNS servers (both win 2008 r2).  I deleted the ISP dns servers from the forwarders tab, cleared the cache and ran nslookup on SEC.gov (one of the sites that was failing) and it failed.  I then ran "dnscmd /Config /EnableEDnsProbes 0" and it worked.  I ran "dnscmd /Config /EnableEDnsProbes 1" and it failed again. 

    These results show that this is probably a problem with my firewall or maybe the router(s), is that correct?  I am using a Sonicwall NSA 2400 for the firewall.  I have two ISPs, one a T-1 from our telco (dynamic voice/data) and cable internet that was supposed to be a backup, but since it is so much faster than the T-1, it has become the primary.  Where is a good place to start?  I've checked for an EDNS setting on the Sonicwall but have not located it.  Could it be called something else?

    It seems to me that this is the correct way for this to be set up and that either setting forwarders or running the previously mentioned command are workarounds.  Is that correct?  Is this something that should be fixed, or are the workarounds sufficient?

    Thanks,

    JG

    Tuesday, January 18, 2011 2:37 PM
  • Your tests indicate that the SonicWall's DNS UDP traffic buffer size is set to default, 512. To allow EDNS0, it should be set to 1280. I would recommend leaving Windows' EDNS0 settings enabled.

    I can tell you how to do it with a Cisco PIX or ASA, but I'm not familiar with SonicWalls. Looking at SonicWall's site, I can't find anything specific. It might be under the "Firewall" section in the GUI. If not, it would be a setting such as the following, but I can't seem to find the actual command to run it unless you are aware of it:

    +bufsize=1280 (This will Set EDNS0 buffer size to allow up to 1280 bytes).

    Bumping up the UDP buffer size will allow EDNS0. If I find anything else, I'll get back to you, otherwise, if you have a support agreement you can contact support, or if you have access to SonicWall's support forum, you can post the question.

    Here's the list of support phone numbers: http://www.sonicwall.com/us/support/contact.html#telephone

    Here's the forum link: https://forum.sonicwall.com

    Please do let us know your results.

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services


    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    • Edited by Ace Fekay [MCT]MVP Tuesday, January 18, 2011 7:52 PM Clarification in first sentence.
    Tuesday, January 18, 2011 7:51 PM
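    As an added example (not code from the thread, from Microsoft or from any firewall vendor), here is a small Python script covering the two points raised in Ace's replies above: the difference between a plain DNS query and one carrying an EDNS0 OPT record that advertises a larger UDP payload size, and the 512-byte maximum message length that a DNS inspector enforces by default. It builds both kinds of query, parses a reply (TC bit, answers, advertised payload size, total size) and reports whether a message would exceed the inspection limit. The name sec.gov, the query id 0x1234 and the 192.0.2.1 answer in the constructed reply are placeholders; only the `probe` function at the bottom touches the network, and only when you run the script with a server address and a name.

```python
#!/usr/bin/env python3
"""EDNS0 probe helper (added example, not code from the thread).
Builds DNS A queries with and without an EDNS0 OPT record (RFC 6891), parses
the reply, and flags messages that a DNS inspector capped at 512 bytes (the
firewall default discussed above) would drop. Standard library only."""
import socket
import struct
import sys

DNS_CLASSIC_MAX = 512   # UDP payload limit without EDNS0 (RFC 1035)
EDNS_BUFSIZE = 4096     # size to advertise; matches the thread's recommendation


def encode_name(name):
    """Encode a dotted hostname as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qid=0x1234, edns_bufsize=None):
    """A/IN query with RD set; with edns_bufsize, add an OPT pseudo-RR in the
    additional section advertising that UDP payload size."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    msg = header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    if edns_bufsize:
        # OPT RR: root name, TYPE 41, CLASS = payload size, TTL = ext-rcode/version/flags, RDLEN 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)
    return msg


def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            return ".".join(labels) + ".", (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg):
    """Summarise a DNS message: rcode, TC bit, answers, OPT payload size, size."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                               # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers, opt_bufsize = [], None
    for i in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 41:
            opt_bufsize = rclass                      # OPT carries the size in CLASS
        elif i < an:
            answers.append((name, rtype, socket.inet_ntoa(rdata) if rtype == 1 else rdata))
    return {"id": qid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "answers": answers, "opt_bufsize": opt_bufsize, "size": len(msg)}


def exceeds_inspection_limit(msg, max_len=DNS_CLASSIC_MAX):
    """True if a DNS inspector capped at max_len bytes would drop this packet."""
    return len(msg) > max_len


def sample_response():
    """Constructed reply to build_query('sec.gov', edns_bufsize=4096): one A
    record via a compression pointer plus an OPT record. 192.0.2.1 is a
    documentation address, not the real answer."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)   # qr rd ra set
    question = encode_name("sec.gov") + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.1")
    return header + question + answer + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)


def probe(server, name, edns_bufsize=None, timeout=3.0):
    """Send one UDP query; return the parsed reply or None on timeout. A timeout
    only when edns_bufsize is set points at EDNS0 being dropped on the path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, edns_bufsize=edns_bufsize), (server, 53))
        try:
            return parse_response(sock.recvfrom(65535)[0])
        except socket.timeout:
            return None


if __name__ == "__main__":   # usage: python3 edns_probe.py <dns-server-ip> <name>
    srv, host = sys.argv[1], sys.argv[2]
    print("plain :", probe(srv, host))
    print("edns0 :", probe(srv, host, EDNS_BUFSIZE))
```

    Run against an upstream server from inside the network: if the plain query is answered but the EDNS0 query times out, the resolver itself is fine and something on the path is dropping EDNS0 traffic, which is the situation the dnscmd test in the post above reproduces. Raising the inspection limit on the firewall (as recommended in this thread) rather than disabling probes on the server keeps the larger replies flowing.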
  • I've been dealing with this same issue for a while now and finally came here to post a thread and luckily found this at the top of the list.  Our problem has been more sporadic though and it affects dol.gov and fda.gov.  I'm using Server 2008 R2 for the server having problems.  I did everything John also did and ran into all the same issues.  I then ran the dnscmd /Config /EnableEDnsProbes 0 command and it fixed my issue.

    I'm doing some research into EDNS.  I've never had to work with it before and am getting caught up in the way it works.  Ace - Can you point me in the right direction for allowing EDNS and resetting the UDP buffer on Cisco devices?  I'm using an ASA 5510 on the network with the problem DNS server.

    Tuesday, January 18, 2011 8:39 PM
  • Ace, if you still have any good information I'd like you to send it over if you could please. 


    I got this fixed pretty easily.  Just took a little reading of some Cisco documentation and changing it to 1280 was the solution.  I did the following from the ASA:

    conf t
    policy-map type inspect dns preset_dns_map
    parameters
    message-length maximum 1280
    Tuesday, January 18, 2011 9:00 PM
  • Hi Joe,

    I'm glad you figured that out using the CLI. I try to do most things in the CLI, too, but sometimes I find it quicker using the ASDM.

    Just an FYI for everyone if using the ASDM:

    Cisco PIX:
    fixup protocol dns maximum-length 4096

    Cisco ASA 55xx series (assuming using the latest IOS 8.3.2ED)
      Configuration
        Firewall
          Advanced
            Objects
              Inspect Maps
                DNS
                  If a "preset_dns_map" policy doesn't exist
                      click on Add
                      type in preset_dns_map
                      Next to "Security Level," click the Details button
                      Select the Filter tab
                      Change "Maximum Packet Length" from 512 to 4096
                      Click OK
                      File, "Save Running Configuration to Flash" (also suggest to save it to TFTP)
                  If a "preset_dns_map" policy does exist
                      Right-click "preset_dns_map"
                      Choose "Edit"
                      Next to "Security Level," click the Details button
                      Select the Filter tab
                      Change "Maximum Packet Length" from 512 to 4096
                      Click OK
                      File, "Save Running Configuration to Flash" (also suggest to save it to TFTP)

    Cheers!

    Ace


    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.



    • Edited by Ace Fekay [MCT]MVP Tuesday, March 27, 2012 6:04 PM - changed the EDNS0 UDP allow size from 1280 to 4096
    Wednesday, January 19, 2011 4:20 AM
  • Hello,

    I came across this during a search for the same issue except for scientificamerican.com and sciam.com (same site).  I've done each of the recommendations, added the ISP's DNS servers as forwarders, I've run the dnscmd /config /enableednsprobes 0 restarted the DNS service.

    I've also followed the recommendations in Ace's blog. The one thing that did work was to add the entry for the site to the lmhost file on the workstation.  Entering the IP in the browser allows me to go to the site but every subsequent link resolves back to the name and times out.

    The last thing I haven't done is to make a change to the Cisco firewall which is managed by another group.

    Are there any other alternative solutions?

    Thanks in advance.

    Tuesday, March 27, 2012 5:30 PM
  • I would actually suggest to bump it up to 4096, not 1280 (my post edited for the change).

    As for disabling EDNS0 on the server, I wouldn't recommend that. There are other things that need EDNS0. EDNS0 simply states to allow DNS queries using larger than 512 bytes. Previously it would change to TCP, but with EDNS0, it's more efficient just allowing the larger packet. When you disable it on the server (with the dnscmd command you ran), you may be affecting internal resolution, so I wouldn't really do that. I suggest to put it back to "1" to enable it.
    dnscmd /config /enableednsprobes 1

    As for scientificamerican.com, I don't think the problem is specifically with that, rather when you use www.scientificamerican.com. Look at the differences, scientificamerican.com (an A record) and www.scientificamerican.com(actually it's a CNAME record) are pointing to two different things. I have no idea who designed that.

    But below that is sciam.com, where both that and www.sciam.com are pointing to an A record. So my feeling is the problem is with the www version.

    scientificamerican.com:

    ; <<>> DiG 9.8.0 <<>> scientificamerican.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8483
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;scientificamerican.com.                IN      A

    ;; ANSWER SECTION:
    scientificamerican.com. 5678    IN      A       63.131.142.246

    ;; Query time: 51 msec
    ;; SERVER: 199.191.128.103#53(199.191.128.103)
    ;; WHEN: Tue Mar 27 13:57:35 2012
    ;; MSG SIZE  rcvd: 56


    www.scientificamerican.com:

    ; <<>> DiG 9.8.0 <<>> www.scientificamerican.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54317
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.scientificamerican.com.    IN      A

    ;; ANSWER SECTION:
    www.scientificamerican.com. 81  IN      CNAME   www.scientificamerican.com.edgekey.net.
    www.scientificamerican.com.edgekey.net. 5303 IN CNAME e2133.b.akamaiedge.net.
    e2133.b.akamaiedge.net. 20      IN      A       184.29.168.213

    ;; Query time: 82 msec
    ;; SERVER: 199.191.128.103#53(199.191.128.103)
    ;; WHEN: Tue Mar 27 13:57:54 2012
    ;; MSG SIZE  rcvd: 145


    sciam.com:

    ; <<>> DiG 9.8.0 <<>> sciam.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 734
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;sciam.com.                     IN      A

    ;; ANSWER SECTION:
    sciam.com.              14072   IN      A       63.131.142.246

    ;; Query time: 69 msec
    ;; SERVER: 199.191.128.103#53(199.191.128.103)
    ;; WHEN: Tue Mar 27 14:01:44 2012
    ;; MSG SIZE  rcvd: 43


    www.sciam.com:

    ; <<>> DiG 9.8.0 <<>> www.sciam.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54858
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.sciam.com.                 IN      A

    ;; ANSWER SECTION:
    www.sciam.com.          445     IN      A       63.131.142.246

    ;; Query time: 59 msec
    ;; SERVER: 199.191.128.103#53(199.191.128.103)
    ;; WHEN: Tue Mar 27 14:01:53 2012
    ;; MSG SIZE  rcvd: 47


    Either way, I would enable it on the server. Besides, if you enable it on the firewall, but disable it on the server, what's the point?



    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    Tuesday, March 27, 2012 6:03 PM
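    As an added example (not part of the thread), here is a Python summarizer for dig output like the four runs posted above. It pulls out the header status and flags, the EDNS payload size if dig printed an OPT pseudosection, the answer chain and the received message size, and reports whether the reply would exceed a given DNS inspection limit (512 bytes by default, the firewall setting discussed earlier in the thread). The two embedded samples are copied verbatim from the scientificamerican.com and www.scientificamerican.com runs in this post; neither reply carries an OPT record (ADDITIONAL: 0) and both are well under 512 bytes, so the script reports them as fitting the default limit.

```python
#!/usr/bin/env python3
"""Summarise dig output against a DNS inspection limit (added example, not
code from the thread). SAMPLES is copied from two of the dig runs posted
above; the 512-byte default is the firewall limit discussed earlier."""
import re

SAMPLES = {
    "scientificamerican.com": """\
; <<>> DiG 9.8.0 <<>> scientificamerican.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8483
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;scientificamerican.com.                IN      A

;; ANSWER SECTION:
scientificamerican.com. 5678    IN      A       63.131.142.246

;; Query time: 51 msec
;; SERVER: 199.191.128.103#53(199.191.128.103)
;; WHEN: Tue Mar 27 13:57:35 2012
;; MSG SIZE  rcvd: 56
""",
    "www.scientificamerican.com": """\
; <<>> DiG 9.8.0 <<>> www.scientificamerican.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54317
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.scientificamerican.com.    IN      A

;; ANSWER SECTION:
www.scientificamerican.com. 81  IN      CNAME   www.scientificamerican.com.edgekey.net.
www.scientificamerican.com.edgekey.net. 5303 IN CNAME e2133.b.akamaiedge.net.
e2133.b.akamaiedge.net. 20      IN      A       184.29.168.213

;; Query time: 82 msec
;; SERVER: 199.191.128.103#53(199.191.128.103)
;; WHEN: Tue Mar 27 13:57:54 2012
;; MSG SIZE  rcvd: 145
""",
}

# owner  TTL  IN  TYPE  RDATA  (one resource record line as dig prints it)
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_dig(text):
    """Extract status, header flags, EDNS udp size (if an OPT pseudosection was
    printed), answer-section RRs and the received message size."""
    info = {"status": None, "flags": [], "edns_udp": None, "answers": [], "size": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            info["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            info["flags"] = re.match(r";; flags: ([^;]*);", line).group(1).split()
        elif line.startswith("; EDNS:"):                 # newer dig prints this for OPT
            info["edns_udp"] = int(re.search(r"udp: (\d+)", line).group(1))
        elif line.startswith(";; MSG SIZE"):
            info["size"] = int(re.search(r"rcvd: (\d+)", line).group(1))
        elif line.endswith("SECTION:"):
            section = "answer" if "ANSWER" in line else "other"
        elif line.startswith(";"):                       # comments, question line, timing
            continue
        elif section == "answer":
            m = RR_RE.match(line)
            if m:
                name, ttl, rtype, rdata = m.groups()
                info["answers"].append((name, int(ttl), rtype, rdata))
    return info


def summarize(text, max_len=512):
    """Reduce a dig run to what the firewall question needs: did the reply fit
    the inspection limit, was it truncated, how many CNAME hops to the address."""
    info = parse_dig(text)
    cnames = [a for a in info["answers"] if a[2] == "CNAME"]
    addrs = [a[3] for a in info["answers"] if a[2] in ("A", "AAAA")]
    return {"status": info["status"], "truncated": "tc" in info["flags"],
            "edns_udp": info["edns_udp"], "cname_hops": len(cnames),
            "final_address": addrs[-1] if addrs else None, "size": info["size"],
            "exceeds_limit": info["size"] is not None and info["size"] > max_len}


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, summarize(text))
```

    A reply whose size is over the limit, or one that comes back with the tc flag set, is the case where the firewall's maximum message length matters; a reply that fits comfortably, like both samples here, is not explained by the 512-byte setting on its own, which is worth establishing before asking another group to change a firewall they manage.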