Multiple A record for single ip address in DNS

  • Question

  • We have a W2k8R2 domain, and Windows 7 clients. For all of our Intranet websites we have CNAME records in DNS.

    Now users would like to connect to our intranet with their mobile devices. (Phone, iPad)

    We installed a PKI environment, and use Mobile Iron to manage the mobile devices.

    We also need to enable Kerberos (negotiate) on the websites. And here the trouble starts with IIS 7. KRB_AP_ERR_Modified error. I've read a lot of articles about this error and Kerberos authentication with IIS.

    One of the solutions I read is to create an A record for the website. I did it for testing purposes, and it seems to work.. sometimes..

    http://blog.michelbarneveld.nl/michel/archive/2009/11/14/the-reason-why-kb911149-and-kb908209-are-not-the-soluton.aspx

    But I don't like it. Pinging the IP address would resolve the servername, but sometimes the website.

    What is my question??

    Is there a situation where you would ever use two A records for the same IP address? I can't think of one, but I'm not a DNS guru.

    Thanks

    Wednesday, February 11, 2015 2:20 PM

Answers

  • From a DNS point of view, there is nothing wrong with having multiple A records pointing to the same IP. This is often done to "hide" the actual server name, so that the application can be moved to a different machine/instance without clients noticing the move. Reverse DNS is another thing. When you have multiple PTR records registered for the same address, the DNS server will, depending on configuration, return the first record or rotate records when you query PTR. Removing the PTR of the server and leaving only the website PTR in the reverse DNS zone will provide consistent behavior for reverse queries.

    Gleb.

    • Proposed as answer by bshwjt Thursday, February 12, 2015 3:06 AM
    • Marked as answer by Frank Shen5 Monday, March 2, 2015 5:51 AM
    Wednesday, February 11, 2015 3:04 PM
  • Having two A records is okay and there are no problems doing it. Just make sure that your PTR record points to the DNS name you want and it should be okay.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    • Marked as answer by Frank Shen5 Monday, March 2, 2015 5:51 AM
    Thursday, February 12, 2015 3:01 AM
  • aha.. Thanks for the reply Gleb.

    I deleted the PTR record for the website. For troubleshooting I like to be able to ping -a ip to servername, not the website. As far as I know the website doesn't do reverse queries. But got to double check with the web admin.

    Thanx

    • Marked as answer by Mahdi Tehrani Monday, February 23, 2015 2:26 PM
    Wednesday, February 11, 2015 4:19 PM
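
An added example, not part of any post in this thread: a small Python audit that reads A and PTR records and reports, per IP address, whether the reverse lookup is consistent in the sense the answers describe (several A records are fine, more than one PTR is not). The zone text, host names and addresses are constructed for illustration, and the status labels are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (hypothetical names and addresses),
# one "owner TYPE value" per line as a zone export might list them.
SAMPLE_ZONE = """\
web01.corp.example.      A    10.0.0.15
intranet.corp.example.   A    10.0.0.15
15.0.0.10.in-addr.arpa.  PTR  web01.corp.example.
15.0.0.10.in-addr.arpa.  PTR  intranet.corp.example.
app02.corp.example.      A    10.0.0.16
16.0.0.10.in-addr.arpa.  PTR  app02.corp.example.
files.corp.example.      A    10.0.0.17
17.0.0.10.in-addr.arpa.  PTR  oldfiles.corp.example.
print.corp.example.      A    10.0.0.18
"""

def norm(name):
    """DNS names compare case-insensitively; ignore the trailing dot."""
    return name.rstrip(".").lower()

def ptr_owner_to_ip(owner):
    """'15.0.0.10.in-addr.arpa.' -> '10.0.0.15' (IPv4 reverse names only)."""
    suffix, name = ".in-addr.arpa", norm(owner)
    if not name.endswith(suffix):
        raise ValueError(f"not an IPv4 reverse name: {owner}")
    labels = name[:-len(suffix)].split(".")
    return str(ipaddress.IPv4Address(".".join(reversed(labels))))

def audit(zone_text):
    """Return {ip: (status, sorted A names, sorted PTR targets)}."""
    a_names, ptr_names = defaultdict(set), defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        owner, rtype, value = fields
        if rtype.upper() == "A":
            a_names[str(ipaddress.IPv4Address(value))].add(norm(owner))
        elif rtype.upper() == "PTR":
            ptr_names[ptr_owner_to_ip(owner)].add(norm(value))
    report = {}
    for ip in sorted(set(a_names) | set(ptr_names), key=ipaddress.IPv4Address):
        fwd, rev = a_names[ip], ptr_names[ip]
        if not rev:
            status = "no-ptr"
        elif len(rev) > 1:
            status = "multiple-ptr"  # reverse answer depends on server config
        elif rev <= fwd:
            status = "consistent"    # single PTR that matches an A record
        else:
            status = "ptr-mismatch"  # PTR target has no A record for this IP
        report[ip] = (status, sorted(fwd), sorted(rev))
    return report

if __name__ == "__main__":
    for ip, (status, fwd, rev) in audit(SAMPLE_ZONE).items():
        print(f"{ip:<12} {status:<13} A={fwd} PTR={rev}")
```

With the sample data, 10.0.0.15 is flagged because it carries two PTR records; deleting either one leaves it consistent while both A records stay in place.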
