Every once in a while, an ISP will have a problem with their DNS server and someone can’t access a website.
While troubleshooting the problem, we usually get asked: “If the first server doesn’t give the answer I wanted why didn’t it move to the next one in the list?”
What is DNS?
In the simplest of terms, Domain Name Service (DNS)is the mechanism that translates human-readable names (www.google.ca) into numbers that devices on the internet understand (173.194.33.56).
If we didn’t have DNS you would have to enter that ugly number in each time you wanted to access the website.
It’s a lot easier to remember the name.
Why do you have more than one entry?
Backup.
The second and possibly third servers on the list are there in case the first can’t be connected to.
It means that the first server is either dead, not there or missing.
“Can’t be connected to” is different from “didn’t provide an answer” or “provided the wrong answer”.
Here’s why.
DNS isn’t a “general consensus” protocol where you ask each server on the list for the same information and then take the “best answer”.
That would really slow things down and who’s to say the “best answer” was the one you wanted anyway?
It tries to connect to the first server on the list and, if the connection is successful, it assumes that the answer it gets back is the correct one – even if that information is wrong or empty or nothing returns at all.
It stops there and doesn’t try the next one on the list.
It has an answer – whether you like it or not – why would it continue to look?
However, if that server doesn’t respond (aka dead, not there, missing) your system will try the next DNS server on the list.
It will keep doing this until it makes a connection or reaches the end of the list.
End result.
If the first server is dead and it successfully connects to the second server will it always try the first server for every new request? No.
Your system will remember which of the servers worked last time and try that one first the next time – right up until you restart – then the process starts over again.
Why would a DNS server allow connections but not give an answer?
Usually, this is because that server is too busy to respond to your request.
Bummer for you because you “connected” so the “blank” answer counts.
Don’t confuse a “blank” answer with the “wrong answer” though.
There are a number of reasons why a server might provide you with what it thinks is the right information but it’s not what you were looking for.
The address is in the middle of changing and the server hasn’t updated its copy (cache) with new information being the most common.
2015 Business IT Predictions from The ITeam
/0 Comments/in Cybersecurity /by James WagnerBusinesses will embrace the way technology serves to improve interactions with customers, the experience customers have with businesses, and the ability businesses will have to be more productive.
Along the way, every business leader will be forced to consider how to balance the cost of technology with the need to remain risk averse.
All of this will have to complement the need to be flexible enough to remain competitive on an increasingly shrinking global scale. We predict the following factors will become critical for every business leader in 2015:
Risk-Based Security
The road to the digital future must be paved with security. And businesses will have to balance how they approach security so that their customers and data are protected, while at the same time their ability to be flexible is not impeded. Businesses will rely on IT partners to use mitigation tools and risk assessments. IT security will move beyond firewalls and virus detectors, employing a multi-faceted approach to better detection and prevention.
Cloud Ubiquity
In 2015 the adoption of IT security cloud services will become the norm. Indeed, hosted services for email, IP telephony, and backup and disaster recovery make more than economic sense. They make sense for business continuity, becoming essential to organizations of every size. The union of mobile and cloud computing will continue to promote the growth of centrally synchronized applications that can be delivered to any kind of device. Management and coordination of these applications will depend on the cloud.
Comprehensive Infrastructure Solutions
In today’s world, technology changes fast, and consumers expect you to not only keep up with these changes but to always be available as well. Effective planning – not only for this year but for ongoing success – requires a comprehensive approach to infrastructure. In the coming months we’ll explore the different ways in which businesses must prepare for this fast-paced future. Visit regularly to learn about:
– Disaster recovery
– Offsite backup
– Hosted services
– Cloud services
– Managed services
– Server replication
– Server virtualization
Why Do We Have More Than One DNS Entry?
/0 Comments/in Managed IT /by James WagnerEvery once in a while, an ISP will have a problem with their DNS server and someone can’t access a website.
While troubleshooting the problem, we usually get asked: “If the first server doesn’t give the answer I wanted why didn’t it move to the next one in the list?”
What is DNS?
In the simplest of terms, Domain Name Service (DNS)is the mechanism that translates human-readable names (www.google.ca) into numbers that devices on the internet understand (173.194.33.56).
If we didn’t have DNS you would have to enter that ugly number in each time you wanted to access the website.
It’s a lot easier to remember the name.
Why do you have more than one entry?
Backup.
The second and possibly third servers on the list are there in case the first can’t be connected to.
It means that the first server is either dead, not there or missing.
“Can’t be connected to” is different from “didn’t provide an answer” or “provided the wrong answer”.
Here’s why.
DNS isn’t a “general consensus” protocol where you ask each server on the list for the same information and then take the “best answer”.
That would really slow things down and who’s to say the “best answer” was the one you wanted anyway?
It tries to connect to the first server on the list and, if the connection is successful, it assumes that the answer it gets back is the correct one – even if that information is wrong or empty or nothing returns at all.
It stops there and doesn’t try the next one on the list.
It has an answer – whether you like it or not – why would it continue to look?
However, if that server doesn’t respond (aka dead, not there, missing) your system will try the next DNS server on the list.
It will keep doing this until it makes a connection or reaches the end of the list.
End result.
If the first server is dead and it successfully connects to the second server will it always try the first server for every new request? No.
Your system will remember which of the servers worked last time and try that one first the next time – right up until you restart – then the process starts over again.
Why would a DNS server allow connections but not give an answer?
Usually, this is because that server is too busy to respond to your request.
Bummer for you because you “connected” so the “blank” answer counts.
Don’t confuse a “blank” answer with the “wrong answer” though.
There are a number of reasons why a server might provide you with what it thinks is the right information but it’s not what you were looking for.
The address is in the middle of changing and the server hasn’t updated its copy (cache) with new information being the most common.
Can’t Access a New Subnet Through The VPN?
/0 Comments/in Managed IT /by James WagnerA VPN (Virtual Private Network) is a way to securely connect two locations together across the internet.
In this case, we’ll be discussing a Lan-to-Lan connection between two offices.
Lan-to-Lan Connection
Your office is expanding and you’ve run out of IP’s.
You consult your network architect and decide to create a separate subnet, Virtual LAN (VLAN) or zone for a group of machines (e.g. a new floor or a development group).
You and the network architect get the new zone up and running and test the connectivity to the servers and internet successfully.
All is good.
A while later one of the staff on the new subnet tries to access a device at a remote office (say a printer) but it fails.
You check from the server and everything works fine.
When you try and ping the device from the machine it doesn’t respond.
You traceroute it and see that it goes out to the internet instead of through the tunnel.
Why?
The routes are all correct.
You can ping the firewall so you know it’s getting to the right location.
Why won’t it go to the remote branch?
Answer: You forgot to change the VPN tunnel to allow the new subnet to pass to the remote location!
Did you remember to add the new network to the tunnel?
Why do you need to do that?
The VPN tunnel works by matching both the source IP and destination IP to see if it needs to encrypt the traffic.
This match is done against an access control list (ACL).
If the VPN can’t match both sides it ignores the connection and lets the firewall handle it on its own.
Just having a route from the new subnet to the firewall is not enough.
How do I fix it?
In this case, you have “old subnet” connecting to “remote subnet” and you’ll need to add “new subnet” connecting to “remote subnet” to the existing tunnel ACL.
Remember to do this on both sides or it won’t work (you have to allow the traffic on the remote side to come back!).
The resultant ACL will contain instructions for “old subnet” connecting to “remote subnet” and “new subnet” connecting to “remote subnet” (reverse on the remote end).
The user can now happily access the remote device because their IP matches the local end and the destination matches the remote side – the traffic is encrypted and the device is reachable.
How do I modify my VPN tunnel to add the new subnet?
There are so many versions of firewalls that I couldn’t possibly go through them all here.
We would recommend contacting your support vendor for assistance.