
Why Do We Have More Than One DNS Entry?
By James Wagner, in Managed IT
Every once in a while, an ISP will have a problem with their DNS server and someone can’t access a website.
While troubleshooting the problem, we usually get asked: “If the first server doesn’t give the answer I wanted why didn’t it move to the next one in the list?”
What is DNS?
In the simplest of terms, Domain Name Service (DNS) is the mechanism that translates human-readable names (www.google.ca) into numbers that devices on the internet understand (173.194.33.56).
If we didn’t have DNS you would have to enter that ugly number in each time you wanted to access the website.
It’s a lot easier to remember the name.
Why do you have more than one entry?
Backup.
The second and possibly third servers on the list are there in case the first can’t be connected to.
It means that the first server is either dead, not there or missing.
“Can’t be connected to” is different from “didn’t provide an answer” or “provided the wrong answer”.
Here’s why.
DNS isn’t a “general consensus” protocol where you ask each server on the list for the same information and then take the “best answer”.
That would really slow things down and who’s to say the “best answer” was the one you wanted anyway?
Your system tries to connect to the first server on the list and, if the connection is successful, it assumes that the answer it gets back is the correct one – even if that information is wrong or empty or nothing returns at all.
It stops there and doesn’t try the next one on the list.
It has an answer – whether you like it or not – why would it continue to look?
However, if that server doesn’t respond (aka dead, not there, missing) your system will try the next DNS server on the list.
It will keep doing this until it makes a connection or reaches the end of the list.
End result.
If the first server is dead and your system successfully connects to the second server, will it keep trying the first server for every new request? No.
Your system will remember which of the servers worked last time and try that one first the next time – right up until you restart – then the process starts over again.
Why would a DNS server allow connections but not give an answer?
Usually, this is because that server is too busy to respond to your request.
Bummer for you because you “connected” so the “blank” answer counts.
Don’t confuse a “blank” answer with the “wrong answer” though.
There are a number of reasons why a server might provide you with what it thinks is the right information but it’s not what you were looking for.
The most common is that the address is in the middle of changing and the server hasn’t yet updated its copy (cache) with the new information.
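To make the failover rules above concrete, here is a small simulation added as an example (it is not code from the post). It models the post's rules with in-memory fake servers and constructed names and addresses: a server that replies at all, even with a blank answer, ends the search, while a server that never replies is skipped and the one that finally answered is remembered until "restart" (a new resolver object). The last helper is the troubleshooting step the question implies: asking each configured server directly.

```python
from dataclasses import dataclass, field

TIMEOUT = object()  # sentinel: the server never replied (dead, not there, missing)


@dataclass
class FakeServer:
    """Constructed stand-in for a configured DNS server; no network is used."""
    name: str
    records: dict               # qname -> address; a missing key is a "blank" answer
    dead: bool = False          # True: never replies at all

    def query(self, qname):
        if self.dead:
            return TIMEOUT
        return self.records.get(qname)   # None models an empty/negative reply


@dataclass
class StubResolver:
    """Models the failover behaviour described in the post."""
    servers: list
    preferred: int = 0                    # index of the server that worked last time
    log: list = field(default_factory=list)

    def resolve(self, qname):
        n = len(self.servers)
        for step in range(n):
            i = (self.preferred + step) % n
            srv = self.servers[i]
            reply = srv.query(qname)
            if reply is TIMEOUT:
                self.log.append(f"{srv.name}: no reply, trying next server")
                continue
            # Any reply, even a blank one, is accepted; the list is not searched further.
            self.preferred = i            # remembered until "restart" (a new object)
            self.log.append(f"{srv.name}: replied {reply!r}")
            return reply
        self.log.append("no server replied")
        return TIMEOUT


def check_each_server(servers, qname):
    """Troubleshooting step: query every configured server directly (like dig @server)."""
    result = {}
    for s in servers:
        reply = s.query(qname)
        result[s.name] = "no reply" if reply is TIMEOUT else reply
    return result
```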
Can’t Access a New Subnet Through The VPN?
By James Wagner, in Managed IT
A VPN (Virtual Private Network) is a way to securely connect two locations together across the internet.
In this case, we’ll be discussing a LAN-to-LAN connection between two offices.
LAN-to-LAN Connection
Your office is expanding and you’ve run out of IPs.
You consult your network architect and decide to create a separate subnet, Virtual LAN (VLAN) or zone for a group of machines (e.g. a new floor or a development group).
You and the network architect get the new zone up and running and test the connectivity to the servers and internet successfully.
All is good.
A while later one of the staff on the new subnet tries to access a device at a remote office (say a printer) but it fails.
You check from the server and everything works fine.
When you try to ping the device from the machine it doesn’t respond.
You traceroute it and see that it goes out to the internet instead of through the tunnel.
Why?
The routes are all correct.
You can ping the firewall so you know it’s getting to the right location.
Why won’t it go to the remote branch?
Answer: You forgot to change the VPN tunnel to allow the new subnet to pass to the remote location!
Did you remember to add the new network to the tunnel?
Why do you need to do that?
The VPN tunnel works by matching both the source IP and destination IP to see if it needs to encrypt the traffic.
This match is done against an access control list (ACL).
If the VPN can’t match both sides it ignores the connection and lets the firewall handle it on its own.
Just having a route from the new subnet to the firewall is not enough.
How do I fix it?
In this case, you have “old subnet” connecting to “remote subnet” and you’ll need to add “new subnet” connecting to “remote subnet” to the existing tunnel ACL.
Remember to do this on both sides or it won’t work (you have to allow the traffic on the remote side to come back!).
The resultant ACL will contain instructions for “old subnet” connecting to “remote subnet” and “new subnet” connecting to “remote subnet” (reverse on the remote end).
The user can now happily access the remote device because their IP matches the local end and the destination matches the remote side – the traffic is encrypted and the device is reachable.
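The matching rule and the fix described above, as an added example that is not part of the post and is not tied to any firewall vendor. It uses constructed subnets (old 10.1.0.0/24, new 10.1.2.0/24, remote 10.9.0.0/24) and models the tunnel ACL as a list of (source subnet, destination subnet) pairs: traffic is encrypted only when both sides match, and a request is only answered when the far end carries the mirrored pair. The audit helper reports local entries missing their mirror on the remote end.

```python
import ipaddress as ip

# Constructed addresses (private ranges), not taken from the post:
OLD_SUBNET = "10.1.0.0/24"     # existing head-office subnet
NEW_SUBNET = "10.1.2.0/24"     # subnet just added at head office
REMOTE_SUBNET = "10.9.0.0/24"  # branch-office subnet behind the far end of the tunnel


def acl(*pairs):
    """Build a tunnel ACL: a list of (source subnet, destination subnet) entries."""
    return [(ip.ip_network(s), ip.ip_network(d)) for s, d in pairs]


def mirror(entries):
    """The far end needs the same entries with source and destination swapped."""
    return [(d, s) for s, d in entries]


def classify(entries, src, dst):
    """Tunnel only if BOTH source and destination match one ACL entry."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return "tunnel"
    return "internet"   # no match: the firewall handles it as ordinary traffic


def check_round_trip(local_acl, remote_acl, src, dst):
    """The request must match the local ACL and the reply must match the remote ACL."""
    out = classify(local_acl, src, dst)
    back = classify(remote_acl, dst, src)
    if out == "tunnel" and back == "tunnel":
        return "reachable"
    if out == "internet":
        return "request sent to the internet: local ACL lacks this subnet pair"
    return "request encrypted but reply is not: remote ACL lacks the mirrored pair"


def unmirrored(local_acl, remote_acl):
    """Audit: local entries that have no reverse entry on the far end."""
    far = set(mirror(remote_acl))
    return [(str(s), str(d)) for s, d in local_acl if (s, d) not in far]
```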
How do I modify my VPN tunnel to add the new subnet?
There are so many versions of firewalls that I couldn’t possibly go through them all here.
We would recommend contacting your support vendor for assistance.