DNS issue
-
@thecreativeone91 said:
I really think IPv6 only WANs are much further off than people keep saying,
I agree, but I limit that view to the west, because there are places in the world where they're becoming the norm. I think the future is actually set to have both, together, for a very long time. My guess is that American ISPs will start charging more for IPv4 addresses and nothing at all (aside from the service itself) for IPv6 addresses. This model is already in use around the world, and works out well.
partially because they've been saying that for years and years.
Imagine how I feel, I've been promoting and working with IPv6 since about 2001. It's been a long road. To give myself credit though, I was never one of those "we're gonna run out tomorrow" people or "transition is coming very soon," my thoughts were always "this is going to take a while and ISPs and IT departments are going to try to really push it off as long as possible, to the point where it's painful."
And the other thing is with most connections being Dynamic IPs they aren't as limited on IPv4 as they can recycle the addresses (and do, especially DSL connections which may drop with no traffic).
This is true, however even now some ISPs are coming up fantastically short and actually about 2 years ago Cox Communications went through a huge renumbering campaign with business customers in order to lower the total amount of allocated addresses. I imagine this bought them a few extra years. Another thing that can be done, and is typically done already, is that if a customer is dynamic, it will fail over to NAT (which you wrote about in your post as well). I've seen this happen before, where you receive an internal address from your ISP. You can still get online, however, you're behind their NAT. This is also in use in places where IPv4 addresses are extremely limited; America has more than anyone.
Dropping off inactive customers is another stop gap solution, however with the rise of cellphones and other internet devices, especially with streaming, this won't last forever.
If you combine ISP-level NAT, dropping off inactive devices, etc, you still only get a small window, there is the overall technical limitation of IPv4 in and of itself. These are all temporary solutions.
I have setup IPv4 LANs with IPv6 WANs before as some gear needed wasn't compatible with IPv6, and they didn't wish to upgrade. Many routers will support this using a NAT64/NAT46 with a tunnel. Not something I recommend but can be done.
NAT64/46 is pretty much a thing that shouldn't be done, I agree, if anything people should be multistack if they are trying to coexist.
I'm totally in favour of people transitioning to using IPv6 and IPv4, so that in 5 to 10 years, probably closer to 10, as western ISPs start to catch up with the rest of the world (this is typical, as by the time most Europeans were using DSL, most Americans still had dial up for many more years) people won't scramble to update their networks. I think though the transition will likely be less of a big deal than other historical ones, because since people are moving more "to the cloud" and web apps, and so on, there's less need for crappy software companies to fix their issues, though a lot of people will still be stuck with old stuff that can't be fixed or was created by a company which refuses to fix it (essentially most niche software companies are like this) and it's good there's things like NAT46.
The point of my post above on the issue though was that the desire to rid a network of IPv6 instead of being multistack, I think is a mistake and instead American IT people need to learn to work with it and get used to the idea of it existing, so they're not left behind, as usual.
-
If the website is hosted externally, and you are using that same domain name internally (guardiananytmie.com) then you may need to set up a delegation for the www subdomain. You would delegate another DNS server (Google's public one or maybe your ISP's) to resolve the subdomain.
I've seen this help many times, so I hope it helps you, too.
-
I haven't really worked with IPv6, what about an internal resource.
Let's assume that the above listed website was internal. Would DNS provide the IPv4 address, and the end point would switch over to that stack?
-
@doyle.jack said:
If the website is hosted externally, and you are using that same domain name internally (guardiananytmie.com) then you may need to set up a delegation for the www subdomain. You would delegate another DNS server (Google's public one or maybe your ISP's) to resolve the subdomain.
Do people not read? I clearly stated that this was not a domain owned by the SBS server....
-
@JaredBusch said:
@doyle.jack said:
If the website is hosted externally, and you are using that same domain name internally (guardiananytmie.com) then you may need to set up a delegation for the www subdomain. You would delegate another DNS server (Google's public one or maybe your ISP's) to resolve the subdomain.
Do people not read? I clearly stated that this was not a domain owned by the SBS server....
And I clearly stated - Let's assume that the above listed website was internal - meaning I AM asking a different question.
-
@Dashrender said:
And I clearly stated - Let's assume that the above listed website was internal - meaning I AM asking a different question.
I was replying to the post prior as well as another person above recommending the same thing.
-
WOW, now I'm the ass - seriously I need new glasses - Sorry @JaredBusch
-
@Dashrender said:
WOW, now I'm the ass - seriously I need new glasses - Sorry @JaredBusch
Coffee helps at this time of the day.
Note: I realize that this is a global forum and I will note that Coffee helps me at any time of the day.
-
There's no CNAME or A record for WWW. Fresh from dig.
C:\Users\v436525\Downloads\BIND9.10.1-P1.x64>dig guardiananytime.com any
; <<>> DiG 9.10.1-P1 <<>> guardiananytime.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8836
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;guardiananytime.com. IN ANY

;; ANSWER SECTION:
guardiananytime.com. 3553 IN A 63.66.47.183
guardiananytime.com. 86353 IN NS dns1p.prod.gliconline.com.
guardiananytime.com. 86353 IN NS rdrcdns.glic.com.
guardiananytime.com. 86353 IN SOA dns1p.prod.gliconline.com. bnicolai.glic.com. 2005165536 21600 3600 604800 600

;; ADDITIONAL SECTION:
dns1p.prod.gliconline.com. 86353 IN A 63.66.47.140
rdrcdns.glic.com. 86353 IN A 208.253.53.149

;; Query time: 260 msec
;; SERVER: 10.1.3.12#53(10.1.3.12)
;; WHEN: Mon Feb 23 11:00:18 Central Standard Time 2015
;; MSG SIZE rcvd: 204

Need to either put one in or have whomever hosts it put one in.
-
@doyle.jack Welcome to MangoLassi!
-
@PSX_Defector thanks, that at least means I am not crazy.
So this begs the question of why this works fine on every other network I have tried it on, just the one network where it fails.
But, I do not care at this point as the user can now get there and sign in and do what she needs to do.
Maybe next week I'll have time to care about a 3rd party issue.
-
@JaredBusch said:
@PSX_Defector thanks, that at least means I am not crazy.
So this begs the question of why this works fine on every other network I have tried it on, just the one network where it fails.
Depends on the vendor, maybe your DNS servers are not getting the info properly.
Just slap in a CNAME record on the SBS for www to point to the root domain. It should resolve properly internally then.
-
@PSX_Defector said:
Depends on the vendor, maybe your DNS servers are not getting the info properly.
SBS is using 8.8.8.8 and 8.8.4.4 as the forwarders
@PSX_Defector said:
Just slap in a CNAME record on the SBS for www to point to the root domain. It should resolve properly internally then.
Pulling the IPv6 caused something to make it resolve or that is what I was going to do.
-
@JaredBusch said:
@PSX_Defector said:
Depends on the vendor, maybe your DNS servers are not getting the info properly.
SBS is using 8.8.8.8 and 8.8.4.4 as the forwarders
Strange, maybe the NS is doing some kind of tricks on their end to put in the WWW for the customer. But I can only see what I see.
C:\Users\v436525\Downloads\BIND9.10.1-P1.x64>dig @8.8.8.8 guardiananytime.com any
; <<>> DiG 9.10.1-P1 <<>> @8.8.8.8 guardiananytime.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50753
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;guardiananytime.com. IN ANY

;; ANSWER SECTION:
guardiananytime.com. 21599 IN SOA dns1p.prod.gliconline.com. bnicolai.glic.com. 2005165536 21600 3600 604800 600
guardiananytime.com. 21599 IN NS rdrcdns.glic.com.
guardiananytime.com. 21599 IN NS dns1p.prod.gliconline.com.
guardiananytime.com. 3599 IN A 63.66.47.183

;; Query time: 202 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Mon Feb 23 11:24:07 Central Standard Time 2015
;; MSG SIZE rcvd: 172

C:\Users\v436525\Downloads\BIND9.10.1-P1.x64>dig @8.8.4.4 guardiananytime.com any
; <<>> DiG 9.10.1-P1 <<>> @8.8.4.4 guardiananytime.com any
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51353
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;guardiananytime.com. IN ANY

;; ANSWER SECTION:
guardiananytime.com. 21578 IN SOA dns1p.prod.gliconline.com. bnicolai.glic.com. 2005165536 21600 3600 604800 600
guardiananytime.com. 21578 IN NS rdrcdns.glic.com.
guardiananytime.com. 21578 IN NS dns1p.prod.gliconline.com.
guardiananytime.com. 3578 IN A 63.66.47.183

;; Query time: 37 msec
;; SERVER: 8.8.4.4#53(8.8.4.4)
;; WHEN: Mon Feb 23 11:24:28 Central Standard Time 2015
;; MSG SIZE rcvd: 172
-
@JaredBusch said:
Do people not read? I clearly stated that this was not a domain owned by the SBS server....
I know I don't.
-
I'm betting the DNS has a *.guardiananytime.com listing and that's what's being picked up. But for some reason, the client was failing over to IPv6 for the WWW request instead of getting forwarded to the * entry.
And if not a * DNS, PSX is probably right that the DNS provider is doing a * entry transparently.
-
I generally skip forwarders all together. I've never used them. But then again, I've never found a reason to.
-
@doyle.jack said:
I generally skip forwarders all together. I've never used them. But then again, I've never found a reason to.
I take this to mean that you rely on the Root Hints alone?
-
@Dashrender - You generally rely on one or the other. I don't know that it will use both root hints and forwarders.
You do get slightly better performance out of forwarders, but we're talking about milliseconds. Also, if you have multiple DNS servers, you should remember that forwarders are not stored in Active Directory. You would need to configure your forwarders on each of your DNS servers independently.
Root Hints tend to provide more redundancy. While you only see thirteen of them in the list, many of them are distributed geographically and provide their own type of fault tolerance. I believe there are 457 active root DNS servers right now.
The difference in performance is so small that it's really only a matter of preference. You'll get the same result with either. The only real difference is that when you are using Root Hints, you'll perform a series of iterative queries and expect referrals until you get the authoritative server for the domain you're interested in. When you use a forwarder, you're sending a single recursive query to the forwarder and letting that DNS server handle all of the iterative queries and return you the final answer.
Personal preference. I go with the one that requires less configuration and provides more reliability, even if it's at the expense of a few milliseconds on the response time.
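The mechanics this post describes (a root-hints resolver following referrals iteratively versus a single recursive query handed to a forwarder), together with the earlier suggestions of a www CNAME on the SBS, a subdomain delegation, and the guess that a * wildcard is answering for www, can all be modelled in one small toy resolver. The following is an added example written for this page, not code posted by anyone in the thread. The servers a.root-servers.net., a.gtld-servers.net. and sbs.internal., the delegation chain, and the wildcard record are constructed assumptions; only the apex A record 63.66.47.183 and the NS name dns1p.prod.gliconline.com. are taken from the dig output above.

```python
"""Toy DNS resolver for the mechanics discussed in this thread: iterative
resolution from root hints with referral following, a forwarder that takes
one recursive query, CNAME chasing (the www CNAME suggested for the SBS)
and wildcard synthesis (the guessed '*.guardiananytime.com.' entry).

Constructed example, not code from the forum.  The apex A record
63.66.47.183 and the NS name dns1p.prod.gliconline.com. come from the dig
output in the thread; every other server, zone and record is made up, and
the wildcard only models the thread's hypothesis.  Servers are addressed
by name, so glue and out-of-bailiwick NS lookups are left out.
"""

# server name -> {zone apex -> {owner -> {rrtype -> [rdata, ...]}}}
SERVERS = {
    "a.root-servers.net.": {          # constructed root server
        ".": {"com.": {"NS": ["a.gtld-servers.net."]}},
    },
    "a.gtld-servers.net.": {          # constructed .com server
        "com.": {"guardiananytime.com.": {"NS": ["dns1p.prod.gliconline.com."]}},
    },
    "dns1p.prod.gliconline.com.": {   # public authoritative view of the zone
        "guardiananytime.com.": {
            "guardiananytime.com.": {"A": ["63.66.47.183"],
                                     "NS": ["dns1p.prod.gliconline.com."]},
            "*.guardiananytime.com.": {"A": ["63.66.47.183"]},  # hypothesised wildcard
        },
    },
    "sbs.internal.": {                # constructed internal SBS copy of the zone
        "guardiananytime.com.": {
            "guardiananytime.com.": {"A": ["63.66.47.183"]},
            "www.guardiananytime.com.": {"CNAME": ["guardiananytime.com."]},
        },
    },
}
ROOT_HINTS = ["a.root-servers.net."]


def _in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)


def _wildcard(rrsets, zone, qname):
    """Return the '*' node at qname's closest encloser, or None (RFC 4592)."""
    labels = qname.split(".")
    for i in range(1, len(labels)):
        ancestor = ".".join(labels[i:])
        if "*." + ancestor in rrsets:
            return rrsets["*." + ancestor]
        if ancestor in rrsets or ancestor == zone:  # closest encloser, no wildcard
            return None
    return None


def authoritative_query(server, qname, qtype):
    """Answer as an authoritative server: referral, exact match or wildcard.
    Returns {'answer': [(owner, type, rdata), ...], 'referral': [ns, ...]}."""
    zones = SERVERS[server]
    zone = max((z for z in zones if _in_zone(qname, z)), key=len, default=None)
    if zone is None:                  # not authoritative; a real server would REFUSE
        return {"answer": [], "referral": []}
    rrsets = zones[zone]
    for owner, types in rrsets.items():   # delegation below the apex covering qname
        if owner != zone and "NS" in types and _in_zone(qname, owner):
            return {"answer": [], "referral": list(types["NS"])}
    node = rrsets.get(qname) or _wildcard(rrsets, zone, qname) or {}
    wanted = node if qtype == "ANY" else {t: node[t] for t in node if t in (qtype, "CNAME")}
    return {"answer": [(qname, t, rd) for t, rds in wanted.items() for rd in rds],
            "referral": []}


def resolve(qname, qtype, start=ROOT_HINTS, depth=0):
    """Iterative resolution as a root-hints resolver does it: ask, follow the
    referral to the child zone's servers, repeat; chase a CNAME from the same
    starting point.  Returns (answer, path of servers asked)."""
    if depth > 8:
        raise LookupError("CNAME chain too long")
    servers, path = list(start), []
    for _ in range(16):                                   # referral-loop guard
        server = servers[0]
        path.append(server)
        resp = authoritative_query(server, qname, qtype)
        if resp["referral"]:
            servers = [ns for ns in resp["referral"] if ns in SERVERS]
            if not servers:
                raise LookupError("referral to unknown servers")
            continue
        cnames = [rd for _, t, rd in resp["answer"] if t == "CNAME"]
        if cnames and qtype not in ("CNAME", "ANY"):
            answer, more = resolve(cnames[0], qtype, start, depth + 1)
            return resp["answer"] + answer, path + more
        return resp["answer"], path
    raise LookupError("too many referrals")


def forwarder_query(forwarder, qname, qtype):
    """What a client using a forwarder sees: one recursive query to the
    forwarder, which does the whole iterative walk on the client's behalf."""
    answer, _ = resolve(qname, qtype)
    return answer, [forwarder]


def addresses(qname, qtype="A", start=ROOT_HINTS):
    """Just the final rdata of the requested type (what dig's answer shows)."""
    return [rd for _, t, rd in resolve(qname, qtype, start)[0] if t == qtype]


if __name__ == "__main__":
    print("ANY at apex:", resolve("guardiananytime.com.", "ANY")[0])  # no www, no '*'
    print("www A, public (wildcard):", addresses("www.guardiananytime.com."))
    print("www AAAA, public:", addresses("www.guardiananytime.com.", "AAAA"))
    print("www A, SBS (CNAME):", addresses("www.guardiananytime.com.", start=["sbs.internal."]))
    print("client's path via forwarder:", forwarder_query("8.8.8.8", "www.guardiananytime.com.", "A")[1])
```

Querying ANY at the apex, as the dig runs above did, lists only the records owned by the apex, so a wildcard would never show up there even while www resolves through it; the check is to query www directly. The toy also shows why a wildcard with only an A record gives an empty AAAA answer, how the CNAME on the internal copy is chased from the same server, and that a client using a forwarder ever talks to exactly one server while the iterative path behind it runs root, com and the zone's own server.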
-
Yeah, that's what I figured.
Nice write up!