I am completely stumped and don't have a great deal to go on, so I am hoping that somebody can suggest what might be wrong.
I have been successfully running a DNS server and webserver; they are both on separate machines behind a router. My domain's nameservers point to the DNS server, which contains the A records. The router sends all DNS traffic (coming in at port 53) to the DNS server and routes all HTTP traffic (ports 80 and 443) to the webserver.
Everything has been working fine for ages... until all of a sudden it didn't. Now, whenever I try to view any of the websites I host, it just doesn't work: "The connection to the server was reset whilst the page was loading".
When I try to view the websites from inside the network, every single one of my domains points to the router.
The odd thing is, if I view the one website that is configured to use SSL from anywhere, then it works, so it seems to only be a port 80 issue.
I have recently installed SP2 on the webserver (Windows Server 2008); other than that I am pretty sure nothing else has changed. The NAT tables are all correct on the router.
I don't understand! Any suggestions would be greatly appreciated.
-
From your machine get a command prompt up and type nslookup. This will show which DNS server you are using; then type debug. This way you know what is being resolved and what DNS server is resolving it, and you can then take it from there, updating records or entries if required.
From Nasa -
The inside IP addresses of your servers are different from the outside IP address on the router, right? So when you attempt to connect to www.whatever.com from an inside computer, it is trying to connect to the outside IP address. Most routers can't handle this properly.
So what you need to do is override the DNS for your inside computers so that the inside computers use the internal IP address of your web server.
The quick-and-dirty workaround is to modify the hosts file on each internal computer (windows: C:\windows\system32\drivers\etc\hosts ; Linux: /etc/hosts) to contain the internal IP addresses of the web servers.
Another way is to run another internal DNS server that gives out the internal IP addresses of your servers. Then configure all your internal systems to use this DNS server instead.
From Heath -
I think your issues need some further explaining, but it sounds like something is wrong with your resolver. You can query the server directly via nslookup. However, you also said that if you view HTTPS (TCP 443) it works. But since DNS (UDP 53) works the same for both HTTP (TCP 80) and HTTPS, this is causing a bit of an error with your diagnosis: if DNS was broken you wouldn't be able to view the HTTPS port either. Note that there could be some DNS caching at play here, and this might be confusing your diagnosis.
My initial guess is that your ISP started blocking ports. Either TCP/UDP 53 and/or TCP / UDP 80 would both be common ports to block (incoming) because if you have a residential connection they don't want you running servers.
In summary I would:
- Use nslookup to test your DNS servers. See if they are resolving the IPs correctly. Check from both inside and outside your ISP's connection.
- Use telnet to check connectivity to ports 80 and 443 from outside the connection; if this connects,
- Use a web browser to open the page, then check the server logs if you are getting the *The connection to the server was reset whilst the page was loading* error.
mwillmott : Thanks for the advice. When doing nslookup externally I get a non-authoritative answer pointing to the external IP, so that seems to be working fine. The only connections appearing in the IIS logs are on port 443, so it isn't doing anything on port 80, which makes sense because otherwise it would throw an error when going to the domain rather than pointing at the router (I assume). I am not sure if telnet is connecting. When I do telnet www.mydomain.com 80/443 it doesn't seem to do anything. When I do ctrl-j it gives "connection to host lost", so maybe it is connecting?
From Dave Drager -
You need to localize which part isn't working. Breaking down "browsing a web page" into its respective parts:
- resolve DNS
- connect to IP
- receive response
So, first you need to verify that DNS is resolving correctly. Ideally, this should be from a machine outside (I'm assuming you're serving pages to external customers) your network.
Secondly, telnet to port 80, internally first. For me this is:
greeblesnort@greeblesnort:~$ telnet 172.18.1.100 80
Trying 172.18.1.100...
Connected to 172.18.1.100.
Escape character is '^]'.
GET /                 <<<<<<<<<<<<<< type this and hit <ENTER> twice
HTTP/1.0 301 Found    <<<<<<<<<<<< this, while a "bad" response, *is* a response from the web server
If that works (with any valid server response), then the server is responding on that port. If you wanna be picky, you can use:
GET /index.htm HTTP/1.0
replacing index.htm with whatever your server uses for its default. This should return a valid page:
HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.0
x-info: result=success;server=web01;build={IIS}
Date: Fri, 18 Sep 2009 21:56:47 GMT
Connection: close
Content-Length: 12579

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
...
Now, if you can do this, from the outside, and receive any sort of valid server response, then the problem is on the server itself (code or configuration).
Third, you need to verify that your server is able to communicate its response back to the customer. This one is probably more of an issue with SLB setups where the NAT, server, and virtual are all different addresses and the server can communicate back to the customer via a different address than the request was made to (asynchronous routing).
Hope that helps. If you give some more information, I'm sure some of us would be willing to help you verify the external stuff...
edit: Well, if 91.135.5.118 is the correct resolution, then DNS appears to be fine from both nameservers.
However, when I try:
[greeblesnort@fjdx421 greeblesnort]$ telnet www.enfotext.com 80
Trying 91.135.5.118...
Connected to cust118-dsl91-135-5.idnet.net (91.135.5.118).
Escape character is '^]'.
GET /index.htm HTTP/1.0
it times out.
This would normally make me suggest that you talk to your ISP about them potentially blocking inbound port 80 requests. But, that would be kinda silly if they're allowing all those other ports that appear to be open.
I did a packet capture, just to see what was happening on the wire, and it appears that your server is never actually completing a TCP handshake. It appears to receive the initial SYN, returns a SYN/ACK, I send the final ACK, and your server keeps trying to resend the SYN/ACK.
My bet moves to a firewall config either upstream or on your server.
mwillmott : The DNS does seem to be resolving. One of the domains hosted is www.enfotext.com. I cannot seem to connect using telnet, either internally or externally. It is odd; it only seems to be port 80 (as I can connect to my VPN, 443 websites work, email works). In the DNS records I can create CNAME records and they work fine, and I can create A records that point to the internal IP of the webserver, and then internally it stops pointing at the router and the website works again. The thing that really gets me is why is it pointing to the router? Thanks for your help so far!
From Greeblesnort -
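A diagnostic script that works through the three answers above, added here as an example; it is not code from the thread or from any of its posters. It covers Heath's point about LAN clients resolving a public name to the router's WAN address, Dave Drager's nslookup/telnet checklist, and Greeblesnort's resolve / connect / receive breakdown, and stops at the first step that fails. Host names, addresses and the expected Server header are placeholders, and the local HTTP server is a constructed stub so the script runs offline. The `expected_server` comparison is an addition of this example: it flags the case where whatever answers on port 80 is not the web server at all.

```python
# Added example, not code from the thread or any of its posters: split
# "browsing a web page" into resolve / connect / receive, as the answers
# above do, and report which step failed. Names, addresses and the expected
# Server header are placeholders; the local server is a constructed stub.
import ipaddress
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def resolve(name, resolver=socket.gethostbyname):
    # Step 1, the nslookup test; `resolver` is injectable for stubbing.
    try:
        return resolver(name)
    except OSError:  # socket.gaierror is a subclass of OSError
        return None


def hairpin_warning(resolved_ip, wan_ip, lan_network):
    # Heath's point: a LAN client that resolves the public name to the
    # router's WAN address depends on NAT loopback, which many routers lack.
    addr = ipaddress.ip_address(resolved_ip)
    if addr == ipaddress.ip_address(wan_ip):
        return "resolves to the router's WAN address; LAN clients need NAT loopback or an internal record"
    if addr not in ipaddress.ip_network(lan_network):
        return "resolves to an address that is neither the WAN IP nor on the LAN"
    return None


def tcp_connect(ip, port, timeout=5.0):
    # Step 2, the telnet test. A silently dropped SYN shows up as "timeout",
    # a closed port as "refused". Returns (socket or None, state).
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, port))
        return sock, "connected"
    except socket.timeout:
        state = "timeout"
    except ConnectionRefusedError:
        state = "refused"
    except OSError as exc:
        state = f"error: {exc}"
    sock.close()
    return None, state


def http_probe(sock, host, path="/"):
    # Step 3, the minimal "GET / HTTP/1.0" request typed into telnet.
    # Returns (status, headers), or (None, {}) if the peer did not speak HTTP.
    sock.sendall(f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
    data = b""
    try:
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    except socket.timeout:
        pass
    finally:
        sock.close()
    if not data.startswith(b"HTTP/"):
        return None, {}
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers


def check_site(host, port=80, expected_server=None, ip=None, timeout=5.0,
               resolver=socket.gethostbyname):
    # Run the three steps in order and stop at the first that fails.
    # `expected_server` catches the thread's actual root cause: something
    # other than the web server (the router's admin page) answering on 80.
    ip = ip or resolve(host, resolver)
    if ip is None:
        return {"stage": "dns", "ok": False}
    sock, state = tcp_connect(ip, port, timeout)
    if sock is None:
        return {"stage": "connect", "ok": False, "ip": ip, "detail": state}
    status, headers = http_probe(sock, host)
    if status is None:
        return {"stage": "response", "ok": False, "ip": ip, "detail": "no HTTP reply"}
    server = headers.get("server", "")
    result = {"stage": "response", "ok": True, "ip": ip, "status": status, "server": server}
    if expected_server and expected_server.lower() not in server.lower():
        result["ok"] = False
        result["detail"] = f"answered by {server!r}, not the expected {expected_server!r}"
    return result


def start_local_server(server_header):
    # Constructed stand-in for the web server on 127.0.0.1 and a free port;
    # returns (port, server) so the caller can shut it down.
    class Handler(BaseHTTPRequestHandler):
        server_version, sys_version = server_header, ""

        def do_GET(self):
            self.send_response(404)
            self.send_header("Content-Type", "text/html")
            self.end_headers()
            self.wfile.write(b"<html><body>not found</body></html>")

    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv
```

Calling check_site("www.example.invalid", port, "Microsoft-IIS", ip="127.0.0.1") against the stub returns the stage reached and the Server header seen, so a router admin page answering on port 80 shows up as a header mismatch rather than as a vague "connection reset" in the browser; a dropped SYN, as in Greeblesnort's capture, shows up as stage "connect" with detail "timeout".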
SOLVED: Very stupid problem. Somehow the router had been reconfigured to allow access to the control panel from the internet, so it was clearly trying to take all port 80 traffic pointing to the external IP.
Thanks for all the help you have offered though!
Greeblesnort : glad you got it sorted
From mwillmott