Thanks, I'll see if their admins will work with me.

Jimmy

-----Original Message-----
From: Ben Scott [mailto:mailvor...@gmail.com] 
Sent: Monday, June 20, 2011 11:34 AM
To: NT System Admin Issues
Subject: Re: DNS Cache Issue

On Mon, Jun 20, 2011 at 1:44 PM, Jimmy Tran <jt...@teachtci.com> wrote:
> For the past month or so, I've had issues connecting to github.com, about 3
> or 4 occurrences.  Whenever my developers notice this, I can confirm a
> nslookup for github.com fails with the following error: " *** dc.domain
> can't find github.com: Server failed".

  There are six nameservers delegated authority for <github.com.>,
with names of the form <ns{1..4}.everydns.net.> and
<ns{1..2}.anchor.net.au.>.  The two under <anchor.net.au> try to do
EDNS0, but the resulting answers are malformed.  They work fine if
EDNS0 is avoided and DNS datagrams are limited to 512 bytes.

  Most likely, they've got an old or misconfigured firewall which
believes all DNS packets are 512 bytes.  That was correct in 1987 but
is wrong in 2011.

  Ideally, you contact the operators of the domain/nameservers in
question, and have them fix their network/change to a better DNS host.
 Failing that, you'll prolly have to disable EDNS0 at your end to
avoid their malfunction.

  I don't know of any way to disable EDNS0 only for a given
server/domain in MS-DNS.  The following link explains how to disable
EDNS0 for everything.  I haven't tried it, I am not familiar with it,
it may cause problems, etc., etc., but I wouldn't expect any trouble.

        http://technet.microsoft.com/en-us/library/cc787130%28WS.10%29.aspx

  I discovered this by using "dig", the incredibly useful DNS
diagnostic tool that's included with the ISC BIND suite.  (It's
available for MS Windows.)  Commands which demonstrate the issue:

> dig +noall ANY github.com. @ns1.anchor.net.au.
;; Warning: Message parser reports malformed message packet.
;; Truncated, retrying in TCP mode.
[remaining output omitted]
> dig +bufsize=512 ANY github.com. @ns1.anchor.net.au.
[remaining output omitted]
>

  Note the lack of warning in the second command.

  (I didn't start with those commands, but they demonstrate the problem.)

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
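
Added example, not part of the original thread and not Ben's commands: Python that builds a DNS message with or without the EDNS0 OPT record and walks a response record by record, which is the check behind dig's "malformed message packet" warning. The function names, the sample response, and the assumption that the answer is cut at 512 bytes in transit are all constructed for illustration.

```python
import struct

OPT = 41  # EDNS0 pseudo-record type (RFC 6891)

def encode_name(name):  # length-prefixed labels, then the zero-length root label
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"

def build_message(name, edns_size=None, answers=0, flags=0x0100):
    # A query by default; answers > 0 appends constructed 100-byte TXT records.
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, answers, 0, 1 if edns_size else 0)
    msg = hdr + encode_name(name) + struct.pack("!HH", 255, 1)  # QTYPE=ANY, class IN
    for _ in range(answers):
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, 100) + b"\x63" + b"x" * 99
    if edns_size:  # OPT record: root name, CLASS field = advertised UDP payload size
        msg += b"\x00" + struct.pack("!HHIH", OPT, edns_size, 0, 0)
    return msg

def skip_name(msg, pos):  # offset just past a name; IndexError if data runs out
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length
        if length == 0:
            return pos

def inspect(msg):  # walk every record the header promises, report what is found
    info = {"tc": False, "edns_size": None, "malformed": False}
    try:
        _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
        info["tc"] = bool(flags & 0x0200)
        pos = 12
        for _ in range(qd):
            pos = skip_name(msg, pos) + 4  # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            pos = skip_name(msg, pos)
            rtype, rclass, _, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
            pos += 10 + rdlen
            if rtype == OPT:
                info["edns_size"] = rclass
        info["malformed"] = pos != len(msg)
    except (struct.error, IndexError):
        info["malformed"] = True
    return info

# Constructed sample: a 6-record answer with EDNS0 (over 512 bytes), and the same
# bytes cut at 512, as a device assuming the 1987 size limit might leave them.
FULL = build_message("github.com", edns_size=4096, answers=6, flags=0x8400)
CLIPPED = FULL[:512]
```

inspect(FULL) reports a well-formed message advertising 4096 bytes; inspect(CLIPPED) reports a malformed one whose header still promises records that are no longer in the datagram.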

