
Is a corrupted DNS cache inevitable?

Status
Not open for further replies.

JBruyet

Hey all,

I've been setting up the computers of managers, supervisors and operations personnel so they have access to our security camera system. That's done by entering the IP address of the computers of those who have access to the system in the firewall of the camera DVR. Sometimes DHCP pops out a different IP address for the computer so I go in occasionally and double-check the IP addresses. I use NSLOOKUP to make sure the right address is assigned to the correct computer and I find out that DNS isn't always correct in its name resolution. Is a corrupted DNS cache inevitable? I would say that about every couple of months I start getting incorrect name resolution. I've done some Googling and I see that cache corruption on a Windows 2000 server isn't uncommon. The only real answer I found was to make sure that "Secure cache against pollution" is checked. It is. Is there something more than /flushdns that I should be doing? Is there a way to "strengthen" the DNS cache of a server? I had thought about going in and manually deleting all of the records in the Forward and Reverse lookup zones, but I decided to hold off. Any help would be greatly appreciated.

Thanks,

Joe B
 
If you have a static group of PCs that need to be able to pass traffic through the firewall, set them to have a static IP address instead of using DHCP. If you must use DHCP (i.e., the PCs in question are laptops and move around to different networks), then use DHCP reservations for those specific PCs so that they always get the same IP address.
 
Hey kmcferrin,

I thought about setting reservations for the workstations but I have a couple of DHCP servers with different scopes (redundancy and all that). If I set up a reservation on one DHCP server what's to prevent the other DHCP server from giving that PC an address? I guess I could do the static address thing. It's only about 30 workstations but they are at different locations. AND, that doesn't help with my DNS problem, which is the bigger issue. What's up with the ongoing DNS cache mangling???

Thanks,

Joe B
 
If you have two DHCP servers servicing the same subnet, just make sure that the subnets overlap a tad AND that all of the addresses in that range have reservations. For example, say your subnet is 192.168.1.1 through 192.168.1.254:

192.168.1.1 - Gateway
192.168.1.2 - 192.168.1.135 Scope on DHCP server #1
192.168.1.127 - 192.168.1.254 Scope on DHCP server #2
192.168.1.127 - 192.168.1.135 Overlapping IP addresses that are set as either reserved or excluded on both servers. If you make them reservations, make sure that the same IP is reserved on each DHCP server for the same MAC address.
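
An added example, not part of the original post: a Python check that every address in the overlap between two DHCP scopes is either excluded or reserved for the same MAC on both servers, so an IP allowlisted on the DVR firewall cannot be leased to another machine. The ranges come from the post above; the dict layout, MAC addresses, and the two deliberate mistakes on server #2 are constructed for illustration.

```python
from ipaddress import IPv4Address

def scope(first, last):
    """Inclusive address range as a set of integers."""
    return set(range(int(IPv4Address(first)), int(IPv4Address(last)) + 1))

def audit_split_scope(a, b):
    """List (ip, problem) for overlap addresses that are not safely pinned.

    Each server is a dict (assumed layout): 'scope' (first, last),
    'excluded' [(first, last), ...] and 'reservations' {ip: mac}.
    """
    problems = []
    for n in sorted(scope(*a["scope"]) & scope(*b["scope"])):
        ip = str(IPv4Address(n))
        states = []
        for srv in (a, b):
            if any(n in scope(*r) for r in srv["excluded"]):
                states.append("excluded")
            elif ip in srv["reservations"]:
                states.append(srv["reservations"][ip].lower())
            else:
                states.append(None)  # this server may lease it to any client
        if None in states:
            problems.append((ip, "leasable on at least one server"))
        elif "excluded" not in states and states[0] != states[1]:
            problems.append((ip, "reserved for different MACs"))
    return problems

# Constructed sample data: .127-.130 reserved, .131-.135 meant to be excluded.
RESERVED = {f"192.168.1.{h}": f"00-11-22-33-44-{h:02X}" for h in range(127, 131)}
SERVER1 = {
    "scope": ("192.168.1.2", "192.168.1.135"),
    "excluded": [("192.168.1.131", "192.168.1.135")],
    "reservations": RESERVED,
}
SERVER2 = {
    "scope": ("192.168.1.127", "192.168.1.254"),
    "excluded": [("192.168.1.131", "192.168.1.134")],  # mistake: .135 left out
    "reservations": {**RESERVED, "192.168.1.130": "00-11-22-33-44-AA"},  # mistake: wrong MAC
}

if __name__ == "__main__":
    for ip, problem in audit_split_scope(SERVER1, SERVER2):
        print(ip, problem)
```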
 
Aaahhhh... Ok, I never even thought of doing it that way. Thanks.

So, any ideas on how to remedy my DNS issue?

Thanks again,

Jobee
 
I don't know specifically what the issue is, other than nslookup isn't always returning the correct address. But that could be related to the PCs having multiple addresses at any given time (especially if you're using two DNS servers).

Try setting the reservations, then purge bad DNS records, and then watch it for a couple of weeks.
 
Make sure your DNS server is set up to scavenge old DNS records properly. We set scavenging to 7 days here.

This should help keep your DNS server cleaned up and loaded with only current DNS information.

Good luck,
 
lhuegele,

Yeah, I should have seen that one. I now have my DNS servers set to scavenge "stale records" at seven days. As a matter of fact, I was checking some of the host records and I see that a part of my problem IS with old records that are no longer accurate. My first example was with a static IP address for a server that I've since replaced and assigned a new name and IP address. Sheesh, I should have known that one.

kmcferrin & lhuegele thanks for the time and the help,

Joe B
 