Tag Archives | DNS

Disabling IPv6 Also Disables Dynamic DNS Registration

Dynamic DNS updates were not happening at boot or when doing an ipconfig /release and /renew, but a manual ipconfig /registerdns worked fine. I tracked this down to IPv6 being disabled by GPO. I don’t know the reason for this, but Microsoft do state:

Important: Internet Protocol version 6 (IPv6) is a mandatory part of Windows Vista and Windows Server 2008 and newer versions. We do not recommend that you disable IPv6 or its components. If you do, some Windows components may not function. We recommend that you use “Prefer IPv4 over IPv6” in prefix policies instead of disabling IPv6.

Policy: Computer\Policies\Administrative Templates\Network\IPv6 Configuration.
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents(DWORD)=0xff


Worth noting:

  • A reboot is required for the change to take effect (at least for the dynamic registration behaviour to change).
  • De-scoping this policy (or setting it to Not Configured) doesn’t revert IPv6 to enabled. Instead you need to configure the setting “Enable all IPv6 components” and then de-scope the policy after the change has taken effect.
  • Ticking “Use this connection’s DNS suffix in DNS registration” causes dynamic registration to work as normal, even when IPv6 is disabled. In my testing the primary and the connection-specific DNS suffix were the same.
  • Consider using “Prefer IPv4 over IPv6” instead of disabling IPv6, as this does not impact dynamic DNS updates.
  • I’m only talking about DHCP clients here, not static clients. The behaviour may be different for static clients.
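As an added example (not part of the original post), the following read-only PowerShell audit shows how a client would report the state described above: it decodes the DisabledComponents value written by the GPO (0xFF on this page; 0x20 is Microsoft’s documented “Prefer IPv4 over IPv6” value) and lists the per-adapter DNS registration and DHCP settings the post found relevant. The registry path and value names are the ones from the post; the cmdlets are standard in Windows 8 / Server 2012 and later.

```powershell
# Added example: audit IPv6 DisabledComponents and the DNS registration
# settings that affect dynamic DNS updates. Read-only; nothing is changed.

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
$dc  = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
if ($null -eq $dc) { $dc = 0 }          # value absent means IPv6 fully enabled
$dc = [uint32]$dc                       # DWORD; 0xFFFFFFFF is sometimes set instead of 0xFF

# Bit meanings are the Microsoft-documented ones; parentheses matter because
# PowerShell evaluates -eq before -band.
$state =
    if (($dc -band 0xFF) -eq 0xFF) { 'IPv6 DISABLED on all interfaces (GPO "Disable all IPv6 components") - dynamic DNS registration at boot/renew is expected to fail' }
    elseif (($dc -band 0x10) -ne 0) { 'IPv6 disabled on non-tunnel interfaces' }
    elseif (($dc -band 0x20) -ne 0) { 'IPv4 preferred over IPv6 (recommended alternative; dynamic DNS unaffected)' }
    elseif ($dc -eq 0)               { 'IPv6 fully enabled (default)' }
    else                             { 'Non-standard value; compare against the documented bit table' }

"DisabledComponents = 0x{0:X} -> {1}" -f $dc, $state

# Per-adapter IPv6 binding (the NIC checkbox) is separate from DisabledComponents;
# showing both avoids confusing the two when troubleshooting.
Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Select-Object Name, Enabled |
    Format-Table -AutoSize

# DNS client registration settings per interface. 'UseSuffixWhenRegistering'
# is the "Use this connection's DNS suffix in DNS registration" checkbox that
# the post found restores registration even with IPv6 disabled.
Get-DnsClient |
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix,
                  RegisterThisConnectionsAddress, UseSuffixWhenRegistering |
    Format-Table -AutoSize

# The post only covers DHCP clients; show which IPv4 interfaces are DHCP.
Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.ConnectionState -eq 'Connected' } |
    Select-Object InterfaceAlias, Dhcp |
    Format-Table -AutoSize
```

Run it before and after applying or de-scoping the policy (and after the required reboot) to confirm the registry value actually changed, since the post notes that removing the policy alone does not re-enable IPv6.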


ISA Not Enough Memory (0x80070008)

I came across this one today when one of our web apps in the perimeter network stopped working for external users after a switch failure on our internal network.

We run split DNS, so if you ask an internal DNS server for the IP address of webapp.ourdomain.com it will tell you the private address of the perimeter web server, but if you ask a DNS server on the internet you will get the public address, which is NAT’d to the ISA server that publishes the app. Now, if you ask a DNS server in the perimeter network, it will forward the DNS request to an internal DNS server. If the internal DNS server is unavailable the perimeter server will use recursion to resolve the address and ultimately end up resolving and caching the public address of the web app. By now you can probably guess what happens.

  1. An internet user connects to webapp.ourdomain.com, which is resolved to 203.271.47.15.
  2. The connection is NAT’d by our external hardware firewall and received by the ISA web listener / publishing rule.
  3. The ISA server resolves the name in the “To” section of the web publishing rule using a perimeter DNS server. The name is in the internal domain (ourdomain.com), so the perimeter DNS server tries to forward the request to an internal DNS server. This fails, so the perimeter DNS server uses recursion to resolve the name and returns the public internet address instead of the private address of the web server in the perimeter network. We now have a loop, which results in the above error being logged.

There are a couple of ways to deal with this.

  1. Disable recursion on the domain forwarding in the DNS server settings, so the perimeter server fails the lookup rather than resolving the public address when the internal forwarder is unreachable.
  2. Explicitly specify the IP address in the “To” section of the publishing rule.

Another one of those “Only in this exact and unlikely situation” type posts but oh well!
