External Network Problems

Discussion in 'Linux VPS/Dedicated - General' started by 45n5, Nov 25, 2007.

  1. 45n5

    45n5 New Member

    I have 100% uptime with KnownHost from Kentucky, USA; however, I repeatedly get told by other people from around the world that they can't connect to my sites.

    Here are some of the things I will hear.

    Your site is down (even though it's up for me)

    Your site has been down all day but Google Reader is updating your new posts.

    I can see your site using a proxy but not going there directly.

    I can't submit your URLs to Digg (Digg can't see your server)

    Usually when I get an abundance of these types of complaints the sites will go down for me until I hit refresh in my browser; that's all it takes for me.

    Help Fix This

    Is there anything I can do on my end to improve the connectivity of my sites and make these random outages stop?

    This has been going on for weeks. And I'm not the only one noticing

    http://forums.knownhost.com/showthread.php?t=1102

    thanks for your input
     
  2. ppc

    ppc Moderator

    Hello and welcome to the Knownhost forums!

    The thread you mentioned dealt with an overseas customer complaining about a particular ISP that was having trouble with different USA (and non-USA) based sites.

    My hunch is that your domain DNS is not set up correctly, either at the domain registrar or on your VPS. Both the TX and CA data centers have pretty reliable backbones so this definitely should not be happening and is not normal. Would you mind letting me know your domain name either via this thread or PM?

    Regards,
     
  3. class101

    class101 New Member

    You could try the tool here http://www.intodns.com/ to check if you have errors within your BIND DNS server; it helped me fix a few bugs today.
     
  4. 45n5

    45n5 New Member

    thanks all for the input so far

    it very well could be my error, however I'm a vps newbie so not sure where to start

    here is one of my domain names put into the suggested tool

    http://www.intodns.com/45n5.com
     
  5. khiltd

    khiltd New Member

    You'd really need to dig up some more information on the failures before you can pinpoint the problem. If the site doesn't load, that could be caused by a number of factors. If the domain name doesn't resolve, then that's a different story. Aside from the overly lengthy TTL value, your BIND config looks fine to me.
     
  6. 45n5

    45n5 New Member

    That link shows problems with my DNS; should I put in a ticket or can you help me here?

    These are the errors

    Same Glue: Looks like the A records (the GLUE) got from the parent zone check are different than the ones got from your nameservers. You have to make sure your parent server has the same NS records for your zone as you do.I detected some problems as follows:
    For ns1.45n5.net the parent reported: ['72.249.86.52'] and your nameservers reported: ['72.249.86.51']

    Different subnets WARNING: Not all of your nameservers are in different subnets


    Different autonomous systems WARNING: Single point of failure
    SOA EXPIRE Your SOA EXPIRE number is: 3600000. This value determines how long a secondary DNS server will still treat its copy of the zone data as valid if it can't contact the primary DNS server. RFC1912 suggests a value of 2-4 weeks (1209600 to 2419200 seconds).
     
  7. 45n5

    45n5 New Member

  8. class101

    class101 New Member

    Put it without "www": http://www.intodns.com/45n5.net works fine. Your domain appears to be correctly set up; you have a small SOA warning remaining to fix: you have set up a large SOA expire.

    Code:
                1195952713
                10800
                3600
                3600000    ; expire (the value to change)
                38400 )
    
    set it to

    Code:
                1195952713
                10800
                3600
                604800     ; expire
                38400 )
    
    below is my Zone configuration (Names to IP) if you want a sample to check with yours:

    Code:
    $ttl 38400
    heapoverflow.com.    IN    SOA    heap1.heapoverflow.com. webmaster.heapoverflow.com. (
                1195952713    ; serial
                10800         ; refresh
                3600          ; retry
                604800        ; expire
                38400 )       ; minimum
    heapoverflow.com.               NS    heap1.heapoverflow.com.
    heapoverflow.com.               NS    heap2.heapoverflow.com.
    heapoverflow.com.               MX  10    mta.heapoverflow.com.
    heapoverflow.com.            IN   A    65.99.213.138
    heap1.heapoverflow.com.         IN   A  65.99.213.138
    heap2.heapoverflow.com.         IN   A  65.99.213.139
    mta.heapoverflow.com.           IN   A  65.99.213.138
    www                             CNAME   heapoverflow.com.
    
    http://www.intodns.com/heapoverflow.com
     
  9. khiltd

    khiltd New Member

    The information that site is providing is very difficult to read. Try dnsstuff.com instead, and don't worry about the "separate class C's" warning as there is nothing you can do about that.

    I suspect whatever load failures you're experiencing are the fault of your CMS or one of the services it depends upon.
     
  10. class101

    class101 New Member

    The problem with DNSStuff is that it is not always free; often it rejects the query because they turned it into a paid service :/

    But here is the URL if you want to try; you should have some free queries:

    http://www.dnsstuff.com/tools/dnsreport.ch?domain=45n5.net


    IntoDNS is an alternative to the paid service and you can see the reports are almost the same. The author of intoDNS nicely duped DNSStuff, which helps a lot.
     
  11. class101

    class101 New Member

    The query passed in DNSStuff; looks like you have some behaviours not caught by intoDNS:

    BIND configuration issue
    Code:
    WARNING:  Your SOA EXPIRE time is : 3600000 seconds.  This seems a bit high.  You should consider decreasing this value to about 1209600 to 2419200 seconds (2 to 4 weeks).  RFC1912 (http://www.dnsstuff.com/pages/rfc1912.htm) suggests 2-4 weeks. This is how long a secondary/slave nameserver will wait before considering its DNS data stale if it can't reach the primary nameserver.

    BIND configuration issue
    Code:
    WARNING:  Your SOA REFRESH interval is : 86400 seconds.  This seems high.  You should consider decreasing this value to about 3600-7200 seconds (or higher, if using DNS NOTIFY).  RFC1912 (http://www.dnsstuff.com/pages/rfc1912.htm) 2.2 recommends a value between 1200 to 43200 seconds (20 minutes to 12 hours, with the longer time periods used for very slow Internet connections), and if you are using DNS NOTIFY the refresh value is not as important (RIPE recommend 86400 seconds if using DNS NOTIFY). This value determines how often secondary/slave nameservers check with the master for updates. A value that is too high will cause DNS changes to be in limbo for a long time.

    Iptables Firewall configuration issue
    Code:
    Error: Our local DNS server was unable to get your MX record. This usually means that a firewall in front of your DNS server is interfering. For example, it may be blocking DNS packets from low source port numbers (ours is often in the 1024-1030 range). Firewalls should never block DNS queries based on the source IP address; otherwise, it is guaranteed that legitimate queries will be blocked. This specific lookup must be cached, so a recent change may not be reflected.

    Mail server configuration issue (fix it to avoid spam issues)
    Code:
    Your domain does not have an SPF record. This means that spammers can easily send out E-mail that looks like it came from your domain, which can make your domain look bad (if the recipient thinks you really sent it), and can cost you money (when people complain to you, rather than the spammer). You may want to add an SPF record (http://www.openspf.org/) ASAP, as 01 Oct 2004 was the target date for domains to have SPF records in place (Hotmail, for example, started checking SPF records on 01 Oct 2004).
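
Added example (not code from any poster in this thread, nor from intoDNS or DNSStuff): a Python check that parses the SOA timers out of a zone file, flags refresh and expire values outside the ranges the two reports quote from RFC 1912, and compares parent glue with the zone's own A records. The `example.net` zone is a constructed sample carrying the 86400 refresh and 3600000 expire reported above; the function names are illustrative.

```python
import re

# Ranges quoted in the reports above (attributed there to RFC 1912), in seconds.
RECOMMENDED = {"refresh": (1200, 43200), "expire": (1209600, 2419200)}
FIELDS = ("serial", "refresh", "retry", "expire", "minimum")
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def to_seconds(token):
    """Convert a BIND time value such as '3600', '2w' or '1d12h' to seconds."""
    if token.isdigit():
        return int(token)
    parts = re.findall(r"(\d+)([smhdw])", token.lower())
    if not parts or "".join(n + u for n, u in parts) != token.lower():
        raise ValueError(f"bad time value: {token!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def parse_soa(zone_text):
    """Return the five SOA fields of the first SOA record in a zone file."""
    text = re.sub(r";[^\n]*", "", zone_text)  # strip ';' comments
    m = re.search(r"\bSOA\s+\S+\s+\S+\s*\(?([^)]*)\)?", text, re.I)
    if not m:
        raise ValueError("no SOA record found")
    tokens = m.group(1).split()[:5]
    if len(tokens) != 5:
        raise ValueError("SOA record needs five fields after the two names")
    return dict(zip(FIELDS, (to_seconds(t) for t in tokens)))

def check_soa(soa):
    """List out-of-range timers as (field, value, low, high) tuples."""
    return [(f, soa[f], lo, hi) for f, (lo, hi) in RECOMMENDED.items()
            if not lo <= soa[f] <= hi]

def glue_mismatches(parent, child):
    """Nameservers whose A records at the parent differ from the zone's own."""
    return {ns: (sorted(parent[ns]), sorted(child.get(ns, [])))
            for ns in parent if set(parent[ns]) != set(child.get(ns, []))}

# Constructed sample zone; timer values taken from the reports in this thread.
SAMPLE_ZONE = """$TTL 38400
example.net. IN SOA ns1.example.net. hostmaster.example.net. (
        1195952713 ; serial
        86400      ; refresh
        3600       ; retry
        3600000    ; expire
        38400 )    ; minimum"""

if __name__ == "__main__":
    print(check_soa(parse_soa(SAMPLE_ZONE)))
    print(glue_mismatches({"ns1.45n5.net": ["72.249.86.52"]}, {"ns1.45n5.net": ["72.249.86.51"]}))
```

Checked against the same ranges, the 604800 expire used elsewhere in the thread is also reported, since it is below the 1209600 lower bound both tools quote.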
     
  12. 45n5

    45n5 New Member

    thanks all again

    I changed all of my SOAs or "expires" to

    604800

    hopefully this will solve my problem

    I don't think it's the CMS on my part because it always works for me and Google Reader always works; it is random connectivity issues from around the globe.

    seems like the 604800 cleared up my "GLUE" problems also ;)

    if anybody stumbles on this thread at a later date you need to go into your main WHM panel and click EDIT DNS ZONE then choose your domain and hit EDIT to change these settings.
     
  13. 45n5

    45n5 New Member

    hello class101 I'm checking it at dnsstuff now and see the same errors

    it thinks that 86400 is high and recommends 3600-7200


    I'm also seeing this big FAIL

    WARNING: Your nameservers do not include any corresponding A records when asked for your NS records. They probably are not returning the A records when asked, which can prevent some other DNS servers from contacting your DNS servers. They should do this if they are authoritative for those A records (in BIND, you should not use 'minimal-responses yes;'). The problem record(s) are:

    Nameserver 72.249.86.51 did not provide any IPs
    Nameserver 72.249.86.52 did not provide any IPs
     
  14. magic

    magic New Member

    If you are having problems using DnsStuff.com, try blocking cookies from that domain. ;)
     
  15. class101

    class101 New Member

    Could you go into the /var/named folder and copy and paste here the content of the *.hosts files? You have a small error somewhere in these files, I think.

    Tried but no luck. I have CookieSafe for Firefox, blocked the site, removed the actual cookie, but it keeps rejecting :(
     
  16. class101

    class101 New Member

    OK, I got it working by blocking the cookie and using http://www.seoconsultants.com/tools/dns/. I have seen this link advertised on forums to bypass the DNSStuff cookie. It looks like it works from here, because if I try directly at DNSStuff while blocking my cookie, I'm rejected, but from seoconsultants it appears to work :) but only with the cookie blocked; I tried without blocking the cookie and seoconsultants no longer bypasses it.

    Here's another one: http://www.zonecheck.fr/demo/
     
  17. khiltd

    khiltd New Member

    Sounds like you have an overly sensitive firewall that's rejecting legitimate traffic.
     
  18. 45n5

    45n5 New Member

    thanks all for the help again

    I doubt it's an overactive firewall because I can always see it and randomly people can't see the site from around the world; plus this didn't happen on the other host the domains were sitting on, with many of the same visitors that are having trouble now.

    Not sure what I should try next, or should I wait a few days and see if the earlier expire time change helps over the next week?
     
  19. khiltd

    khiltd New Member

    What happened on one machine has little to do with what's currently happening on another. There are any number of things you could have set up differently.
     
  20. 45n5

    45n5 New Member

    I understand different machines have different settings.

    The point was people didn't have a problem before I switched to KnownHost, therefore it probably isn't my CMS and isn't their firewall, and I'd like to find the settings at KnownHost where visitors don't have trouble.
     
