On Wed, 2005-08-10 at 11:50, Bryan J. Smith wrote:
Are you sure it's the server?
Most firewalls these days are BSD (including variants like VxWorks) and Linux network stacks and use BIND or another POSIX DNS service.
As I mentioned in a previous post: http://lists.centos.org/pipermail/centos/2005-August/009553.html
Windows NT5+ (2000+) client systems have a _flawed_, _default_ logic to "hold down" DNS resolution upon failure. That means if a DNS resolution fails, Windows clients will _not_ requery the server _until_ that timeout passes. There is a registry hack to change this as follows: [ From http://www.winguides.com/registry/display.php/1203/ ]
'To change the DNS cache timeout for negative responses (where a lookup failed): Windows 2000 - create or modify the DWORD value called "NegativeCacheTime". Windows XP and .NET Server 2003 - create or modify the DWORD value called "MaxNegativeCacheTtl". Set the value to equal the required timeout in seconds; the default is 300 (5 minutes). Restart Windows for the changes to take effect.'
It's my #1 recommendation until you resolve the problem. UNIX clients/resolvers _never_ (AFAIK) cache a "failure," only Windows -- which I think is flawed, but there is a reason for it (that has to do with legacy SMB file/print).
Regardless of what solution you come to on the server, consider doing the above.
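As an added example (not part of the post above, and not the winguides text it quotes), the following PowerShell script reads the current negative-cache TTL, sets the "MaxNegativeCacheTtl" DWORD the post describes, and shows how to see a negatively cached entry in the resolver cache. It assumes the value lives under the DNS client service's parameters key (`HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters`, the documented location on XP/2003 and later); the hostname used for the failing lookup is a constructed `.invalid` name, and `Resolve-DnsName` needs Windows 8 / Server 2012 or newer.

```powershell
# Added example, not code from the mailing-list post.
# Assumption: the negative-cache TTL is stored under the Dnscache service parameters key.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$name   = 'MaxNegativeCacheTtl'   # XP / Server 2003 and later; Windows 2000 uses 'NegativeCacheTime'
$newTtl = 5                       # seconds; the post states the default is 300 (5 minutes)

# Return the configured negative-cache TTL, or the post's stated default when the value is absent.
function Get-NegativeCacheTtl {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -ne $props -and $null -ne $props.$name) { return [int]$props.$name }
    return 300
}

# Create or overwrite the DWORD value; requires an elevated (Administrator) session.
function Set-NegativeCacheTtl([int]$Seconds) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Seconds -Force | Out-Null
}

# Reproduce the symptom the post describes: a failed lookup is held in the client cache.
# After the failing query, the name appears in 'ipconfig /displaydns' as a negative entry.
function Show-NegativeEntry([string]$Hostname) {
    Resolve-DnsName $Hostname -ErrorAction SilentlyContinue | Out-Null
    ipconfig /displaydns | Select-String -Context 0,6 -Pattern ([regex]::Escape($Hostname))
}

"Current negative-cache TTL: $(Get-NegativeCacheTtl) s"
Show-NegativeEntry 'does-not-exist.example.invalid'   # constructed name; .invalid never resolves
Set-NegativeCacheTtl $newTtl
"Configured negative-cache TTL: $(Get-NegativeCacheTtl) s (restart Windows for it to take effect, per the post)"
```

Run it from an elevated PowerShell prompt; reading the value works unprivileged, but writing under HKLM does not. The lookup and `ipconfig /displaydns` step is only there so you can confirm that the failure is being cached on the client before changing anything on the server side.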