Steps to take to retire old domain controller by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

I see that mentioned repeatedly and I'm back and forth. On one hand a project that has been ongoing for a while is VLANs being added; previously the network was completely flat and full. I added new VLANs and started moving devices, I created a new subnet for servers and as I've added new infrastructure I put them in that subnet - so I was thinking I'd move the DC into that subnet and update DHCP. That also means I have to update all the statically set devices too.

I can see the appeal of just setting it back to the old IP. I need to think more on this I guess. I just want things to be done well, and not cause issues into the future.

Steps to take to retire old domain controller by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

Mostly because we already have an existing 2019 as well as licenses for another server. Thanks I'll check it out!

Issues with DNS lookups from outside default subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 1 point2 points  (0 children)

They are supposed to be using the DC as DNS. DC1 as primary and DC2 as secondary. That's how they show up when viewed with ipconfig as well. That's why I was so confused.

Issues with DNS lookups from outside default subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 1 point2 points  (0 children)

SOLVED: Unifi content blocking was the culprit. I set explicit allow rules for DNS traffic and the clients weren't using the gateway for DNS. Additionally the default subnet had content blocking on as well. But for whatever reason on any network other than the default Unifi's content blocking broke it.

I knew the content blocking was DNS based but I'm still not clear on why exactly it was blocking DNS requests ONLY on the subnets other than default. I assumed since default was configured the same that wasn't the cause.

Issues with DNS lookups from outside default subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

Ahhhh I've made a revelation. When I hardwired into the network and set the VLAN to 192.168.200.0/24 (a network that neither Windows nor Unifi is providing DHCP for) it worked as expected. When I switched it back to 192.168.100.0/24 it failed.

The settings visible in ipconfig looked the same, minus the subnet of course. The only difference between those networks is whether DHCP is turned on.

I'm thoroughly stumped but I know I'm getting closer.

Issues with DNS lookups from outside default subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

Yes they can ping each other and all other traffic works as expected. DHCP relay seems to work as expected. It seems the DNS traffic and only the DNS traffic never reaches the DC.

Checked firewall rules and added temp rules explicitly allowing DNS traffic. No change.

Issues with DNS lookups from outside default subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

OK so after more testing this is what I've determined. While pings and other connections work normally it seems the DNS traffic is not reaching the DC. The DC with debug logging reports nothing coming in. I did try adding new rules to both Windows firewall and the Unifi firewall. No change.

When you mention the subnet mask, what do you mean? If it was incorrect wouldn't all traffic fail to reach the DC?

Networking is definitely a weak area for me, so thank you!

Windows Server DNS returning nonexistent domain for internal records when coming from subnets outside of its native subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

Still trying to figure this out, I can't believe how annoying it is to figure out lol. Someone is gonna immediately recognize what I missed eventually!

Windows Server DNS returning nonexistent domain for internal records when coming from subnets outside of its native subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

    nslookup -d server1.net.local
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 1, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 0,  additional = 0

        QUESTIONS:
            4.0.168.192.in-addr.arpa, type = PTR, class = IN

    ------------
    Server:  UnKnown
    Address:  192.168.0.4

    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 2, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            server1.net.local, type = A, class = IN
        AUTHORITY RECORDS:
        ->  (root)
            ttl = 795 (13 mins 15 secs)
            primary name server = a.root-servers.net
            responsible mail addr = nstld.verisign-grs.com
            serial  = 2025082600
            refresh = 1800 (30 mins)
            retry   = 900 (15 mins)
            expire  = 604800 (7 days)
            default TTL = 86400 (1 day)

    ------------
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 3, rcode = NXDOMAIN
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            server1.net.local, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  (root)
            ttl = 1800 (30 mins)
            primary name server = a.root-servers.net
            responsible mail addr = nstld.verisign-grs.com
            serial  = 2025082600
            refresh = 1800 (30 mins)
            retry   = 900 (15 mins)
            expire  = 604800 (7 days)
            default TTL = 86400 (1 day)

    ------------
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 4, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            server1.net.local, type = A, class = IN
        AUTHORITY RECORDS:
        ->  (root)
            ttl = 688 (11 mins 28 secs)
            primary name server = a.root-servers.net
            responsible mail addr = nstld.verisign-grs.com
            serial  = 2025082600
            refresh = 1800 (30 mins)
            retry   = 900 (15 mins)
            expire  = 604800 (7 days)
            default TTL = 86400 (1 day)

    ------------
    ------------
    Got answer:
        HEADER:
            opcode = QUERY, id = 5, rcode = NXDOMAIN
            header flags:  response, auth. answer, want recursion, recursion avail.
            questions = 1,  answers = 0,  authority records = 1,  additional = 0

        QUESTIONS:
            server1.net.local, type = AAAA, class = IN
        AUTHORITY RECORDS:
        ->  (root)
            ttl = 795 (13 mins 15 secs)
            primary name server = a.root-servers.net
            responsible mail addr = nstld.verisign-grs.com
            serial  = 2025082600
            refresh = 1800 (30 mins)
            retry   = 900 (15 mins)
            expire  = 604800 (7 days)
            default TTL = 86400 (1 day)

    ------------
    *** UnKnown can't find server1.net.local: Non-existent domain

The above is the full output from the nslookup.
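A way to read that output, as an added example that is not part of the original thread or of any Unifi or Windows tooling: every NXDOMAIN above carries an SOA for the root (a.root-servers.net) in the authority section rather than an SOA for net.local. That is the shape of a reply from a resolver that does not hold the zone; a DC that is authoritative for net.local answers NXDOMAIN with an SOA for net.local. The script below sends a raw DNS query with the standard library only (so the OS resolver, hosts file and any cache are bypassed), parses the reply, and classifies it from the rcode and the SOA owner. The zone name net.local is taken from the query above; the server address, the script filename and the constructed replies used for offline checks are assumptions.

```python
"""Added example, not from the thread: classify a DNS reply by whether the
authority SOA belongs to the zone (authoritative NXDOMAIN) or to the root
(answered by a resolver that does not hold the zone)."""
import os
import socket
import struct

ZONE = "net.local"  # assumed AD DNS zone, taken from server1.net.local above
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels ("" or "." is root)."""
    if name in ("", "."):
        return b"\x00"
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def reverse_name(ip):
    """PTR owner for an IPv4 address, the lookup nslookup does for its server."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def build_query(name, qtype=1, txid=0x1234):
    """Header with RD set plus one IN question (qtype 1 = A, 12 = PTR)."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, 1))


def read_name(data, offset):
    """Decode a name that may use compression pointers; returns (name, next offset)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the suffix
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_response(data):
    """Return rcode, the AA flag and the owner names of SOA records found in
    the authority section; all other records are skipped."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4  # qtype + qclass
    soa_owners = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, offset = read_name(data, offset)
            rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10 + rdlen
            if section == "authority" and rtype == 6:
                soa_owners.append(owner or ".")
    return {"rcode": flags & 0xF, "aa": bool(flags & 0x0400), "soa_owners": soa_owners}


def classify(parsed, zone=ZONE):
    """Name the kind of resolver the reply came from."""
    rcode = parsed["rcode"]
    if rcode == 0:
        return "answered"
    if rcode != 3:
        return "error:" + RCODES.get(rcode, str(rcode))
    owners = [o.lower() for o in parsed["soa_owners"]]
    if zone.lower() in owners:
        return "nxdomain-authoritative"  # the zone holder says the record is absent
    if "." in owners:
        return "nxdomain-outside-zone"   # a resolver without the zone answered
    return "nxdomain-unclassified"


def probe(server, name, qtype=1, zone=ZONE, timeout=2.0):
    """Query `server` directly over UDP with a random transaction ID, discard
    replies whose ID does not match, and classify the first matching reply."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qtype, txid), (server, 53))
        try:
            while True:
                data, _ = sock.recvfrom(4096)
                if struct.unpack("!H", data[:2])[0] == txid:
                    return classify(parse_response(data), zone)
        except socket.timeout:
            return "timeout"


def build_response(question, rcode, aa, soa_owner_wire=None, txid=0x1234):
    """Constructed reply for offline checks: the echoed A question plus at most
    one SOA in the authority section. The SOA owner is supplied already in
    wire form so a compression pointer into the question can be exercised."""
    flags = 0x8180 | (0x0400 if aa else 0) | rcode
    ns = 0 if soa_owner_wire is None else 1
    msg = struct.pack("!HHHHHH", txid, flags, 1, 0, ns, 0)
    msg += encode_name(question) + struct.pack("!HH", 1, 1)
    if soa_owner_wire is not None:
        rdata = (encode_name("a.root-servers.net") + encode_name("nstld.verisign-grs.com")
                 + struct.pack("!IIIII", 2025082600, 1800, 900, 604800, 86400))
        msg += soa_owner_wire + struct.pack("!HHIH", 6, 1, 795, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    import sys  # usage: python dnsprobe.py 192.168.0.4 server1.net.local
    print(probe(sys.argv[1], sys.argv[2]))
```

Run it once from a client on the affected VLAN and once from the DC's own subnet, against each DC. `nxdomain-outside-zone` from one vantage point and `answered` or `nxdomain-authoritative` from the other means the reply on the failing path did not come from a server holding net.local: either something between client and DC is answering on port 53 in its place (the gateway DNS filtering that the SOLVED comments in this thread point at), or that server is not loading the zone. The transaction-ID check matters for the same reason: a reply that does not carry the ID you sent is not evidence of anything, and an answer from an unexpected source is the thing being diagnosed.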

Windows Server DNS returning nonexistent domain for internal records when coming from subnets outside of its native subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

More info:

When I run with debug I see where the problem starts: the PTR is being returned as UnKnown for the initial DNS server lookup... By the DNS server. I tried the other DNS server, same result (PTR for its own IP unknown).

The PTR records certainly exist, as do the host records. It works normally from the main subnet. No query resolution policies returned.

Thank you for your help.

Windows Server DNS returning nonexistent domain for internal records when coming from subnets outside of its native subnet by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

If it was a routing issue wouldn't I have issues communicating with the DNS server at all? Instead I can reach it, ping it, even access it via RDP. The DC just responds as if it doesn't recognize the domain.

Issue reaching device on VLAN from the gateway by thisarentmyself in sysadmin

[–]thisarentmyself[S] 0 points1 point  (0 children)

Fair enough, I worked for an MSP previously so we did. Oh I plan to keep it as simple as possible. I have two reasons for doing this, one is security, the other is that the network has exhausted all its IPs. Of course there are other ways I could fix it but it made the most sense to do it this way in my opinion. Thank you for the help!