On Wed, 2005-08-10 at 11:50, Bryan J. Smith wrote:
> Are you sure it's the server?
>
> Most firewalls these days are BSD (including variants
> like VxWorks) and Linux network stacks and use BIND or
> another POSIX DNS service.
>
> As I mentioned in a previous post:
> http://lists.centos.org/pipermail/centos/2005-August/009553.html
>
> Windows NT5+ (2000+) client systems have a _flawed_,
> _default_ logic to "hold down" DNS resolution upon failure.
> That means if a DNS resolution fails, Windows clients will
> _not_ requery the server _until_ that timeout passes. There
> is a registry hack to change this as follows:
> [ From http://www.winguides.com/registry/display.php/1203/ ]
>
> 'To change the DNS cache timeout for negative responses
> (where a lookup failed).
> Windows 2000 - Create or modify the DWORD value called
> "NegativeCacheTime".
> Windows XP and .NET Server 2003 - Create or modify the
> DWORD value called "MaxNegativeCacheTtl".
> Set the value to equal the required timeout in seconds
> the default is 300 (5 minutes).
> Restart Windows for the changes to take effect.'
>
> It's my #1 recommendation until you resolve the problem.
> UNIX clients/resolvers _never_ (AFAIK) cache a "failure,"
> only Windows -- which I think is flawed, but there is a
> reason for it (that has to do with legacy SMB file/print).
>
> Regardless of what solution you come to on the server,
> consider doing the above.