Re: Changed IP - DNS strangely cached?

From: Jared Mauch (
Date: Fri Feb 15 2002 - 15:00:23 EST

On Fri, Feb 15, 2002 at 02:47:49PM -0500, David Croft wrote:
> Hi,
> I have a config file which specifies each object's 'ip' field as a
> hostname rather than an IP address.
> A few weeks ago I changed the IP address of one of the monitored machines
> in the DNS. I can confirm that this successfully propagated to the
> secondary DNS.
> However I still get e-mail alerts from sysmon stating "DNS CRITICAL - No
> response from server" and "Network is unreachable" on the two services
> that are monitored on that machine (dns and smtp). The e-mail shows it is
> trying to monitor the OLD ip address.

        Hmm. Is this machine running Solaris?

> Interestingly, these services never appear on the sysmon status display,
> neither in the curses interface, java client nor html page. The only
> problem is the e-mail sent.
> I have killed sysmon repeatedly and restarted it. I have confirmed that an
> nslookup from that machine returns the correct address. There is nothing
> in /etc/hosts. I have tried setting the dnsexpire to 1.
> My only guess at this point is that sysmon has a DNS cache file hidden
> somewhere but I can't find anything like that.

        There is no such file.

> The only other noteworthy point is that this was previously a /24 network
> but it has now been subnetted, so the old address for this machine
> (x.x.x.16) is actually now a subnet address. I don't see how this would
> affect sysmon keeping the old IP address across a restart.

        I assume the netmasks on all the machines are
correct now also.

> Any ideas?

        If you are running Solaris or any other operating system
that has "nscd" you may be running into a situation whereby
this caches information.

        Here's how it works:

process->libc->nscd->dns query

        but nslookup just does

process->dns query

        Does "ping" report the correct IP address? What about
telnet X?

        These all use the libc gethostbyname function call to get
the remote system's IP instead of a direct DNS query based off
of the first resolver in /etc/resolv.conf

        - jared

> Thanks.
> David
> --
> |> /+\ \| | |>
> David Croft
> Infotrek

Jared Mauch  | pgp key available via finger from
clue++;      |  My statements are only mine.
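
The two lookup paths described in the reply above, side by side, as an added example that is not part of the original thread or of sysmon: it resolves a name once through the C library (the path that passes through nscd where one is running) and once by sending a DNS query straight to a server, then reports addresses that only the libc path still returns. The function names, the host name and the 192.0.2.x addresses are constructed for illustration, and it assumes a CPython build whose socket.gethostbyname_ex calls the system resolver.

```python
import socket
import struct

def build_a_query(name, txid=0x1234):
    """Encode a recursive A/IN question for `name` (RFC 1035 wire format)."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    # Header, labels, then root label (0) + QTYPE=A (1) + QCLASS=IN (1).
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!BHH", 0, 1, 1)

def _skip_name(msg, off):   # returns the offset just past a (possibly compressed) name
    while msg[off] != 0:
        if msg[off] & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + msg[off]
    return off + 1

def parse_a_records(msg):
    """Extract the IPv4 addresses from the answer section of a DNS response."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def direct_lookup(name, server, timeout=3.0):
    """process -> dns query: ask `server` itself, bypassing libc and nscd."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (server, 53))
        return parse_a_records(s.recvfrom(512)[0])

def libc_lookup(name):
    """process -> libc (-> nscd, if running): the path ping and telnet take."""
    return socket.gethostbyname_ex(name)[2]

def stale_addresses(libc_addrs, dns_addrs):
    """Addresses libc still hands out that the DNS server no longer returns."""
    return sorted(set(libc_addrs) - set(dns_addrs))

# Constructed sample: a response for mail.example.com -> 192.0.2.40 (made-up values).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + build_a_query("mail.example.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.40"))
```

On the monitoring host, stale_addresses(libc_lookup(host), direct_lookup(host, server)) returns an empty list when both paths agree; a non-empty list points at something between the process and the DNS server, such as nscd, holding the old answer.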

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:14:07 EDT