Iis – Website returns 500 error when partially-qualified name is used

domain-name-systemiisiis-6windows-server-2003

I'm setting up an internal website to host a web service.

The website has the DNS entry service.test.company.local. The company uses company.local as its DNS zone for internal applications and this entry is suffixed silently on all DNS requests.

As such, a lookup for service.test resolves to the full name and the correct IP address.

The IIS 6 site is configured to listen on port 80 at the IP address service.test resolves to.

When trying to access this site via service.test.company.local, the address resolves and the service is displayed correctly.

When trying to access this site via service.test, an IIS error page is shown, reporting 500 – internal server error.

No entries are generated for this request in the website's log files or the application event log.

I can't understand where the error is coming from and it's really frustrating the lack of information IIS is giving me.

Any ideas to the problem or a solution? Any other sources of information I can check?

EDIT:

The unfriendly error from IIS is:

Unknown Host

Description: Unable to locate the server named "service.test" — the server does not have a DNS entry. Perhaps there is a misspelling in the server name, or the server no longer exists. Double-check the name and try again.

EDIT: 2

I suspect this has something to do with the way the organization has set up their DNS entries. I can add other prefixed entries into my hosts file and locally get correct resolution to the site.

I think this problem requires a DNS guru to suggest potential problems. Unfortunately, I don't have authority over the DNS entries, so I expect a lot of pain.

Best Answer

After getting my operations team involved, the answer has turned out to be that the proxy server has been trying to process requests, instead of them bypassing to the local network.

The error message being returned is from the proxy server, not the IIS server. This information was stumbled upon when a member of the ops team noticed HTTP requests weren't sending proxy-bypass information like they expected to.

The proxy bypass rules include *.company.local, which functions for addresses without any other suffixes and provides bypass for the fully-qualified name, but does not seem to apply when another suffix is used, such as .test.

From this, we've decided that the problem is too messy to fix, and we're going to use the fully-qualified names as a "good enough" workaround.

Related Solutions

Iis – Unexpected error 0x8ffe2740 occurred when trying to start an IIS6 website

Use netstat or ActivePorts to find if something is still holding on to port 80.

BIND – Overriding DNS Entries in BIND for Internal Networks

The best method is via the response policy zone in Bind 9.8.1 or newer. It allows you to override single records in arbitrary zones (and there's no need to create a whole subdomain for that, only the single record you want to change), it allows you to override CNAMEs, etc. Other solutions such as Unbound cannot override CNAMEs.

https://www.redpill-linpro.com/sysadvent/2015/12/08/dns-rpz.html

EDIT: Let's do this properly then. I will document what I've done based on the tutorial linked above.

My OS is Raspbian 4.4 for Raspberry Pi, but the technique should work without any changes on Debian and Ubuntu, or with minimal changes on other platforms.

Go to where your Bind config files are kept on your system - here it's in /etc/bind. Create in there a file called db.rpz with the following contents:

$TTL 60
@            IN    SOA  localhost. root.localhost.  (
                          2015112501   ; serial
                          1h           ; refresh
                          30m          ; retry
                          1w           ; expiry
                          30m)         ; minimum
                   IN     NS    localhost.

localhost       A   127.0.0.1

www.some-website.com    A        127.0.0.1

www.other-website.com   CNAME    fake-hostname.com.

What does it do?

it overrides the IP address for www.some-website.com with the fake address 127.0.0.1, effectively sending all traffic for that site to the loopback address
it sends traffic for www.other-website.com to another site called fake-hostname.com

Anything that could go in a Bind zone file you can use here.

To activate these changes there are a few more steps:

Edit named.conf.local and add this section:

zone "rpz" {
  type master;
  file "/etc/bind/db.rpz";
};

The tutorial linked above tells you to add more stuff to zone "rpz" { } but that's not necessary in simple setups - what I've shown here is the minimum to make it work on your local resolver.

Edit named.conf.options and somewhere in the options { } section add the response-policy option:

options {
  // bunch
  // of
  // stuff
  // please
  // ignore

  response-policy { zone "rpz"; };
}

Now restart Bind:

service bind9 restart

That's it. The nameserver should begin overriding those records now.

If you need to make changes, just edit db.rpz, then restart Bind again.

Bonus: if you want to log DNS queries to syslog, so you can keep an eye on the proceedings, edit named.conf.local and make sure there's a logging section that includes these statements:

logging {
    // stuff
    // already
    // there

    channel my_syslog {
        syslog daemon;
        severity info;
    };
    category queries { my_syslog; };
};

Restart Bind again and that's it.

Test it on the machine running Bind:

dig @127.0.0.1 www.other-website.com. any

If you run dig on a different machine just use @the-ip-address-of-Bind-server instead of @127.0.0.1

I've used this technique with great success to override the CNAME for a website I was working on, sending it to a new AWS load balancer that I was just testing. A Raspberry Pi was used to run Bind, and the RPi was also configured to function as a WiFi router - so by connecting devices to the SSID running on the RPi I would get the DNS overrides I needed for testing.