The other day I was configuring a new production system for a client and I ran into something I have never seen before. I was trying to test the SSL certificates on the new servers and since the old servers are still running in production I can’t change the DNS entries so I simply fired up UltraEdit and modified my hosts file to have the new server IP point to the new server SSL host name. This always works for me, except this time. I checked the logs and I am seeing all sorts of odd SSL revoked errors in the logs and I am seeing the OLD IP address instead of the new IP address.
I am completely puzzled, all I can see is that I am not picking up the new IP address from the hosts file. After running this by one of the server administrators he tells me that he has seen the problem before, and that I need to disable the DNS Client Service.
DNS Client Service: The DNS Client service is the client component that resolves and caches Domain Name System (DNS) domain names. When the DNS Client service receives a request to resolve a DNS name that it does not contain in its cache, it queries an assigned DNS server for an IP address for the name. If the DNS Client service receives the requested address, it stores the name and address in its cache to resolve future requests without having to query the DNS server. All computers that use DNS to resolve domain names (including DNS servers and domain controllers) use the DNS Client service for this purpose.
Sure enough once disabled, the host file is read and we are able to test the SSL certificate without an issue. I have done some reading on this and I am not completely sure that disabling the service is necessary, however, it did work in this case. From what I read it maybe a problem with the registry or with security on the hosts file. Some people were able to resolve the issue by simply deleting the hosts file and creating a new one which changed the security permissions on the hosts file, others have reported that there is a policy item and the registry is point to an incorrect policy.
Irregardless, for my testing needs, stopping the service and updating the hosts file then validating that the SSL certificates were in place was sufficient.