
Grading Checklist

A good response must include:

  • Identifies the root cause: the internal DNS zone is missing an A record for payments.acme.com, so the query is forwarded to the external DNS, which returns the public IP
  • Explains the split-horizon DNS concept and why internal clients must resolve to internal IPs
  • Demonstrates using dig against specific DNS servers to compare results (internal vs external)
  • Checks /etc/resolv.conf to confirm which DNS server the host is using
  • Identifies that the internal firewall blocks or does not support hairpin NAT, making the external IP unreachable from inside
  • Proposes adding the missing A record to the internal DNS zone as the fix
  • Mentions checking for DNS caching (nscd, systemd-resolved) and flushing if needed
  • Suggests verifying all records after the recent DNS consolidation to prevent similar issues
  • Tests direct connectivity to the internal IP to confirm the service is actually reachable internally
  • Considers whether a wildcard or CNAME could prevent future omissions
  • Does NOT suggest adding a static /etc/hosts entry as the permanent solution (acceptable only as a temporary workaround)
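
The post-consolidation record check can be scripted as a comparison of the two views. The following is an added example, not part of the original checklist: it flags names that exist externally but are missing from the internal zone, and internal records that answer with a non-RFC 1918 address. The zone contents, the simplified "name TYPE value" line format, every name other than payments.acme.com, and all addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges; the internal view is expected to answer from these.
# (ipaddress.is_private is not used: it also treats documentation ranges as private.)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (assumption): simplified "name TYPE value" lines.
EXTERNAL_ZONE = """
www.acme.com.       A  203.0.113.10
payments.acme.com.  A  203.0.113.20
api.acme.com.       A  203.0.113.30
"""
INTERNAL_ZONE = """
www.acme.com.       A  10.20.0.10
api.acme.com.       A  203.0.113.30   ; copied from the external zone by mistake
intranet.acme.com.  A  10.20.0.50
"""

def parse_a_records(text):
    """Return {name: set(addresses)} for the A records in simplified zone text."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";")[0].split()  # drop zone-file style comments
        if len(fields) == 3 and fields[1].upper() == "A":
            name = fields[0].lower().rstrip(".")
            records.setdefault(name, set()).add(fields[2])
    return records

def is_internal(addr):
    """True if addr falls inside an RFC 1918 range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def audit_split_horizon(internal_text, external_text):
    """Report names that internal clients would resolve to a public address."""
    internal = parse_a_records(internal_text)
    external = parse_a_records(external_text)
    # Missing internally: the query is forwarded to the external DNS.
    missing = sorted(set(external) - set(internal))
    # Present internally, but at least one answer is not an internal address.
    public = sorted(name for name, addrs in internal.items()
                    if not all(is_internal(a) for a in addrs))
    return {"missing_internal": missing, "public_in_internal": public}

if __name__ == "__main__":
    for finding, names in audit_split_horizon(INTERNAL_ZONE, EXTERNAL_ZONE).items():
        print(f"{finding}: {names}")
```
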