We recently installed our new RB1000 and since then we have started to experience some weird issues with DNS (at least I think they are DNS issues).
Most of my remote sites run an application that relies on resolving DNS to the central office.
I’m getting calls, on a daily basis that the app stops working.
In my investigation, I have found that when they experience the issue, the clients cannot resolve the domain controller.
nslookup to the domain controller returns server unknown, unable to resolve.
However, if I ping the DC by its host name the DC responds correctly.
After a successful ping the clients are able to authenticate again and the application resumes working properly.
So far I’ve tried disabling “Allow remote requests” on the RB1000 but the issue persists.
Any suggestions?
Sometimes, DNS gets “late” replies. Takes longer to process the request than the stateful firewall will keep the connection open. Try increasing UDP timeout a smidge.
Hi thanks for the tip. I’m still working on this issue.
Where is the UDP timeout option you are referring to?
I can’t seem to find it.
Thanks
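An added note, not from either poster: the UDP timeout referred to above is the connection-tracking timer on the RouterOS box itself. The commands below are standard RouterOS CLI for inspecting and adjusting it; the 30s value is an assumed starting point, not a recommendation from this thread.

```routeros
# Added example (not from this thread): inspect and raise the UDP
# connection-tracking timeout on a RouterOS device such as the RB1000.

# 1. Show the current conntrack timers. The defaults are udp-timeout=10s
#    (a single request/reply pair such as a DNS lookup must see its reply
#    within this window, or the reply arrives with no tracked entry to
#    un-NAT it and is dropped) and udp-stream-timeout=3m.
/ip firewall connection tracking print

# 2. While a client is failing, list the tracked UDP entries and look for
#    the client's query to the DC on port 53; if the entry has already
#    aged out by the time the reply comes back, the client never sees it.
/ip firewall connection print where protocol=udp

# 3. Raise the timeout. 30s is an assumed starting value; tune it to the
#    slowest reply you actually observe rather than much higher, so idle
#    entries still age out of the connection table promptly.
/ip firewall connection tracking set udp-timeout=30s

# 4. Confirm the new value took effect.
/ip firewall connection tracking print
```

Step 2 is the check that distinguishes a late DNS reply from a reply that never left the DC: a query entry that disappears before the reply shows up points at the timer, while an entry that stays with no reply points elsewhere.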
Hi,
I’m still having issues with this. Can anyone provide assistance?
Here is a typical scenario from my remote locations:
C:\Documents and Settings\aloha>nslookup dnsserver
DNS request timed out.
timeout was 2 seconds.
*** Can’t find server name for address xxx.xxx.173.24: Timed out
*** Default servers are not available
Server: UnKnown
Address: xxx.xxx.173.24
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out
C:\Documents and Settings\aloha>ping dnsserver
Pinging dnsserver [xxx.xxx.173.24] with 32 bytes of data:
Reply from xxx.xxx.173.24: bytes=32 time=6ms TTL=125
Reply from xxx.xxx.173.24: bytes=32 time=5ms TTL=125
Reply from xxx.xxx.173.24: bytes=32 time=6ms TTL=126
Reply from xxx.xxx.173.24: bytes=32 time=6ms TTL=126
Ping statistics for xxx.xxx.173.24:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 5ms, Maximum = 6ms, Average = 5ms
C:\Documents and Settings\aloha>nslookup alohahq
Server: dnsserver.dpdomain.com
Address: xxx.xxx.173.24
Name: dnsserver.dpdomain.com
Address: xxx.xxx.173.24
As you can tell, the first dns lookup request fails. It can’t find the DNS server.
If I try to ping the server by its IP address the server replies to the PING request.
On my third attempt, I try to ping the DNS server by its host name, which in turn replies with the correct IP address.
After that, if I try to perform another nslookup on the DNS server, it is able to resolve and all other DNS lookups are successful.
This is driving me nuts and it’s causing me operational issues. Most of my remote sites are on an Active Directory for which DNS is essential.
The issue started once I installed the RB1000.
Thanks
How does the traffic flow back to the central office? Are they connecting just to a straight public IP address or is this through a VPN connection between both locations? Does NAT get involved anywhere? Do you have any firewall filter rules? If so, how many rules do you have, and could any of those be affecting this traffic?
All the remote nodes are connected through our WISP. They have a gateway at each end that routes all the traffic through a Wireless Frame-Relay or WiMax (depending on the location).
The gateway at the main office connects directly to a switch on our LAN.
There are a couple of NAT rules configured for those segments but no filtering.
Below is a printout. FYI xxx.yyy.173.0/24 subnet is the central office, xxx.yyy.1-99.0/24 are the remote sites which are experiencing the issues.
0 ;;; Red Interna
chain=srcnat action=masquerade src-address=xxx.yyy.173.0/24
1 chain=srcnat action=masquerade src-address=xxx.yyy.174.0/24
2 ;;; TEST NAT 4: Corregir DNS Issues
chain=srcnat action=masquerade src-address=xxx.yyy.4.0/24
3 ;;; TEST NAT 45: corregir DNS Issues
chain=srcnat action=masquerade src-address=xxx.yyy.45.0/24
4 ;;; TEST NAT 67: Corregir DNS Issues
chain=srcnat action=masquerade src-address=xxx.yyy.67.0/24
5 ;;; Tiendas
chain=srcnat action=masquerade src-address=xxx.yyy.0.0/17
10 ;;; TEST NAT 69: Corregir DNS Issues
chain=srcnat action=masquerade src-address=xxx.yyy.69.0/24
I thought maybe these two chains might be conflicting
chain=srcnat action=masquerade src-address=xxx.yyy.0.0/17
chain=srcnat action=masquerade src-address=xxx.yyy.173.0/24
so I added some individual chains for a couple of the stores to see if it would make a difference but the issues persist.