
DNS / Name Resolution Timeouts on Clients

I have a home network and I'm using the Sophos XG Firewall to try to secure my home network. It works very well, but I've noticed something fairly annoying for the past several months. When I navigate to a web page after turning on my PC, it takes a while and usually fails within a few seconds, then fires up and works fine (Windows 7). When I run nslookup with a standard web server on this machine it shows me this:

C:\>nslookup www.microsoft.com
Server: sophos.localnet
Address: 192.168.0.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Non-authoritative answer:
Name: e13678.dspb.akamaiedge.net
Addresses: 2600:1409:12:488::356e
2600:1409:12:48a::356e
23.44.161.156
Aliases: www.microsoft.com
www.microsoft.com-c-3.edgekey.net
www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net


C:\>nslookup www.google.com
Server: sophos.localnet
Address: 192.168.0.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Non-authoritative answer:
Name: www.google.com
Addresses: 2607:f8b0:400a:807::2004
216.58.216.164

C:\>

 

Hunting through the knowledge base I found a couple of articles that seem related but I was unable to find anything helpful from them:

https://community.sophos.com/products/xg-firewall/f/sophos-xg-firewall-general-discussion/84658/sophos-xg-as-internal-dns#

https://community.sophos.com/products/xg-firewall/f/initial-setup/97172/new-setup-xg-16-5---local-dns-name-resolution-not-working

 

I think this is why my web pages timeout on first try and then recover. Anyone have ideas on how to solve the timeout errors?

 

Thanks,

-Greg



  • Hi Greg,

    please try changing your XG DNS to 1.1.1.1 or 8.8.8.8 or one of the IPv6 DNS servers. Also check what DNS setting the XG has or is using.

    Ian

  • Currently, my DNS configuration is set up to use IPv4 as "Obtain DNS from DHCP" and it appears to be grabbing the proper IPs for the two servers.

    When I tried to force these values using the "Static DNS" option to 1.1.1.1, 8.8.8.8, and 8.8.4.4 it still looks like this:

    C:\>ipconfig /flushdns

    Windows IP Configuration

    Successfully flushed the DNS Resolver Cache.

    C:\>nslookup www.microsoft.com
    Server: sophos.mynet
    Address: 192.168.0.1

    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    Non-authoritative answer:
    Name: e13678.dspb.akamaiedge.net
    Addresses: 2600:1409:5000:299::356e
    2600:1409:5000:294::356e
    23.44.161.156
    Aliases: www.microsoft.com
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net


    C:\>

    This should be instant if it's working properly, right?

  • Based on your nslookup data it looks like it is still trying to hit your XG first. Check the DHCP scope to make sure "Use Device's DNS Settings" is checked for DNS. Then from the client run ipconfig /release, then ipconfig /renew, then ipconfig /all to ensure the client is getting the correct DNS settings from the XG/DHCP server.

  • Hi, try adding a trailing dot to the end i.e. nslookup www.microsoft.com.

     

  • bNaCl, that makes it come back immediately but the result looks weird:

    C:\>nslookup www.microsoft.com
    Server: c1dns.cableone.net
    Address: 24.116.0.53

    Non-authoritative answer:
    Name: www.microsoft.com.mynet
    Address: 92.242.140.68


    C:\>

    also, now I cannot ping machines on my local intranet using their computer names. :(

     

    Is there some way to make everything work?

  • Hi Pwc, when I add the trailing dot to the fully qualified domain name it comes back instantly.

    C:\>nslookup www.microsoft.com
    Server: sophos.mynet
    Address: 192.168.0.1

    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    Non-authoritative answer:
    Name: e13678.dspb.akamaiedge.net
    Addresses: 2001:418:1401:18e::356e
    2001:418:1401:18b::356e
    23.48.24.229
    Aliases: www.microsoft.com
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net


    C:\>nslookup www.microsoft.com.
    Server: sophos.mynet
    Address: 192.168.0.1

    Non-authoritative answer:
    Name: e13678.dspb.akamaiedge.net
    Addresses: 2001:418:1401:18e::356e
    2001:418:1401:18b::356e
    23.48.24.229
    Aliases: www.microsoft.com
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net


    C:\>

     

    But why is that? Seems like either of these should return instantly, why would the one without a trailing dot fail twice, then work?

  • This snippet from this URL describes it well: serverfault.com/.../dns-trailing-periods

    The trailing dot tells the DNS server that this is a fully qualified name. The dot is the root of the DNS hierarchy. If you don't use the dot, the DNS server will assume that it's a record in the current zone and will append it for you. For example, if you have a CNAME in example.com that points to host.example.org, when you query for that, you'll get host.example.org.example.com, which probably isn't what you wanted.

    Basically, without the period it will look to the local DNS service on the XG first. Because the XG isn't designed to be a robust DNS server (and I don't think you want it to be), it just won't work the way you are describing. If you want name resolution on your internal networks you will need to run an internal DNS server (with forwarders to your external DNS services) and configure the XG to use it.

    Hope this helps.
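As an added example (not from the thread or from Sophos), a small Python model of the search-suffix behaviour bNaCl describes: an unqualified name gets the client's connection suffix ("mynet" here) appended first, and when the forwarder never answers that query the client burns two timeouts before trying the absolute name, while a trailing dot skips the suffix entirely. The forwarder, the 203.0.113.10 and 192.168.0.20 addresses and the timing are constructed to mirror the nslookup output above, not captured from an XG.

```python
from __future__ import annotations

TIMEOUT_S = 2   # nslookup's per-query timeout, as printed in the thread
RETRIES = 2     # two "DNS request timed out" lines appeared per lookup

def candidate_names(name: str, search_list: list[str]) -> list[str]:
    """Order in which the stub resolver tries a name: a trailing dot marks
    it as fully qualified, so nothing is appended; otherwise each search
    suffix is tried first and the bare name last (the order the thread's
    output implies)."""
    if name.endswith("."):
        return [name]
    return [f"{name}.{suffix}" for suffix in search_list] + [name]

class FakeForwarder:
    """Constructed stand-in for the XG's local DNS service (the symptom
    seen above, not real XG code): known local hosts resolve, public names
    are forwarded, but a public name qualified into the local zone
    ('...mynet') gets no reply at all."""

    def __init__(self, local_zone: str, known: dict[str, str]):
        self.local_zone = local_zone
        self.known = known

    def query(self, qname: str):
        bare = qname.rstrip(".")
        if bare in self.known:
            return self.known[bare]
        if bare.endswith("." + self.local_zone):
            return None                 # silence: the client will time out
        return "203.0.113.10"           # constructed answer from upstream

def resolve(name, search_list, forwarder):
    """Walk the candidates like nslookup: RETRIES attempts of TIMEOUT_S each
    before moving on. Returns (answer, name_queried, seconds, timeouts)."""
    seconds = timeouts = 0
    for qname in candidate_names(name, search_list):
        for _ in range(RETRIES):
            answer = forwarder.query(qname)
            if answer is not None:
                return answer, qname, seconds, timeouts
            seconds += TIMEOUT_S
            timeouts += 1
    return None, None, seconds, timeouts

if __name__ == "__main__":
    xg = FakeForwarder("mynet", {"pc1.mynet": "192.168.0.20"})
    for n in ("www.microsoft.com", "www.microsoft.com.", "pc1"):
        print(n, "->", resolve(n, ["mynet"], xg))
```

Running it shows the unqualified lookup costing 4 seconds and two timeouts before the bare name is tried, exactly the pattern in the captures, while the dotted name and the local host resolve on the first query.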

  • Thank you bNaCl, that helps a lot. I'll try to configure my own local DNS server.

  • Hi, I was writing a response but can see that bNaCl has replied with a good explanation. One option you could try is to configure the proxy settings in your browser, as the website requests would then be passed to the XG box to resolve instead. Any DNS requests from outside the browser, or for any sites in the browser's bypass list, would then be handled by the Windows DNS client instead.