Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 0 replies
  • Subscribers 27 subscribers
  • Views 196 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNS configuration question

splarksop

Hi,

I'm wondering how others configure their DNS server settings in XG and how it behaves.

My issue is that XG never seems to realise that an upstream DNS server is down and will continue to attempt to use it for every query.

For example, all my clients have the XG set as their DNS server.

In DNS settings I have Static DNS with Server 1 and Server 2 filled in.   If server 1 stops responding, then every single DNS lookup of every client machine now takes over 4 seconds. Because the XG will not mark server 1 as "bad" and query server 2 first.

It's even worse if you use the option to configure 3 servers.  If server 1 and 2 are both down the XG now tries 1 and 2 twice each before attempting server 3.

That means that windows clients actually fail the lookup because they've waited 8 seconds for a response.  If you perform the lookup a second time immediately after you see the XG has finally got the response from server 3 and cached it, so it then works.

This behaviour just isn't what I would expect when you configure multiple static servers.  Other products realise the first server is down, and subsequent queries go to the alternatives.

What is even worse, if you see that the first DNS server has failed (because every web page load has slowed to a crawl for example)  changing the DNS server settings results in a long outage while the XG DNS service restarts (70 seconds on my XG 125).

I also find the "Test Name lookup" tool to be very misleading here as well.  If Server 1 is down,  the tool will indicate that all is well, the lookup was successful and just took a few msec.  Where actually, it doesn't tell you anything about timing out on the first server it tried and the whole process taking 4 seconds + the few msec of the successful lookup.

Is there something I'm missing configuring this? I don't feel this behaviour can be normal but it's what I've seen right back through every XG version on lots of different setups. 

Windows client using XG as DNS server - with "Server 1" unresponsive to the XG.

C:\Users\>nslookup ford.com
Server: UnKnown
Address: 10.10.10.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
Non-authoritative answer:
Name: ford.com
Addresses: 19.12.97.37
19.12.113.37

Windows client using XG as DNS server - with "Server 1 and 2" unresponsive to the XG.

C:\Users\>nslookup aldi.com
Server: UnKnown
Address: 10.10.10.1

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to UnKnown timed-out

C:\Users>nslookup aldi.com
Server: UnKnown
Address: 10.10.10.1

Non-authoritative answer:
Name: aldi.com
Addresses: 13.226.107.23
13.226.107.26
13.226.107.47
13.226.107.3



This thread was automatically locked due to age.