
DNS query problem

Hello,

I have a problem with my XG Firewall and resolving DNS. I have set the internal IP of my XG Firewall as the DNS server for my clients. Inside the XG I have set 3 external DNS servers (Networking - DNS) for IPv4 and one for IPv6. The setting for DNS query is "Choose server based on incoming requests record type". I have tried "Choose IPv6 if request originator address is IPv6, else IPv4" and "Choose IPv6 DNS server over IPv4" too, but without major change. On my LAN I don't use IPv6.

Sometimes it happens that I can't resolve DNS queries from inside. I get only an information page that the server is not reachable because the DNS is not found. If this happens and I try to test it with nslookup from the same client, I get no answer from the server (XG Firewall). The same test with nslookup against one of the three DNS servers which I have entered inside the XG works without any problems. Sometimes it happens that I read a page, go to another and go back to the last one after some minutes, and then I get this DNS error too. So far I have never got this error with a test under Diagnostics - Name Lookups.

If this happens, I repeat the query a lot of times until it works, most of the time after 2-3 tries, sometimes I need 10 or more.

I use SFOS 17.0.1 MR-1 on XenServer 7.2, but with SFOS 16 it was the same behaviour, only without the information page.

Any hints to resolve that? I want to close my outgoing TCP/DNS 53.

Regards
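The comparison the original poster made by hand (nslookup against the XG versus against one of its upstream servers, repeated until it works) can be automated so an intermittent drop shows up as a count instead of an impression. The script below is an added example, not from the thread or from Sophos; it assumes `dig` is installed on the client, and the addresses and test name are placeholders.

```shell
#!/bin/sh
# Added example: query a forwarding resolver (the XG LAN IP) and one of its
# upstream servers repeatedly with dig, counting timeouts and slow answers.
# Assumes dig is installed; server addresses and the query name are placeholders.

# Classify one dig output. Prints "<STATUS> <query_ms>" and returns 0 only
# for a NOERROR answer; a timeout prints "TIMEOUT -" and returns 1.
classify_dig() {
  local dig_out status qtime
  dig_out="$1"
  if printf '%s\n' "$dig_out" | grep -q 'connection timed out'; then
    echo "TIMEOUT -"
    return 1
  fi
  status=$(printf '%s\n' "$dig_out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  qtime=$(printf '%s\n' "$dig_out" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p' | head -n 1)
  echo "${status:-UNKNOWN} ${qtime:--}"
  [ "$status" = "NOERROR" ]
}

# Query one server n times with a 2 s timeout and a single try per query,
# so each drop costs one failed sample instead of being hidden by retries.
probe_resolver() {
  local server name n ok fail max i out res ms
  server="$1"; name="$2"; n="${3:-20}"
  ok=0; fail=0; max=0; i=0
  while [ "$i" -lt "$n" ]; do
    i=$((i + 1))
    out=$(dig +time=2 +tries=1 "@$server" "$name" A 2>&1) || true
    if res=$(classify_dig "$out"); then ok=$((ok + 1)); else fail=$((fail + 1)); fi
    ms=${res#* }
    case "$ms" in
      ''|*[!0-9]*) ;;                          # "-": no latency for this sample
      *) if [ "$ms" -gt "$max" ]; then max=$ms; fi ;;
    esac
  done
  echo "$server ok=$ok fail=$fail max_ms=$max"
}

# Usage: ./dnsprobe.sh <xg-lan-ip> <upstream-ip> [name] [count]
# e.g.   ./dnsprobe.sh 192.0.2.1 203.0.113.53 example.com 30   (placeholder values)
if [ "$#" -ge 2 ]; then
  probe_resolver "$1" "${3:-example.com}" "${4:-20}"
  probe_resolver "$2" "${3:-example.com}" "${4:-20}"
fi
```

A forwarder line with a clearly higher fail count than the upstream line points at the XG (or a rule in front of it) rather than at the ISP's servers.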



  • Hello,

    It looks like you have enabled DoS under Intrusion Prevention. To test, you can disable DoS for some time; ensure DoS is disabled for UDP, as DNS works on the UDP protocol. If this works you can create a DoS bypass rule as follows:

    Src IP: Any - Dst IP: XG LAN IP - Src Port: Any - Dst Port: 53 - Protocol: UDP.

    Regards, Ronak.

  • Hi and thank you,

    I have had that DoS UDP enabled for some time and not had any issues. I am not seeing any packets being dropped by the UDP flood, but changed it anyway.

    I will watch and see what happens over the next hour or so. The issue appears to be random, because sometimes the responses are very fast and other times extremely slow.

    Ian

    Your generalisation of how to configure a DoS bypass does not work; you need to supply specific values, e.g. source IP range and mask, destination IP range and mask, specific source port and specific destination port. You cannot use port ranges for your source port. You would have to create a DoS bypass rule for each external DNS, but what the internal port would be is anyone's guess. While you can cover all protocols, you cannot cover all IP address ranges. Internal is fine, but external you will need to set up the DNS to be fixed and create a rule for each of your internal networks.

  • Ian,

    What is the DNS configured on your XG device: Open DNS 8.8.8.8, 4.2.2.2, 4.2.2.1 or DNS provided by your ISP?

    Regards, Ronak.

  • Hi,

    I use the ISP DNS; while the DNS is fixed, the external address is variable. If I used the Google DNS the issue would be no different.

    Ian

  • Hello Ronak,


    Thanks for your hint.

    I have never changed the settings for DoS. These are my settings:

    I think that DoS for UDP is not active on my XG. The counter does not show any dropped packets.

    Regards

  • Hi Ian,

    If you are using multiple ISPs, I would recommend you use OPEN DNS 8.8.8.8, 4.2.2.2, 4.2.2.1; otherwise you need to have a static route for your DNS server to ensure your DNS request is routed to the correct ISP.

  • Hi Ronak,

    I changed all my DNS settings to Open DNS, which seems to have fixed a lot of my performance issues. Now to get faster lines to be able to utilise the lookup speed improvement.

    Thank you

    Ian