  1. #1 johndball (Master Untangler, Virginia, joined Apr 2008, 174 posts)

    Windows DNS server errors, slow name resolution through Untangle

    I've been using two Windows AD-integrated DNS servers for well over a year in my lab without issue. The primary DNS server forwards unresolved requests to OpenDNS' servers at 208.67.222.222 and 208.67.220.220.

    I recently deployed a dedicated Untangle box in my lab in front of my DNS servers. I configured this Untangle box like I have done with so many other Untangle boxes to forward any DNS requests from my two DNS servers to ANY DNS server but block any DNS requests coming from any other computer on the internal network (to prevent bypassing OpenDNS' filtering by inputting a public DNS server on the local machine).

    Up until this point there was no problem with name resolution but since deploying UT, I'm getting a lot of errors in my DNS servers' logs that are all pretty much "the DNS server received a bad packet from (OpenDNS IP). The header was an incorrect length". I'm also seeing really bad resolution times to the point it times out.

    I'm almost certain this has something to do with UT seeing the problems only started once I deployed UT. I'm not seeing this in my work lab (same setup as my house but older UT version) and I'm not seeing this at a non-profit where I deployed UT (same setup but again, older UT version).

  2. #2 johndball

    I enabled bypass DNS traffic in packet filter rules. That solved the delayed resolution and timeout problem, but now I can't filter outgoing DNS traffic.

    Ideas?

  3. #3 johndball

    Double post

  4. #4 hlarsen (some dude, sfba, joined Jul 2010, 1,385 posts)

    have you tried narrowing the problem down to a specific app?

  5. #5 johndball

    Quote, originally posted by hlarsen:
        have you tried narrowing the problem down to a specific app?
    I disabled all apps with the exception of the firewall app and it is still doing it. DNS packet filter bypass solved it but, in doing so, created a new problem.

    Any way to pull up sys logs without console access or something to see what is going on in the background for name resolution?

  6. #6 hlarsen

    i'd suggest a bit more testing to determine if it's a specific issue with OpenDNS and/or your local DNS servers and if not file a ticket with support so engineering can take a look or try to reproduce.

  7. #7 johndball

    Alright, I'll see what other data I can pull up and reproduce while documenting everything and follow up.

  8. #8 sky-knight (Untangle Ninja, Phoenix, AZ, joined Apr 2008, 26,414 posts)

    Details on how Untangle is installed?

    Open the terminal of Untangle.
    Stop the UVM with this command: /etc/init.d/untangle-vm stop
    Test DNS. If the issue is still present, then either the DNS service is broken or your Untangle hardware has an issue.
    Start the UVM with this command: /etc/init.d/untangle-vm start

    If you aren't comfortable doing that, call support, and have them do it for you while testing.

    I suspect you've actually got a problem with your DNS configuration.

    Assuming you're using an Untangle router at the edge of your network, the firewall module should have a rule that blocks TCP or UDP traffic destined to port 53. That will halt all egress DNS resolution.

    Then, you make a bypass rule for stuff destined to TCP/UDP port 53 with a source address list of the DC servers' IPs. This will bypass DNS resolution from the DCs, allowing them through the firewall as well as exempting them from UVM inspection and the associated performance delays.

    Your DCs should be forwarding to OpenDNS.
    Untangle should have its DNS service disabled in most cases.
    Untangle should be using your ISP's DNS on its External interface, or you'll kill spam blocker's effectiveness.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  9. #9 johndball

    Any way to do this remotely? Although I can access the console, it isn't done easily from where I have my server mounted.

  10. #10 johndball

    I ran DNSlint (DNS testing utility from MS) and queried OpenDNS using their DNS servers. Both TCP and UDP are showing as open using the utility so Untangle isn't blocking any particular protocol.

    *Update: Resolved. I disabled EDNS on my 2k8 DNS server and nothing changed.

    I went into Untangle, removed all modules except for firewall (due to lengthy custom rules and I'm not a fan of export/import), reinstalled all modules with default values. Queries resolve quickly. Everything is working fine. Not sure which module it was but default values seem to have made the difference... for now.
    Last edited by johndball; 05-16-2013 at 07:08 PM.
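An added example, not from any post in this thread: a minimal probe that repeats the kind of test DNSLint was used for above, sending one A query to a forwarder over UDP or TCP, with or without an EDNS0 OPT record, and applying the header checks a resolver makes before trusting a reply (a reply shorter than the 12-byte header is the "header was an incorrect length" case). The query name and forwarder address are assumptions to be filled in; only the header parsing runs offline.

```python
import socket
import struct

QID = 0x1234  # fixed transaction id; a real resolver randomises this


def build_query(name, qid=QID, edns=False):
    """Build a wire-format A/IN query; ARCOUNT=1 when an OPT record is appended."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)  # RD set
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    query = header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    if edns:
        # OPT pseudo-RR: root name, TYPE=41, UDP payload size 4096, TTL=0, RDLENGTH=0
        query += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)
    return query


def check_header(resp, qid=QID):
    """Return 'ok' or the reason a resolver would log this reply as a bad packet."""
    if len(resp) < 12:
        return "header incorrect length (%d bytes)" % len(resp)
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != qid:
        return "transaction id mismatch"
    if not flags & 0x8000:
        return "QR bit clear (not a response)"
    if flags & 0x0200:
        return "truncated (TC set), retry over TCP"
    return "ok" if (flags & 0x000F) == 0 else "rcode %d" % (flags & 0x000F)


def recv_exact(sock, n):  # DNS over TCP is length-prefixed; read exactly n bytes
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe(server, name, proto="udp", edns=False, timeout=3.0):
    """Send the query to server:53 and return check_header()'s verdict."""
    query = build_query(name, QID, edns)
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            resp, _ = s.recvfrom(4096)
    else:
        with socket.create_connection((server, 53), timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            resp = recv_exact(s, struct.unpack("!H", recv_exact(s, 2))[0])
    return check_header(resp, QID)
```

Running `probe("208.67.222.222", "example.com", proto, edns)` for each of the four UDP/TCP and plain/EDNS combinations, once from a DC and once from behind the Untangle box, shows whether a given path or packet size is what turns good replies into "bad packets".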
