  1. #1

    DNS Server Fails To Resolve Categorization Queries

    Running the latest version... have Comcast Internet... have WAN DNS configured with DNS1 and DNS2. Getting the Sign Icon Error at the top right saying that the Web Filter cannot use the DNS servers for proper Web Filter categorization queries.

    Is this a known issue? Shouldn't Comcast Servers be able to resolve these? Suggestions for fix?... thank you in advance.
    Last edited by automationstation; 12-21-2016 at 11:39 AM.

  2. #2
    jcoffin (Untangler)


    I use Comcast at home and see that from time to time. The alert is re-evaluated when the browser is refreshed. Either wait and see if it continues or use another DNS such as Google DNS.

  3. #3


    The error message is misleading. There is no such thing as a special "categorization DNS query"; no such query exists in the DNS spec. There IS an EDNS query that is specified in RFC2671; more about this later.

    What the Untangle code is doing is making multiple DNS queries very rapidly. Some DNS servers, particularly the ones on embedded DSL modem routers, cable modems, etc., cannot respond quickly enough. In other cases slow and/or overloaded connections to the Internet will cause some DNS responses to be dropped. DNS is based on UDP packets and UDP is permitted to be dropped. The code MAY also be using EDNS queries, which if used may cause problems also.

    To fix this error try the following:

    1) First make sure to use the DNS servers for your provider; do not use OpenDNS or Google Public DNS or any of these. And make sure of course to use the right numbers. Comcast's are well known but other providers' are not, and smaller providers may change theirs. Do NOT use the DNS server on your cable modem (if running Untangle in bridged mode, for example).

    2) If you are using an internal DNS server on the private network behind the firewall (common on Windows networks), make sure that server is configured to use your provider's DNS servers in its forwarders configuration. NEVER use root hints on a nameserver on a private network; ALWAYS forward queries for unknown domains to your ISP's nameservers.

    3) Use the best address translator available. Your Untangle box is a better address translator than a cable modem router or DSL modem router. It's better to have your ISP's cable modem or DSL modem in bridged mode and then your Untangle system doing the PPP or DHCP to the ISP.

    4) Make sure your connection to the Internet is perfect and is NOT dropping packets. Check the statistics in your cable modem or DSL router. You don't want errors. You also want good signal to noise. With Comcast cable the cable modem reports downstream and upstream signal to noise and so on; learn where these are in the customer interface and learn what good signal levels look like on these. (DSL Reports has a lot to say about this.) If your ISP allows you to use your own cable or DSL modem then do it, and buy one that has good line diagnostics.

    5) Check for speed and duplex mismatches in the connection in between Untangle and your Internet connection. Does a run of show you're getting the bandwidth you are paying for? Low bandwidth can be caused by errors on the line.

    PS: I should also mention Google Public DNS servers do not permit RBL queries; that's why Untangle recommends against using them. Kind of hard to detect spam without RBL access.
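A way to measure the failure mode post #3 describes (rapid back-to-back UDP queries, some of which never get an answer), as an added example that is not part of the original thread and is not Untangle's code. The resolver address, host names, burst size, timeout and the optional EDNS0 record are all assumptions made for illustration.

```python
import random
import socket
import struct
import time

def build_query(name, qid, edns=False):
    """Encode a DNS A/IN query with RD set; edns=True appends an EDNS0 OPT record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1 if edns else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"
    packet = header + qname + struct.pack("!HH", 1, 1)
    if edns:
        # OPT RR: root name, type 41, class = UDP payload size, TTL 0, no RDATA
        packet += b"\x00" + struct.pack("!HHIH", 41, 1232, 0, 0)
    return packet

def burst_probe(server, names, port=53, timeout=2.0, edns=False):
    """Send every query back-to-back on one UDP socket, then count the replies."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    base = random.randrange(0x10000 - len(names))
    pending = {}
    for i, name in enumerate(names):
        pending[base + i] = (name, time.monotonic())
        sock.sendto(build_query(name, base + i, edns), (server, port))
    rtts = []
    deadline = time.monotonic() + timeout
    while pending and (remaining := deadline - time.monotonic()) > 0:
        sock.settimeout(remaining)
        try:
            data, _ = sock.recvfrom(4096)
        except OSError:  # timed out, or the OS reported an ICMP error
            break
        if len(data) < 12:
            continue
        qid, flags = struct.unpack("!HH", data[:4])
        if flags & 0x8000 and qid in pending:  # QR bit set and ID matches a query
            rtts.append(time.monotonic() - pending.pop(qid)[1])
    sock.close()
    return {"sent": len(names), "answered": len(rtts),
            "lost": sorted(name for name, _ in pending.values()),
            "max_rtt": max(rtts, default=None)}

if __name__ == "__main__":
    # 192.0.2.53 is a documentation placeholder: substitute the resolver under test.
    hosts = [f"host{i}.example.com" for i in range(50)]  # constructed sample names
    print(burst_probe("192.0.2.53", hosts))
    print(burst_probe("192.0.2.53", hosts, edns=True))
```

Comparing the `lost` list for the modem's built-in resolver against the ISP's resolvers, with and without `edns=True`, shows whether answers are being dropped under burst load or only when EDNS is in use.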
