AD Integrated DNS Timeouts



  • After installing pfSense I have been having problems with DNS queries. My DNS is AD integrated, and I have forwarders pointing to 4.2.2.2, 4.2.2.6, and 4.2.2.8, and I also updated all my root hints to reflect what they are now. When I perform an nslookup on any machine in my domain the first response is DNS Timeout and then the second query comes back successfully. I have looked around to make sure it's not a DNS/Microsoft AD issue but I don't think it is. Has anyone had this problem before? Are there any tricks or anything I can try on the firewall? I'm running pfSense 1.2-Release. Everything else seems to be OK though. It's just an annoyance and I think it has slowed down DNS lookup times.

    
    Server:  mddc-cm11.domain.hq.domain.com
    Address:  10.121.8.5
    
    DNS request timed out.
        timeout was 2 seconds.
    Name:    google.com
    Addresses:  64.233.187.99, 209.85.171.99, 72.14.207.99
    

    Anyway Thanks in advance,
    cconk01



  • 4.2.2.8 doesn't seem to be a valid dns server, from what DiG is telling me.

    
    ; <<>> DiG 9.3.2 <<>> www.google.com @4.2.2.8
    ; (1 server found)
    ;; global options:  printcmd
    ;; connection timed out; no servers could be reached
    

    Here's what it should look like:

    
    ; <<>> DiG 9.3.2 <<>> www.google.com @4.2.2.1
    ; (1 server found)
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1696
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
    
    ;; QUESTION SECTION:
    ;www.google.com.                        IN      A
    
    ;; ANSWER SECTION:
    www.google.com.         39579   IN      CNAME   www.l.google.com.
    www.l.google.com.       12      IN      A       209.85.171.104
    www.l.google.com.       12      IN      A       209.85.171.147
    www.l.google.com.       12      IN      A       209.85.171.99
    www.l.google.com.       12      IN      A       209.85.171.103
    
    ;; Query time: 74 msec
    ;; SERVER: 4.2.2.1#53(4.2.2.1)
    ;; WHEN: Fri Oct 31 23:32:34 2008
    ;; MSG SIZE  rcvd: 116
    

    I usually stick to .1 / .2 / .3 if I'm using those servers.  They're anycast across several networks and several physical boxes so I wouldn't worry about using something "less loaded."

    That said, best practice would be to either use your ISP/upstream's DNS servers (less traffic across the net) or just let your servers perform fully recursive lookups.

    I don't know how ANY of this has anything to do with your pfsense box though.  Your machines are talking to your AD servers for DNS, not pfsense.
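    To turn the dig check above into something repeatable against every forwarder at once, here is an added example (not from this thread or from pfSense) that sends a raw UDP A query to each server with the same 2-second timeout nslookup uses, and reports per-attempt status and round-trip time. Running each server several times in a row makes the "first query times out, second succeeds" pattern from the original post visible as a timeout count rather than a one-off. The forwarder list is the constructed one from this thread and the query name is assumed; the packet builder and parser are standard-library only.

```python
import random
import socket
import struct
import time

# Constructed list: the addresses discussed in this thread, not a recommendation.
FORWARDERS = ["4.2.2.1", "4.2.2.2", "4.2.2.8"]
QUERY_NAME = "www.google.com"   # assumed test name, same as the dig output above


def build_query(name, qid):
    """Build a minimal RFC 1035 A query: header (RD set) + QNAME + QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def skip_name(data, offset):
    """Advance past a domain name, which may end in a 2-byte compression pointer."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:
            return offset + 2
        offset += 1 + length


def parse_response(data, qid):
    """Return (rcode, [IPv4 answers]); reject packets that are not a reply to qid."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):                      # skip question section
        offset = skip_name(data, offset) + 4
    addrs = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record only
            addrs.append(".".join(str(b) for b in rdata))
    return rcode, addrs


def probe(server, name=QUERY_NAME, timeout=2.0):
    """Send one query over UDP; return (status, rtt_seconds, addrs).

    A fresh random transaction id per query is used so stray or late replies
    from an earlier attempt are not mistaken for the answer to this one.
    """
    qid = random.getrandbits(16)
    packet = build_query(name, qid)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(packet, (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "TIMEOUT", time.monotonic() - start, []
    finally:
        sock.close()
    rcode, addrs = parse_response(data, qid)
    status = "NOERROR" if rcode == 0 else "RCODE%d" % rcode
    return status, time.monotonic() - start, addrs


def probe_many(server, attempts=3, **kw):
    """Probe a server several times; return (timeouts, results) for that server."""
    results = [probe(server, **kw) for _ in range(attempts)]
    return sum(1 for status, _, _ in results if status == "TIMEOUT"), results


if __name__ == "__main__":
    for fwd in FORWARDERS:
        timeouts, results = probe_many(fwd)
        print("%-12s timeouts=%d/%d" % (fwd, timeouts, len(results)))
        for status, rtt, addrs in results:
            print("    %-8s %7.1f ms  %s" % (status, rtt * 1000, " ".join(addrs)))
```

    A forwarder that shows timeouts on its first attempt and none afterwards is behaving like the thread's symptom; one that times out on every attempt (as 4.2.2.8 did under dig) should simply be removed from the forwarder list.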



  • I was just wondering if the DNS timeouts were due to some odd firewall configuration and/or if it may have been a known problem. Thanks!



  • I was just wondering if the DNS timeouts were due to some odd firewall configuration and/or if it may have been a known problem. Thanks!

    Not too sure, but from what the previous poster mentioned, 4.2.2.8 is not a valid IP to use for DNS queries.  Just for reference, you can use the following:

    4.2.2.1
    4.2.2.2
    4.2.2.3
    4.2.2.4
    4.2.2.5
    4.2.2.6

    Enjoy! :)



  • This is odd. I may have had a bad dns pointer in my forwarders but it still is timing out. I guess I need to look back at microsoft. Thank you



  • Found the issue or at least what I think the issue is. I was using the 4.2.2.1-6 DNS servers. I was looking at some information regarding how Google can geographically locate your DNS query and give a response based on this information, so I decided to change the forwarders to Comcast. It appears using the Comcast DNS servers has fixed the issue. Is it possible Comcast slows or aggregates response times across their network to external DNS servers? (This would conform to network neutrality, would it?)

    Anyway, just wanted to post that it wasn't a pfSense issue but rather a Comcast issue from the looks of it.

    Thanks to those who helped and inputted,
    Peter

