Netgate Discussion Forum
    AD Integrated DNS Timeouts

    General pfSense Questions
    6 Posts 3 Posters 2.6k Views
    cconk01

      After installing pfSense I have been having problems with DNS queries. My DNS is AD integrated, and I have forwarders pointing to 4.2.2.2, 4.2.2.6, and 4.2.2.8, and I also updated all my root hints to reflect what they are now. When I perform an nslookup on any machine in my domain the first response is "DNS request timed out" and then the second query comes back successfully. I have looked around to make sure it's not a DNS / Microsoft AD issue, but I don't think it is. Has anyone had this problem before? Are there any tricks or anything I can try on the firewall? I'm running pfSense 1.2-Release. Everything else seems to be OK though. It's just an annoyance, and I think it has slowed down DNS lookup times.

      
      Server:  mddc-cm11.domain.hq.domain.com
      Address:  10.121.8.5
      
      DNS request timed out.
          timeout was 2 seconds.
      Name:    google.com
      Addresses:  64.233.187.99, 209.85.171.99, 72.14.207.99
      

      Anyway Thanks in advance,
      cconk01

      ZPrime

        4.2.2.8 doesn't seem to be a valid dns server, from what DiG is telling me.

        
        ; <<>> DiG 9.3.2 <<>> www.google.com @4.2.2.8
        ; (1 server found)
        ;; global options:  printcmd
        ;; connection timed out; no servers could be reached
        

        Here's what it should look like:

        
        ; <<>> DiG 9.3.2 <<>> www.google.com @4.2.2.1
        ; (1 server found)
        ;; global options:  printcmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1696
        ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
        
        ;; QUESTION SECTION:
        ;www.google.com.                        IN      A
        
        ;; ANSWER SECTION:
        www.google.com.         39579   IN      CNAME   www.l.google.com.
        www.l.google.com.       12      IN      A       209.85.171.104
        www.l.google.com.       12      IN      A       209.85.171.147
        www.l.google.com.       12      IN      A       209.85.171.99
        www.l.google.com.       12      IN      A       209.85.171.103
        
        ;; Query time: 74 msec
        ;; SERVER: 4.2.2.1#53(4.2.2.1)
        ;; WHEN: Fri Oct 31 23:32:34 2008
        ;; MSG SIZE  rcvd: 116
        

        I usually stick to .1 / .2 / .3 if I'm using those servers.  They're anycast across several networks and several physical boxes so I wouldn't worry about using something "less loaded."

        That said, best practice would be to either use your ISP/upstream's DNS servers (less traffic across the net) or just let your servers perform fully recursive lookups.

        I don't know how ANY of this has anything to do with your pfsense box though.  Your machines are talking to your AD servers for DNS, not pfsense.

        cconk01
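The check ZPrime ran with dig, as an added example that is not code from this thread, from pfSense or from Windows DNS: send one raw A query to each configured forwarder and report which answer and which time out. It assumes a 2-second per-forwarder timeout (the value nslookup reported above) and plain UDP/53; the forwarder list in the `__main__` block is the one from the posts, and the response bytes produced by `build_sample_response()` are constructed here for offline testing, not captured traffic.

```python
"""Probe DNS forwarders with a raw UDP A query; report answers vs. timeouts.

Added example (not from the thread, pfSense or Windows DNS).  Assumptions:
2-second per-forwarder timeout as in the nslookup output, plain UDP/53.
build_sample_response() constructs test bytes; it is not captured traffic.
"""
import random
import socket
import struct
import time

DNS_PORT = 53
TIMEOUT_SECONDS = 2.0  # nslookup's "timeout was 2 seconds"


def build_query(name, txid=None):
    """Build a recursive A query for `name` in RFC 1035 wire format."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # flags 0x0100 = recursion desired; QDCOUNT=1, AN/NS/AR=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii")
                     for lbl in name.rstrip(".").split(".")) + b"\x00"
    return txid, header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, IN


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset past it)."""
    labels, end, jumps = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            jumps += 1
            if jumps > 16:  # refuse pointer loops from a hostile server
                raise ValueError("too many compression pointers")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def parse_response(msg, expected_txid):
    """Return IPv4 strings from the A records of a NOERROR response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE + QCLASS
    addresses = []
    for _ in range(an):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return addresses


def probe_forwarder(server_ip, name="www.google.com", timeout=TIMEOUT_SECONDS):
    """One UDP query to a forwarder: (status, elapsed_seconds, addresses)."""
    txid, packet = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(packet, (server_ip, DNS_PORT))
        data, _peer = sock.recvfrom(4096)
        return "ok", time.monotonic() - start, parse_response(data, txid)
    except socket.timeout:
        return "timeout", time.monotonic() - start, []
    except (OSError, ValueError) as exc:
        return "error: %s" % exc, time.monotonic() - start, []
    finally:
        sock.close()


def probe_forwarders(servers, name="www.google.com"):
    """Probe forwarders in order, as a forwarding resolver would try them."""
    return {ip: probe_forwarder(ip, name) for ip in servers}


def build_sample_response(txid, name="www.google.com", ips=("209.85.171.99",)):
    """Constructed NOERROR reply with one A record per ip (offline test data)."""
    _, query = build_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 12, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return header + query[12:] + answers


if __name__ == "__main__":
    # Forwarders from the original post plus the ones ZPrime suggested.
    for ip, (status, secs, addrs) in probe_forwarders(
            ["4.2.2.1", "4.2.2.2", "4.2.2.6", "4.2.2.8"]).items():
        print("%-10s %-8s %5.2fs  %s" % (ip, status, secs, ", ".join(addrs)))
```

A forwarder that shows `timeout` here is one the AD DNS server will wait on before moving to the next entry in its forwarder list, which is what a client sees as a first-attempt timeout followed by a successful retry; run it from the DNS server itself so the path through pfSense is the one being tested.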

          I was just wondering if the DNS timeouts were due to some odd firewall configuration and/or if it may have been a known problem. Thanks!

          razor2000

            > I was just wondering if the DNS timeouts were due to some odd firewall configuration and/or if it may have been a known problem. Thanks!

            Not too sure, but from what the previous poster mentioned, 4.2.2.8 is not a valid IP to use for DNS queries.  Just for reference, you can use the following:

            4.2.2.1
            4.2.2.2
            4.2.2.3
            4.2.2.4
            4.2.2.5
            4.2.2.6

            Enjoy! :)

            cconk01

              This is odd. I may have had a bad DNS pointer in my forwarders, but it still is timing out. I guess I need to look back at Microsoft. Thank you.

              cconk01

                Found the issue, or at least what I think the issue is. I was using the 4.2.2.1-6 DNS servers. I was looking at some information regarding how Google can geographically locate your DNS query and give a response based on this information, so I decided to change the forwarders to Comcast. It appears using the Comcast DNS servers has fixed the issue. Is it possible Comcast slows or aggregates response times across their network to external DNS servers? (This would conform to network neutrality, would it?)

                Anyway, just wanted to post that it wasn't a pfSense issue but rather a Comcast issue from the looks of it.

                Thanks to those who helped and inputted,
                Peter

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.