DNS lookups failing somewhere between firewall and router
- by TessellatingHeckler
We have a setup of ADSL line - Cisco 837 ADSL router - Zyxel ZyWall 35 firewall/NAT - Switch == Intel load-balanced NICs in a server.
It has been fine for years, suddenly DNS resolution stopped working on the server. No changes that I know of, so I can't work backwards from there. It was configured with the ISP's DNS servers, neither network device does DNS relaying. Wireshark shows the request go out but nothing comes back. The server networking stack seems OK though, because if we query an internal DNS server on a remote site, that works.
I can log on to the Cisco, and DNS resolves OK from the command line.
I can log on to the ZyWall, and DNS does not resolve from the command line.
So the problem seems to be the firewall, patch cable or router, yes?
On the router:
interface Ethernet0
 ip address aaa.bbb.ccc.ddd 255.255.255.ddd
 ip tcp adjust-mss 1450
 hold-queue 100 out
On the firewall: DNS server set to 8.8.8.8 (Google's), DNS traffic allowed LAN-WAN.
What else should I look for?
Update: Following this guide I've got traffic logging on the Cisco. I have also got access to a public DNS server which I can run tcpdump on to see things from the other side. And as per the comments below, I've tested with dig and see that DNS over TCP works, and over UDP does not. Currently:
DNS request from the server using TCP shows up in the firewall log, and in the Cisco log, and in tcpdump on the DNS server, the answer comes back, it works fine.
DNS request from the server using UDP shows up in the firewall log, and in the Cisco log, does NOT show in tcpdump on the DNS server, times out.
DNS request from the Cisco (using UDP) does show up in tcpdump on the DNS server, answer received, works fine.
Ping requests from the server and the Cisco to the DNS server show up in tcpdump on the DNS server.
DNS request from the server using UDP does show up on the firewall.
Summary: TCP seems fine throughout. UDP works over the ADSL and to the Cisco, and it works from the server to the Cisco, but it doesn't cross the Cisco properly, it seems.
I did see the Cisco showing as connected at 10Mb/full-duplex internally, and the firewall showing as 100Mb/full-duplex externally. I have forced the firewall to 10Mb and rebooted both devices. That seemed to help get UDP traffic (server-firewall-cisco) instead of (server-firewall), but did not fix it.
Update: Sanitized Cisco config:
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco
!
logging queue-limit 100
enable secret 5 {password}
enable password 7 {password}
!
ip subnet-zero
ip domain name example.org
ip name-server {nameserver_IP}
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
interface Ethernet0
 ip address {Inside_public_IP} 255.255.255.248
 ip tcp adjust-mss 1460
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip unnumbered Ethernet0
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 no cdp enable
 ppp chap hostname {ADSL_Username}
 ppp chap password 7 {ADSL_Password}
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 23 permit {IP}
dialer-list 1 protocol ip permit
no cdp run
snmp-server enable traps tty
!
{con, vty}
end
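The UDP-versus-TCP comparison described in the update, as an added example that is not part of the original post: the script builds one identical raw DNS query and sends it to a resolver over both transports, so a UDP timeout next to a TCP answer for the same query points at the UDP path rather than at the server's resolver settings. The resolver address (8.8.8.8, as set on the firewall) and the name example.org are taken from the post; run it from the server, then from a host on the other side of each device to narrow down where UDP/53 is lost.

```python
import random
import socket
import struct

def build_query(name, qtype=1, txid=None):
    # Raw DNS query: 12-byte header (RD set, one question) + QNAME + QTYPE/QCLASS
    txid = random.randrange(0, 0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(resp):
    # (txid, rcode, answer count) from the 12-byte DNS header
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return txid, flags & 0x000F, an

def summarize(query, resp):
    # Verdict for one transport; the reply must echo the query's transaction id
    if resp is None or len(resp) < 12 or resp[:2] != query[:2]:
        return "no/invalid response"
    _, rcode, answers = parse_header(resp)
    return f"rcode={rcode} answers={answers}"

def query_udp(server, payload, timeout=3.0):
    # Plain UDP/53; a socket.timeout here means nothing came back in time
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (server, 53))
        return s.recv(4096)

def query_tcp(server, payload, timeout=3.0):
    # Same payload over TCP/53, framed with a 2-byte length prefix (RFC 1035 4.2.2)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(payload)) + payload)
        f = s.makefile("rb")
        raw_len = f.read(2)
        return f.read(struct.unpack("!H", raw_len)[0]) if len(raw_len) == 2 else None

def compare_transports(server, name):
    # One identical query over both transports; returns {transport: summary}
    query, results = build_query(name), {}
    for label, fn in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[label] = summarize(query, fn(server, query))
        except OSError as exc:  # includes socket.timeout and connection refused
            results[label] = f"error: {exc}"
    return results

if __name__ == "__main__":
    print(compare_transports("8.8.8.8", "example.org"))  # resolver and name from the post
```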