DNS is inital fast but SLOWS down

[caswcu]

just switched over to a t1 line from DSL. intitally DNS request are fast but over a period of time they start to lag. Im querying ATT's DNS. I have a windows 2003 server which i changed the enableednsprobe to 0 and I have a pix 506e.

What can be affecting this?

 

[NetworkGhost]

Have you tried changing the DNS Server? You could also do a capture on the Pix to determine what is happening to your traffic. Are you doing DNS queries or Zone Transfers? Do you have a internal DNS Server?

access-list 150 permit udp any any eq 53
capture capdns access-list 150 buffer 8000 interface inside circular-buffer

Make some queries and let the capture run. (Do this when the DNS Traffic seems to lag) Do the sho capture command like below to view the traffic. Post the results. It may be as simple as changing your DNS Server to a new server. What model Pix do you have? When you are done with the capture do a "no cap capdns"

sh cap capdns

 

[caswcu]

circular-buffer is an invalid option

 

[caswcu]

i just took out the invalid options.

here is a capture the 192.168.1.2 is my windows 2003 server.

12:35:32.860093 192.168.1.2.1033 > 216.175.203.50.53: udp 44(fragment-packet)
12:35:51.048154 192.168.1.2.1033 > 216.175.203.50.53: udp 31(fragment-packet)
12:35:53.278839 192.168.1.2.1033 > 216.175.203.50.53: udp 43(fragment-packet)
12:35:54.911329 192.168.1.2.1033 > 12.127.16.68.53: udp 31(fragment-packet)
12:35:55.337323 192.168.1.2.1033 > 216.175.203.50.53: udp 34(fragment-packet)
12:35:55.688959 192.168.1.2.1033 > 216.175.203.50.53: udp 36(fragment-packet)
12:35:55.707193 192.168.1.2.1033 > 216.175.203.50.53: udp 44(fragment-packet)
12:36:01.590759 192.168.1.2.1033 > 216.175.203.50.53: udp 33(fragment-packet)
12:36:04.910521 192.168.1.2.1033 > 12.127.16.68.53: udp 33(fragment-packet)

 

[caswcu]

sorry have to triple post myself. I inital suspected this might be a mTU issue with the pix 506e. I tested my mtu via my pc and see the number should be around 1372. right now my inside and outside mtu is 1500

Thans

 

[NetworkGhost]

Ok the packets are going out. Lets adjust the capture.

Do:

access-list 150 permit ip host 192.168.1.2 host 216.175.203.50
access-list 150 permit ip host 216.175.203.50 host 192.168.1.2
no access-list 150 permit udp any any eq 53


Then run the capture again. Looking for bidirectional traffic.

 

[caswcu]

here you go.. what do you think so far? anything about the MTU I said before?

14:28:16.056668 192.168.1.2.1033 > 216.175.203.50.53: udp 38(fragment-packet)
14:28:16.123223 216.175.203.50.53 > 192.168.1.2.1033: udp 291(fragment-packet)
14:28:16.227542 192.168.1.2.1033 > 216.175.203.50.53: udp 38(fragment-packet)
14:28:16.294143 216.175.203.50.53 > 192.168.1.2.1033: udp 291(fragment-packet)
14:28:20.662960 192.168.1.2.1033 > 216.175.203.50.53: udp 38(fragment-packet)
14:28:20.693811 192.168.1.2.1033 > 216.175.203.50.53: udp 38(fragment-packet)
14:28:20.699136 192.168.1.2.1033 > 216.175.203.50.53: udp 38(fragment-packet)
14:28:20.732170 216.175.203.50.53 > 192.168.1.2.1033: udp 291(fragment-packet)
14:28:20.762900 216.175.203.50.53 > 192.168.1.2.1033: udp 291(fragment-packet)
14:28:20.766119 216.175.203.50.53 > 192.168.1.2.1033: udp 291(fragment-packet)
14:28:21.673869 192.168.1.2.1033 > 216.175.203.50.53: udp 38(fragment-packet)
14:28:21.735557 216.175.203.50.53 > 192.168.1.2.1033: udp 291(fragment-packet)
14:28:21.838198 192.168.1.2.1033 > 216.175.203.50.53: udp 38(fragment-packet)
14:28:21.868103 216.175.203.50.53 > 192.168.1.2.1033: udp 291(fragment-packet)
14:28:26.991007 192.168.1.2.1033 > 216.175.203.50.53: udp 40(fragment-packet)
14:28:27.007461 216.175.203.50.53 > 192.168.1.2.1033: udp 124(fragment-packet)

 

[NetworkGhost]

It appears the packets are making it back to you. Try the capture again but like so

sh cap capdns detail

It will show alittle more info. Is this a problem for all hosts on your network? If you tried nslookups on another machine do you see the same problems. Don think MTU is a issue.

 

[caswcu]

yes the packets are making it out. when ever it does a DNS lookup, ping,nslookup to a new domain it is slow 5 seconds delay before a result.

for instance if I go to dos and type ping <newdomain.com> there is a 5 second delay before it shows the ip address. or if I do an nslookup on a new domain its a 5 second delay.

 

[NetworkGhost]

Try this from command line and see if you get the same behavior:

nslookup

lserver 4.2.2.1

http://www.newdomain.com

-- Domain you havent tried yet.

 

[caswcu]

ok I did jaguar.com

DNS request timed out
timeout was 2 seconds

Non-authoritive answer
name: jaguar.com
address: 138.8.154.18

 

[NetworkGhost]

same for me also:

> jaguar.com
Server: vnsc-pri.sys.gtei.net
Address: 4.2.2.1

DNS request timed out.
timeout was 2 seconds.
*** Request to vnsc-pri.sys.gtei.net timed-out
>
> jaguar.com
Server: vnsc-pri.sys.gtei.net
Address: 4.2.2.1

Non-authoritative answer:
Name: jaguar.com
Address: 136.8.154.18

>


I would suggest changing to another AT&T DNS Server. I know they have a few. You should be able to get them from
RM-dnschanges@ems.att.com -- No association

 

[caswcu]

I have changed them around. initally its fast then slows down..

 

[NetworkGhost]

Can you post another example from NSlookup. Im thinkg this isnt a FW issue.

 

[caswcu]

ok this time I found something that hasnt been queried yet tapplastics.com

DNS request timed out
timeout was 2 seconds
*** Request to vnsc-pri.sys.gtei.net timed-out

<SO I QUERY IT AGAIN>

server: vnsc-pri.sys.gtei.net
Address : 4.2.2.1

Non-authoritative answer

Name: tapplastics.com
Address: 66.220.6.157

 

[NetworkGhost]

Im getting the same results when querying 4.2.2.1. I dont think records stay in the cache very long. I dont think it is unusual for a timeout when you are querying a new domain name. Do you host an internal DNS server also?

 

[caswcu]

i do have a windows 2003 dns server.

thing is on another network I have outside of here the dns queries for new entries are rapid

 

[NetworkGhost]

Post a copy of your config for the Pix. Once the domain has been resolved do you continue to have problems with the same domain?

 

[caswcu]

nope once that domain has been resolved its fine... ill post the pix config on monday

 

[caswcu]

here she is:

Building configuration...
: Saved
:
PIX Version 6.2(2)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password X/X encrypted
passwd X/X encrypted
hostname hostname
domain-name hostname.com
clock timezone
clock summer-time EDT recurring
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
name 192.168.1.3 Server
name x.x.x.224 ExternalIP ( this line needs to be removed as its not correct )
name 192.168.1.150 Ainside
access-list inside_outbound_nat0_acl permit ip any 192.168.1.176 255.255.255.240
access-list outside_cryptomap_dyn_20 permit ip any 192.168.1.176 255.255.255.240
access-list outside_cryptomap_dyn_40 permit ip any 192.168.1.176 255.255.255.240
access-list UPS_Outside permit tcp x.x.x.0 255.255.0.0 host x.x.x.35 eq 22011
access-list UPS_Outside permit tcp any host x.x.x.46 eq 88
access-list UPS_Outside permit tcp host x.x.x.29 host x.x.x.44 eq ssh
access-list UPS_Outside permit tcp host x.x.x.207 host x.x.x.35 eq 22011
access-list UPS_Outside permit tcp host x.x.x.163 host x.x.x.35 eq 22011
access-list UPS_Outside permit tcp any host x.x.x.37 eq www
access-list UPS_Outside permit tcp any host x.x.x.37 eq https
access-list UPS_Outside permit tcp any host x.x.x.42 eq 993
access-list UPS_Outside permit tcp any host x.x.x.42 eq smtp
pager lines 24
logging on
interface ethernet0 auto
interface ethernet1 auto
mtu outside 1500
mtu inside 1500
ip address outside x.x.x.x x.x.x.240
ip address inside 192.168.1.250 255.255.0.0
ip audit info action alarm
ip audit attack action alarm
ip local pool VPN 192.168.1.180-192.168.1.190
pdm location Server 255.255.255.255 inside
pdm location 192.168.1.0 255.255.255.0 inside
pdm location Ainside 255.255.255.255 inside
pdm location 192.168.1.201 255.255.255.255 inside
pdm location 192.168.1.16 255.255.255.255 inside
pdm location x.x.x.24 255.255.255.252 outside
pdm location x.x.x.0 255.255.0.0 outside
pdm location x.x.x.28 255.255.255.254 outside
pdm location 192.168.1.30 255.255.255.255 inside
pdm location 192.168.1.1 255.255.255.255 inside
pdm location x.x.x.50 255.255.255.255 outside
pdm location x.x.x.29 255.255.255.255 outside
pdm location x.x.x.207 255.255.255.255 outside
pdm location x.x.x.163 255.255.255.255 outside
pdm location 192.168.1.75 255.255.255.255 inside
pdm location 192.168.1.77 255.255.255.255 inside
pdm logging errors 100
pdm history enable
arp timeout 14400
global (outside) 10 interface
nat (inside) 0 access-list inside_outbound_nat0_acl
nat (inside) 10 0.0.0.0 0.0.0.0 0 0
static (inside,outside) x.x.x.35 192.168.1.201 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.46 192.168.1.30 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.44 192.168.1.1 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.37 192.168.1.75 netmask 255.255.255.255 0 0
static (inside,outside) x.x.x.42 192.168.1.77 netmask 255.255.255.255 0 0
access-group UPS_Outside in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.33 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
tftp-server inside 192.168.1.30 /tftp/running
floodguard enable
sysopt connection permit-ipsec
sysopt connection permit-pptp
no sysopt route dnat
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-DES-SHA
crypto dynamic-map outside_dyn_map 40 match address outside_cryptomap_dyn_40
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 1
isakmp policy 20 lifetime 86400
vpngroup a address-pool VPN
vpngroup a idle-time 1800
vpngroup a password ********
vpngroup M address-pool VPN
vpngroup M idle-time 120
vpngroup M password ********
vpngroup C address-pool VPN
vpngroup C dns-server 192.168.1.2 192.168.1.2
vpngroup C wins-server 192.168.1.2
vpngroup C default-domain M
vpngroup C idle-time 240
vpngroup C password ********
vpngroup M address-pool VPN
vpngroup MC idle-time 1800
vpngroup M password ********
telnet 192.168.0.0 255.255.0.0 inside
telnet timeout 5
ssh timeout 5
vpdn group PPTP-VPDN-GROUP accept dialin pptp
vpdn group PPTP-VPDN-GROUP ppp authentication chap
vpdn group PPTP-VPDN-GROUP ppp authentication mschap
vpdn group PPTP-VPDN-GROUP client configuration address local ADSVPN
vpdn group PPTP-VPDN-GROUP pptp echo 60
vpdn group PPTP-VPDN-GROUP client authentication local
vpdn username adsadmin password *********
vpdn enable outside
terminal width 80
: end
[OK]