Raynovac

asked on

Load balancing and DNS

We have a Sonicwall TZ170.  We have 2 internet DSL lines and I want to do load balancing.  I have set up the OPT port correctly.  When I turn it on, it works great except for one problem.  DNS resolution gets all messed up.
Example:  yahoo.com does not go to Yahoo, but if I type in their IP address, it works.

Any DNS lookup from firewall resolves correctly.  The workstations on the network do not work correctly.

For the DNS Server on my main server, it forwards to:
66.80.130.23
66.80.131.5
207.178.128.20
207.178.128.21
192.168.1.1

1 and 2 go to my primary ISP's DNS servers
3 and 4 go to my secondary ISP's DNS servers
5 goes to my sonicwall.  My sonicwall has its correct information for each ISP setup on each port.  I turn on the Load Balancing and while a bandwidth test shows that it is working fast, my attempts to check webpages are stopped.

Any ideas on how to fix this problem?  Maybe the forwarders are set incorrectly.

thanks
giltjr

What error do you get when you try to go to www.yahoo.com?

If you enter "ping www.yahoo.com" do you get back a valid IP address?

I would suggest that your DNS server should only forward to your firewall.  Your firewall should then forward to your ISP's DNS servers.  I would also suggest that you choose 2 or 3 of your ISP's DNS servers.  My strong suggestion is one from each ISP.

The way resolution works, forwarding to 4 DNS servers does nothing but waste network traffic.
Raynovac

ASKER

The error is that it could not resolve the domain name.  I tried having it forward to the firewall only but ran into some problems.  I will try again.  Will having it forward to the firewall only fix the overall problem?
In my forwarder on my DNS server, I set my firewall's IP, 192.168.1.1, to be the only item.

It seems that my firewall might not be receiving the DNS requests or might not be forwarding them to the ISP's DNS server.  

Any ideas on why this happens?
It should.  If your DNS server gets a request for a host in a domain that it is not authoritative for (say www.yahoo.com), it should, based on your current configuration and known defaults:

     Forward the query to 66.80.130.23 and wait for up to 30 seconds for a response.
     If it gets a response it STOPS.  If it does not get a response:
     Forward the query to 66.80.131.5 and wait for up to 30 seconds for a response.
     If it gets a response it STOPS.  If it does not get a response:
     Forward the query to 207.178.128.20 and wait for up to 30 seconds for a response.
     If it gets a response it STOPS.  If it does not get a response:
     Forward the query to 207.178.128.21 and wait for up to 30 seconds for a response.
     If it gets a response it STOPS.  If it does not get a response:
     Forward the query to 192.168.1.1 and wait for up to 30 seconds for a response.
     If it gets a response it STOPS.  If it does not get a response, it returns "can't resolve host name".

Now the problem is that when you forward to 192.168.1.1, your firewall, guess what it is going to do:

     Forward the query to 66.80.130.23 and wait for up to 30 seconds for a response.
     If it gets a response it STOPS.  If it does not get a response:
     Forward the query to 66.80.131.5 and wait for up to 30 seconds for a response.
     If it gets a response it STOPS.  If it does not get a response:
     Forward the query to 207.178.128.20 and wait for up to 30 seconds for a response.
     If it gets a response it STOPS.  If it does not get a response:
     Forward the query to 207.178.128.21 and wait for up to 30 seconds for a response.
     If it gets a response it STOPS.  If it does not get a response, it returns "can't resolve host name".

The default DNS query timeout is 30 seconds, you may have lowered this. But you get the idea.   If you don't get any responses, then you have sent two queries to each of your ISP's DNS servers, 8 queries in all.

By just forwarding to your firewall, you let it do all the work.

You may want to trace your DNS queries.  It makes no sense that you have two boxes sending the same query to the same DNS servers and one gets a valid response and the other does not.  The only thing I can think of off hand is that you don't have the rules set up correctly to allow your Windows server to send DNS queries to your ISP's DNS servers, and your desktop is waiting 30 seconds (the default) and giving up.

Based on the way you have your DNS server set up, it will take 2 minutes before it sends the query to your firewall, which can resolve the names.  By then your desktop has given up.
When I tested it, I removed the other DNS forwarders so there was only 192.168.1.1.

In theory it should have:
Forward the query to  192.168.1.1 and wait for up to 30 seconds for a response
If it gets a response it STOP.  If it does not get a response is returns "can't resolve host name"

It should wait for the firewall to return the information.  Quick piece of info: the setting "Number of seconds before forward queries time out" is set to 5 seconds.

With only the one IP in the list, it was still giving me the same results.

What can be tried next?
I did not see your last post until after I responded.

Does your firewall support being a DNS "server"?
DNS forwarding according to them.  I realize now that forwarding has to be set to a DNS server, not to another forwarder.

I talked to sonicwall for a little bit and we changed some settings.  On the DHCP server, I added our ISP's DNS info into our DHCP as a 2nd and 3rd DNS for the workstations when they request IP address.

My last question is: is there a way to have all the computer workstations renew their IP info from the DHCP server without having to go to every computer and type "ipconfig /renew"?
DO NOT put your ISP's DNS servers in your DHCP list.  This will CAUSE you MAJOR problems.

Your ISP does not know about your internal hosts.  If your desktop sends a request for host.inside.com to your ISP, they will return "does not exist" and your desktop won't be able to connect to your internal hosts.

On your firewall it should be setup to forward to:

     66.80.130.23
     66.80.131.5
     207.178.128.20
     207.178.128.21

However I would suggest setting them up as:

     66.80.130.23
     207.178.128.20
     66.80.131.5
     207.178.128.21

This way if one link is down, you don't waste time (10 seconds) waiting for nothing to come back from those DNS servers.
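A small simulation of the forwarder chains giltjr walks through above (the four ISP resolvers tried in turn before the firewall, and the firewall repeating the same list) and of the interleaved ordering he suggests here. It is an added illustration, not code from the thread, from SonicWall or from Microsoft. It assumes the forward-query timeouts stated in the thread (30 seconds default, 5 seconds in Raynovac's setup), the IP addresses from the thread, a constructed label `internal-dns` for the Windows DNS server whose address the thread never gives, and giltjr's hypothesis that firewall rules drop the Windows server's own queries to the ISP resolvers while the firewall's own queries go through.

```python
"""Sequential DNS forwarder chains with per-hop timeouts (added example).

Models the behaviour described in the thread: a forwarding DNS server tries
each configured forwarder in order, waits up to its forward-query timeout,
and moves on only when nothing comes back. A forwarder can itself be another
forwarding server (the Sonicwall at 192.168.1.1), so chains nest.
IP addresses come from the thread; the reachability rules in each scenario
are constructed assumptions spelled out in that function's docstring.
"""
from dataclasses import dataclass, field

ISP_IPS = ("66.80.130.23", "66.80.131.5", "207.178.128.20", "207.178.128.21")
FIREWALL_IP = "192.168.1.1"
INTERNAL_DNS_IP = "internal-dns"  # constructed label: the thread never gives this address

# The two orderings giltjr contrasts: grouped by ISP vs. alternating ISPs.
GROUPED = ("66.80.130.23", "66.80.131.5", "207.178.128.20", "207.178.128.21")
INTERLEAVED = ("66.80.130.23", "207.178.128.20", "66.80.131.5", "207.178.128.21")


@dataclass
class Forwarder:
    ip: str
    forwarders: list = field(default_factory=list)  # tried in this order
    timeout: float = 30.0        # seconds to wait per forwarder (default per the thread)
    authoritative: bool = False  # an ISP resolver: answers immediately in this model


def resolve(server, blocked, log=None):
    """Resolve one query via `server`. Returns (answered, elapsed_seconds).

    `blocked` is a set of (from_ip, to_ip) pairs whose queries get no reply,
    e.g. because a firewall rule drops them or that DSL link is down.
    `log` records every query sent, as (from_ip, to_ip).
    """
    if log is None:
        log = []
    if server.authoritative:
        return True, 0.0
    elapsed = 0.0
    for nxt in server.forwarders:
        log.append((server.ip, nxt.ip))
        if (server.ip, nxt.ip) in blocked:
            elapsed += server.timeout  # nothing comes back: burn the full timeout
            continue
        ok, downstream = resolve(nxt, blocked, log)
        if ok:
            return True, elapsed + downstream
        # Downstream gave up; we stop waiting for it after our own timeout.
        elapsed += min(downstream, server.timeout)
    return False, elapsed


def build(internal_order, firewall_order, timeout):
    """Internal Windows DNS server -> its forwarders; firewall -> ISP resolvers."""
    isp = {ip: Forwarder(ip, authoritative=True) for ip in ISP_IPS}
    firewall = Forwarder(FIREWALL_IP, [isp[ip] for ip in firewall_order], timeout)
    targets = {**isp, FIREWALL_IP: firewall}
    return Forwarder(INTERNAL_DNS_IP, [targets[ip] for ip in internal_order], timeout)


def scenario_server_blocked():
    """Raynovac's original list (four ISP resolvers, then the firewall) under
    giltjr's hypothesis: firewall rules drop the Windows server's own queries
    to the ISP resolvers, while the firewall's queries go through.
    Returns (answered, seconds until the answer, queries sent)."""
    internal = build(ISP_IPS + (FIREWALL_IP,), ISP_IPS, timeout=30.0)
    blocked = {(INTERNAL_DNS_IP, ip) for ip in ISP_IPS}
    log = []
    ok, elapsed = resolve(internal, blocked, log)
    return ok, elapsed, len(log)


def scenario_nothing_answers():
    """Same list, but no ISP resolver replies to anyone. Returns
    (answered, seconds, number of queries that went to ISP resolvers)."""
    internal = build(ISP_IPS + (FIREWALL_IP,), ISP_IPS, timeout=30.0)
    blocked = {(src, ip) for src in (INTERNAL_DNS_IP, FIREWALL_IP) for ip in ISP_IPS}
    log = []
    ok, elapsed = resolve(internal, blocked, log)
    return ok, elapsed, sum(1 for _, dst in log if dst in ISP_IPS)


def seconds_lost(firewall_order, dead_isp_prefix, timeout=5.0):
    """Internal server forwards only to the firewall; the firewall uses
    `firewall_order`; the ISP whose addresses start with `dead_isp_prefix`
    has its DSL line down. Timeout defaults to the 5 s Raynovac configured.
    Returns (answered, seconds until the answer)."""
    internal = build((FIREWALL_IP,), firewall_order, timeout)
    blocked = {(FIREWALL_IP, ip) for ip in ISP_IPS if ip.startswith(dead_isp_prefix)}
    return resolve(internal, blocked)


if __name__ == "__main__":
    print("original list, server blocked:", scenario_server_blocked())
    print("nothing answers anywhere:", scenario_nothing_answers())
    print("grouped order, ISP1 down:", seconds_lost(GROUPED, "66.80."))
    print("interleaved order, ISP1 down:", seconds_lost(INTERLEAVED, "66.80."))
```

Under the blocked-server hypothesis the original list needs the full 2 minutes of timeouts before the firewall is even asked, which matches giltjr's arithmetic; when nothing answers, eight queries reach the ISP resolvers; and with the primary link dead, the grouped ordering wastes two timeouts (10 s at Raynovac's 5 s setting) where the interleaved one wastes one.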
I had it originally set to:
Internal DNS forwarder set to only firewall or firewall at the top of the list, and the firewall set to forward to ISP DNS.  With this configuration, all external DNS goes down.

The original configuration does not work and causes a lot of problems.

Also, in the DHCP, I set the internal DNS to the top of the list.
--> Also, in the DHCP, I set the internal DNS to the top of the list.

Really does not matter.  What Windows does now (as of Windows 2000) is that on the 1st DNS query it does, it will send out the DNS query to all DNS servers in the list at about the same time (within 0.1 seconds of each other).  It will then re-order the list based on who responded in what order.  So if you have:

   inside
   outside1
   outside2

It will send it to inside, wait 0.1 seconds, if no response send to outside1, wait 0.1 seconds, if no response still from inside or outside1, it will send to outside2.

If by chance outside2 responded first, it will then reorder so that on the next query it will send them out in

    outside2
    inside or outside1
    outside1 or inside

If outside2 continues to respond before the others it will continue to be used 1st.  So if your internal DNS server is also used for other purposes and gets busy and can't respond for 1 second, you may end up querying the outside guys for internal hosts and getting back the response, no such host.

To tell the truth the way I am reading the Sonicwall documentation it does not seem to act as a DNS server.  So I will take back what I was saying and suggest that you configure:

All your computers to query your DNS server.
Your DNS server should be setup to forward to:

     66.80.130.23
     207.178.128.20
     66.80.131.5
     207.178.128.21

and your firewall should actually be setup to forward to your internal DNS server (that way it can resolve your internal names).   If you don't care about the firewall resolving your internal names, you can leave it pointing to your ISP's DNS servers.

The reason I believe that the Sonicwall CAN'T act as a DNS server is that on page 61 of the admin guide, where you are configuring its DNS servers, it has a small note that basically says that if you want the Sonicwall to pass these addresses to clients, you must have the Sonicwall set up as a DHCP server.  Based on that, it tells the DHCP clients to use the same DNS servers it is using.  IF it could act as a DNS server, it would pass its IP address as the DNS server.
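The client-side resolver behaviour giltjr describes above (send to the first server, fall through to the next after 0.1 seconds, take the first reply, reorder the list by who answered first) as an added model, not part of the thread and not Microsoft's resolver code. The server names `inside`, `outside1`, `outside2` and the zone `inside.com` come from giltjr's posts; the per-server latencies and the answers are constructed. It shows why an ISP resolver in a workstation's DNS list is a problem: once a busy internal server loses the race a single time, the outside server stays first and keeps answering "no such host" for internal names.

```python
"""Windows client resolver race, as described in the thread (added example).

The client sends the query to the first listed server, then 0.1 s later to
the next if nothing has come back, and so on; the first reply wins and the
list is reordered by reply time for later lookups. Latencies and answers
are constructed values for the model.
"""
from dataclasses import dataclass

STAGGER = 0.1  # seconds between sends to successive servers, per the thread


@dataclass
class DnsServer:
    name: str
    latency: float        # constructed seconds-to-reply
    knows_internal: bool  # True only for the internal DNS server

    def answer(self, qname):
        # An ISP resolver knows nothing about inside.com and says so.
        if qname.endswith(".inside.com") and not self.knows_internal:
            return "NXDOMAIN"
        return "A-record"


def query(servers, qname):
    """One client lookup. Returns (answer, responding server name, new order)."""
    arrivals = []  # (reply_time, server) for every server actually asked
    for i, srv in enumerate(servers):
        send_at = i * STAGGER
        if arrivals and min(t for t, _ in arrivals) <= send_at:
            break  # a reply is already in: the client sends no further queries
        arrivals.append((send_at + srv.latency, srv))
    arrivals.sort(key=lambda item: item[0])
    winner = arrivals[0][1]
    responded = [s for _, s in arrivals]
    # Servers that replied move to the front, fastest first; unasked ones keep their place.
    new_order = responded + [s for s in servers if s not in responded]
    return winner.answer(qname), winner.name, new_order


def run(inside_latencies, qnames):
    """Issue `qnames` in turn; inside_latencies[i] is how slow the internal
    server is during query i (e.g. 1.0 when it is busy with other work).
    Returns ([(qname, responder, answer), ...], final server order by name)."""
    inside = DnsServer("inside", inside_latencies[0], True)
    outside1 = DnsServer("outside1", 0.03, False)   # constructed: fast ISP resolvers
    outside2 = DnsServer("outside2", 0.02, False)
    order = [inside, outside1, outside2]
    results = []
    for latency, qname in zip(inside_latencies, qnames):
        inside.latency = latency
        answer, who, order = query(order, qname)
        results.append((qname, who, answer))
    return results, [s.name for s in order]


if __name__ == "__main__":
    # Healthy internal server: it always answers first and the list never changes.
    print(run([0.05, 0.05, 0.05], ["host.inside.com", "www.yahoo.com", "host.inside.com"]))
    # One slow moment (1 s) on the first query: outside1 wins, moves to the top,
    # and every later internal lookup gets NXDOMAIN even after inside recovers.
    print(run([1.0, 0.05, 0.05], ["host.inside.com"] * 3))
```

In the second run the internal server is slow only once, yet the reordered list means the client never waits for it again: outside1 replies within 0.1 s, so the query to inside is never sent, and internal names fail until the list is reset. That is the failure mode behind giltjr's "DO NOT put your ISP's DNS servers in your DHCP list".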
I set it up like that with forwarders set and firewall pointing to the internal DNS and I still get the same problem of users not being able to resolve domain names.
I tried adding it to the desktops and it worked, but I understand why that would be a problem and removed that setting.
Sonicwall told me that since the DNS resolution bypassed the firewall, it wasn't their problem.

Anything else we can try
Umm, no, DNS resolution does not bypass the firewall; it goes through it as long as the rules allow DNS queries out and responses back.

I'll need to read the manual a bit more.  Which exact model do you have:

  TZ 170
  TZ 170 SP
  TZ 170 Wireless
  TZ 170 SP Wireless

How does the TZ170 decide which DSL connection to send the traffic out on?

Also which OS are you running?  V2 enhanced?
Yep, more questions.  Which load balancing option are you choosing?
It is a spill-over of 800, so anything over 800 kbps gets sent to the OPT connection.
The version is SonicOS Enhanced 3.1.0.14-49e on a regular TZ 170.
ASKER CERTIFIED SOLUTION
giltjr
Firmware did it