Solved

Very Slow DNS resolve and occasional TCP error?

Posted on 2008-10-14
Last Modified: 2012-06-21
Having a DNS problem with a newly created SOHO domain. I'm having three issues:

1. Very Slow DNS resolves to websites
2. Occasional Network Error (tcp_error) A communication error occurred: "Connection refused" from the same specific websites
3. Stuck Cache on the DNS server (flushing/clearing the cache on the server and then on the client has no effect, but eventually pages are refreshed to the newest config)

Cisco 877 Router in the Office.
0
Comment
Question by:-Polak
31 Comments
 
LVL 70

Accepted Solution

by:
Chris Dent earned 500 total points
ID: 22709518

Hey,

When you run "nslookup www.domain.com" do you get an immediate response? Or does it time-out a few times first?

Trying to see why you think it's a DNS error :)

Chris
0
 
LVL 10

Expert Comment

by:kyleb84
ID: 22709647
This is a very common issue,

Please make sure you've set your forwarders in your 2003/2008 Server's DNS Server configuration...

Go to:
http://support.microsoft.com/kb/323380
Look for heading: "How to Configure Forwarders"

--------------------------

If you have, make sure your clients have the correct DNS server in your network, and make sure that DNS server has the correct forwarders (Public DNS Servers, specific to your connection should be available on your ISP's support page)

---------------------------

If your network's DNS server is your 877 make sure you've got 2 or more DNS forwarders set:
ip name-server 1.1.1.1 2.2.2.2
0
 
LVL 1

Author Comment

by:-Polak
ID: 22709648
nslookup renders a timeout.

However you did clue me into the problem, we run 2VLANs here 192.168.1.1 and 10.0.0.1

The server does the routing between the 2 VLANs via RIP protocol between the two network card ports. (They don't have the password for the Cisco 877 router and you can't make two VLANs on the default firmware, without the pass you can't upgrade the firm)

However LAN2 had its default DNS server set to the wrong address it should have been 10.0.0.10 (domain server IP) not 192.168.1.10 (Old server's IP).

So when I ran nslookup I saw that it was using the old domain servers IP, not the new one, hence the problems.

Switch LAN2s Primary DNS to be 10.0.0.10; seems to have solved the tcp errors.

However resolution is still very slow, example comcast.net and facebook.com do not reliably load the css and images.  (1/2 of my problem is still here)
0
 
LVL 1

Author Comment

by:-Polak
ID: 22709716
more info:

ping www.google.com goes first to 192.168.1.1 (old router IP) then to the correct IPs with 200+ ms times

ping www.microsoft.com times out on all 4 tries

ping www.comcast.net works on all 4 tries with 200+ms times.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22709719

So DNS is responding quickly enough now? Does that include the two sites mentioned above?

If they're slow to load, but resolve to an IP quickly then we'll be looking at network level issues. That might be a bit tricky if you have no access to the router.

Chris
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22709723

I think MS drop ICMP requests anyway so ping timing out is expected.

For google, you mean you get a ping response from 192.168.1.1? I take it that isn't listed as the default gateway?

Chris
0
 
LVL 1

Author Comment

by:-Polak
ID: 22709838
No not fast enough.
I have access to the router just can't upgrade the firmware; QoS and all that shit is unavailable with base firmware.

192.168.1.1 is the IP address assigned to the second network card.

Let me explain again how these computers are set up on a "VLAN".

LAN 1 IP is 10.0.0.10 (domain server) with a gateway of 10.0.0.2 (router) and itself as the DNS server
LAN 2 IP is 192.168.1.1 with no gateway and DNS of 10.0.0.10

Old Domain Computer (needed for accounting software)
IP is 192.168.1.10
Gateway is 192.168.1.1 (connecting to LAN2 essentially)
DNS is 10.0.0.10

In server 2008 there is a RIP version 2 Protocol installed on LAN1 via the RAS snap in. This allows the accountant (who needs the old domain server) to access the accounting software.
0
 
LVL 10

Expert Comment

by:kyleb84
ID: 22709840
Have you tried setting a workstation's DNS address directly to your ISP's DNS server?

Does the page load time improve?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22709877

Okay, we can probably ignore 192.168.1.10 entirely if that only consists of the accounting package system.

That means we only have to consider:

1. Any configuration that might bother the connection (including options like Policing on the router)
2. The route taken by clients
3. How quickly the DNS responds on 10.0.0.101

DNS is last because it will be impacted by 1 and 2. I seem to remember that Policing is available with the base firmware, could be wrong but it's worth checking for it. Perhaps:

sh ru | include police

Chris
0
 
LVL 1

Author Comment

by:-Polak
ID: 22709905
More info:

If I set LAN2's primary DNS server to the ISP's DNS, pinging from the server is fixed.

However it dawned on me that the clients would never use 192.168.1.1 as their first ping hop; so the problem remains that DNS response is very very slow.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22709921

Is it currently configured to use Forwarders? If so, remove them and try again. That will switch it to using Root Hints and is good for troubleshooting as it will either incriminate or eliminate the forwarders.

Chris
0
 
LVL 1

Author Comment

by:-Polak
ID: 22709939
tracert from clients renders a 1ms response time to 10.0.0.2 (router)
Then much slower response times once on the WAN.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22709996

That's to be expected, it is a WAN after all :)

Chris
0
 
LVL 1

Author Comment

by:-Polak
ID: 22710008
400-900ms to google.com is not normal.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22710012

Then you either have to check your router or raise it with your ISP. I can't do anything to help you with that.

Chris
0

 
LVL 1

Author Comment

by:-Polak
ID: 22718708
Silly me, I forgot that I had WSUS server downloading 11GBs worth of updates... OOPPPSS!

How about the last portion of my problem:
3. Stuck Cache on the DNS server (flushing/clearing the cache on the server and then on the client has no effect, but eventually pages are refreshed to the newest config)

For example I'm building a website here:
http://development.time4design.com/aiap/index.shtml

The headers and content image rotate via a php script, this works fine when I'm not at the office but when at the office a refresh doesn't rotate the images, they're stuck on the original cache.
0
 
LVL 1

Author Comment

by:-Polak
ID: 22718826
Never mind, this is a Firefox-only problem; points assigned for the previous help.
0
 
LVL 1

Author Comment

by:-Polak
ID: 22718831
actually i take that back.

This is a firefox only problem when on the office domain, off the domain firefox works fine. Ideas?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22718855

Proxy Server?

DNS doesn't cache images or anything below "www.domain.com". If URLs aren't changing, or images aren't changing it must be a cache on the client or on a Proxy server.

If the domain naming is changing we'd have to look at Forwarders, if you use those you're reliant on their cache and clearing it locally will only mean you retrieve the value from there again.

Chris
0
 
LVL 1

Author Comment

by:-Polak
ID: 22718903
Well like I said this problem doesn't exist when I use Internet Explorer on the office domain.
and also the problem doesn't exist when I use Firefox at the hotel (yes the hotel uses a proxy).

I've encountered similar cache problems with Firefox on this domain for instance, when I make a change to the CSS it will not acknowledge until i flush the DNS on the client, clear Firefox history, close the browser, and flush the dns on the server. Then "usually" it accepts the change. IE doesn't exhibit this problem.
0
 
LVL 1

Author Comment

by:-Polak
ID: 22718910
also there seems to be a time element to this that I can't confirm.

If i let firefox sit long enough at the webpage before hitting refresh it will generate the rotating content.
0
 
LVL 70

Assisted Solution

by:Chris Dent
Chris Dent earned 500 total points
ID: 22718923

Weird...

It certainly won't be DNS, you'd have to change the IP a name points to for that to have an impact. I take it there's no documentation on Firefox's cache?

Chris
0
 
LVL 1

Author Comment

by:-Polak
ID: 22718958
I'm not sure if you're on a domain administrated by a Windows server. But if you're not and you're not connected via a proxy, could you verify the behavior I'm talking about at the link above
http://development.time4design.com/aiap/index.shtml

I'd like to know if it occurs on not managed networks, and networks not connected to a proxy like my hotel.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22719160

Images rotate correctly in Firefox 3.0.3 (build 2008092417), is that the same version you're using?

Chris
0
 
LVL 1

Author Comment

by:-Polak
ID: 22719213
yes, are you on a managed or unmanaged network?

Header and Content images change randomly nearly every time? (same as IE)?
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22719233

Yep, both changed on each refresh with both IE and Firefox.

The network is our own, no external control beyond the usual provision of network connections for internet access.

It is entirely possible the managed part of your network includes a Proxy server, you wouldn't necessarily be aware of it but it would play a big part in any response from your webserver.

I guess you could get around it using JavaScript to load the images (as a different file each time), but that might not fit in with your design.

Chris
0
 
LVL 1

Author Comment

by:-Polak
ID: 22719253
Thanks for all your help chris.
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 22719260

I'm sorry it's not more conclusive, I can't see that you're doing anything wrong, just constrained a bit too much by the services you have.

Chris
0
 
LVL 1

Author Comment

by:-Polak
ID: 22719328
I am in the middle east, and there is a high degree of that sort of thing on the WAN, example sex.com will render you a Qtel errorpage saying the site has been blocked by the gov't
0
 
LVL 10

Expert Comment

by:kyleb84
ID: 22726506
If it's hosted on IIS/Apache, add a custom header to the web site to expire immediately.
0
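One way to check the two suggestions that close this thread (a proxy cache in the path, and a header that makes the response expire immediately), as an added example that is not part of the original posts: it reads a response's headers and reports how long a cache may reuse it and whether an intermediary left traces. The sample responses and the `proxy.example` host are constructed for illustration.

```python
from email.utils import parsedate_to_datetime

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def parse_cache_control(value):
    """Split a Cache-Control value into {directive: argument or None}."""
    out = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            out[name.lower()] = arg.strip('"') or None
    return out

def freshness_seconds(headers, shared=False):
    """Seconds a cache may reuse the response without asking the origin.
    0 = expires immediately; None = no explicit lifetime, so each cache
    applies its own heuristic. shared=True models a proxy cache."""
    h = _lower(headers)
    cc = parse_cache_control(h.get("cache-control"))
    if "no-store" in cc or "no-cache" in cc or (shared and "private" in cc):
        return 0
    for key in (("s-maxage", "max-age") if shared else ("max-age",)):
        if (cc.get(key) or "").isdigit():
            return int(cc[key])
    if "expires" in h:
        try:
            delta = (parsedate_to_datetime(h["expires"])
                     - parsedate_to_datetime(h.get("date", "")))
            return max(0, int(delta.total_seconds()))
        except (TypeError, ValueError):
            # Unparseable Expires such as "0" means already expired; a missing
            # Date is treated the same way here (a simplification).
            return 0
    return None

def intermediary_evidence(headers):
    """Headers added by a proxy or cache in the path, not by the origin.
    Via and Age are standard; X-Cache is a common non-standard one."""
    h = _lower(headers)
    return {k: h[k] for k in ("via", "age", "x-cache") if k in h}

# Constructed sample responses (not captured from the site in the thread).
DATE = "Tue, 14 Oct 2008 10:00:00 GMT"
NO_POLICY = {"Date": DATE, "Content-Type": "image/jpeg",
             "Last-Modified": "Mon, 13 Oct 2008 08:00:00 GMT"}
VIA_PROXY = {**NO_POLICY, "Age": "340", "Via": "1.1 proxy.example (squid)",
             "X-Cache": "HIT from proxy.example"}
EXPIRE_NOW = {"Date": DATE, "Cache-Control": "no-cache, must-revalidate",
              "Expires": "0"}

if __name__ == "__main__":
    for name, r in (("no policy", NO_POLICY), ("via proxy", VIA_PROXY),
                    ("expire now", EXPIRE_NOW)):
        print(name, freshness_seconds(r, shared=True), intermediary_evidence(r))
```

An empty result from `intermediary_evidence` does not rule out a proxy, since an intercepting proxy is not obliged to add these headers; comparing the headers received on the office network with those received elsewhere is the more reliable check.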
 
LVL 1

Author Comment

by:-Polak
ID: 22755626
0
