• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 291

DNS issues possibly as a result of removing a 2nd (disabled) NIC on primary DNS server

A couple of weeks ago, we removed a 2nd NIC from our primary DNS server that was disabled.  The IP address of this 2nd NIC was 10.0.16.21.  Since that day, internal DNS has been snappy as ever; but DNS to the internet (outside world if you will) has been slow.  For example, a ping to www.google.com will take 5-8 seconds to resolve... but it eventually resolves. If I then hit the up arrow, and immediately ping Google a second time, the response is almost instantaneous.  Wait 15 minutes or so, ping Google again, and I'm back to 5-8 second response time.

Also, around that same time, our Parking Garage began having issues with their credit card server.  Most of the transactions failed, but occasionally some would go through.  This could be because of the latency in DNS to the outside world.   Perhaps there is a time out value with the credit card system that if it doesn't resolve to netconnect1.paymentech.net or netconnect2.paymentech.net that the transactions fail.  Not too sure here, but they work at times, then fail at other times.

Also around this same time, our external emails began getting delivered with a delay.  Delay isn't noticeable in the AM (almost arrive at the time the sender sends it), but by mid afternoon, an email sent to me from someone outside at 2:30 would end up being delivered to me @ 3:00PM.

Also, when this 2nd NIC, 10.0.16.21 was removed from our primary DNS server, I was no longer able to resolve internal DNS when connected in from home via VPN.  After looking on our firewall, I noticed there was an entry for the fully qualified domain name of our primary DNS server and it used 10.0.16.21 as the IP (which is the old IP of the 2nd NIC).  When I queried it to ask where used I discovered it was used in the VPN DNS srv.  Once I adjusted the VPN DNS setting, DNS once again returned to working fine from home.

It is only the slow web browsing, credit card issues and the delayed delivery of external email that still seem to be present.  Also, all 3 of these issues appear to have surfaced the same day that the 2nd NIC (10.0.16.21) was removed from our primary DNS server back on December 17, 2009.

Our ISP states that they do not have IP addresses for our internal DNS servers in the route statements, so at this point, they're not on my list.  My coworker also checked bandwidth utilization, and we're not even beginning to lay a dent into the bandwidth. So that too doesn't appear to be an issue.

At this point I'm ready to re-add that 2nd NIC back to my primary DNS server and assign it the old 10.0.16.21 (i.e. put it back to the way it was 4 weeks ago) but am hesitant to do this because I'm told it's not best practice to have a DNS server with multiple NICs... even if the 2nd NIC is disabled.

I've looked at DNS forwarders, and they look to be pointing to each other for forwarding; and the number of seconds before the forward query times out is set to 5 seconds (about the length of time it takes for pings to respond to web sites). Should I try lowering that value to 1 second?

Any help is greatly appreciated.
Asked by: pgetchell

1 Solution

Chris Dent (PowerShell Developer) commented:

> and they look to be pointing to each other for forwarding;

Could you expand on that a bit? Do you mean you have something like...

DNS1 Forwarders: DNS2
DNS2 Forwarders: DNS1

If so, that will cause a bounce and add a significant delay to public name resolution.

Chris

pgetchell (Author) commented:
Yes, our primary points to secondary and vice versa.  I have 2 DNS servers in our main site, then 4 others at remote sites in our WAN.  How should they be set to forward?  Should primary point to secondary; secondary point to another one on the WAN; another WAN one point to another WAN one etc. Thanks for the response Chris, and please advise on how best for me to move forward.  For example, should I do the following:
Primary forwards to secondary; Secondary forwards to site 1; site 1 forwards to site 2; site 2 forwards to site 3; site 3 forwards to site 4; site 4 forwards back to primary??

Let me know.
Thanks!

Chris Dent (PowerShell Developer) commented:

They should point to servers that can provide answers for external names. One common option is to point them at your ISP's DNS servers.

I would avoid chains of forwarders because they do impact resolution time, although not as badly as loops do, because you have to wait for the loop to time out before a name is resolved.

It's perhaps best to think of this kind of set-up as hub and spoke, where the hub is responsible for resolving public names, and may well be your ISP's server.

Is there a reason you've needed them set up like this? I don't want to break anything without being able to suggest how it might be fixed :)

Chris
Chris Dent (PowerShell Developer) commented:

Oh, and just in case... you don't have to use Forwarders at all if you don't trust your ISP. Root Hints is the default name resolution method, and that's likely to be what your servers are doing after the forwarders time out.

Chris

pgetchell (Author) commented:
Thanks for your responses Chris, they're both very helpful.

I'm basically just trying to speed up our DNS resolution to the internet. Maybe I'm having a DNS caching issue.  Pings to websites take @ 5 seconds to respond, then respond immediately when pinged a second time. Problem surfaced when a second NIC that was disabled was removed from our Primary DNS server.  This then got me looking at forwarders, and saw some of the forwarders on our remote sites were using a former ISP's DNS servers.  Good point about the root hints though.  I'm familiar with what root hints do, and it's good to know I can bypass "forwarders" if I choose to, knowing the root hints will pick up the slack there.

One last question regarding the forwarders: should I at a minimum have my primary DNS server forward to my secondary DNS server?  I can then decide if I want to have my remote sites use my ISP DNS server or none and rely on root hints.  From here, I'll try to determine if the issue is DNS caching. I think caching is working though because when I try to open the "COM" folder within "Cached Lookups" it stops me at 10,000 objects and tells me to increase the limit to view all the objects.  So, it certainly appears to have cached info in the COM folder.

Chris Dent (PowerShell Developer) commented:

Nope, it wouldn't give you a benefit, it adds a single point of failure.

Essentially you need the Secondary up at all times for optimal name resolution performance. Rather defeats the point in providing fault tolerance by having multiple DNS servers in the first place.

If I were putting together a multi-site network I would consider the following:

Main site (hub)
  DNS1 -> Either uses Root Hints, or Forwards to ISP's DNS servers
  DNS2 -> Either uses Root Hints, or Forwards to ISP's DNS servers

Remote site (spoke)
  DNS3 -> Either uses Root Hints, or Forwards to DNS1, DNS2 (if Internet traffic flows via hub), or uses ISP's DNS servers
  DNS4 -> Either uses Root Hints, or Forwards to DNS1, DNS2 (if Internet traffic flows via hub), or uses ISP's DNS servers

And so on.

This way, you have two DNS servers on the hub site that are able to act happily if the other is down. For remote sites I would typically follow the path the Internet connection takes, but they would never refer to another DNS on the same site.

Chris
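The forwarder loop Chris describes earlier in the thread (DNS1 forwards to DNS2, DNS2 forwards to DNS1) and the hub-and-spoke layout he recommends above can both be checked mechanically before touching the servers. The Python script below is an added example, not code from this thread or from the Windows DNS product: it takes each server's ordered forwarder list (the same information shown on a server's Forwarders tab in DNS Manager), flags loops, counts how many forwarder hops a fresh public lookup crosses before it reaches a server that resolves public names itself, and reports the thread's 5-second forwarder timeout as the expected penalty when a loop is present. The server names, the "ISP" placeholder and the three topologies are constructed for the example.

```python
"""Audit DNS forwarder topologies for loops and long chains.

The topologies below are constructed for this example; they are not the
poster's real configuration. Each key is a DNS server and its value is that
server's ordered forwarder list. An empty list means the server has no
forwarders and resolves public names itself via root hints. "ISP" stands in
for the ISP's resolver.
"""

LOOPED = {"DNS1": ["DNS2"], "DNS2": ["DNS1"]}  # the loop described in the thread

CHAINED = {                                    # the chain proposed earlier in the thread
    "Primary": ["Secondary"],
    "Secondary": ["Site1"],
    "Site1": ["Site2"],
    "Site2": ["ISP"],
    "ISP": [],
}

HUB_AND_SPOKE = {                              # the layout recommended above
    "DNS1": [],                 # hub: root hints
    "DNS2": ["ISP"],            # hub: or forward to the ISP's resolver
    "DNS3": ["DNS1", "DNS2"],   # spoke: forward to both hub servers
    "DNS4": ["DNS1", "DNS2"],
    "ISP": [],
}

FORWARD_TIMEOUT_S = 5  # forwarder timeout quoted in the thread (seconds)


def find_forwarder_loops(topology):
    """Return every forwarder cycle as a list of server names ending where it began.

    Depth-first search over all forwarders; a back edge to a server still on
    the DFS stack is a loop.
    """
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {name: WHITE for name in topology}
    stack, loops = [], []

    def visit(node):
        colour[node] = GREY
        stack.append(node)
        for fwd in topology.get(node, []):
            state = colour.setdefault(fwd, WHITE)  # unknown names (e.g. "ISP") are leaves
            if state == GREY:                      # back edge: a forwarder loop
                loops.append(stack[stack.index(fwd):] + [fwd])
            elif state == WHITE:
                visit(fwd)
        stack.pop()
        colour[node] = BLACK

    for name in list(topology):
        if colour[name] == WHITE:
            visit(name)
    return loops


def resolution_path(topology, server):
    """Follow the first-listed forwarder from `server` until a server that has
    no forwarders (i.e. resolves public names itself). Returns (path, looped)."""
    path, seen, current = [server], {server}, server
    while topology.get(current):
        nxt = topology[current][0]
        path.append(nxt)
        if nxt in seen:          # we are back on a server already visited: a loop
            return path, True
        seen.add(nxt)
        current = nxt
    return path, False


def forwarder_hops(topology, server):
    """Forwarder hops crossed by a fresh public lookup, or None if the path loops."""
    path, looped = resolution_path(topology, server)
    return None if looped else len(path) - 1


def first_lookup_penalty(topology, server, timeout=FORWARD_TIMEOUT_S):
    """Seconds the client-facing server waits before falling back to root hints.

    Models only the effect described in the thread: with a loop, the forwarder
    never answers, so the server waits out its forwarder timeout first.
    """
    _, looped = resolution_path(topology, server)
    return timeout if looped else 0


def audit(topology):
    """Per-server summary: hop count (None for a loop) and expected extra delay."""
    return {
        name: {"hops": forwarder_hops(topology, name),
               "penalty_s": first_lookup_penalty(topology, name)}
        for name in topology
    }


if __name__ == "__main__":
    for label, topo in (("looped", LOOPED), ("chained", CHAINED), ("hub-and-spoke", HUB_AND_SPOKE)):
        print(label, "loops:", find_forwarder_loops(topo))
        for name, info in audit(topo).items():
            print(f"  {name}: {info}")
```

Running it shows the contrast the thread draws: the looped pair reports one cycle and a 5-second penalty on every fresh lookup, matching the 5-8 second pings; the chained layout has no loop but four forwarder hops from Primary, each adding latency and a dependency on a remote site; under hub-and-spoke no server is more than one hop from a resolving server, and a spoke keeps working if either hub server is down because both are listed.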

pgetchell (Author) commented:
So far my web surfing and pings are almost instant!!!  Thank you so much Chris. I'm going to let this sit over night, and assuming all seems well still tomorrow, I'll close this question and credit you with the points. I can't express enough how thankful I am!

Chris Dent (PowerShell Developer) commented:

I hope it continues working :) And if it does, you're most welcome :)

Chris

pgetchell (Author) commented:
Thanks again Chris!