Solved

Urgent TCPIP knowledge required please

Posted on 2011-03-04
392 Views
Last Modified: 2012-05-11
Sorry for the title of this topic but I'm under a lot of pressure to sort this quickly.

Could anyone explain how the DNS works in a small domain environment please? I have a situation where the presence of a Windows based DNS server is causing a slow ping to the internet. Even though a workstation might rely on the server for the DNS, removing the network connection from the server makes everything normal. I'm guessing the workstation doesn't require the server once it's resolved the IP address but I'm puzzled as to why the presence of the server makes things slow.

There is no apparent unusual network traffic which you might otherwise associate with these symptoms.

Is it feasible to suggest that a faulty DNS server service might cause this to happen?
Question by:edz_pgt
11 Comments
 
LVL 70

Expert Comment

by:Chris Dent
Good morning,

DNS requirements for an Active Directory domain are fairly simple:

1. All clients must be able to reliably resolve names for the AD domain name in DNS
2. The DNS server must support service records (MS DNS does)

The first is perhaps the most critical, and it means that you should not, under any circumstances, feed clients DNS servers that know nothing about your AD domain (for example, your ISP's DNS servers).

Your internal DNS server will be able to resolve public names on its own by default (using Root Hints), although using Forwarders (typically to your ISP's DNS servers) is a popular choice.

On to Ping. What do you mean by slow ping? DNS cannot directly impact Ping, although it can cause a delay before Ping really gets going if you ping a name rather than an IP.

Chris
 
LVL 8

Expert Comment

by:afthab
What is the status of antivirus on the DNS server? Is it updating to the latest definitions?

AtB
 
LVL 8

Expert Comment

by:afthab
Also see

* Check the events for any hint
* http://technet.microsoft.com/en-us/library/cc787724%28WS.10%29.aspx
* Check your DNS forwarder for unwanted entries.
* Observe the nslookup timing

AtB
 

Expert Comment

by:Wycom
Flush the DNS on the server
ipconfig /flushdns

It is probably a forwarder.
Make sure that they are the same as your ISP's.
Can also chuck in 8.8.8.8, which is Google's public DNS.
 
LVL 1

Author Comment

by:edz_pgt
Many thanks for all of your replies.

It seems that the notification emails have gone astray so I was unaware of your comments until a couple of minutes ago. Hence my delayed reply - sorry guys.

It now seems that DNS may have been a red herring. After a lot of investigation I've managed to narrow this down a lot. I've found that stopping the SMTP service brings the ping results back to normal.

To answer a previous question, I had been pinging www.google.com and getting replies at around 300ms - 600ms. Stop the SMTP service and these replies take around 50ms - 60ms.

So, my question I suppose is now related to email.

I've checked the queue, bad mail & pickup directories and they are empty. The UCEarchive folder has about 10 emails in it which appear quite normal.

Any ideas?

 
LVL 1

Author Comment

by:edz_pgt
A bit more information:

1. Stopping the default SMTP in Exchange stops the ping problem.
2. Disabling all inbound NAT ports at the router has no effect.
3. Disabling outbound mail in Exchange has no effect.

So, it appears to be smtp related but I can't see anything to explain it in the Exchange queues.

Not sure if this is relevant, but there's a lot of port 445 netbios activity on the network. Never really looked into this before so I'm not sure what levels of 445 traffic to expect.
 
LVL 24

Accepted Solution

by:rfc1180 (earned 500 total points)
>Could anyone explain how the DNS works in a small domain environment please?

1. The client contacts the AD DNS server (ADDNS01) with a recursive query for www.google.com. The server must now return either the answer or an error message.

2. ADDNS01 checks its cache and zones for the answer, but does not find it, so it contacts a server authoritative for the Internet (that is, a root server) with an iterative query for www.google.com.

3. The DNS server at the root of the Internet does not know the answer, so it responds with a referral to a DNS server authoritative for the .com domain.

600ms of RTT latency

4. ADDNS01 contacts a DNS server authoritative for the .com domain with an iterative query for www.google.com.

5. The DNS server authoritative for the .com domain does not know the exact answer, so it responds with a referral to a server authoritative for the google.com. domain.

Additional 600ms of latency

6. ADDNS01 contacts the DNS server authoritative for the google.com. domain with an iterative query for www.google.com.

7. The DNS server authoritative for the google.com. domain does know the answer. It responds with the requested IP address.

Again, an additional 600ms of latency on the query time, with a total of 1.8 seconds for the entire query to complete from a client perspective.

8. ADDNS01 responds to the client query with the IP address for www.google.com.

==============

Stopping SMTP does appear to be the culprit; however, disabling outbound email and the NAT policy having had no effect indicates that possibly internal clients are filling up the SMTP queue, causing congestion on the Ethernet link. I find it hard to believe that SMTP traffic internally could be causing congestion on your internal network. Do you have the capability to log into the Ethernet switch and check the statistics of the switchport that the Exchange server is connected to? You could also install Wireshark on the Exchange server to analyze the packets and parse through the data to give you a better understanding of what is going on at a packet level.

Billy
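The referral walk in the accepted answer above, together with the Root Hints versus Forwarders choice Chris raised earlier, as an added worked example. This is Python written for this page, not code from the thread: it models the AD DNS server as a caching resolver that walks root -> .com -> google.com with an assumed 600 ms round trip per hop, repeats the same lookup from cache, and then resolves the same name through an assumed ISP forwarder whose own cache is already warm. The server names, RTTs and the 203.0.113.10 address are constructed fixtures, not measurements; the point it makes visible is that the 1.8 s is paid once, before the first echo request is sent, and not on every ping reply.

```python
"""Toy model of a recursive resolver doing iterative lookups with a cache.

Constructed example: server names, RTTs and addresses are made up; the walk
(root -> TLD -> authoritative) and the cache behaviour follow the steps in the
accepted answer.
"""
from dataclasses import dataclass, field


def canonical(name):
    """Lower-case, fully-qualified form with a trailing dot."""
    return name.rstrip(".").lower() + "."


@dataclass
class NameServer:
    name: str
    rtt_ms: float                                      # assumed resolver-to-server round trip
    answers: dict = field(default_factory=dict)        # fqdn -> address this server can answer
    delegations: dict = field(default_factory=dict)    # child zone -> NameServer it refers to

    def referral_for(self, fqdn):
        """Longest-matching delegation for fqdn, or None if this server has none."""
        best = None
        for zone, ns in self.delegations.items():
            if fqdn == zone or fqdn.endswith("." + zone):
                if best is None or len(zone) > len(best[0]):
                    best = (zone, ns)
        return None if best is None else best[1]


@dataclass
class Resolver:
    """The AD DNS server: takes recursive client queries, walks referrals itself."""
    start: NameServer                   # a root-hints server, or a forwarder
    cache: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def resolve(self, name):
        """Return (address, elapsed_ms). A cache hit costs no network time."""
        fqdn = canonical(name)
        if fqdn in self.cache:
            self.log.append(f"cache hit for {fqdn}")
            return self.cache[fqdn], 0.0
        elapsed, server = 0.0, self.start
        while True:
            elapsed += server.rtt_ms            # one iterative query to this server
            if fqdn in server.answers:
                addr = server.answers[fqdn]
                self.log.append(f"{server.name}: answer {fqdn} -> {addr} (+{server.rtt_ms} ms)")
                self.cache[fqdn] = addr
                return addr, elapsed
            nxt = server.referral_for(fqdn)
            if nxt is None:
                self.log.append(f"{server.name}: no answer and no referral for {fqdn}")
                raise LookupError(fqdn)
            self.log.append(f"{server.name}: referral -> {nxt.name} (+{server.rtt_ms} ms)")
            server = nxt


def build_root_hints_lab(rtt_ms=600.0):
    """Root -> .com -> google.com chain, each hop rtt_ms away (constructed fixture)."""
    google = NameServer("ns1.google.com", rtt_ms, answers={"www.google.com.": "203.0.113.10"})
    com = NameServer("a.gtld-servers.net", rtt_ms, delegations={"google.com.": google})
    root = NameServer("a.root-servers.net", rtt_ms, delegations={"com.": com})
    return Resolver(start=root)


def build_forwarder_lab(rtt_ms=50.0):
    """Same name via an assumed ISP forwarder whose cache is warm (constructed fixture)."""
    isp = NameServer("isp-resolver", rtt_ms, answers={"www.google.com.": "203.0.113.10"})
    return Resolver(start=isp)


def compare():
    """First lookup, repeat lookup, and forwarder lookup timings, in ms."""
    lab = build_root_hints_lab()
    _, first = lab.resolve("www.google.com")
    _, repeat = lab.resolve("www.google.com")
    _, forwarded = build_forwarder_lab().resolve("www.google.com")
    return {"root_hints_first": first, "root_hints_cached": repeat, "forwarder": forwarded}


if __name__ == "__main__":
    lab = build_root_hints_lab()
    for query in ("www.google.com", "www.google.com"):
        addr, ms = lab.resolve(query)
        print(f"{query} -> {addr} in {ms:.0f} ms")
    print("\n".join(lab.log))
    print(compare())
```

Running it prints the referral log for the first lookup (three hops, 1800 ms) and a cache hit (0 ms) for the second; the forwarder case collapses the chain to a single 50 ms hop, which is the trade Chris described when he called Forwarders "a popular choice". The model deliberately leaves out TTL expiry and negative caching.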
 
LVL 1

Author Comment

by:edz_pgt
Thanks Billy.

While testing this afternoon the traffic suddenly stopped of its own accord. The only thing I noticed was that the apparently empty outbound SMTP queues had vanished.

All is still quiet but I suspect the issue may return on Monday when the office staff are back at work.

Is there a simple guide to running wireshark? I've read a lot of people suggesting it's good but it seems really complicated at first glance.
 
LVL 24

Expert Comment

by:rfc1180
>Is there a simple guide to running wireshark? I've read a lot of people suggesting it's good but it seems really complicated at first glance.

There is a guide, but parsing through all the data will be a bit intimidating; if you are not very knowledgeable about TCP/IP, then your best bet is to run a packet capture and ask the Experts here at the Exchange to assist.

Billy
 
LVL 77

Expert Comment

by:Rob Williams
You can filter traffic with Wireshark after you make the capture. Based on your comments I would filter out all but SMTP. I would also check to make sure your server is not exposed to being an open relay.
http://www.amset.info/exchange/smtp-openrelay.asp
Or use the Microsoft on-line test tool:
https://testexchangeconnectivity.com
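The open-relay check Rob suggests, as an added example written for this page (not from the thread or the linked tools). It is a Python probe that speaks plain SMTP to port 25, offers an outside sender and an outside recipient, and judges the server by its reply to RCPT TO: a 2xx means the server will relay for anyone, a 5xx such as "550 Unable to relay" means it will not. It stops before DATA, so nothing is ever injected. A constructed in-process responder stands in for the Exchange server so the exchange can be run offline; example.net and example.org are assumed to be domains the target does not host, and mail.example.com is a made-up banner.

```python
"""Open-relay probe over plain SMTP (RFC 5321), runnable offline.

Added example for this thread, not code from it. probe_open_relay() is the
check; scripted_server() is a constructed stand-in for an MTA. example.net and
example.org are assumed to be domains the target server does not host.
"""
import socket
import threading

OUTSIDE_SENDER = "probe@example.net"        # assumed foreign to the server
OUTSIDE_RECIPIENT = "someone@example.org"   # assumed foreign to the server


class SmtpConversation:
    """Client side of an SMTP session over any socket-like object."""

    def __init__(self, sock):
        self.rfile = sock.makefile("rb")
        self.wfile = sock.makefile("wb")
        self.transcript = []

    def read_reply(self):
        """Collect one reply: '250-' lines continue it, '250 ' ends it."""
        lines = []
        while True:
            raw = self.rfile.readline()
            if not raw:
                raise ConnectionError("server closed the connection")
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            self.transcript.append("S: " + line)
            if len(line) < 4 or line[3] != "-":
                return int(line[:3]), "\n".join(lines)

    def command(self, text):
        self.transcript.append("C: " + text)
        self.wfile.write((text + "\r\n").encode("ascii"))
        self.wfile.flush()
        return self.read_reply()


def probe_open_relay(sock, helo_name="probe.example.net"):
    """Offer outside sender and recipient; a 2xx to RCPT TO means 'will relay'.

    Stops before DATA, so no message is ever injected.
    """
    conv = SmtpConversation(sock)
    result = {"open_relay": False, "rcpt_reply": None, "transcript": conv.transcript}
    try:
        for expected, cmd in ((220, None), (250, "EHLO " + helo_name),
                              (250, f"MAIL FROM:<{OUTSIDE_SENDER}>")):
            code, _ = conv.read_reply() if cmd is None else conv.command(cmd)
            if code != expected:
                raise RuntimeError(f"{cmd or 'banner'} answered {code}, expected {expected}")
        code, text = conv.command(f"RCPT TO:<{OUTSIDE_RECIPIENT}>")
        result["rcpt_reply"] = text
        result["open_relay"] = 200 <= code < 300
        conv.command("RSET")
    finally:
        try:
            conv.command("QUIT")
        except (OSError, ValueError):
            pass
    return result


def scripted_server(sock, relay_allowed):
    """Constructed fixture standing in for an MTA (not a real server)."""
    rfile, wfile = sock.makefile("rb"), sock.makefile("wb")

    def send(*lines):
        wfile.write("".join(l + "\r\n" for l in lines).encode("ascii"))
        wfile.flush()

    replies = {
        "EHLO": ("250-mail.example.com", "250 SIZE 10240000"),
        "MAIL": ("250 2.1.0 OK",),
        "RCPT": ("250 2.1.5 OK",) if relay_allowed else ("550 5.7.1 Unable to relay",),
        "RSET": ("250 2.0.0 OK",),
        "QUIT": ("221 2.0.0 Bye",),
    }
    send("220 mail.example.com ESMTP constructed fixture")
    while True:
        raw = rfile.readline()
        if not raw:
            break
        parts = raw.decode("ascii", "replace").split(None, 1)
        verb = parts[0].upper() if parts else ""
        send(*replies.get(verb, ("502 5.5.2 Command not recognized",)))
        if verb == "QUIT":
            break
    rfile.close(); wfile.close(); sock.close()


def probe_fixture(relay_allowed):
    """Run the probe against the in-process fixture; returns the probe result."""
    client, server = socket.socketpair()
    worker = threading.Thread(target=scripted_server, args=(server, relay_allowed), daemon=True)
    worker.start()
    try:
        return probe_open_relay(client)
    finally:
        client.close()
        worker.join(timeout=5)


def probe_host(host, port=25, timeout=10.0):
    """Run the probe against a real server; only test servers you are responsible for."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return probe_open_relay(sock)


if __name__ == "__main__":
    for allowed in (False, True):
        result = probe_fixture(allowed)
        print("\n".join(result["transcript"]))
        print("open relay:", result["open_relay"], "\n")
```

Against a real server use probe_host("mail.yourdomain", 25) from a host outside the LAN, because Exchange relay permissions are usually granted per source address and an internal test can pass while the Internet side still relays. The probe only checks one recipient; a server that relays only for some domain patterns needs a longer recipient list.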
 
LVL 1

Author Comment

by:edz_pgt
Just for the record....

The problem was due to a 15MB email being continuously rejected by Yahoo.com and being continuously resent.

The message wasn't visible in the queue until I blocked port 25 outbound on the router. Once I could see it, I could then delete and problem solved.

Thanks everyone.
