I have DNS Issues with my UC560

I recently deployed a UC560 box for a client. The client uses a modem that assigns an IP address and DNS addresses to it automatically. Initially everything was fine and the PCs on the LAN were all browsing, but two days ago I got a call and was told the PCs could no longer browse the internet. I did all the checks and everything was fine, so I decided to ping the DNS IP addresses: no replies. When I connected a laptop directly to the ISP modem, it browses fine. But I still could not ping the DNS addresses from the laptop. Please, what could be the issue?
Steve (Network Manager) commented:
Ping is not a definitive tool for testing..

We block all ping (icmp) requests, so pinging our servers would also yield no results..

you're better off doing an nslookup against that IP address to see if DNS is actually working or not on that machine..


(there's heaps of them around)..

this will tell you if DNS is actually working or not.. if it's not.. simply add or change to another DNS server ? or contact the host and report it..

if however the server IS working and responding correctly, then the issue could be many other things.. there could be a firewall in between that has been changed ?
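
The point above, that a resolver can ignore ping and still answer queries, can be checked by sending a real query to UDP port 53 and classifying what comes back. This is an added example, not part of the original thread; the function names and the 192.0.2.53 placeholder address are assumptions.

```python
import socket
import struct
import sys

TXID = 0x1234  # fixed transaction id; fine for a one-shot diagnostic probe

def build_query(name):
    """Build a minimal DNS A-record query (RFC 1035), recursion desired."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def probe_dns(server, name, port=53, timeout=2.0):
    """Send one UDP query to `server`; return (status, detail).

    status: "ok", "error-rcode", "timeout", "unreachable" or "bad-reply".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, port))
            s.send(build_query(name))
            reply = s.recv(512)
        except socket.timeout:
            # Silence: resolver down, or UDP/53 dropped by a firewall on the path.
            return "timeout", "no reply on UDP/%d" % port
        except OSError as exc:
            # e.g. ICMP port-unreachable came back: host is up, nothing listening.
            return "unreachable", str(exc)
    if len(reply) < 12:
        return "bad-reply", "reply shorter than a DNS header"
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!HHHHHH", reply[:12])
    if txid != TXID or not flags & 0x8000:  # QR bit must mark a response
        return "bad-reply", "transaction id mismatch or not a response"
    rcode = flags & 0x000F
    if rcode != 0:  # 2 = SERVFAIL, 3 = NXDOMAIN, 5 = REFUSED
        return "error-rcode", "rcode=%d" % rcode
    return "ok", "%d answer record(s)" % answers

if __name__ == "__main__":
    # 192.0.2.53 is a documentation placeholder; pass the resolver address
    # the modem handed out as the first argument.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"
    print(probe_dns(server, "www.yahoo.com"))
```

Running it once from a PC behind the UC560 and once from a laptop plugged straight into the modem shows whether queries are being lost at the resolver or on the path through the router.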

Teshoma (Author) commented:
I agree with you, apart from pinging, I did nslookup for the IP addresses on ping.eu and even telnetted into the DNS server. The message was that it is not available. I tried using on the UC560 and it still did not work.
There are loads of free DNS servers on the internet that will allow you to query them.

or look for the root nameservers (been a while but I think a.nic.uk was one)?
greg ward (Systems Engineer) commented:
The modem is still working but the PCs are plugged into the UC560 and not working. < what I think the problem is.
on the router ping or .2
does that work?
if it does please post config without passwords.
if not reboot both devices and try again.

Teshoma (Author) commented:

Yes, it pings when I ping that IP address on the router. I can even ping www.yahoo.com, using the name and not the IP address. I am attaching the router config file.

thank you
greg ward (Systems Engineer) commented:
Remove that
ip inspect name SDM_LOW https

and replace with tcp

see if that fixes it.

greg ward (Systems Engineer) commented:
sorry that's wrong
you have dns server running so use this

just change the dns to point to your uc520 in dhcp and add
ip name-server
ip name-server another dns server.

Teshoma (Author) commented:
Already did that. The DNS is not showing here, because it obtains it automatically with the IP address from the ISP. I will try now. I used and it did not work then, will try again.

greg ward (Systems Engineer) commented:
ip dhcp pool data
   import all
   dns-server  << add this

then your dns is all done by the router.

Teshoma (Author) commented:
Okay, I will do that. Thank you so much, will let you know the outcome.
greg ward (Systems Engineer) commented:
if that does not work we will remove dns inspection and add udp inspection
then add a static allow for your dns server...
blocking all other dns

Steve (Network Manager) commented:
I'd be removing the inspection first to see if it's causing the issue..

it's a simple test (below)..

if it fixes the problem then it has to be an inspection ruleset that is triggering.. and you can move through the list disabling them one at a time..

interface GigabitEthernet0/0
 no ip inspect SDM_LOW out

Teshoma (Author) commented:
The thing is, when I set it up initially, it worked fine, with all those rules in it. Can everything suddenly just change?
Steve (Network Manager) commented:
yep.. because they are inspect rules etc they 'react' to situations.. so for example if suddenly there is a flood of requests or in your case more likely a flood of dns responses due to many workstation requests the standard inspect rulesets get triggered.. what you might find is that it works sometimes and then for no reason stops working again ? that's the inspect rules in action..

personally.. unless you're getting a LOT of attacks a good set of ACLs will protect you better (except for DDoS attacks etc ) than the inspect rulesets.. i find them to be more trouble than they're worth on small sites IMHO...

Teshoma (Author) commented:
Okay, kool. I will try that as well and let you know the outcome.
Teshoma (Author) commented:
Hello all, thanks so much for all the help yesterday. Unfortunately it still won't work, so I am resetting everything to factory settings and starting all over again, and hope no one tampers with the config when I am done, because I am beginning to suspect that that was what happened.
greg ward (Systems Engineer) commented:
what you might find is that it works sometimes and then for no reason stops working again ? that's the inspect rules in action..

I have to agree with the above statement.
You have to make sure you are up to date with the IOS version and if that does not work use tricks to get round certain bits that don't work for you.

Good luck with the new config.

Teshoma (Author) commented:
Hello, I did a fresh configuration. The systems browse now, but only if they are not connected to the Windows domain on the network. Are there any known issues with running a Windows domain on a network that has Cisco small business systems?
Teshoma (Author) commented:
Hello, any new suggestions? The system was fine for a while, now it is having the same issues again. And this time it is not just this site: I deployed the same thing on another site, and I got a call today that some users can connect to the internet and others cannot. I will be there in a bit to find out exactly what the problem is this time. The phones are working great this time.
greg ward (Systems Engineer) commented:
did you try my idea?
set the server up as dns
and set up specific allows for dns

Steve (Network Manager) commented:
can you post up your config now you have reset it ?
Teshoma (Author) commented:

It was a different issue this time. I got the wrong report, so I went there to see things for myself; their internet went down.
The initial problems, I think, have been sorted out. It was a layer 1 issue, the cabling infrastructure had problems.


Teshoma (Author) commented:
Fixing the layer 1 issues solved the problem.
