DNS Resolution Extremely Slow, ISP or Server?

SBS2011, getting ready to replace the server; in the meantime DNS resolution is horrible, however I'm not convinced it's the server, I think it's on the ISP side. When I ping either DNS server from the ISP it has a lag well above 25ms to 35ms. This is not enough though to determine why DNS resolution is so slow, and is the reason for this post. How to proceed troubleshooting in this case?

SBS2011 doesn't use forwarders but I tried them anyway without any luck. I also added 8.8.8.8 for testing purposes and nothing changed. SBS2011 DNS/DHCP is configured without forwarders and is using root hints. The firewall is using DNS from the ISP.

Something strange: when I make a VPN connection my resolution is fine. I may not be fully understanding DNS through a VPN connection; my understanding is I'm routed through the server, so shouldn't I see the same issues? Note, I'm not using SBS routing and remote access, I'm using L2TP on the firewall. Maybe I just answered my question and I'm routing around the SBS2011 server.

Also upgraded the bandwidth, which is nice, much faster, but the DNS resolution is still extremely slow and an issue.
WORKS2011 (Managed IT Services, Cyber Security, Backup) asked:
Dr. Klahn (Principal Software Engineer) commented:
Try switching to one of the open DNS servers and see if there is an improvement.

1.1.1.1
208.67.220.220
208.67.222.222

I no longer recommend Google DNS servers as some results are incorrect. (Specifically, results from blacklist lookups, which are results that you certainly do want to be correct.)
yo_bee (Director of Information Technology) commented:
Can you go directly to the IP without any lag? If you experience the same lag it's not your DNS, but more of a network issue.
What is your current ISP stated bandwidth?

WORKS2011 (Managed IT Services, Cyber Security, Backup, Author) commented:
@yo_bee I did nslookup for Amazon and Microsoft

Amazon:  https://205.251.242.103
Microsoft: https://191.239.213.197 

Both were instant, so there's a DNS issue.

ISP side or server? Any recommendations for isolating?
WORKS2011 (Managed IT Services, Cyber Security, Backup, Author) commented:
@Dr Klahn trying your recommendations now.
WORKS2011 (Managed IT Services, Cyber Security, Backup, Author) commented:
@Dr Klahn, before I configure, do you recommend I change these at the firewall or create a forwarder on the SBS2011 server?
WORKS2011 (Managed IT Services, Cyber Security, Backup, Author) commented:
@Dr Klahn, creating a forwarder to the IPs 1.1.1.1, 208.67.220.220, 208.67.222.222 hasn't made much difference.

Changing them on the firewall will let you know.

Maybe the issue is when I add the firewall IP address as a forwarder it doesn't resolve the IP. Using a Sonic firewall, is there a way to allow the SBS2011 to see the firewall and pass DNS requests forward?
yo_bee (Director of Information Technology) commented:
When you set the external DNS server, was that a forwarder on your DNS server or set on the client end? I would bypass the internal DNS server to validate internal DNS if you have not already.
Dr. Klahn (Principal Software Engineer) commented:
"do you recommend I change these at the firewall or create a forwarder on the SBS2011 server?"

You got me.  That's one that a server expert would have to answer.
yo_bee (Director of Information Technology) commented:
The forwarder is set at your DNS server and not your firewall. The firewall's purpose is to control what traffic is allowed in or not, depending on how you want to look at it.
WORKS2011 (Managed IT Services, Cyber Security, Backup, Author) commented:
@yo_bee, yes the SBS2011 DNS forwarders are set to the IPs 1.1.1.1, 208.67.220.220, 208.67.222.222.

I just now put in the DNS IP 1.1.1.1 on the workstation on the LAN I'm testing from and it doesn't resolve at all. This seems strange to me.

I get the following error:
This site can’t be reached microsoft.com’s server IP address could not be found.
Try:
- Checking the proxy, firewall, and DNS configuration
- Running Windows Network Diagnostics

DNS_PROBE_FINISHED_BAD_CONFIG

Any ideas?
yo_bee (Director of Information Technology) commented:
I would remove your forwarder and focus from the client out now. Remove all extra hops like your internal DNS server.
yo_bee (Director of Information Technology) commented:
In response to the error you posted.

Was this error seen prior to setting the forwarder? If not I would remove the forwarder.
WORKS2011 (Managed IT Services, Cyber Security, Backup, Author) commented:
Configured the forwarder and left it alone. Didn't help with resolution. I then entered 1.1.1.1 in the DNS settings of the workstation I'm testing from, and after doing so it gave the error message.
yo_bee (Director of Information Technology) commented:
Even though it was suggested not to use Google, I would try it on the workstation and see if you get the same results as you did with your internal DNS server.
WORKS2011 (Managed IT Services, Cyber Security, Backup, Author) commented:
I messed up and accidentally put in 1.2.1.1 as DNS, 1.1.1.1 works from the test computer.

For troubleshooting I put in the router IP as the DNS setting on the test computer and it didn't work at all.
WORKS2011 (Managed IT Services, Cyber Security, Backup, Author) commented:
The server is about to be replaced because it's sluggish; thinking about it, maybe DNS on the server is sluggish as well. Is there a way to use the DNS server from the router, and DHCP for that matter, and turn it off on the server? The problem I see is logging in: if computers can't find the domain controller, it may resolve the DNS issue but have horribly long login times.
masnrock commented:
"Is there a way to use the DNS server from the router and DHCP for that matter and turn it off on the server?"
DHCP, not a problem. DNS is an integral part of Active Directory, so that wouldn't work.
yo_bee (Director of Information Technology) commented:
Was your URL resolution any faster when you hard-coded 1.1.1.1 in the workstation?

If you suspect the server is your root cause that would be the first thing to remove from the mix when troubleshooting. This holds true when trying to troubleshoot anything else and do not do more than one thing at a time so you can isolate the cause.
WORKS2011 (Managed IT Services, Cyber Security, Backup, Author) commented:
@yo_bee no, it wasn't any faster.

@masnrock - agree, good point.

nslookup resolves the IPs instantly, which means the server DNS is not slow, correct?

(192.168.25.2 server DNS nslookup)
masnrock commented:
Depends. Look up a domain that you'd never have reason to access. Also, have you checked to make sure that there are no connection or firewall related issues?
WORKS2011 (Managed IT Services, Cyber Security, Backup, Author) commented:
The firewall has been looked over with a fine-tooth comb. Also had Sonic tech support confirm and put a second set of eyes on it. There's always the option of swapping out the firewall for testing purposes, but it doesn't make much sense to me that this is causing the issue. We captured packets and traced routes, which all looked good. Confirmed the DNS setting in the router is only used by the firewall to communicate back to Sonic for licensing.

nslookup is instant for domains that are being accessed for the first time, in other words not using any sort of cache to resolve IPs.
Joseph Hornsey (President and Janitor) commented:
Works - I know you just said the firewall has been gone over with a fine-toothed comb, but it feels like a firewall issue to me because of your comment about the VPN coming in via L2TP to the SBS server. If that's the case, the DNS is resolving to the SBS server, but the DNS traffic is being tunneled, so it's not inspected by the firewall.

If you're using Windows DNS servers, they use large packets for DNS and some firewalls (most notably, Cisco ASAs) use DNS inspection on DNS packets larger than 512 bytes, which completely messes up Windows DNS.

The policy map for Cisco ASA's looks like this:

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512

So, I'd check and see if the SonicWall is doing any kind of DNS packet length inspection.

Another thing I'd check is make sure it's allowing both TCP and UDP 53 traffic for DNS, and not just UDP-only.

It looks like you and everyone else have been pretty thorough, so I'd just make sure you've checked the DNS servers for:

- Forward lookup zones are correct
- Reverse lookup zones have been created
- The DNS server entries for each zone are correct
- No forwarders exist on any DNS server
- No conditional forwarders exist
- Refresh your root hints

I hope there's something there that someone else hasn't suggested. LOL
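An added example, not from the thread or any of its participants, that turns two suggestions above into a measurement: masnrock's "look up a domain you'd never have reason to access" and this post's points about TCP versus UDP 53 and DNS packets over 512 bytes. It builds a raw query with an EDNS0 OPT record advertising a 4096-byte payload, sends it over both UDP and TCP to each resolver, times the round trip and reports the rcode and TC bit; a UDP timeout paired with a fast TCP answer points at length-based inspection on the path. The resolver addresses are the ones named in the thread (192.168.25.2 and the public servers), and the random label under example.com is a constructed name that returns NXDOMAIN but still forces a full uncached recursion.

```python
import random
import socket
import struct
import time

def build_query(name, qtype=1, edns_size=None, txid=None):
    # Recursive query (RD=1); edns_size adds an OPT record advertising a UDP
    # payload above the classic 512 bytes, the case DNS inspection may choke on.
    txid = random.randint(0, 0xFFFF) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)
    if edns_size:
        # OPT RR: root name, TYPE 41, CLASS = payload size, TTL 0, RDLENGTH 0
        msg += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return txid, msg

def parse_header(resp):
    # The header fields a troubleshooter cares about: rcode, TC bit, answer count.
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"id": txid, "rcode": flags & 0xF, "truncated": bool(flags & 0x0200),
            "answers": an, "bytes": len(resp)}

def time_query(server, name, tcp=False, timeout=3.0):
    # One query over UDP or TCP port 53, round trip timed in milliseconds.
    txid, q = build_query(name, edns_size=4096)
    start = time.perf_counter()
    if tcp:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(q)) + q)  # TCP DNS is length-prefixed
            f = s.makefile("rb")
            resp = f.read(struct.unpack("!H", f.read(2))[0])
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(q, (server, 53))
            resp, _ = s.recvfrom(4096)
    info = parse_header(resp)
    if info["id"] != txid:  # a reply that is not for our query is not an answer
        raise ValueError("response transaction id does not match query")
    info["ms"] = round((time.perf_counter() - start) * 1000, 1)
    return info

if __name__ == "__main__":
    # Resolvers from the thread; a fresh random label defeats every cache on the path.
    for server in ("192.168.25.2", "1.1.1.1", "208.67.220.220"):
        name = "%08x.example.com" % random.getrandbits(32)
        for tcp in (False, True):
            try:
                print(server, "TCP" if tcp else "UDP", time_query(server, name, tcp))
            except (OSError, ValueError) as exc:
                print(server, "TCP" if tcp else "UDP", "FAILED:", exc)
```

Run it from a LAN workstation and compare the millisecond column per resolver and transport; a slow or timed-out UDP column next to a fast TCP one is the signature of DNS packet-length inspection, while uniformly slow results across all resolvers point past the firewall to the link itself.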
masnrock commented:
How long has the slowness been an issue? Any recent changes at the time?
WORKS2011 (Managed IT Services, Cyber Security, Backup, Author) commented:
@Joseph Hornsey, thank you for the post, great info. There's a lot going on with this network that relies on Spectrum, which ultimately makes this 50 times more challenging to understand because of their lack of skillset and their reply, "it's an old cable network, if you go to fiber you won't experience this."

The main reason for this post is to determine what's causing latency issues when going to the internet from the LAN, and if it's the server's DNS. The main issue is when users go to the internet, pages are slow to come up. Once up they work fine. This appears to be DNS not resolving, but DNS lookup is always >1ms and the server checks out fine. All traffic does go through the firewall; it's not ruled out, just not convinced yet.

I mentioned VPN as extra information but the main concern is working on the LAN going to the internet websites take 5-10 seconds to come up then work perfect afterwards.
noci (Software Engineer) commented:
In case of network problems (in general) start from the bottom up.
Is your local network clean and set up according to specs without any surprises?
(Either strict STAR topology, or STP enabled.)
If speeds < 1Gbps are configured, be sure no half duplex / full duplex conflicts exist on any one connection
(they won't block traffic with low speeds and large intervals but will break higher speed traffic).
Automatic setup for speeds 100Mbps & 10Mbps can cause this when several manufacturers supplied the network equipment.
If all that is under your control is well, then verify this with local testing (latency as well as throughput).
netio is a nice tool for this: https://web.ars.de/netio/
(FTP transfer etc. are no good as speed measuring tools, as disk bandwidth might be lower than the network speed).
Tools like pchar ( http://www.kitchenlab.org/www/bmah/Software/pchar/ ) might be used for estimating network connections hop by hop,
giving some more insight on the external net.

Fiber can be better, but if the supplier just abandons the current network they should care for, then at least you know they are not interested in any network, just in selling something else; in a few years fibre networks also need maintenance, and if it isn't done now it won't be done by that time.
WORKS2011 (Managed IT Services, Cyber Security, Backup, Author) commented:
Haven't posted in a while regarding this thread, but ran tests today that should help with this situation; you can view them here.
WORKS2011 (Managed IT Services, Cyber Security, Backup, Author) commented:
Turns out it was network issues with a coax splitter at the Spectrum cable modem. Cleaned this area up and the problem went away. Definitely was a network issue. Thank you for all the assistance.