DNS Resolution Extremely Slow, ISP or Server?

WORKS2011
WORKS2011 used Ask the Experts™
on
SBS2011 getting ready to replace the server, in the meantime DNS resolution is horrible however I'm not convinced it's the server I think it's on the ISP side. When I ping either DNS server from the ISP it has a lag well above 25ms to 35ms. This is not enough though to determine why DNS resolution is so slow and the reason for this post. How to proceed troubleshooting in this case.

SBS2011 doesn't use forwarders but I tried them anyway without any luck. I also added 8.8.8.8 for testing purposes and nothing changed. SBS2011 DNS/DHCP is configure, without forwarders and is using root hints. Firewall is using DNS from the ISP.

Something strange, when I make a VPN connection my resolution is fine. I may not be fully understanding DNS through a VPN connection, my understanding is I'm routed through the server so shouldn't I see the same issues? Note, I'm not using SBS routing and remote access using L2TP on the firewall. Maybe I just answers my question and I'm routing around the SBS2011 Server.

Also upgrade the bandwidth which is nice, much faster but the DNS resolution is still extremely slow and an issue.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Dr. KlahnPrincipal Software Engineer

Commented:
Try switching to one of the open DNS servers and see if there is an improvement.

1.1.1.1
208.67.220.220
208.67.222.222

I no longer recommend Google DNS servers as some results are incorrect.  (In specific, results from blacklist lookups which are results that you certainly do want to be correct.)
Director of Information Technology
Commented:
Can you go directly to the ip without any lag?  If you experience the same lag it's not your DNS, but more of a network issue.  
What is your current ISP stated bandwidth?
WORKS2011Managed IT Services, Cyber Security, Backup

Author

Commented:
@yo_bee I did nslookup for Amazon and Microsoft

Amazon:  https://205.251.242.103
Microsoft: https://191.239.213.197 

Both were instant, so there's a DNS issue.

ISP side or server? Any recommendations for isolating?
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

WORKS2011Managed IT Services, Cyber Security, Backup

Author

Commented:
@DR Klahn trying your recommendations now.
WORKS2011Managed IT Services, Cyber Security, Backup

Author

Commented:
@Dr Klan, before I configure do you recommend I change these at the firewall or create a forwarder on the SBS2011 server?
WORKS2011Managed IT Services, Cyber Security, Backup

Author

Commented:
@Dr Klanh, creating a forwarder to the IP's 1.1.1.1, 208.67.220.220, 208.67.222.222 hasn't made much difference.

Changing them on the firewall will let you know.

Maybe the issue is when I add the firewall IP address as a forwarder it doesn't resolve the IP. Using a Sonic firewall, is there a way to allow the SBS2011 to see the firewall and pass DNS requests forward?
yo_beeDirector of Information Technology

Commented:
when you set the external DNS server was that a forwarder on your DNS server or set on the client end? I would bypass the internal DNS server to validate internal DNS if you have not already.
Dr. KlahnPrincipal Software Engineer

Commented:
do you recommend I change these at the firewall or create a forwarder on the SBS2011 server?

You got me.  That's one that a server expert would have to answer.
yo_beeDirector of Information Technology

Commented:
The forwarder is set at you DNS Server and not your firewall.  The firewall purpose is to control what traffic is allowed in or not depending on how you want to look at it.
WORKS2011Managed IT Services, Cyber Security, Backup

Author

Commented:
@yo_bee, yes the SBS2011 DNS forwarders are set to the IP's 1.1.1.1, 208.67.220.220, 208.67.222.222.

I just now put in the DNS IP 1.1.1.1 on the workstation on the LAN I'm testing from and it doesn't resolve at all. This seems strange to me.

I get the following error:
This site can’t be reached microsoft.com’s server IP address could not be found.
Try:
- Checking the proxy, firewall, and DNS configuration
- Running Windows Network Diagnostics

DNS_PROBE_FINISHED_BAD_CONFIG

Any ideas?
yo_beeDirector of Information Technology

Commented:
I would remove your forwarder and focus from the client out now. Remove all extra hops like your internal DNS server.
yo_beeDirector of Information Technology

Commented:
In response to the error you posted.

Was this error seen prior to setting the forwarder? If not I would remove the forwarder.
WORKS2011Managed IT Services, Cyber Security, Backup

Author

Commented:
Configured the forwarder and left it alone. Didn't help with resolution. I then entered 1.1.1.1 in the workstation DNS testing from and after doing so gave the error message.
yo_beeDirector of Information Technology

Commented:
Even though it was suggested not to use google I would try it on the workstation and see if you get or the same results as you did with your internal dns server.
WORKS2011Managed IT Services, Cyber Security, Backup

Author

Commented:
I messed up and accidentally put in 1.2.1.1 as DNS, 1.1.1.1 works from the test computer.

For troubleshooting I put in the router IP as the DNS setting on the test computer and it did't work at all.
WORKS2011Managed IT Services, Cyber Security, Backup

Author

Commented:
The server is about to be replaced because it's sluggish, thinking about it maybe DNS on the server is sluggish as well. Is there a way to use the DNS server from the router and DHCP for that matter and turn if off on the server? My problem I see is logging in, if computers can't find the domain controller may resolve the DNS issue but have horribly long login times.
Distinguished Expert 2018

Commented:
 Is there a way to use the DNS server from the router and DHCP for that matter and turn if off on the server?
DHCP, not a problem. DNS is an integrative part of Active Directory, so that wouldn't work.
yo_beeDirector of Information Technology

Commented:
Was your URL resolution any faster when you Hard coded 1.1.1.1 in the workstation?  

If you suspect the server is your root cause that would be the first thing to remove from the mix when troubleshooting. This holds true when trying to troubleshoot anything else and do not do more than one thing at a time so you can isolate the cause.
WORKS2011Managed IT Services, Cyber Security, Backup

Author

Commented:
@yo-bee no it wasn't any faster.

@masnrock - agree, good point.

nslookup resolves the IP's instantly, which means the server DNS is not slow, correct?

192.168.25.2 server DNS
 nslookup
Distinguished Expert 2018

Commented:
Depends. Look up for a domain that you'd never have reason to access. Also, have you checked to make sure that there are no connection or firewall related issues?
WORKS2011Managed IT Services, Cyber Security, Backup

Author

Commented:
Firewall has been looked over with a fine tooth comb. Also had Sonic tech support confirm and put a second set of eyes on it. There's always the option of swapping out the firewall for testing purposes but it doesn't make much sense to me this is causing the issue. We captured packets and traced routes which all looked good. Confirmed the DNS setting in the router is only used by the firewall to communicate back to Sonic for licensing.

nslookup is instant for domains that are being accessed for the first time, in other words not using any sort of cache to resolve IP's.
Joseph HornseyPresident and Janitor

Commented:
Works - I know you just said the firewall has been over with a fine-toothed comb, but it feels like a firewall issue to me because of your comment about the VPN coming in via L2TP to the SBS server.  If that's the case, the DNS is resolving to the SBS server, but the DNS traffic is being tunneled, so it's not inspected by the firewall.

If you're using Windows DNS servers, they use large packets for DNS and some firewalls (most notably, Cisco ASA's) use DNS inspection on DNS packets larger than 512 bytes which completely messes up Windows DNS.

The policy map for Cisco ASA's looks like this:

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512

So, I'd check and see if the SonicWall is doing any kind of DNS packet length inspection.

Another thing I'd check is make sure it's allowing both TCP and UDP 53 traffic for DNS, and not just UDP-only.

It looks like you and everyone else have been pretty thorough, so I'd just make sure you've checked the DNS servers for:

- Forward lookup zones are correct
- Reverse lookup zones have been created
- The DNS server entries for each zone are correct
- No forwarders exist on any DNS server
- No conditional forwarders exist
- Refresh your root hints

I hope there's something there that someone else hasn't suggested. LOL
Distinguished Expert 2018

Commented:
How long has the slowness been an issue? Any recent changes at the time?
WORKS2011Managed IT Services, Cyber Security, Backup

Author

Commented:
@Joseph Hornsey, thank you for the post great info. There's allot going on with this network that relies on Spectrum which ultimately makes this 50  times more challenging to understand because their lack of skillset and their reply, "it's an old cable network if you go to fiber you won't experience this."

The main reason for this post is to determine what's causing latency issues when going to the internet from the LAN and if it's the servers DNS. The main issue is when users go to the internet pages are slow to come up. Once up they work fine. This appears to be DNS not resolving but DNS lookup is always >1ms and the server checks out fine. All traffic does go through the firewall it's not ruled out just not convinced yet.  

I mentioned VPN as extra information but the main concern is working on the LAN going to the internet websites take 5-10 seconds to come up then work perfect afterwards.
nociSoftware Engineer
Distinguished Expert 2018

Commented:
In case of network problems (in general) start from the bottom up.
Is your local network clean & setup according to specs without any surprises...
(Either strict STAR topology, or STP enabled).
if speeds < 1Gbps are configured be sure no half duplex / full duplex conflicts exist on any one connection
(they won;t block traffic with low speeds and large intervals but will break higher speed traffic).
Automatic setup for speeds 100Mbps & 10Mbps can cause this when several manufacturers supplied the network equipment.
If all that is under yuor control is well then verify this with local testing.  (latency as well as throughput).
netio is nice tool for this: https://web.ars.de/netio/
(FTP transfer etc. are no good speed measuring tools as disk bandwidth might be lower than the network speed).
Tools like pchar ( http://www.kitchenlab.org/www/bmah/Software/pchar/ ) might be used for  estimating  network connections hop by hop.
giving some more insight on the external net.

Fiber can be better, but if the supplier just abandons current network they should care for than at least you know they are not interested in any network just in selling something else, in a few years also fibre networks need maintenance if it isn't done now that it won't be done by that time.
WORKS2011Managed IT Services, Cyber Security, Backup

Author

Commented:
Haven't posted in awhile regarding this thread but ran tests today that should help with this situation, you can view them here.
WORKS2011Managed IT Services, Cyber Security, Backup

Author

Commented:
Turns out network issues with a coax splitter at the Spectrum cable modem. Cleaned this area up and problem went away. Definitely was a network issue. Than you for all the assistance.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial