DNS Resolution Extremely Slow, ISP or Server?

Try switching to one of the open DNS servers and see if there is an improvement.

1.1.1.1
208.67.220.220
208.67.222.222

I no longer recommend Google DNS servers as some results are incorrect.  (In specific, results from blacklist lookups which are results that you certainly do want to be correct.)

@yo_bee I did nslookup for Amazon and Microsoft

Amazon:  https://205.251.242.103
Microsoft: https://191.239.213.197 

Both were instant, so there's a DNS issue.

ISP side or server? Any recommendations for isolating?

@DR Klahn trying your recommendations now.

@Dr Klan, before I configure do you recommend I change these at the firewall or create a forwarder on the SBS2011 server?

@Dr Klanh, creating a forwarder to the IP's 1.1.1.1, 208.67.220.220, 208.67.222.222 hasn't made much difference.

Changing them on the firewall will let you know.

Maybe the issue is when I add the firewall IP address as a forwarder it doesn't resolve the IP. Using a Sonic firewall, is there a way to allow the SBS2011 to see the firewall and pass DNS requests forward?

when you set the external DNS server was that a forwarder on your DNS server or set on the client end? I would bypass the internal DNS server to validate internal DNS if you have not already.

do you recommend I change these at the firewall or create a forwarder on the SBS2011 server?

You got me.  That's one that a server expert would have to answer.

The forwarder is set at you DNS Server and not your firewall.  The firewall purpose is to control what traffic is allowed in or not depending on how you want to look at it.

@yo_bee, yes the SBS2011 DNS forwarders are set to the IP's 1.1.1.1, 208.67.220.220, 208.67.222.222.

I just now put in the DNS IP 1.1.1.1 on the workstation on the LAN I'm testing from and it doesn't resolve at all. This seems strange to me.

I get the following error:
This site can’t be reached microsoft.com’s server IP address could not be found.
Try:
- Checking the proxy, firewall, and DNS configuration
- Running Windows Network Diagnostics

DNS_PROBE_FINISHED_BAD_CONFIG

Any ideas?

I would remove your forwarder and focus from the client out now. Remove all extra hops like your internal DNS server.

In response to the error you posted.

Was this error seen prior to setting the forwarder? If not I would remove the forwarder.

Configured the forwarder and left it alone. Didn't help with resolution. I then entered 1.1.1.1 in the workstation DNS testing from and after doing so gave the error message.

Even though it was suggested not to use google I would try it on the workstation and see if you get or the same results as you did with your internal dns server.

I messed up and accidentally put in 1.2.1.1 as DNS, 1.1.1.1 works from the test computer.

For troubleshooting I put in the router IP as the DNS setting on the test computer and it did't work at all.

The server is about to be replaced because it's sluggish, thinking about it maybe DNS on the server is sluggish as well. Is there a way to use the DNS server from the router and DHCP for that matter and turn if off on the server? My problem I see is logging in, if computers can't find the domain controller may resolve the DNS issue but have horribly long login times.

 Is there a way to use the DNS server from the router and DHCP for that matter and turn if off on the server?

DHCP, not a problem. DNS is an integrative part of Active Directory, so that wouldn't work.

Was your URL resolution any faster when you Hard coded 1.1.1.1 in the workstation?  

If you suspect the server is your root cause that would be the first thing to remove from the mix when troubleshooting. This holds true when trying to troubleshoot anything else and do not do more than one thing at a time so you can isolate the cause.

@yo-bee no it wasn't any faster.

@masnrock - agree, good point.

nslookup resolves the IP's instantly, which means the server DNS is not slow, correct?

192.168.25.2 server DNS
 

Depends. Look up for a domain that you'd never have reason to access. Also, have you checked to make sure that there are no connection or firewall related issues?

Firewall has been looked over with a fine tooth comb. Also had Sonic tech support confirm and put a second set of eyes on it. There's always the option of swapping out the firewall for testing purposes but it doesn't make much sense to me this is causing the issue. We captured packets and traced routes which all looked good. Confirmed the DNS setting in the router is only used by the firewall to communicate back to Sonic for licensing.

nslookup is instant for domains that are being accessed for the first time, in other words not using any sort of cache to resolve IP's.

Works - I know you just said the firewall has been over with a fine-toothed comb, but it feels like a firewall issue to me because of your comment about the VPN coming in via L2TP to the SBS server.  If that's the case, the DNS is resolving to the SBS server, but the DNS traffic is being tunneled, so it's not inspected by the firewall.

If you're using Windows DNS servers, they use large packets for DNS and some firewalls (most notably, Cisco ASA's) use DNS inspection on DNS packets larger than 512 bytes which completely messes up Windows DNS.

The policy map for Cisco ASA's looks like this:

policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512

So, I'd check and see if the SonicWall is doing any kind of DNS packet length inspection.

Another thing I'd check is make sure it's allowing both TCP and UDP 53 traffic for DNS, and not just UDP-only.

It looks like you and everyone else have been pretty thorough, so I'd just make sure you've checked the DNS servers for:

- Forward lookup zones are correct
- Reverse lookup zones have been created
- The DNS server entries for each zone are correct
- No forwarders exist on any DNS server
- No conditional forwarders exist
- Refresh your root hints

I hope there's something there that someone else hasn't suggested. LOL

How long has the slowness been an issue? Any recent changes at the time?

@Joseph Hornsey, thank you for the post great info. There's allot going on with this network that relies on Spectrum which ultimately makes this 50  times more challenging to understand because their lack of skillset and their reply, "it's an old cable network if you go to fiber you won't experience this."

The main reason for this post is to determine what's causing latency issues when going to the internet from the LAN and if it's the servers DNS. The main issue is when users go to the internet pages are slow to come up. Once up they work fine. This appears to be DNS not resolving but DNS lookup is always >1ms and the server checks out fine. All traffic does go through the firewall it's not ruled out just not convinced yet.  

I mentioned VPN as extra information but the main concern is working on the LAN going to the internet websites take 5-10 seconds to come up then work perfect afterwards.

In case of network problems (in general) start from the bottom up.
Is your local network clean & setup according to specs without any surprises...
(Either strict STAR topology, or STP enabled).
if speeds < 1Gbps are configured be sure no half duplex / full duplex conflicts exist on any one connection
(they won;t block traffic with low speeds and large intervals but will break higher speed traffic).
Automatic setup for speeds 100Mbps & 10Mbps can cause this when several manufacturers supplied the network equipment.
If all that is under yuor control is well then verify this with local testing.  (latency as well as throughput).
netio is nice tool for this: https://web.ars.de/netio/
(FTP transfer etc. are no good speed measuring tools as disk bandwidth might be lower than the network speed).
Tools like pchar ( http://www.kitchenlab.org/www/bmah/Software/pchar/ ) might be used for  estimating  network connections hop by hop.
giving some more insight on the external net.

Fiber can be better, but if the supplier just abandons current network they should care for than at least you know they are not interested in any network just in selling something else, in a few years also fibre networks need maintenance if it isn't done now that it won't be done by that time.

Haven't posted in awhile regarding this thread but ran tests today that should help with this situation, you can view them here.

Turns out network issues with a coax splitter at the Spectrum cable modem. Cleaned this area up and problem went away. Definitely was a network issue. Than you for all the assistance.