tjwo94 asked:

DNS resolving slowly after ISP change and new firewall

Alright, I'm in a dumb situation. One of my customers has had their main software provider install a new fiber connection at their office, and this company has installed their own router on site. We have removed our SonicWall firewall and pointed our PDC to this as the new gateway, as well as all the static machines. This software company, which is now their new ISP, also firewalls and filters traffic on their end in the cloud.

We have changed the DNS forwarders to point to the new ISP DNS servers, which interestingly I can't point to any others like Google or Cloudflare, as they don't resolve. I'm sure that's because of the way they are locked down by the ISP.

Essentially, we point to them for DNS now and there are no weird entries in DNS for them. I'm under almost no control of the rest. My customer is now experiencing slow resolution on at least one website, which happens to be their own site unfortunately. The new ISP is pointing fingers at me now as the problem. Where else can I look to make sure that DNS is working as efficiently as it can on my end?

Now that we have changed so much on the network, do I need to delete the root hints and let them rebuild, or anything like that to flush DNS? Since we changed the path everything takes through the internet, it seems like we need to flush something.

Server 2011 SBS
Workstations are all windows 7 Pro

Any help is greatly appreciated!
John (Canada):

It is hard to know with the ISP locking things down.

I would try (in a slow period) disconnecting everything from the ISP modem/router, connecting one single machine to it, and checking DNS resolution. Is it better / very good? If not, contact the ISP.

If it does resolve better, connect the server, reset TCP/IP on the server and see if that works.

Open cmd.exe with Run as Administrator
Then: netsh int ip reset c:\resetlog.txt
Then: ipconfig /flushdns
Now: restart the Server
noci:

You need to find the latency (distance in time between request & answer).
Dig (not a native Windows tool, I am told) does give you this.
If you happen to have a Unix/Linux system it will be there (at least it will be available).

OTOH, Cygwin should have it as well, as part of the bind-tools / bind-utils package.

You will also need to do this for ping and traceroute to some public location (Google, Cloudflare... are good candidates).
And try to get similar traceroutes etc. from another location not using this ISP.

Try to get predictable timing using tools like curl / wget with "specific queries" you define to find out.
And try this on a variety of systems through this ISP and from other locations.

I.e. investigate factors that could explain the added delay that people experience.
And especially when using interactive websites with a lot of traffic to and from the website, a small latency can add up because of the multitude of requests.
Can you plug a machine directly into their router, outside of your primary domain, and see if the DNS resolution is improved? This could tell you if your system is the bottleneck or if it is actually their issue. (Edit: actually it looks like this is basically what John suggested -- I too recommend this.)

Since you aren't able to use your own DNS, their router may be enforcing itself as the resolver to prevent DNS rebind attacks.
Are you in a position to break the contract with the ISP? Ideally less than 30 days or however many days the contract states. I've had many run-ins with ISP companies that try to hijack a client and have the firewall situation reversed. Unfortunately your client was given bad information and it needs to be reversed.

> this software company which is now their new ISP also firewalls and filters traffic on their end in the cloud.

You don't have a firewall or DNS issue you have an ISP issue. You pay for a service, I would demand they provide a detailed list of ports and traffic they filter and why. It's your business you have a right to know. Bring this to your client and tell them you can't do business this way. Reinstall the Sonic firewall. Ask the ISP what they need for their software app(s) to run. Ideally the Sonic should be enough. If they have to have their firewall in the network have them place it in full bridge mode (allows passthrough traffic).
> now that we have changed so much on the network, do i need to like delete the roothints and let it rebuild or anything like that to flush dns. since we changed paths to everything on the internet as far as its path through the internet, it seems like we need to flush something.

Being an SBS, it wouldn't hurt to run the Internet Connection Wizard. SBS loves the wizards. You'll likely find out how the SBS sees itself connected to the router. It will also test DNS.
tjwo94 (asker):

WORKS2011, we can't get rid of the ISP. They set up a new fiber connection at both branches, and with their on-site routers they have created a VPN tunnel between the branches and themselves for the cloud-hosted software. They kind of do everything software-wise for this bank, so we're stuck with them. We literally have no equipment doing anything but the 2011 SBS. I will try some wizards and see what they say.
Run the SBS Fix My Network Wizard, go to SBS Console / Network / Connectivity / on the right under Tasks you'll see "Fix My Network."

This will only report what you already know. It won't make any changes on the firewall, and if the wizard shows closed ports then you can bring this to your manager and explain better how you're affected with no access to the firewall. I would also make the case: what exactly is the ISP doing that the customer can't have his IT have access to? I'd also mention that if you're responsible for security, you can't perform this function without access to the firewall.
Did you actually try to do some checks using the low-level tools mentioned before:
dig / ping / traceroute / tcptrace etc.?
Those will return timing information about the network.

If the Network has issues ANYTHING built on that network layer will suffer... by definition.
If the network layer is fast then it might be higher in the stack.
tjwo94 (asker):

I have tried running tracert and ping out to several servers that I normally do... I can't even ping out, it appears, so that's dumb and unhelpful. I tried pointing my DC to Google or Cloudflare as DNS and they couldn't resolve, and the internet went down in the process of course. The ISP firewall is actually remotely located on their end and managed by them. They do this professionally too, so I wasn't too worried about them being an issue. When they came in, we went from 5 meg down to 20. We also went from a 10/100 to a gigabit switch that they installed. The lag in resolution is worse now than it was. I was told it took 45 seconds to load up their website the other day. I will try running the SBS network tests and see what I come up with.

The weirdest part is, to my knowledge, there's only a small handful of sites that aren't resolving correctly. I thought that maybe I could make a forwarder in DNS to point to the site host, but since all data has to first hit this ISP firewall, I'm not sure that would make any difference, would it?
Any feedback on what you did try always helps....
Try using bare IP addresses: does ping 1.1.1.1 or ping 8.8.8.8 fail? Then there is an ICMP filter; no DNS is involved there.
If you do ping google.com then you need to rely on the server you use having ICMP enabled and DNS working etc. etc. Not all their servers answer ICMP.
tcptrace / tcptraceroute should work for at least port 80 & 443, as you should be able to access websites...
(You may need to install those, as they are not standard tools.)

If you want to test a network, then take everything out of the equation that is not network...
DNS resolution is not directly a network test unless you only use NSLOOKUP or, better, DIG.
Try from a laptop to directly access the internet and test from there. (You have no idea if the SBS server has or doesn't have troubles, so for network testing it should be parked until the other stuff is working.)

Is it a managed switch? if so can you get access to the port statistics?
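As an added example that is not code from this thread, the Python script below does what noci describes in both posts: it times a raw UDP query sent straight to a resolver of your choice (the "Query time" figure dig would print), then times a TCP connect to port 443 on the returned address with no DNS involved, so resolver latency and path latency can be told apart. The script name dnslat.py, the resolver address and the name on the command line are placeholders; the parser is deliberately minimal (first A record, CNAME chains skipped).

```python
import random, socket, struct, sys, time
def build_query(name, txid):  # header (RD=1, QDCOUNT=1) + QNAME labels + QTYPE=A, QCLASS=IN
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x01\x00\x01"

def _skip_name(data, pos):  # step past a name, following a compression pointer if present
    while data[pos]:
        if data[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += data[pos] + 1
    return pos + 1

def parse_response(data):  # -> (txid, rcode, first A address or None); CNAMEs are skipped
    txid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", data[:12])
    pos = 12
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4  # skip QTYPE + QCLASS
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, rdlen = struct.unpack(">H6xH", data[pos:pos + 10])  # TYPE, (CLASS, TTL), RDLENGTH
        if rtype == 1 and rdlen == 4:
            return txid, flags & 0xF, socket.inet_ntoa(data[pos + 10:pos + 14])
        pos += 10 + rdlen
    return txid, flags & 0xF, None

def time_dns(resolver, name, timeout=2.0):  # -> (rtt_ms, rcode, ip); all None on timeout
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        try:
            s.sendto(build_query(name, txid), (resolver, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None, None, None
    rtt = (time.perf_counter() - t0) * 1000
    rid, rcode, ip = parse_response(data)
    return (rtt, rcode, ip) if rid == txid else (None, None, None)  # ignore stray replies

def time_tcp(ip, port=443, timeout=2.0):  # connect to a bare IP: no DNS on this path
    t0 = time.perf_counter()
    try:
        socket.create_connection((ip, port), timeout=timeout).close()
    except OSError:
        return None
    return (time.perf_counter() - t0) * 1000

if __name__ == "__main__":  # usage: python dnslat.py <resolver_ip> <name>
    rtt, rcode, ip = time_dns(sys.argv[1], sys.argv[2])
    print(f"dns={rtt} rcode={rcode} ip={ip} tcp443={time_tcp(ip) if ip else None}")
```

Run it once against the SBS server's own address and once against the ISP resolver it forwards to: if the ISP resolver answers quickly but the SBS does not, the delay sits in the forwarder chain on your side, and if both are slow while the TCP connect is fast, it is the resolver rather than the path.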