dns traffic dropping from wan to local domain controllers

SonicWall NSA 4500, SonicOS Enhanced 5.9.1.8-1. Need help getting WAN traffic to pass through to local private 10/24 DNS servers (suddenly getting IP spoof issues).
d d Asked:

Mahesh (Architect) Commented:
What IP spoof issues?

Is there any IP duplication?

Or are network ports blocked?
d d (Author) Commented:
No, wide open for now. It has been in place for about five years, with two hosts performing local DHCP/DNS services. We had an outage Monday and got everything back online; clients show "Internet" status, but the SonicWall doesn't seem to be passing DNS queries through to the local DNS servers. I created a couple of ad hoc routes for the XO port to allow DNS traffic, but I am not able to successfully query (nslookup provides IP addresses).

To clarify: local traffic submits DNS queries through the local DC, the local DC forwards the request, and this information is somehow getting spoofed.
Mahesh (Architect) Commented:
So the firewall won't pass client queries to DNS, or the DNS server is unable to pass queries to the internet DNS server?
d d (Author) Commented:
The DNS servers submit queries on behalf of clients, so the servers are unable to resolve.
Mahesh (Architect) Commented:
So DNS server to internet DNS server traffic is getting blocked?

What DNS forwarders are you using on the DNS servers?

And where is the firewall pointed for internet name resolution?

Did you create a root zone on the DNS servers?
d d (Author) Commented:
Right, I tried various forwarders (ISP, Google, OpenDNS...).

I believe it may possibly be related to routing, as that DNS traffic is dropping (indicated as spoofed).
Mahesh (Architect) Commented:
Try telnet to the Google DNS servers from the domain controller; you can probably also try the tracert command and check whether traffic is routed to the wrong place.
Polydore Dracopoulos (Principal Engineer) Commented:
What you can do to bypass a potential issue is to remove the firewall rules for DNS forwarding.
Use the SonicWall as the DNS resolver for your AD servers and have the SonicWall resolve to the ISP or whatever DNS you want.

In this scenario, port 53 can be closed, preventing any potential attacks.

Also, what can look like a DDoS or attack on DNS could be outbound traffic, not inbound.
I had to deal with something similar recently, and it was all created by some local application spamming servers.
David Johnson, CD, MVP (Retired) Commented:
One normally does not need to add a rule to allow DNS forwarding.
If you have a DNS server on your local network and you have forwarded port 53 to it from the WAN, then I, as a malicious actor, can start a DNS amplification flood attack using your DNS server to DDoS another IP address.

If your DNS server is set to forward DNS queries to a forwarder, then the router knows the query was sent from an internal address and will allow the reply packet to go to the correct device that initiated the query.
d d (Author) Commented:
It seems there was a route change for an old, obscure VoIP setup; that route was removed and seemed to affect traffic flow (it references a 172.* network).

I turned it back on until I can fix and research this. DNS is working; not a solution, but it will buy time. Thanks all.
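The thread touches two firewall behaviours: David Johnson's point that a stateful firewall allows DNS replies only for queries it saw leave the LAN (and so drops unsolicited inbound UDP/53, which is what keeps an internal resolver from being usable for amplification), and the author's finding that removing a route for a 172.* network caused "IP spoof" drops. The following is an added illustration, not SonicWall code or anything from this thread: a simplified model in which a packet is flagged as spoofed when its source address, by the routing table, should not live on the interface it arrived on, and in which inbound WAN packets are allowed only as replies to tracked outbound flows. The subnets, interface names, addresses and the "VoIP route" are all constructed for the example; the reverse-path rule is a common firewall design, assumed here rather than taken from SonicOS documentation.

```python
"""Simplified stateful firewall model: source-interface ("IP spoof") check
plus UDP reply tracking. Added example; subnets and packets are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed routing table: destination network -> interface used to reach it.
ROUTES = {
    ip_network("10.0.0.0/24"): "LAN",   # the private /24 holding the DCs
    ip_network("0.0.0.0/0"): "WAN",     # default route
}

# Same table with a route for the (constructed) VoIP network pointing at LAN.
ROUTES_WITH_VOIP = dict(ROUTES)
ROUTES_WITH_VOIP[ip_network("172.16.0.0/16")] = "LAN"


@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int


def route_iface(addr, routes):
    """Longest-prefix match: which interface the firewall would use to reach addr."""
    a = ip_address(addr)
    best = max((n for n in routes if a in n), key=lambda n: n.prefixlen)
    return routes[best]


def is_spoofed(pkt, routes):
    """Reverse-path check (assumed rule): the source address must be reachable
    via the interface the packet came in on, otherwise treat it as spoofed."""
    return route_iface(pkt.src, routes) != pkt.iface


class StatefulFilter:
    def __init__(self, routes):
        self.routes = routes
        self.state = set()  # (src, sport, dst, dport) of outbound flows seen

    def handle(self, pkt):
        if is_spoofed(pkt, self.routes):
            return "DROP:ip-spoof"
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.iface == "LAN":
            # Outbound: record the flow so its reply can come back.
            self.state.add(key)
            return "ALLOW:outbound"
        # Inbound on WAN: only replies to a tracked flow are allowed.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.state:
            return "ALLOW:reply"
        return "DROP:unsolicited"


def run_scenario(routes):
    """Feed a constructed packet sequence through the filter; return verdicts."""
    fw = StatefulFilter(routes)
    packets = [
        # DC on the LAN forwards a query to a public resolver.
        Packet("LAN", "10.0.0.10", 50000, "8.8.8.8", 53),
        # The resolver's reply arrives on WAN and matches the tracked flow.
        Packet("WAN", "8.8.8.8", 53, "10.0.0.10", 50000),
        # Unsolicited UDP/53 from the internet to the DC: no state, dropped.
        Packet("WAN", "203.0.113.7", 4444, "10.0.0.10", 53),
        # Host on the constructed 172.16/16 VoIP net sends a query via LAN.
        # Without a LAN route for 172.16/16 the source "belongs" to WAN.
        Packet("LAN", "172.16.5.10", 50001, "8.8.8.8", 53),
        # Classic spoof: a packet claiming a LAN source arrives on WAN.
        Packet("WAN", "10.0.0.50", 53, "10.0.0.10", 50002),
    ]
    return [fw.handle(p) for p in packets]


if __name__ == "__main__":
    for label, table in (("without VoIP route", ROUTES), ("with VoIP route", ROUTES_WITH_VOIP)):
        print(label, run_scenario(table))
```

Run stand-alone, the two lines of output differ only in the fourth verdict: with no route covering 172.16.0.0/16 the default route assigns that source to WAN, so its packet arriving on LAN is dropped as a spoof; adding the route back makes it an ordinary outbound flow. That is the same effect the author saw, and it is why the fix is to restore or correct the route rather than to open inbound port 53, which the model (and the third packet) shows is not needed for forwarded queries to get their replies.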
