  1. #1


    2 related DNS issues: a) advice on setup. b) DNS slows down until I restart it?

    Good Morning everyone,

    We've had generally slow internet access for ages, which we're sure (following various tests) is a result of something inside school. We do have what I believe to be a strange network/DNS setup (but it may be perfectly normal) so allow me to explain:

    Our three DCs are normal DNS servers, each replicates etc etc. These are SCS1, SCS2 and SCS3 for the purposes of this thread. They resolve internal DNS fine. However nothing on our LAN has access to the county WAN/ISP feed other than our Censornet proxy server and mail server - these have two NICs, one on each. Thus no DNS request for an external domain will resolve from a workstation.

    Censornet (Linux-based) has to have an internal DNS as its first DNS otherwise it fails to identify our workstations via reverse lookup. It does have second and third DNS pointing to County, but being Linux it always tries them in order whereas Windows has specific DNS servers per NIC. Thus when the internal domain lookups timed out, Censornet then tried looking to County and immediately got a result and displayed the page.

    Over Christmas, I came up with a plan which seemed logical. I had our server support team install secondary DNS on the mail server (which has LAN and WAN NICs). SCS1,2,3 now have a forwarder set so any external domain requests are forwarded immediately to Mail1. Censornet points directly at Mail1, so it can look up external domains, but also can resolve internal station names.

    Now, first set of questions:

    a1): Does this seem ok as a DNS setup?
    a2): Should Mail1 receive updates periodically from SCS1,2,3?

    There are a couple of stations which don't have PTR records on Mail1 but do on SCS1,2,3 until I tell Mail1 to reload/transfer the zone from master.

    a3): Which should I be doing - Reload or Transfer - in this situation?
    a4): Is there something I should check to see why this isn't happening? SCS1,2,3 are set to notify all the NameServers listed, which I understood to mean Mail1 should therefore request an update when it is notified?

    Secondly, when I set this up at Christmas our internet speeds soared through the roof (as Censornet no longer had to wait for internal DNS to time out). However they have dwindled to a snail's pace over the last two months. Until yesterday evening - I was reloading the zone from master and managed to crash DNS on Mail1, so I restarted the DNS service. I came in this morning and internet access is back to full steam ahead.

    My thoughts go back to our old ISA server which we had to periodically restart to maintain internet speeds.

    b1): Why does it appear that I need to restart the DNS service on mail1 periodically to maintain internet access speed?
    b2): Is there something I can change to stop this happening?

    I'm happy to schedule it every weekend or suchlike if necessary but it strikes me as odd.

    Sorry for the long post - I hope someone can cast some ideas in my direction.

    TIA,

    Peter
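    One way to check question a4 (whether Mail1's secondary zone has actually picked up the masters' changes), added here as an example and not code from the thread: it sends an SOA query to each server with only the Python standard library and compares the serials; a secondary serial lower than the master's means the NOTIFY/transfer is not taking effect. Server addresses and the zone name are placeholders, not the poster's values.

```python
# Added example, not from the thread: compare the SOA serial held by the secondary
# (Mail1) with the master's (SCS1) to see whether NOTIFY/zone transfer is working.
import socket
import struct
import time

def build_soa_query(zone: str, qid: int = 0x1234) -> bytes:
    """Minimal DNS query: 12-byte header, QNAME, QTYPE=SOA(6), QCLASS=IN(1)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)       # RD bit set
    labels = zone.strip(".").split(".")
    qname = b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 6, 1)

def skip_name(msg: bytes, pos: int) -> int:
    """Offset just past the name at pos; handles RFC 1035 compression pointers."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:          # two-byte pointer terminates the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def parse_soa_serial(msg: bytes) -> int:
    """SERIAL of the first SOA record in the answer section, or ValueError."""
    _, flags, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x000F:                      # RCODE != 0 (e.g. REFUSED, NXDOMAIN)
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    pos = 12
    for _ in range(qd):                     # skip the echoed question section
        pos = skip_name(msg, pos) + 4
    for _ in range(an):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 6:                      # SOA rdata: MNAME, RNAME, SERIAL, ...
            p = skip_name(msg, skip_name(msg, pos))
            return struct.unpack(">I", msg[p:p + 4])[0]
        pos += rdlen
    raise ValueError("no SOA record in answer")

def query_serial(server: str, zone: str, timeout: float = 3.0):
    """Send the query over UDP/53; returns (serial, seconds the answer took)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        s.sendto(build_soa_query(zone), (server, 53))   # placeholder server/zone from caller
        data, _ = s.recvfrom(4096)
        return parse_soa_serial(data), time.perf_counter() - t0
```

    Call `query_serial("192.0.2.1", "school.example")` for the master and `query_serial("192.0.2.2", "school.example")` for Mail1 (placeholder addresses) and compare the serials; logging the returned timing every few minutes also shows whether the slowdown in question b1 is Mail1 answering slowly or something downstream.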


  3. #2
    HallX
    Where does mail1 forward to?

    edit - And which is your default gateway?

  4. #3

    Quote Originally Posted by HallX View Post
    Where does mail1 forward to?

    edit - And which is your default gateway?
    Our county ISP servers on a 10.*.*.* WAN.

    Default gateway on the network is our core switch (192.168.*.254 depending on which VLAN you're in). It's a Cisco 3750.

    Anticipating your next question, I've just copied the following two lines from the Cisco's backup which I took last week:

    ip default-gateway 192.168.3.38
    ip route 0.0.0.0 0.0.0.0 192.168.3.25
    Now 192.168.3.38 no longer exists - it's our old ISA server. Should I point this to somewhere else? (I don't want any internet access for anyone without going through Censornet, hence why WAN is only connected to the proxy and mail servers)

    192.168.3.25 is Censornet's internal IP.

    Peter

  5. #4
    HallX
    Would it not be easier to get rid of the secondary DNS zone on mail1, and forward DNS requests from your AD integrated zones on DCs to your ISP DNS server?

    Hope this makes sense.

    Paul

  6. #5

    Quote Originally Posted by HallX View Post
    Would it not be easier to get rid of the secondary DNS zone on mail1, and forward DNS requests from your AD integrated zones on DCs to your ISP DNS server?

    Hope this makes sense.

    Paul
    Hi Paul,

    It does make sense, but unfortunately as I mentioned, nothing on our LAN (apart from Censornet and Mail1) can see the WAN, so even if I set a forwarder to the county DNS servers, the traffic won't get there.

    This is why we forward DNS from the LAN to Mail1, which in turn can forward out to County.

    That specific aspect doesn't affect the browsing speed as such, because all browsing is done through Censornet which goes straight to Mail1.

    Peter

  7. #6

    SYNACK
    First off, if you no longer have the default gateway, remove it from the config as there will be delays happening there. Secondly, are you not able to pass the DNS ports through Censornet, or does it not have that ability?

    You should have one AD integrated zone for internal lookups all linked through AD (syncs between all servers). Do you really need three internal DCs? Anyway, those should all have forwarders to the mail server and the mail server should have a forwarder set to as close to an external DNS provider as you can manage.

    This way requests will be serviced internally if possible and if not forwarded out to external servers; when this occurs it will cache the request for quicker lookups in future.

    Not sure about the speed issue but lowering the number of internal DCs may help. You could also look at pruning options to cut down on stale records in the DNS database.

  8. #7

    Hi Synack,

    I'll have a look at removing the default gateway - I'm not a Cisco person but I'll work it out.

    Unfortunately Censornet deals purely with ports 80 and 443; it won't touch anything else.

    I do have one AD integrated zone, and all three DCs have the forwarders set.

    At the moment, we do need three DCs because our network runs a product called CC4 by RM Education - Inspiring Engaging Learning (UK schools will all have heard of it). Until recently, this required all user areas to be hosted from a DC, thus spreading the load of users accessing their data etc etc has meant three DCs. I'm looking to leave RM next summer (2012) so we'll stick with it for now.

    AFAIR (I'll look into it) scavenging is set correctly on all the DNS's on the DCs.

    Peter

  9. #8

    Quote Originally Posted by howartp View Post
    AFAIR (I'll look into it) scavenging is set correctly on all the DNS's on the DCs.
    Yep, scavenging is all set to 7 days.

  10. #9

    GrumbleDook
    Just to double check ... your DNS on Mail1 ... does that have DNS forwarders set up to your LA DNS?

  11. #10

    Quote Originally Posted by GrumbleDook View Post
    Just to double check ... your DNS on Mail1 ... does that have DNS forwarders set up to your LA DNS?
    Yep, that's correct.

    Peter

  12. #11

    GrumbleDook
    If all your external DNS queries are going via Mail1, whilst it may be secondary DNS for your zones, it is the principal DNS forwarder for all queries, whether from your servers or Censornet. You have made it a bit complicated for what is being done ...

    Having a server time out on any service before looking elsewhere is never a good thing. You are effectively using Censornet as a way of masking a possible problem.

    My take on it would be as follows, working from the LA router / switch in to the school network.

    Router is connected to the core switch. The default gateway of the core switch is the router, the default gateway of everything else is the core switch.
    If you are not using the Censornet box as a proper firewall (managing all traffic in and out) then don't use it as such ... it just makes things messy.
    You can block web traffic outbound by forcing the proxy settings in devices. If you are worried about other traffic then speak to your LA about how they restrict it.

    If you are keeping things as they are then by all means keep MAIL1 as your internal DNS forwarder, but try the following.

    Requests go to your DCs, they are forwarded to Mail1 and then to the outside world. Web traffic is forced via Censornet anyway due to proxy settings. Censornet looks back to your DCs, which then ask of Mail1, etc ... so no time out occurs. To be honest, you don't even really need Mail1 in this case ... but keep it in until you resolve your other problems about how you want to control traffic I suppose.

    If you are still finding Mail1 is having a problem then look at the service ... is it having performance issues due to too many requests? Is it an issue with memory available?

    If you do want to run a device to lock things down between the core switch and the router then I would recommend you go for a proper appliance. Simple is usually better.

  13. #12

    Hi Tony,

    Thanks for this concise response - see my comments below.

    Quote Originally Posted by GrumbleDook View Post
    If all your external DNS queries are going via Mail1, whilst it may be secondary DNS for your zones, it is the principal DNS forwarder for all queries, whether from your servers or Censornet. You have made it a bit complicated for what is being done ...

    Having a server time out on any service before looking elsewhere is never a good thing. You are effectively using Censornet as a way of masking a possible problem.
    AFAIK nothing is timing out anymore - that is how it used to be, before I installed DNS on Mail1. Previously Censornet had SCS1 as its DNS, which timed out not being able to locate external domains, then Censornet moved onto the county DNS servers. Now that I have DNS on mail1 with Censornet pointing at it, there is no timing out involved.

    Quote Originally Posted by GrumbleDook View Post
    My take on it would be as follows, working from the LA router / switch in to the school network.

    Router is connected to the core switch. The default gateway of the core switch is the router, the default gateway of everything else is the core switch.
    If you are not using the Censornet box as a proper firewall (managing all traffic in and out) then don't use it as such ... it just makes things messy.
    You can block web traffic outbound by forcing the proxy settings in devices. If you are worried about other traffic then speak to your LA about how they restrict it.
    There are no proactive intentions on my part to use Censornet as anything other than a proxy; other than the "ip route" command in the Cisco which I didn't know was there, there is no routing telling any traffic to go through Censornet other than the standard browser proxy settings. As far as I'm concerned, both the default gateway and ip route commands can be removed.

    I inherited the network 2 years ago, set up this way, from my predecessor who was well rated among those who knew him; I worked with him for 2-3 years before he left so it's not that I've come in cold to a network. In general I do like the way it is set up whereby there is no physical connection between the LAN and WAN as this immediately puts a stop to many forms of internet attack without needing a UTM or equivalent device(s). However I do appreciate it causes me one or two problems later down the line such as this DNS issue.

    Quote Originally Posted by GrumbleDook View Post
    If you are keeping things as they are then by all means keep MAIL1 as your internal DNS forwarder, but try the following.

    Requests go to your DCs, they are forwarded to Mail1 and then to the outside world. Web traffic is forced via Censornet anyway due to proxy settings. Censornet looks back to your DCs, which then ask of Mail1, etc ... so no time out occurs. To be honest, you don't even really need Mail1 in this case ... but keep it in until you resolve your other problems about how you want to control traffic I suppose.
    Not sure how this makes any difference? General requests already go to DCs, forwarded to Mail1 then to outside. Is there any benefit (other than the zone update issue being bypassed) in Censornet looking to DCs, then forwarded to Mail1, then to outside - if anything it sounds like there would be added overhead of a few milliseconds per request whilst Censornet requests are forwarded from DCs to Mail1, compared with going straight to Mail1? Certainly don't see how I could do away with Mail1 as you suggest - as I mentioned twice above, the LAN cannot see the WAN so internal requests need forwarding to somewhere on the LAN which can ultimately see the WAN.

    Quote Originally Posted by GrumbleDook View Post
    If you are still finding Mail1 is having a problem then look at the service ... is it having performance issues due to too many requests? Is it an issue with memory available?

    If you do want to run a device to lock things down between the core switch and the router then I would recommend you go for a proper appliance. Simple is usually better.
    Can you suggest what I should be looking at / doing specifically when you say "look at the service"?

    Regarding devices between the core switch and the router, NYCC are currently looking at providing UTMs under their new ISP/Services tender as you'll probably know from John. I am awaiting the outcome of those discussions before considering my options on this front.

    Cheers,

    Peter
