+ Post New Thread
Results 1 to 6 of 6
Wired Networks Thread, NSLOOKUP vs. Sophos WS1000 in Technical; Hi folks, My struggling with NSLOOKUP and DNS, covered in other posts, relates back to a problem with our Sophos ...
  1. #1
    Gongalong's Avatar
    Join Date
    Oct 2011
    Location
    United Kingdom
    Posts
    927
    Thank Post
    845
    Thanked 20 Times in 18 Posts
    Rep Power
    11

    Question NSLOOKUP vs. Sophos WS1000

    Hi folks,

    My struggling with NSLOOKUP and DNS, covered in other posts, relates back to a problem with our Sophos WS1000 web appliance. I'm now after some help with this source problem.

    At the moment our main Internet connection is provided by the CC. All staff go directly through this, whereas students first go through the WS1000. Around 2-3 weeks ago, but possibly longer*, the Internet for students started performing oddly e.g. in a class of 30 some could open pages, and half often not at all.

    After some troubleshooting it was identified that the WS1000 was part of the problem, as redirecting the Internet to go directly to the CC connection resolved the performance issue. After a week or so of toing and front with Sophos Support it was identified that NSLOOKUP on the WS1000 is very slow, often taking several seconds to resolve a single address. Sophos Support said the problem is with our DNS, hence for us to resolve.

    The problem is that to get our CC Internet connection to work we have to go through a proxy, which is of course bypassing the internal DNS anyway, therefore isn't testing it. To try and get my head around where the problem lies I have used a command line programme called Dig (from BIND BIND | Internet Systems Consortium ) to carry out a timed NSLOOKUP from my PC, and the speed appears to be very quick (milliseconds). I also pointed the WS1000 gateway at a secondary connection we have on-site (a simple BT connection) and it was still problematic using our DNS server. I then switched it to Google DNS, and it was fine.

    I'm now stuck as to what to test further to try and resolve where the problem is. Sophos are saying it's us, yet it isn't clear whether our DNS is definitely at fault (Dig suggests not).

    Anyone have any ideas?

    *Teachers were a bit slow in reporting this, so I'm wondering if it dates back to Christmas. Over the Christmas holidays our old physical DNS servers were shutdown and replaced by a virtual server. I'm not sure whether this is related. Also none of our student PCs (coincidentally all those affected) are appearing in reverse lookup, albeit the DHCP lease was set to 8 days. Today I changed this to 1 day.
    Last edited by Gongalong; 3rd February 2012 at 02:59 PM.

  2. #2

    Join Date
    Apr 2009
    Location
    London
    Posts
    60
    Thank Post
    4
    Thanked 1 Time in 1 Post
    Rep Power
    0
    To test the DNS server on your WS1000 (your description implies that you may have one), you should run dig, pointed directly at the WS1000 address as DNS server (e.g. dig www.bbc.co.uk @10.97.90.2), but supply different DNS names to look up each time. Not only that, but you really need to be sure that noone else in the school has looked up those addresses through the WS1000. This is because, if the WS1000 is a fully-recursive resolver, it will cache successful lookup results locally for the duration of the time-to-live which the owner of that DNS name has chosen - and this is often set up to seven days ahead.

    What I'm really saying is that using dig against the WS1000 may produce spurious results.

    However I think that the clue to your problem may be in your footnote. It's quite possible that the WS1000 is doing a reverse lookup on client IP addresses when it receives an HTTP request. For example, it could be doing this so that you could partition the internet access which different PCs receive, based on a PC's name or domain. Clearly, not being able to resolve the reverse lookup could have deleterious effects. Since this post is a few days old, maybe you've found that this is the solution already?

  3. #3
    Gongalong's Avatar
    Join Date
    Oct 2011
    Location
    United Kingdom
    Posts
    927
    Thank Post
    845
    Thanked 20 Times in 18 Posts
    Rep Power
    11
    Ah, no the WS1000 doesn't have a DNS server. We're running one on a Win 2008 R2 server, which the WS1000 is using. I've been using Dig against our server.

    I watched Sophos support though running NSLOOKUPs which were taking several seconds. As soon as they switched to Google DNS it took milliseconds. I can't understand why when I run an NSLOOKUP from my Windows client it seems to be fine, whereas the WS1000 is so slow.

    To try and resolve the reverse lookup issue I'm going to disable the firewall on the client PCs. I've tried a few other things which haven't resolved it. This is covered in another thread http://www.edugeek.net/forums/networ...p-failing.html

  4. #4
    Gongalong's Avatar
    Join Date
    Oct 2011
    Location
    United Kingdom
    Posts
    927
    Thank Post
    845
    Thanked 20 Times in 18 Posts
    Rep Power
    11
    An update on this. The problem is with the CC provided name servers. Has been logged with the CC's IT support...

  5. #5
    Gongalong's Avatar
    Join Date
    Oct 2011
    Location
    United Kingdom
    Posts
    927
    Thank Post
    845
    Thanked 20 Times in 18 Posts
    Rep Power
    11
    OK, problem isn't with CC's name servers. Problem is with DC outside of Hyper-V cluster which has some replication issues. Paging consultant...

  6. #6
    Gongalong's Avatar
    Join Date
    Oct 2011
    Location
    United Kingdom
    Posts
    927
    Thank Post
    845
    Thanked 20 Times in 18 Posts
    Rep Power
    11
    Turns out this was caused by teaming being set to automatic on the DNS server (technically the host server, as the DNS server is a VM). Changing the team type to Network Fault Tolerance Only caused lookups to work. (Just in case anyone finds this via Google)

  7. Thanks to Gongalong from:

    robk (12th June 2012)



SHARE:
+ Post New Thread

Similar Threads

  1. Sophos WS1000 Replacement?
    By Gongalong in forum Internet Related/Filtering/Firewall
    Replies: 6
    Last Post: 26th January 2012, 11:24 AM
  2. Sophos WS1000
    By Liam_uk in forum Wireless Networks
    Replies: 6
    Last Post: 12th December 2008, 09:12 PM
  3. Trend Officescan Vs Sophos
    By ZeroHour in forum How do you do....it?
    Replies: 9
    Last Post: 12th January 2007, 05:48 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •