| Failed to send DNS query to server [message #139158] |
Tue, 03 April 2018 17:33  |
ipsys
Messages: 38
Registered: March 2018
Location: Burkina Faso
|
|
|
|
below is a copy of the output from the 'error' log. this error seems to be random and never ending, and not version dependant (we have tried 9.2.2/4 and .5). please note that 192.168.18.2 is directly cabled to the kerio (its the ng500) and, consequently, is in the same subnet. the 206 is not a wonderful resolver, but it is local too us, and can provide faster dns resolution than using google or level3.
[03/Apr/2018 12:05:00] (11) Failed to send DNS query to server 192.168.18.2
[03/Apr/2018 12:05:01] Last message repeated 46 times
[03/Apr/2018 12:22:08] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 12:22:10] Last message repeated 40 times
[03/Apr/2018 12:23:20] (11) Failed to send DNS query to server 206.82.130.195
[03/Apr/2018 12:23:21] Last message repeated 5 times
[03/Apr/2018 12:27:54] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 12:27:55] Last message repeated 6 times
[03/Apr/2018 12:34:47] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 12:34:49] Last message repeated 3 times
[03/Apr/2018 12:39:35] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 12:39:36] Last message repeated 6 times
[03/Apr/2018 13:21:53] (11) Failed to send DNS query to server 206.82.130.195
[03/Apr/2018 13:21:54] Last message repeated 9 times
[03/Apr/2018 13:21:55] (11) Failed to send DNS query to server 206.82.130.195
[03/Apr/2018 13:21:56] Last message repeated 13 times
[03/Apr/2018 14:25:36] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 14:25:37] Last message repeated 20 times
[03/Apr/2018 14:41:49] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 14:41:50] Last message repeated 44 times
[03/Apr/2018 14:41:54] (11) Failed to send DNS query to server 192.168.18.2
[03/Apr/2018 14:41:55] Last message repeated 21 times
[03/Apr/2018 14:58:55] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 14:58:57] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 15:00:15] (11) Failed to send DNS query to server 4.2.2.2
[03/Apr/2018 15:00:17] Last message repeated 21 times
[03/Apr/2018 15:05:47] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 15:05:48] Last message repeated 43 times
[03/Apr/2018 15:11:29] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 15:11:31] Last message repeated 4 times
[03/Apr/2018 15:11:38] (11) Failed to send DNS query to server 4.2.2.2
[03/Apr/2018 15:11:40] Last message repeated 16 times
[03/Apr/2018 15:13:10] (11) Failed to send DNS query to server 206.82.130.195
[03/Apr/2018 15:13:11] Last message repeated 43 times
can anyone shed some light on the problem ? where i should start to look for the solution to this error? Our main dns server, which is on the lan, also cabled directly to the kerio, uses the same dns resolvers without throwing any errors (linux/bind). We dont use the kerio's ip's for dns lookups, so i am certain these errors are generated from the device itself.
thanks in advance ...
|
|
|
|
|
|
| Re: Failed to send DNS query to server [message #139160 is a reply to message #139159] |
Tue, 03 April 2018 18:50  |
ipsys
Messages: 38
Registered: March 2018
Location: Burkina Faso
|
|
|
|
thanks for the prompt response
we have the default firewall rules, with two additions: i have removed the nat from 'internet access' and created an incoming rule from the internet. we nat at the wan, and the kerio is only routing. i did try to nat the firewall traffic from the traffic rules, but there was no change in the output of the error log (Failed to send DNS query to server is still logged)
interestingly, the dns lookups work (nslookup and dig - below is output of dig), however one time its very slow.
the debug log shows queries are resolving correctly, at least this output doesnt return an error, or the page is loading too fast that i cannot read it correctly - i can save a full copy of the log if you would like (i can let it run for a while to generate more data if this isnt sufficient?)
|
|
|
|
|
|
| Re: Failed to send DNS query to server [message #139164 is a reply to message #139161] |
Tue, 03 April 2018 20:25 |
ipsys
Messages: 38
Registered: March 2018
Location: Burkina Faso
|
|
|
|
Our inside network is all routed to our exit points, where we apply nat. In kerio there are 442 active devices and you see we are pushing 150mb at the time of my last post/screenshots. so the internet/etc is working. this is not my issue, only the dns error. one click in xx clicks while browsing the internet is slow and i am assuming its due to this error (as we dont see any other major errors in the kerio device - that being said, i didnt know about the additional logging in debug. i will start to look at these). for the multiple firewall rules, when we look to the individual device's traffic, the rules help indicate the flow of the traffic, and where a potential problem may be.
with or without nat on the kerio itself, the dns lookup should still work? ie: the ip address on the 'wan' of kerio is in the same subnet as the nat device, and the nat device acts as a dns server, also the cable is directly connected between these two devices (192.168.18.1 is kerio, 192.168.18.2 is where nat is applied). in this situation, i wouldnt expect to see "Failed to send DNS query to server"?? Also, as per my screenshot (i did only post one, but verified them all with various domain names), the dns lookup to all dns server entries is succeeding from the ip tools with nslookup and dig, however one time in xx clicks its very slow. if i set my computer (behind kerio) to use 192.168.18.2, i have no issues resolving dns.
i have tested natting at the rule for the firewall - as im assuming this error is from the firewall itself (maybe its origin is the localhost?)?? - from the debug log, my assumptions may be incorrect? i dont know what the error means or indicates as there is a lack of detail as to what failed or why it failed - only that it failed, and 'failed to send' generally relates to connectivity? however, the internet/etc is working as expected.
|
|
|
|
|
|
| Re: Failed to send DNS query to server [message #139198 is a reply to message #139169] |
Wed, 04 April 2018 16:15 |
ipsys
Messages: 38
Registered: March 2018
Location: Burkina Faso
|
|
|
|
please see the file for more detail on the debug log with dns errors enabled. i do see more detail, and a lot of 'attempts', but no real 'failure to send' what does this error 'failed to send' specifically indicate? what failed to send? the kerio? a client inside the network? is there anyway to increase the detail of this specific error so i can better diagnose the problem to resolve it?
https://ufile.io/92r0b
the routing table and interfaces. please note we do not use dhcp.
im not sure this is the issue here as the kerio is directly cabled to its next hop's (on both sides of the device) and consequently its direct host to host communication. we have never promoted the use of 192.168.18.2 to users inside the network, so the only device using this ip for dns resolution will be the kerio and the router on the lan.
i have disabled the http log with no real change to cpu consumption. cpu use seems directly related to the 'inspector' setting. as per my screenshot above, inspector is set to none for mostly everything except internet http (part of the reason for the multiple rules. limiting inspector to http only for http only seems to reduce cpu consumption. web browsing seems directly related to cpu consumption. high cpu = slow web browsing  ).
|
|
|
|
|
|
| Re: Failed to send DNS query to server [message #139216 is a reply to message #139207] |
Wed, 04 April 2018 20:59 |
ipsys
Messages: 38
Registered: March 2018
Location: Burkina Faso
|
|
|
|
i have disabled reverse dns lookups and the error appears to have stopped.
please note: the nat device's connection limitation is 1,000,000 concurrent connections. We currently hit 200,000+ concurrent connections during peak periods as seen by the router on the lan of the kerio.
|
|
|
|
|
|
| Re: Failed to send DNS query to server [message #139234 is a reply to message #139220] |
Thu, 05 April 2018 16:00 |
ipsys
Messages: 38
Registered: March 2018
Location: Burkina Faso
|
|
|
|
i haven't noticed any real difference/change, but i did hope too..
behind kerio, a website like ping.eu takes 15 seconds to load, whereas when we are not behind kerio it takes 4 seconds (as timed from the web browser).
after letting this run overnight, the dns error has stopped, so i can confirm that disabling reverse dns lookups solves the issue.
as you can see, the cpu use is quite high, maybe i should open another thread about this ?
|
|
|
|
|
|
Members
Search
Help
Register
Login
Home
