
Intermittent outages of web proxy due to high DNS query time?

Hi!

We're experiencing outages of the web proxy of a SOPHOS UTM 9.605-1 virtual appliance. During these outages the web proxy seems to be unresponsive and does not deliver web pages. Sometimes the client browser displays a "connection timed out" error message.

I've had a glance at the web proxy logs, and what strikes me is that we're having very high values for dnstime. For example, yesterday we had 464564 web queries and 170000 of them took over 10 ms for DNS resolution. Many requests have a dnstime over 1000 ms, as you can see in the following table.

I followed the DNS troubleshooting to no avail and did set up DNS according to best practices (one availability group and the checkbox at "use DNS provided by ISP"). But I also tried different DNS settings.

Is it possible that high dnstime values are the cause of the proxy timeouts?

Do the dnstime values reflect the actual time it took to query the DNS servers?

Regards

Alex
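The kind of check Alex describes (counting requests whose dnstime exceeds 10 ms and 1000 ms, and finding which destinations the slow lookups belong to) can be scripted over the proxy access log. This is an added example, not code from the original post or from Sophos; it assumes the key="value" line format of the UTM httpproxy access log and reads dnstime in milliseconds, as the thread does. The sample lines are constructed.

```python
import re
from statistics import median
from urllib.parse import urlsplit

# Constructed sample lines in the key="value" style of the UTM httpproxy
# access log; the dnstime values are made up for this example.
SAMPLE_LOG = """\
2019:06:03-09:00:01 utm httpproxy[1234]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.0.2.10" dstip="198.51.100.5" url="http://example.com/" dnstime="2" fullreqtime="85310"
2019:06:03-09:00:02 utm httpproxy[1234]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.0.2.11" dstip="198.51.100.6" url="http://example.net/" dnstime="37" fullreqtime="120400"
2019:06:03-09:00:03 utm httpproxy[1234]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.0.2.12" dstip="198.51.100.7" url="https://example.org/" dnstime="1532" fullreqtime="2010200"
2019:06:03-09:00:04 utm httpproxy[1234]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="GET" srcip="192.0.2.10" dstip="198.51.100.5" url="http://example.com/a" dnstime="0" fullreqtime="4030"
2019:06:03-09:00:05 utm httpproxy[1234]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="GET" srcip="192.0.2.13" url="http://example.test/" dnstime="5008" fullreqtime="5009000"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_line(line):
    """Parse one key="value" access-log line into a dict (empty if no pairs)."""
    return dict(KV_RE.findall(line))

def dns_times(log_text):
    """Yield (record, dnstime_ms) for every line that carries a numeric dnstime."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("dnstime", "").isdigit():
            yield rec, int(rec["dnstime"])

def dns_summary(log_text, thresholds=(10, 1000)):
    """Count requests whose dnstime exceeds each threshold; dnstime assumed in ms."""
    times = [ms for _, ms in dns_times(log_text)]
    result = {"total": len(times)}
    for t in thresholds:
        result[f"over_{t}ms"] = sum(1 for ms in times if ms > t)
    result["max_ms"] = max(times, default=0)
    result["median_ms"] = median(times) if times else 0
    return result

def slow_hosts(log_text, threshold=1000):
    """Map destination hostnames to their worst dnstime above the threshold,
    so a resolver problem limited to particular domains stands out."""
    worst = {}
    for rec, ms in dns_times(log_text):
        if ms > threshold:
            host = urlsplit(rec.get("url", "")).hostname or "?"
            worst[host] = max(worst.get(host, 0), ms)
    return worst

if __name__ == "__main__":
    print(dns_summary(SAMPLE_LOG))   # {'total': 5, 'over_10ms': 3, 'over_1000ms': 2, 'max_ms': 5008, 'median_ms': 37}
    print(slow_hosts(SAMPLE_LOG))    # {'example.org': 1532, 'example.test': 5008}
```

Run it against the real log with `dns_summary(open("/var/log/http.log").read())`; a large share of requests over 1000 ms, spread across many hosts rather than one, points at the resolver path rather than at individual domains.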



  • Yes, DNS is very important for the smooth function of UTM. For a little background, you might want to read again through DNS best practice (Thanks to Bob).

    Can you show us your DNS config? How many users? What load does the system have?

    PS. The picture is too small to see anything.

    Best regards

    Alex

    -

  • Hey Alex,

    It's too small indeed. Here's a readable version - or so I hope.

    I've discovered bug NUTM-10897 (There can be a temporary disruption of network connectivity under one of the following conditions: 1. dns_group is configured with a specific interface instead of "Any" 2. Monitoring host is a DNS host) in SOPHOS-KIL and realized that we were having DNS servers bound to a specific interface.

    I did read Bob's best practices, but I am going to check it again.

    We're currently handling traffic of about 60 users. I hope that the images are not scaled now...

    Thanks for the link.

  • My comments to this:

    • Deselect forwarders by ISP, although there are none. Or do you have any reason for this?
    • Don't assign anything other than Any to the definition of a DNS host. If the reason for that is that the availability of a specific host is tied to a specific provider, use multipath rules.

    Best regards 

    Alex 

    -

  • Servus Alex,

    I agree with Alex Busch about not selecting forwarders assigned by ISP.  Also, see #3 in Rulz (last updated 2019-04-17).

    I've seen situations where the WAN connection needed to be reset before DNS timeouts would stop.  Try unplugging the power on the modem for 50 seconds.  Any luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA