
XG Blocking DNS Lookup - DNS Request Timeout Error

Hi all,

I recently tried to point our DNS servers to our XG230 but when I run an nslookup I'm receiving the error "dns request timed out. timeout was 2 seconds".

Our setup is pretty simple. We have 2 x Windows 2012 DNS servers. Each server points to the other as the primary and then itself as the secondary. The servers are also configured to use forwarders to the local ISP. This has worked well for a long time. As soon as we point the servers to the old firewall it's fine, so the problem has to be with the XG somewhere.

I have set up a network rule for the DNS servers and the logs show that traffic on UDP port 53 is being allowed to the ISP so it looks ok to me. I just can't figure out why NSLOOKUPS are timing out. The DNS settings on the XG are set to point to the internal DNS servers which is working fine.

I have read an article for the UTM which suggests that DNS should be pointed to the UTM with DNS request routing configured but we would prefer to keep our settings as they are for now.

Any suggestions?

Thanks

Lee



This thread was automatically locked due to age.
  • Hi,

    please post your DNS rule for us to review.

    Also where are you running the NSLOOKUP from?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v20.0.2 MR-2

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    Please see the rule below. I've called it a DNS rule but it basically allows any device in the LAN to access the WAN. I know this is not secure but it's for testing at present, and I will lock the services and devices down once I can fix this issue.

    Match known users is not ticked and the logging is enabled. I have run the nslookup from the DNS server and from a PC connected to the domain.

    Thanks for the help again!

  • Hi,

    No we don't use it as a DNS server. I checked the device access page and DNS was only ticked for LAN and not WAN so I ticked WAN and tested but still the same result.

    Thanks

  • Hi,

    Please disable DNS for WAN. That will open a DNS server on the WAN.

     

    Now go to the Advanced Shell (SSH) and try: tcpdump -ni any port 53

    It will show you the packets.

    Post your output if you need help with the traffic flow.

     

    Cheers

    __________________________________________________________________________________________________________________

  • Hi,

    I have disabled DNS for WAN. I ran the command tcpdump -ni an port 53 but it didn't work so I ran tcpdump 'port 53'. There was a lot of output so here is a sample below. Port 1 is the LAN and Port 2 is the WAN. 212.23.8.6, 212.23.3.100 and 212.23.6.100 are the DNS forwarders on the domain controllers to our ISP DNS servers. I tried an nslookup for www.cnn.com from the domain controllers which failed with DNS request timed out. I can see the requests flowing through to the ISP DNS forwarders but I'm not seeing any inbound traffic on Port2 for DNS:

     

    01:13:31.154337 Port1, IN: IP 192.168.42.36.65125 > 212.23.6.100.53: 45368+ A? www.cnn.com.co.uk. (35)

    01:13:31.154338 Port1, IN: IP 192.168.42.36.64425 > 212.23.6.100.53: 1015+ A? iprep2.t.ctmail.com. (37)

    01:13:31.154340 Port1, IN: IP 192.168.42.36.49348 > 212.23.6.100.53: 29318+ A? iprep4.t.ctmail.com. (37)

    01:13:31.154341 Port1, IN: IP 192.168.42.36.49571 > 212.23.8.6.53: 57282+ A? www.cnn.com. (29)

    01:13:31.154342 Port1, IN: IP 192.168.42.36.49789 > 212.23.8.6.53: 36574+[|domain]

    01:13:31.154426 Port2, OUT: IP 21*.***.***.***.64542 > 212.23.8.6.53: 827+ A? outlook.office365.com. (39)

    01:13:31.154489 Port2, OUT: IP 21*.***.***.***.64875 > 212.23.6.100.53: 51225+ A? 4.sophosxl.net. (32)

    01:13:31.154490 Port2, OUT: IP 21*.***.***.***.64425 > 212.23.6.100.53: 1015+ A? iprep2.t.ctmail.com. (37)

    01:13:31.154491 Port2, OUT: IP 21*.***.***.***.49789 > 212.23.8.6.53: 36574+[|domain]

    01:13:31.154550 Port2, OUT: IP 21*.***.***.***.49559 > 212.23.8.6.53: 36406+ A? resolver4.ast.ctmail.com. (42)

    01:13:31.154552 Port2, OUT: IP 21*.***.***.***.65125 > 212.23.6.100.53: 45368+ A? www.cnn.com.co.uk. (35)

    01:13:31.154553 Port2, OUT: IP 21*.***.***.***.49348 > 212.23.6.100.53: 29318+ A? iprep4.t.ctmail.com. (37)

    01:13:31.154553 Port2, OUT: IP 21*.***.***.***.49571 > 212.23.8.6.53: 57282+ A? www.cnn.com. (29)

    01:13:31.260369 Port1, IN: IP 192.168.42.36.65237 > 212.23.3.100.53: 51934+ A? 4.sophosxl.net. (32)

    01:13:31.260490 Port2, OUT: IP 21*.***.***.***.65237 > 212.23.3.100.53: 51934+ A? 4.sophosxl.net. (32)

    01:13:31.504525 Port1, IN: IP 192.168.42.51.50811 > 212.23.3.100.53: 20494+[|domain]

    01:13:31.504705 Port2, OUT: IP 21*.***.***.***.50811 > 212.23.3.100.53: 20494+[|domain]

    01:13:31.535149 Port1, IN: IP 192.168.42.36.50162 > 212.23.3.100.53: 50104+[|domain]

    01:13:31.535231 Port2, OUT: IP 21*.***.***.***.50162 > 212.23.3.100.53: 50104+[|domain]

    01:13:31.597616 Port1, IN: IP 192.168.42.51.52114 > 212.23.3.100.53: 26943+ A? autodiscover-s.outlook.com. (44)

    01:13:31.597753 Port2, OUT: IP 21*.***.***.***.52114 > 212.23.3.100.53: 26943+ A? autodiscover-s.outlook.com. (44)

    01:13:31.622890 Port1, IN: IP 192.168.42.36.50219 > 212.23.3.100.53: 59610+ A? autodiscover-s.outlook.com. (44)

    01:13:31.623004 Port2, OUT: IP 21*.***.***.***.50219 > 212.23.3.100.53: 59610+ A? autodiscover-s.outlook.com. (44)

    01:13:31.809281 Port1, IN: IP 192.168.42.51.53 > 192.168.42.254.35697: 38441 ServFail 0/0/0 (43)

    01:13:31.809293 Port5, OUT: IP 192.168.42.51.53 > 192.168.42.254.35697: 38441 ServFail 0/0/0 (43)

    01:13:31.809296 Port1, IN: IP 192.168.42.51.53 > 192.168.42.254.20734: 35533 ServFail 0/0/0 (42)

    01:13:31.809330 Port1, IN: IP 192.168.42.51.53 > 192.168.42.254.43745: 36280 ServFail 0/0/0 (37)

    01:13:31.809350 Port1, IN: IP 192.168.42.51.53 > 192.168.42.254.52980: 50970 ServFail 0/0/0 (37)

    01:13:31.809352 Port5, OUT: IP 192.168.42.51.53 > 192.168.42.254.52980: 50970 ServFail 0/0/0 (37)

    01:13:31.809352 Port1, IN: IP 192.168.42.51.51098 > 212.23.8.6.53: 6536+[|domain]

    01:13:31.809421 Port2, OUT: IP 21*.***.***.***.51098 > 212.23.8.6.53: 6536+[|domain]

    01:13:31.988743 Port1, IN: IP 192.168.42.115.54801 > 212.23.6.100.53: 6564+ A? 4.sophosxl.net. (32)

    01:13:31.988759 Port1, IN: IP 192.168.42.115.54801 > 212.23.3.100.53: 6564+ A? 4.sophosxl.net. (32)

    01:13:31.988856 Port2, OUT: IP 21*.***.***.***.54801 > 212.23.6.100.53: 6564+ A? 4.sophosxl.net. (32)

    01:13:31.988879 Port2, OUT: IP 21*.***.***.***.54801 > 212.23.3.100.53: 6564+ A? 4.sophosxl.net. (32)

    01:13:32.058907 Port1, IN: IP 192.168.42.36.49769 > 212.23.3.100.53: 55957+ A? resolver3.ast.ctmail.com. (42)

    01:13:32.058931 Port1, IN: IP 192.168.42.36.50088 > 212.23.6.100.53: 15347+ A? outlook.ha.office365.com. (42)

    01:13:32.058956 Port1, IN: IP 192.168.42.36.64675 > 212.23.6.100.53: 23774+ A? resolver.4.geo.ctmail.com. (43)

    01:13:32.059037 Port2, OUT: IP 21*.***.***.***.50088 > 212.23.6.100.53: 15347+ A? outlook.ha.office365.com. (42)

    01:13:32.059073 Port2, OUT: IP 21*.***.***.***.49769 > 212.23.3.100.53: 55957+ A? resolver3.ast.ctmail.com. (42)

    01:13:32.059138 Port2, OUT: IP 21*.***.***.***.64675 > 212.23.6.100.53: 23774+ A? resolver.4.geo.ctmail.com. (43)

    01:13:32.094047 Port5, IN: IP 21*.***.***.***.62134 > 8.8.8.8.53: 7022+ A? resolver3.ast.ctmail.com. (42)

    01:13:32.094087 Port2, OUT: IP 21*.***.***.***.62134 > 8.8.8.8.53: 7022+ A? resolver3.ast.ctmail.com. (42)

    01:13:32.103151 Port2, IN: IP 8.8.8.8.53 > 21*.***.***.***.62134: 7022 2/0/0[|domain]

    01:13:32.103160 Port5, OUT: IP 8.8.8.8.53 > 21*.***.***.***.62134: 7022 2/0/0[|domain]

    01:13:32.103310 Port5, IN: IP 192.168.42.254.22774 > 192.168.42.51.53: 59324+ A? resolver.3.geo.ctmail.com. (43)

    01:13:32.103321 Port1, OUT: IP 192.168.42.254.22774 > 192.168.42.51.53: 59324+ A? resolver.3.geo.ctmail.com. (43)

    01:13:32.103713 Port1, IN: IP 192.168.42.51.52763 > 212.23.3.100.53: 17703+ A? resolver.3.geo.ctmail.com. (43)

    01:13:32.103810 Port2, OUT: IP 21*.***.***.***.52763 > 212.23.3.100.53: 17703+ A? resolver.3.geo.ctmail.com. (43)

    01:13:32.121849 Port2, OUT: IP 21*.***.***.***.60690 > 8.8.8.8.53: 42981+ A? outlook.ha.office365.com. (42)

    01:13:32.127672 Port2, IN: IP 8.8.8.8.53 > 21*.***.***.***.60690: 42981 14/0/0[|domain]

    01:13:32.127782 Port1, OUT: IP 192.168.42.254.9400 > 192.168.42.51.53: 23575+[|domain]

    01:13:32.128065 Port1, IN: IP 192.168.42.51.50508 > 212.23.3.100.53: 47236+[|domain]

    01:13:32.128155 Port2, OUT: IP 21*.***.***.***.50508 > 212.23.3.100.53: 47236+[|domain]

    01:13:32.185787 Port2, OUT: IP 21*.***.***.***.38791 > 8.8.8.8.53: 62901+ A? resolver.4.geo.ctmail.com. (43)

    01:13:32.191965 Port2, IN: IP 8.8.8.8.53 > 21*.***.***.***.38791: 62901 1/0/0 (59)

    01:13:32.192219 Port1, OUT: IP 192.168.42.254.18386 > 192.168.42.51.53: 31669+ A? resolver5.ast.ctmail.com. (42)

    01:13:32.192536 Port1, IN: IP 192.168.42.51.51244 > 212.23.3.100.53: 15932+ A? resolver5.ast.ctmail.com. (42)

    01:13:32.192625 Port2, OUT: IP 21*.***.***.***.51244 > 212.23.3.100.53: 15932+ A? resolver5.ast.ctmail.com. (42)

    01:13:32.637852 Port2, OUT: IP 21*.***.***.***.18273 > 8.8.8.8.53: 20899+ A? iprep3.t.ctmail.com. (37)

    01:13:32.647698 Port2, IN: IP 8.8.8.8.53 > 21*.***.***.***.18273: 20899 2/0/0[|domain]

    01:13:32.647798 Port1, OUT: IP 192.168.42.254.60415 > 192.168.42.51.53: 7363+ A? ipres.3.geo.ctmail.com. (40)

    01:13:32.648104 Port1, IN: IP 192.168.42.51.50400 > 212.23.3.100.53: 63735+ A? ipres.3.geo.ctmail.com. (40)

    01:13:32.648228 Port2, OUT: IP 21*.***.***.***.50400 > 212.23.3.100.53: 63735+ A? ipres.3.geo.ctmail.com. (40)

    01:13:32.714134 Port1, IN: IP 192.168.42.51.52786 > 212.23.8.6.53: 5444+ A? resolver3.ast.ctmail.com. (42)

    01:13:32.714147 Port1, IN: IP 192.168.42.51.51530 > 212.23.8.6.53: 10357+ A? outlook.ha.office365.com. (42)

    01:13:32.714177 Port1, IN: IP 192.168.42.51.52060 > 212.23.6.100.53: 60042+ A? resolver.4.geo.ctmail.com. (43)

    01:13:32.714240 Port2, OUT: IP 21*.***.***.***.51530 > 212.23.8.6.53: 10357+ A? outlook.ha.office365.com. (42)

    01:13:32.714257 Port2, OUT: IP 21*.***.***.***.52786 > 212.23.8.6.53: 5444+ A? resolver3.ast.ctmail.com. (42)

    01:13:32.714277 Port2, OUT: IP 21*.***.***.***.52060 > 212.23.6.100.53: 60042+ A? resolver.4.geo.ctmail.com. (43)

    01:13:32.718470 Port1, IN: IP 192.168.42.51.51389 > 212.23.6.100.53: 5852+ A? www.msftncsi.com. (34)

    01:13:32.718575 Port2, OUT: IP 21*.***.***.***.51389 > 212.23.6.100.53: 5852+ A? www.msftncsi.com. (34)

    01:13:32.718621 Port1, IN: IP 192.168.42.36.49968 > 212.23.3.100.53: 18948+ A? www.msftncsi.com. (34)

    01:13:32.718672 Port2, OUT: IP 21*.***.***.***.49968 > 212.23.3.100.53: 18948+ A? www.msftncsi.com. (34)

    01:13:32.950040 Port5, IN: IP 21*.***.***.***.29246 > 8.8.8.8.53: 27467+ A? ipres.4.geo.ctmail.com. (40)

    01:13:32.950095 Port2, OUT: IP 21*.***.***.***.29246 > 8.8.8.8.53: 27467+ A? ipres.4.geo.ctmail.com. (40)

    01:13:32.956574 Port2, IN: IP 8.8.8.8.53 > 21*.***.***.***.29246: 27467 1/0/0 (56)

    01:13:32.956584 Port5, OUT: IP 8.8.8.8.53 > 21*.***.***.***.29246: 27467 1/0/0 (56)

    01:13:32.956852 Port5, IN: IP 192.168.42.254.7854 > 192.168.42.51.53: 57658+ A? iprep5.t.ctmail.com. (37)

    01:13:32.956867 Port1, OUT: IP 192.168.42.254.7854 > 192.168.42.51.53: 57658+ A? iprep5.t.ctmail.com. (37)

    01:13:32.957196 Port1, IN: IP 192.168.42.51.50527 > 212.23.6.100.53: 30128+ A? iprep5.t.ctmail.com. (37)

    01:13:32.957303 Port2, OUT: IP 21*.***.***.***.50527 > 212.23.6.100.53: 30128+ A? iprep5.t.ctmail.com. (37)

    01:13:32.963662 Port1, IN: IP 192.168.42.36.53 > 192.168.42.254.57523: 61196 ServFail[|domain]

    01:13:32.963673 Port1, IN: IP 192.168.42.36.49183 > 212.23.8.6.53: 6273+ AAAA? www.cnn.com.co.uk. (35)

    01:13:32.963711 Port1, IN: IP 192.168.42.36.64479 > 212.23.6.100.53: 22460+ AAAA? www.cnn.com. (29)

    01:13:32.963758 Port2, OUT: IP 21*.***.***.***.49183 > 212.23.8.6.53: 6273+ AAAA? www.cnn.com.co.uk. (35)

    01:13:32.963760 Port1, IN: IP 192.168.42.36.49926 > 212.23.6.100.53: 36952+ A? iprep3.t.ctmail.com. (37)

    01:13:32.963769 Port1, IN: IP 192.168.42.36.49318 > 212.23.6.100.53: 17440+ A? ipres.4.geo.ctmail.com. (40)

    01:13:32.963822 Port2, OUT: IP 21*.***.***.***.64479 > 212.23.6.100.53: 22460+ AAAA? www.cnn.com. (29)

    01:13:32.963855 Port2, OUT: IP 21*.***.***.***.49318 > 212.23.6.100.53: 17440+ A? ipres.4.geo.ctmail.com. (40)

    01:13:32.969867 Port2, OUT: IP 21*.***.***.***.49926 > 212.23.6.100.53: 36952+ A? iprep3.t.ctmail.com. (37)

    01:13:33.437354 Port1, IN: IP 192.168.42.155.63635 > 212.23.6.100.53: 38515+ A? outlook.office365.com. (39)

    01:13:33.437365 Port1, IN: IP 192.168.42.155.63635 > 212.23.3.100.53: 38515+ A? outlook.office365.com. (39)

    01:13:33.437485 Port2, OUT: IP 21*.***.***.***.63635 > 212.23.3.100.53: 38515+ A? outlook.office365.com. (39)

    01:13:33.437490 Port2, OUT: IP 21*.***.***.***.63635 > 212.23.6.100.53: 38515+ A? outlook.office365.com. (39)

    01:13:33.738661 Port1, IN: IP 192.168.42.51.51288 > 212.23.6.100.53: 25545+[|domain]

    01:13:33.738817 Port2, OUT: IP 21*.***.***.***.51288 > 212.23.6.100.53: 25545+[|domain]

    01:13:33.769352 Port1, IN: IP 192.168.42.36.49523 > 212.23.6.100.53: 12527+[|domain]

    01:13:33.769501 Port2, OUT: IP 21*.***.***.***.49523 > 212.23.6.100.53: 12527+[|domain]

    01:13:33.868590 Port1, IN: IP 192.168.42.36.53 > 192.168.42.254.21010: 41302 ServFail 0/0/0 (43)

    01:13:33.868603 Port5, OUT: IP 192.168.42.36.53 > 192.168.42.254.21010: 41302 ServFail 0/0/0 (43)

    01:13:33.981847 Port1, OUT: IP 192.168.42.254.22904 > 192.168.42.36.53: 2583+[|domain]

    01:13:33.982226 Port1, IN: IP 192.168.42.36.65443 > 212.23.6.100.53: 22861+[|domain]

    01:13:33.982361 Port2, OUT: IP 21*.***.***.***.65443 > 212.23.6.100.53: 22861+[|domain]

    01:13:34.523742 Port1, IN: IP 192.168.42.51.51681 > 212.23.3.100.53: 32010+ A? outlook.office365.com. (39)

    01:13:34.523807 Port1, IN: IP 192.168.42.51.52392 > 212.23.8.6.53: 8910+ A? iprep3.t.ctmail.com. (37)

    01:13:34.523814 Port1, IN: IP 192.168.42.51.50326 > 212.23.3.100.53: 10517+ A? ipres.4.geo.ctmail.com. (40)

    01:13:34.523815 Port1, IN: IP 192.168.42.51.52347 > 212.23.8.6.53: 33700+ A? 4.sophosxl.net. (32)

    01:13:34.523816 Port1, IN: IP 192.168.42.51.52617 > 212.23.3.100.53: 25989+ A? 4.sophosxl.net. (32)

    01:13:34.523893 Port2, OUT: IP 21*.***.***.***.52392 > 212.23.8.6.53: 8910+ A? iprep3.t.ctmail.com. (37)

    01:13:34.523921 Port2, OUT: IP 21*.***.***.***.52617 > 212.23.3.100.53: 25989+ A? 4.sophosxl.net. (32)

    01:13:34.523970 Port2, OUT: IP 21*.***.***.***.51681 > 212.23.3.100.53: 32010+ A? outlook.office365.com. (39)

    01:13:34.523971 Port2, OUT: IP 21*.***.***.***.50326 > 212.23.3.100.53: 10517+ A? ipres.4.geo.ctmail.com. (40)

    01:13:34.523972 Port2, OUT: IP 21*.***.***.***.52347 > 212.23.8.6.53: 33700+ A? 4.sophosxl.net. (32)

    ^C

    1193 packets captured

    1341 packets received by filter

    0 packets dropped by kernel

     

    Thanks
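    The capture above has to be read by hand to see that the queries to 212.23.x.x leave Port2 but never get a reply, while the ones to 8.8.8.8 do. As an added example (not code from the thread or from Sophos), the following script correlates a "tcpdump -ni any port 53" capture by (server, client port, transaction id) and reports, per upstream server, how many queries were sent, how many were answered, and which response codes came back. The sample lines are a constructed subset in the same format as the capture above; the parsing assumes tcpdump's default one-line DNS summary, with no -v.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the "tcpdump -ni any port 53" format used above
# (Port1 = LAN, Port2 = WAN, 192.168.42.254 = the firewall's LAN address).
SAMPLE = """\
01:13:31.154341 Port1, IN: IP 192.168.42.36.49571 > 212.23.8.6.53: 57282+ A? www.cnn.com. (29)
01:13:31.154553 Port2, OUT: IP 21*.***.***.***.49571 > 212.23.8.6.53: 57282+ A? www.cnn.com. (29)
01:13:31.154337 Port1, IN: IP 192.168.42.36.65125 > 212.23.6.100.53: 45368+ A? www.cnn.com.co.uk. (35)
01:13:31.154552 Port2, OUT: IP 21*.***.***.***.65125 > 212.23.6.100.53: 45368+ A? www.cnn.com.co.uk. (35)
01:13:31.260369 Port1, IN: IP 192.168.42.36.65237 > 212.23.3.100.53: 51934+ A? 4.sophosxl.net. (32)
01:13:31.260490 Port2, OUT: IP 21*.***.***.***.65237 > 212.23.3.100.53: 51934+ A? 4.sophosxl.net. (32)
01:13:32.094087 Port2, OUT: IP 21*.***.***.***.62134 > 8.8.8.8.53: 7022+ A? resolver3.ast.ctmail.com. (42)
01:13:32.103151 Port2, IN: IP 8.8.8.8.53 > 21*.***.***.***.62134: 7022 2/0/0[|domain]
01:13:32.121849 Port2, OUT: IP 21*.***.***.***.60690 > 8.8.8.8.53: 42981+ A? outlook.ha.office365.com. (42)
01:13:32.127672 Port2, IN: IP 8.8.8.8.53 > 21*.***.***.***.60690: 42981 14/0/0[|domain]
01:13:31.809281 Port1, IN: IP 192.168.42.51.53 > 192.168.42.254.35697: 38441 ServFail 0/0/0 (43)
01:13:31.809293 Port5, OUT: IP 192.168.42.51.53 > 192.168.42.254.35697: 38441 ServFail 0/0/0 (43)
"""

# One tcpdump DNS summary line. The masked WAN address "21*.***.***.***" is handled by the
# greedy \S+ followed by a mandatory ".port" suffix.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<iface>\S+), (?P<dir>IN|OUT): IP "
    r"(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<rd>\+?)(?P<rest>.*)$"
)


def rcode_of(rest):
    """Map the tail of a response line to the response code tcpdump printed."""
    for code in ("ServFail", "NXDomain", "Refused", "FormErr", "NotImp"):
        if code in rest:
            return code
    return "NoError"


def correlate(lines):
    """Group packets by DNS server: queries keyed by (client port, txid), answers likewise.
    The same packet seen on two interfaces (Port1 and Port5 above) collapses into one key."""
    stats = defaultdict(lambda: {"queries": set(), "answers": {}})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        if d["dport"] == "53":                       # query towards a server
            stats[d["dst"]]["queries"].add((d["sport"], d["txid"]))
        elif d["sport"] == "53":                     # answer coming back from a server
            stats[d["src"]]["answers"][(d["dport"], d["txid"])] = rcode_of(d["rest"])
    return stats


def summarize(lines):
    """Per-server rows: queries sent, queries that got a matching answer, answer codes seen."""
    rows = []
    for server, s in sorted(correlate(lines).items()):
        matched = {k: v for k, v in s["answers"].items() if k in s["queries"]}
        rows.append({
            "server": server,
            "sent": len(s["queries"]),
            "answered": len(matched),
            "rcodes": dict(Counter(s["answers"].values())),
        })
    return rows


def silent_servers(lines):
    """Servers that were sent at least one query and never answered any of them."""
    return [r["server"] for r in summarize(lines) if r["sent"] and r["answered"] == 0]


if __name__ == "__main__":
    for row in summarize(SAMPLE.splitlines()):
        print(row)
    print("no replies from:", silent_servers(SAMPLE.splitlines()))
```

    Run it as `tcpdump -ni any port 53 -l | python3 dnscorr.py` style input (reading stdin instead of SAMPLE) for a live view. On the sample, the three 212.23.x.x forwarders are "silent" and the internal server 192.168.42.51 is only seen returning ServFail to the firewall, which is exactly the picture Ronak and the others drew from the full capture.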

  • Hi  

      How many ISPs do you have? Is the DNS IP provided by your Port2 ISP? What is Port5?

     

    Regards, Ronak.

     

  • Hi Ronak,

    We have one ISP. The DNS IP is statically assigned by us. We have 2 entries pointing to our internal DNS servers and one entry pointing to google DNS. Port 5 is for the DMZ which we have not configured yet. The port is configured but it has been assigned a separate subnet address. I was wondering why Port5 was shown in the tcpdump.

    Thanks

    Lee

  • Hi  

    I recommend you use 8.8.8.8 as a forwarder. If you look at the tcpdump output, the request going out to 8.8.8.8 is getting resolved.

     

    01:13:32.637852 Port2, OUT: IP 21*.***.***.***.18273 > 8.8.8.8.53: 20899+ A? iprep3.t.ctmail.com. (37)

    01:13:32.647698 Port2, IN: IP 8.8.8.8.53 > 21*.***.***.***.18273: 20899 2/0/0[|domain]

     

    I believe you are using the wrong DNS server, or the DNS server used by you does not support your ISP IPs.

     

    Regards, Ronak.

  • Hi Ronak,

    I've been testing this all day but still no joy. The ISP forwarders we were using on our DNS servers were for the original ISP so I changed them to use the ISP DNS servers that the XG is connected to. I also included 8.8.8.8.

    When I ran an nslookup I did not receive timeout errors, so I thought I had resolved the issue, but name resolution still wasn't working. For some reason most domain names returned the same IP of 92.242.132.24, which I don't understand at all.

    I changed the DNS entries on the XG to use the same forwarders and 8.8.8.8, but still the same result. I then decided to change the forwarders on the DNS servers to use the XG (so the route was client > DNS server > XG > 8.8.8.8), but no difference.

    As soon as I change the default gateway of our DNS servers to the old firewall nslookup results work fine.

    I'm going to raise a support call with Sophos as this is becoming too hard. I'm considering contacting our reseller to see if we can return the XG devices as it should not be this difficult to get simple name resolution working through a firewall.

    Thanks to everyone on this forum for their suggestions. If Sophos support resolve the issue I will post again.

    Thanks

    Lee

  • Hi,

    I can only confirm the same results as Ronak:

    XG is forwarding everything correctly,

    but it does not get any reply from the DNS servers.

    Is your WAN IP correct? Is the WAN Interface correct? 

    Cheers

    __________________________________________________________________________________________________________________

  • Hi,

    I think it is time for a network diagram because if you can change the gateway to your old box that means somewhere in the path to the internet there is a box not passing traffic correctly?

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v20.0.2 MR-2

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ronak,

    Looks like you were on the money :) So I just got off the phone with Sophos support and whilst troubleshooting I changed the forwarder on the DNS server to 8.8.8.8. I had done this before but only as a secondary entry. The primary entry was our ISP DNS. This time I added only 8.8.8.8 and it's working fine.

    For some reason our ISP's DNS (Virgin Media Business) does not work which I find odd. Their DNS is returning incorrect IPs for nslookups.

    Anyway, thanks very much to the community for the help and the quick responses.

    Cheers

    Lee
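    Two things had to be told apart in this thread: forwarders that never answer (the 2-second timeout) and a forwarder that answers but hands back the same address for most names (the 92.242.132.24 symptom). As an added example, not code from the thread or from Sophos, the script below sends a minimal DNS A query over UDP to each candidate forwarder with the same 2-second wait, parses the reply, and flags a resolver whose answers for several unrelated names collapse onto one address. The resolver list and the names are placeholders to edit; `make_response` only exists to build a constructed reply for offline checking.

```python
import random
import socket
import struct
from collections import Counter

RCODES = {0: "NoError", 1: "FormErr", 2: "ServFail", 3: "NXDomain", 5: "Refused"}


def encode_name(name):
    """Wire-format QNAME: length-prefixed labels terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid):
    # Header: id, flags (RD set), QDCOUNT=1, other counts 0; question: QTYPE A, QCLASS IN.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def make_response(query, rcode=0, addrs=()):
    """Constructed reply to `query` for offline tests: echo the question, append A records
    whose owner name is a compression pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a)
                       for a in addrs)
    return header + query[12:] + answers


def _skip_name(msg, off):
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:            # compression pointer: two bytes end the name
            return off + 2
        off += 1 + length


def parse_response(msg, expected_txid):
    """Return (rcode name, [A addresses]); reject anything that is not a reply to our id."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4       # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), addrs


def query(server, name, timeout=2.0):
    """One UDP lookup with the 2-second wait nslookup reports; None on timeout."""
    txid = random.randrange(1, 65536)
    q = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data, txid)


def collapsed_address(results, threshold=3):
    """results: {name: addrs} from one resolver. Return an address handed back for at least
    `threshold` different names (unrelated names should not share one A record), else None."""
    counts = Counter(a for addrs in results.values() for a in set(addrs))
    for addr, n in counts.most_common(1):
        if n >= threshold:
            return addr
    return None


def check_forwarders(servers, names):
    """Query every name on every candidate forwarder; per server: timeouts, answers, collapse flag."""
    report = {}
    for srv in servers:
        answers, timeouts = {}, 0
        for name in names:
            r = query(srv, name)
            if r is None:
                timeouts += 1
            else:
                answers[name] = r[1]
        report[srv] = {"timeouts": timeouts, "answers": answers,
                       "collapsed_to": collapsed_address(answers)}
    return report


if __name__ == "__main__":
    # Placeholders: put the forwarders your DNS servers use next to 8.8.8.8 and compare.
    for srv, r in check_forwarders(["8.8.8.8"], ["www.cnn.com", "outlook.office365.com",
                                                 "www.msftncsi.com"]).items():
        print(srv, r)
```

    A forwarder with `timeouts` equal to the number of names reproduces the "request timed out" case; one with a non-None `collapsed_to` reproduces the wrong-answer case Lee hit with the ISP resolver, which a plain nslookup does not distinguish from a working server.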

  • Hi Lee,

    It seems we have the same problem with the XG firewall. I am a newbie with the XG Firewall.

    Currently, I'm using an XG310 (SFOS 17.5.5 MR-5). I have 2 local DNS servers running on Windows Server 2016, and all the client machines are pointing to those DNS servers.

    After changing to the XG Firewall from the old firewall, Kerio Control, clients report to me that sometimes they cannot access a website because their machine cannot resolve DNS; after waiting 30 seconds they can access the website normally. This issue does not happen everywhere; it just happens on some clients and seems to be random.

    On the XG Firewall DNS I've set the 2 local DNS servers; it can resolve DNS and works fine.

    The issue still happens at the client side sometimes. Actually, I don't know how to figure out the way to get it fixed.

    The old firewall works normally without this issue. The local DNS servers have the same config after the change to the XG Firewall.

    @Lee: Is your problem solved?

    Can you show me the DNS config on your local DNS servers and on the XG Firewall as well?

    Appreciated and thank you.

    Jacky

  • So I recently discovered I'm having the same issue; sometimes certain DNS queries would time out. I've got the same setup as the others, Windows servers running DNS, using forwarders to well known DNS servers. What "fixed" it for me was disabling DNSSEC on the DNS servers.

  • Yeah, we are in the same boat. Actually, this issue is really annoying.....

    Is your problem solved, or does it still happen?

  • Yeah, we are in the same boat. No hope!....

  • I did a little experimentation today on a hunch that *seems* to have resolved it, but it is too early to be sure.  I created a firewall rule for just the DNS servers, LAN to WAN, and only the DNS service.  I set Intrusion Protection to NONE.

    After doing that, DNS resolution that was failing consistently immediately began working. 

    I should add that the IPS log did not show any denials related to DNS but I have learned that doesn't necessarily mean anything.  

  • Bill, have you had more issues with this DNS problem?

     

    I've created the rule and changed my DNS servers. Apparently it is all ok now.

    Before it was awful.

    XG85w_AM02_SFOS 17.5.9 MR-9# nslookup
    > server
    Default server: 127.0.0.1
    Address: 127.0.0.1#53

    > ebay.com

    Domain Name Server# 127.0.0.1
    Domain Name # (null)
    Resolved Address 1# 66.135.195.175
    Resolved Address 2# 66.135.196.249
    Total query time # 3050.35 msec

    > ebay.de

    Domain Name # (null)
    Resolved Address 1# 66.135.196.249
    Resolved Address 2# 66.135.195.175
    Total query time # 3119.64 msec

     

    I'm still not sure if the rule is the correct solution.

  • I have read the best practices as described on the board, and really the only thing we're not doing that is recommended is to deliver the OpenDNS servers as secondary and tertiary DNS servers through DHCP.

  • Still having issues..

    more tcpdump:

     

    Anyone else having issues with DNS?