This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DNS request timed out (Again)

I've read other users posts who have experienced the dreaded "DNS request timed out" error and also DNS best practice and Rulz but still have no idea what causes this:

C:\Windows\system32>nslookup api.netatmo.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.0.1

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
Non-authoritative answer:
DNS request timed out.
    timeout was 2 seconds.
Name:    front-azure.netatmo.net
Address:  51.145.143.28
Aliases:  api.netatmo.com

192.168.0.0/24 has been added to DNS-Global-Allowed Networks

DNS-Forwarders have been configured with an Availability group containing Cloudflare Gateway DNS servers and 'Use forwarders assigned by ISP' is unchecked

DNS-Request Routing is empty. I'm not doing any reverse DNS for internal IPs

QoS is disabled for all networks

If I specify one of the Cloudflare DNS servers on the same host, instead of the UTM as the DNS server, no DNS time outs occur.

Here are some DNS logs:

2021:02:19-13:12:49 Hillary-1 named[4836]: client @0xa500680 127.0.0.1#41232 (220.0.168.192.in-addr.arpa): view no_rpz_dlz: RFC 1918 response from Internet for 220.0.168.192.in-addr.arpa
2021:02:19-13:17:52 Hillary-1 named[4836]: client @0xa4e9cd8 127.0.0.1#31441 (220.0.168.192.in-addr.arpa): view no_rpz_dlz: RFC 1918 response from Internet for 220.0.168.192.in-addr.arpa
2021:02:19-13:23:16 Hillary-1 named[4836]: client @0xa3cb150 127.0.0.1#26911 (220.0.168.192.in-addr.arpa): view no_rpz_dlz: RFC 1918 response from Internet for 220.0.168.192.in-addr.arpa
2021:02:19-13:28:10 Hillary-1 named[4836]: no valid RRSIG resolving '168.192.in-addr.arpa/DS/IN': 172.64.36.1#53
2021:02:19-13:29:04 Hillary-1 named[4836]: client @0xa76ea38 127.0.0.1#38483 (220.0.168.192.in-addr.arpa): view no_rpz_dlz: RFC 1918 response from Internet for 220.0.168.192.in-addr.arpa
2021:02:19-13:31:38 Hillary-1 named[4836]: validating plex.tv/A: no valid signature found
2021:02:19-13:31:39 Hillary-1 named: Last message 'validating plex.tv/A' repeated 1 times, suppressed by syslog-ng on Hillary
2021:02:19-13:31:39 Hillary-1 named[4836]: validating plex.tv/SOA: no valid signature found
2021:02:19-13:31:39 Hillary-1 named[4836]: validating plex.tv/NSEC: no valid signature found
2021:02:19-13:32:03 Hillary-2 named[4867]: no valid RRSIG resolving '168.192.in-addr.arpa/DS/IN': 172.64.36.1#53

What am I not understanding?

This thread was automatically locked due to age.

Parents

0 FormerMember over 3 years ago

Hi busthead,

What's an observation with 'DNS forwarders' as google DNS IP 8.8.8.8 or Cloudflare IP 1.1.1.1?

Which IPs are added in Cloudflare availability group?

Ensure to an exception for UDP port 53 service to skip UDP Flood Protection.
Cancel
Vote Up 0 Vote Down

Cancel
0 busthead over 3 years ago in reply to FormerMember

If the client is configured to use a public DNS server instead of my UTM, the issue is resolved.

I do not wish to use Google or 1.1.1.1

Cloudflare's Gateway DNS service addresses are 172.64.36.1 and .2

I don't know how to create:

Unknown said:
an exception for UDP port 53 service to skip UDP Flood Protection.
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 3 years ago in reply to busthead

If Anti-DoS/Flooding is enabled then add an exception list under Network Protection > Intrusion Prevention > Exceptions to skip UDP flood for DNS service.

You may also add a rule on top to allow DNS service.

You can also take a packet capture to know the response time for DNS queries from Cloudflare's Gateway DNS servers.

support.sophos.com/.../KB-000038909
Cancel
Vote Up 0 Vote Down

Cancel
0 busthead over 3 years ago in reply to FormerMember

I already have permit DNS at the top of my firewall rules.

Adding an exception under Network Protection > Intrusion Prevention > Exceptions to skip UDP flood for DNS service did not resolve the issue.
Cancel
Vote Up 0 Vote Down

Cancel
0 FormerMember over 3 years ago in reply to busthead

I would request you to open a support case on Sophos Portal to get this investigated. Also, please share the case ID via PM.
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 FormerMember over 3 years ago in reply to busthead

I would request you to open a support case on Sophos Portal to get this investigated. Also, please share the case ID via PM.
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data