Firewall Losing DNS Settings?

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
ccmichaelson
New Member
Posts: 13
Joined: Wed Mar 23, 2011 12:40 pm

Firewall Losing DNS Settings?

Postby ccmichaelson » Sun Apr 17, 2016 2:50 pm

Issue
While connected to the firewall, I can ping an IP address with no issues. However, I cannot ping any domain name like http://www.lds.org. I've tried this command from multiple machines (wireless and wired) within the building and/or directly connected to the firewall. It "appears" to only happen during peak traffic periods and when we hit the peak/max bandwidth allotted to this building (which is nearly every week).

Context
While monitoring the usage stats on tm.lds.org on Sundays, I see approx. 300 devices connecting to the WiFi and we approach or hit our allotted 8 Mbps download speed. At some point, the Internet stops working for everyone, but what I've found is that if I bypass the firewall all is good. When attached directly to the firewall, I can ping an IP address without issues, but when I ping a DNS name like http://www.lds.org, I receive an unknown host error. I've contacted the Global Support Desk on multiple occasions as well as my broadband provider. From what we can tell, the firewall appears to lose its DNS settings such that it doesn't know where to route the traffic. The fix is for the GSD to point the DNS to their test server and then back to the standard meetinghouse DNS servers/settings. I've also been able to fix this issue by rebooting the firewall, but that doesn't always work.

Question
Anyone had or having a similar issue with their firewall?

russellhltn
Community Administrator
Posts: 20762
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Firewall Losing DNS Settings?

Postby russellhltn » Sun Apr 17, 2016 3:00 pm

Since it happens when the link gets swamped, my guess would be the DNS traffic is simply getting lost in the stampede. I haven't seen anything in your post that indicates that the settings themselves are lost. As long as the client device knows the correct DNS, then the setting is correct.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

harddrive
Member
Posts: 445
Joined: Thu Jan 03, 2008 7:52 pm

Re: Firewall Losing DNS Settings?

Postby harddrive » Sun Apr 17, 2016 3:25 pm

Russellhltn,

You are on the right track with "lost in the stampede." Now, for everyone I will be getting deep into the OSI model, especially at layer 4, so if you want to learn, please keep reading.

On a network there are two main types of protocols that are used. One is TCP and the other is UDP. TCP is a connection protocol. This means that the systems will talk to each other, and if a packet is dropped along the way then the systems know which one needs to be retransmitted to complete the data transfer.

UDP, which DNS uses, is a connectionless protocol, which means that there is no checking to indicate that the packet was received at the server. So there is no retransmission of packets because the conversation doesn't know that the packet got dropped. So if you are pushing your eight meg limit and the UDP packet gets dropped, which it sounds like what is happening, the packets won't get retransmitted.

I'm sure the 881W probably has a small cache for DNS, but it wouldn't have a lot of entries. So there is one thing that you can do, and this would only be for the sites that you use frequently, such as LDS.ORG. You can create a hosts file that has the site location and the IP address associated with the site. This can be put locally so that you don't have to query the DNS server for the IP address.

The video stream will use the UDP protocol, and that is why you need to shut off the WiFi: the packets get dropped and so they don't get retransmitted.

I hope this helps to understand what is going on with the DNS issue.

ccmichaelson
New Member
Posts: 13
Joined: Wed Mar 23, 2011 12:40 pm

Re: Firewall Losing DNS Settings?

Postby ccmichaelson » Sun Apr 17, 2016 6:03 pm

@Russellhltn - Appreciate the education, but I'm still not entirely sure I understand the exact issue and resolution. I took my MacBook Pro laptop into the attic and directly connected my laptop to the router (via CAT wired connection). I was able to ping any IP address (e.g. 8.8.8.8 or 4.2.2.2) but I couldn't ping any DNS name (e.g. lds.org, walmart.com, etc.). However, as soon as I unplugged my laptop from the router and into the broadband POE adapter (Utah Broadband in this case) I could ping both IP and DNS.

My FM group is unwilling to increase our broadband speeds. They claim education is the best solution. We've announced at the pulpit on many occasions to get off the LDS Access WiFi unless you are performing church-related activities, but it falls on deaf ears and people don't really care (until they really need access and can't get it). While other stakes in my area have an order of magnitude faster speeds, it's a hard pill to swallow, and no matter how much I attempt to "educate" members the problem is only getting worse thanks to more and more devices we carry into our meetinghouses. Meanwhile clerks can't even perform actions because a lot of the MLS functionality is moving to the Internet.

I have dozens of members (myself included) who are willing to pool together and purchase higher levels of broadband and planning to have that discussion soon with our FM group.

russellhltn
Community Administrator
Posts: 20762
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Firewall Losing DNS Settings?

Postby russellhltn » Sun Apr 17, 2016 6:25 pm

ccmichaelson wrote:@Russellhltn - Appreciate the education, but I'm still not entirely sure I understand the exact issue and resolution. I took my MacBook Pro laptop into the attic and directly connected my laptop to the router (via CAT wired connection). I was able to ping any IP address (e.g. 8.8.8.8 or 4.2.2.2) but I couldn't ping any DNS name (e.g. lds.org, walmart.com, etc.). However, as soon as I unplugged my laptop from the router and into the broadband POE adapter (Utah Broadband in this case) I could ping both IP and DNS.

To plug into the modem, are you unplugging the router? If so, then there goes all the traffic. If the modem has more than one jack, then most likely it's also a router - and a potential issue. In that case, I'd look into getting "just a modem" that has but one working jack.

And what you describe still has nothing to do with "settings". When you plug your computer into the router and do an "ipconfig", is the "DNS Servers" field blank? If not, then I'm not so sure it's the settings that are getting lost. What you are describing is the DNS lookup failing, but a DNS lookup is additional traffic across an already busy network. Note that by bypassing the firewall, you're probably getting a different DNS server. The one the firewall is sending to the clients is part of the church filtering system. The one you get from your modem is one specified by your ISP.


ccmichaelson wrote:My FM group is unwilling to increase our broadband speeds. They claim education is the best solution. We've announced at the pulpit on many occasions to get off the LDS Access WiFi unless you are performing church-related activities, but it falls on deaf ears

Odds are that much of the traffic is caused by devices automatically jumping onto the WiFi system. The user may be completely unaware of the traffic it's creating. (Such as checking email, FB notifications, etc.) At this point, I'd say the solution is to start unplugging access points. Limit coverage to the areas that really need it. If FM won't increase the bandwidth, see if they'll relocate the APs to limit the coverage to essential areas. Since use of the system falls under the stake president, talk with him about what "essential areas" would be.

ccmichaelson
New Member
Posts: 13
Joined: Wed Mar 23, 2011 12:40 pm

Re: Firewall Losing DNS Settings?

Postby ccmichaelson » Sun Apr 17, 2016 6:43 pm

russellhltn wrote:To plug into the modem, are you unplugging the router? If so, then there goes all the traffic. If the modem has more than one jack, then most likely it's also a router - and a potential issue. In that case, I'd look into getting "just a modem" that has but one working jack.


Yes I'm using the same CAT wire and unplugging from the Cisco firewall and then into Utah Broadband's POE device, which is not a router and it only has one jack.

russellhltn wrote:And what you describe still has nothing to do with "settings". When you plug your computer into the router and do an "ipconfig", is the "DNS Servers" field blank? If not, then I'm not so sure it's the settings that are getting lost. What you are describing is the DNS lookup failing, but a DNS lookup is additional traffic across an already busy network. Note that by bypassing the firewall, you're probably getting a different DNS server. The one the firewall is sending to the clients is part of the church filtering system. The one you get from your modem is one specified by your ISP.

I wasn't paying attention to what DNS servers the two systems were giving me. The Global Support Desk was able to remote into the firewall and they were not able to perform a DNS lookup either (directly on the firewall through SSH). At least not until they reassigned the firewall to use a different DNS server and then back to the original meetinghouse DNS servers. I completely understand that by switching between the firewall and Utah Broadband's devices I'm going to get different IPs and DNS servers. I was just explaining what I did and the different behavior of each. I even unplugged all devices from the Cisco firewall so that I was the only one connected, and I still couldn't ping a DNS name, so it wasn't traffic related. The theory that the firewall lost its DNS settings was based on a comment from the Global Support tech, but he wasn't sure what happened.

This issue has happened multiple times so I'm just trying to find a solution...

russellhltn
Community Administrator
Posts: 20762
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Firewall Losing DNS Settings?

Postby russellhltn » Sun Apr 17, 2016 7:40 pm

At this point, I'd say your options are:
  • Keep working with the Global Support Desk.
  • Start limiting usage by disconnecting APs.
There really isn't much under your control.

RyanGard1977
New Member
Posts: 15
Joined: Sun Jul 19, 2015 9:26 pm

Re: Firewall Losing DNS Settings?

Postby RyanGard1977 » Sun Sep 25, 2016 2:28 pm

We've run into the same issue where we have 200+ devices trying to connect at the same time, which has resulted in the system being overtaxed and becoming useless. I'm betting that 95% of the connections are non-legit, meaning kids playing games, people doing non-church-related stuff, apps updating. Which means our clerks and teachers can't utilize the network/WiFi for valid teaching/church business. The same SSID and password happen to be used for not only my stake but 6 other nearby stakes as well. Not a very smart idea in my opinion. I also am of the opinion that the passwords need to be changed at a minimum every 6 months, and better yet, the passwords should not be given out so freely.

Jeffbpetersen
New Member
Posts: 2
Joined: Sun Dec 30, 2012 3:40 pm

Re: Firewall Losing DNS Settings?

Postby Jeffbpetersen » Sun Oct 30, 2016 3:16 pm

We are experiencing an almost identical problem. I have a continuous ping going to google.com and it pretty much never fails, yet DNS queries fail very frequently. Just trying to ping LDS.org or google.com from a command prompt will fail to resolve the DNS name very frequently, but once the name is resolved it always pings successfully for as long as I let it run.

I tried temporarily configuring the computer to use Google Public DNS to try and diagnose the problem, but it would appear using third-party DNS is blocked (since it is against policy).

Is this a problem with the firewall router, or is the church having a problem with their DNS server generally? Any advice would be appreciated. (I am the stake technology specialist, btw.)

yarrgh
Church Employee
Posts: 42
Joined: Mon Dec 23, 2013 1:54 pm

Re: Firewall Losing DNS Settings?

Postby yarrgh » Mon Oct 31, 2016 9:28 am

Jeffbpetersen wrote:Is this a problem with the firewall router, or is the church having a problem with their DNS server generally? Any advice would be appreciated. (I am the stake technology specialist, btw.)

This is not a firewall issue. The firewall doesn't handle DNS lookups. It is only the means of telling end computers/devices which DNS servers they should be using. It's also the enforcer, where it will block DNS lookups to any other non-authorized DNS servers.

This may be an issue with the DNS servers themselves or with the ISP when trying to forward the lookups to the DNS servers.

What I suggest is that when this happens, try pinging 8.34.34.92 and 8.35.35.92 and make sure that they respond. While it does not exactly tell you whether the ISP is the problem or not, if you don't get a response, it may indicate an issue with the ISP. If they do respond, it may be an issue with the DNS servers.

It's hard to tell, because unless everyone is having issues (including other buildings with different ISPs) at the same time, it is hard to tell if it is the DNS servers or not.
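The two diagnostic points raised in this thread (harddrive's note that a DNS query over UDP gets no transport-level retransmission if the link drops it, and yarrgh's suggestion to ping the two resolvers directly to separate "no path" from "resolver not answering") can be combined into one small check. The script below is an added example written for this page; it is not code from any post above, from the firewall, or from the Church's support tooling. It builds a raw DNS A query, sends it over UDP with an explicit timeout and retries (UDP itself never retransmits, so the client has to), falls back to DNS over TCP when UDP gets nothing back or the reply is truncated, and pings each resolver so the verdict can say whether the resolver was reachable at all. The resolver addresses 8.34.34.92 and 8.35.35.92 are the ones yarrgh names, and www.lds.org is the name the original poster was testing; the `ping -c/-W` flags assumed are Linux-style, and the function and variable names are this example's own.

```python
"""DNS triage for the symptom in this thread: ping works, names do not.
Added example, not code from any post. UDP query with timeout and retries,
TCP fallback, and a ping of each resolver so the failing hop can be named."""
import random
import socket
import struct
import subprocess


def build_query(name, qid=None):
    """Minimal RFC 1035 A query: 12-byte header with RD set, one question."""
    qid = random.randrange(0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, IN


def _skip_name(buf, off):
    """Step over a (possibly compressed) name; return the next offset."""
    while buf[off] != 0 and buf[off] & 0xC0 != 0xC0:
        off += 1 + buf[off]
    return off + (2 if buf[off] & 0xC0 == 0xC0 else 1)


def parse_a_records(resp, qid):
    """IPv4 addresses from the answer section; raises on bad id or RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if flags & 0x0F:
        raise ValueError("server returned RCODE %d" % (flags & 0x0F))
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # QTYPE + QCLASS
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def _query_tcp(query, qid, server, timeout):
    """DNS over TCP: the same message behind a 2-byte length prefix."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        n = struct.unpack("!H", s.recv(2))[0]
        resp = b""
        while len(resp) < n:
            chunk = s.recv(n - len(resp))
            if not chunk:
                break
            resp += chunk
    return parse_a_records(resp, qid)


def resolve(name, server, timeout=2.0, retries=3):
    """UDP with timeout and retries (the transport never retransmits, so the
    client must), then TCP if UDP got nothing or the reply was truncated."""
    qid = random.randrange(0x10000)
    query = build_query(name, qid)
    for _ in range(retries):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(query, (server, 53))
            try:
                resp, _peer = s.recvfrom(4096)
            except socket.timeout:
                continue  # query or reply dropped on the saturated link
        if struct.unpack("!H", resp[2:4])[0] & 0x0200:  # TC bit set
            return _query_tcp(query, qid, server, timeout)
        return parse_a_records(resp, qid)
    return _query_tcp(query, qid, server, timeout)


def ping(host, timeout_s=2):
    """One ICMP echo via the OS ping binary (Linux-style flags assumed)."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    return subprocess.run(cmd, stdout=subprocess.DEVNULL,
                          stderr=subprocess.DEVNULL).returncode == 0


def classify(reachable, answering):
    """Map the two probe results onto the fault domains discussed above."""
    if reachable and answering:
        return "ok"
    if reachable:
        return "resolver reachable but not answering (resolver, or port 53 dropped)"
    if answering:
        return "resolver answers but ICMP is filtered"
    return "no path to resolver (link, ISP or firewall)"


def triage(name, servers):
    report = {}
    for srv in servers:
        reachable = ping(srv)
        try:
            addrs = resolve(name, srv)
        except (OSError, ValueError):
            addrs = []
        report[srv] = (reachable, bool(addrs), addrs,
                       classify(reachable, bool(addrs)))
    return report


if __name__ == "__main__":  # resolvers named by yarrgh; name from the first post
    print(triage("www.lds.org", ["8.34.34.92", "8.35.35.92"]))
```

Run it from a machine behind the firewall while the symptom is present and compare with the same run from the bypass connection. A verdict of "reachable but not answering" on both resolvers while the direct link resolves fine points at the resolvers or at something between the firewall and port 53 on them; "no path" on both points at the link or the ISP, which is the split yarrgh describes. Because the query is sent by this script rather than the OS stub resolver, the result is not masked by the local DNS cache.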

