dns fail
Greetings,
After the last update of our clustered M370 to 12.7.1, we are encountering numerous problems with DNS (sites are unreachable and then soon become reachable). Does any of you have a similar experience?
Thank you
Comments
Not offhand.
Are you using DNSWatch?
If not, are you using DNS proxies for outgoing DNS?
Anything to help understand this in Traffic Monitor?
Could your external DNS server IP addr sometimes end up on the temp Blocked Sites list? If so, you can add that/those IP addrs to the Blocked Sites Exceptions.
And/or turn off the Default packet Handling option of "Auto-block source of unhandled external packets"
Hi Bruce,
I used DNSWatch until 2 days ago. Now I have disabled it, thinking this was the problem, but nothing, it persists. The thing is very strange: it does not find the site and then after a few seconds, yes. Saturday I did the last upgrade to the firewall.
Nothing unusual in the Traffic Monitor, no DNS proxy. The strange thing is that the same thing happens in the other office, also with an M370 on the latest update, but only for the WatchGuard forum.
Explain what you mean by "but only for the Watchguard forum"
So you are running V12.7.1 and the problems started soon thereafter?
Consider opening a support incident on this if you have not already done so.
Yes, that's right, this only happens in my office on the forum https://www.watchguard.com/Forum/login.aspx
I haven't opened a ticket yet.
In my office I have DNSWatch active.
So it is related to your DNS_PROBE_FINISHED_NXDOMAIN post?
Yes, right
Usually I first update my firewall in the office, and when I think everything is OK I also update the cluster in the other office. For me, as regards the DNS failures, everything started from the last update on Saturday the 25th.
So again, this was your update to V12.7.1?
Yes
Open a support incident
Nothing to do, even technical support has not found any problems with the DNS. I do not know where to turn my head. The only thing left to do is to downgrade the cluster to 12.7, but I would like to avoid that .. sic sic
Hi @toscanatlc
Please see my comment on your other post here:
https://community.watchguard.com/watchguard-community/discussion/2094/dns-probe-finished-nxdomain#latest
Based on what you've described both here, and in the case, I do not expect that downgrading will fix your issue. If the DNS response coming from an external server is NXDOMAIN, that issue lies outside of the firebox.
I've left information on how to determine for sure, via packet capture, if that's what is happening. If the issue is external to the firebox, and is in fact a DNS issue, you'll need to troubleshoot the DNS issue, or contact the admin responsible for that DNS to proceed.
-James Carson
WatchGuard Customer Support
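
The packet-capture check suggested in the reply above, as an added example that is not part of the original thread or any WatchGuard tooling: it reads the RCODE from DNS messages seen on the external interface and lists which upstream server answered NXDOMAIN for which name. It assumes the UDP payloads have already been extracted from the capture; the function names, addresses and hostnames are constructed for illustration.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def read_qname(payload, offset=12):
    """Decode the question name that follows the 12-byte DNS header."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated question name")
        length = payload[offset]
        offset += 1
        if length == 0:
            return ".".join(labels)
        if length & 0xC0 or offset + length > len(payload):
            raise ValueError("malformed label in question")
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length

def parse_dns(payload):
    """Return the header fields needed to judge a DNS message."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!3H", payload[:6])
    return {"id": txid, "response": bool(flags & 0x8000),
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "qname": read_qname(payload) if qdcount else ""}

def nxdomain_from_upstream(packets):
    """packets: (source_ip, udp_payload) pairs seen on the external interface.
    Returns (server_ip, qname) for every response carrying RCODE 3."""
    hits = []
    for src, payload in packets:
        msg = parse_dns(payload)
        if msg["response"] and msg["rcode"] == "NXDOMAIN":
            hits.append((src, msg["qname"]))
    return hits

def build(txid, flags, name):
    """Build a constructed sample message: header, one A/IN question, no records."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

# Constructed capture: documentation-range addresses and .test names, not real data.
SAMPLE = [
    ("192.0.2.10", build(0x1A2B, 0x0100, "forum.example.test")),     # query going out
    ("198.51.100.53", build(0x1A2B, 0x8183, "forum.example.test")),  # reply, RCODE 3
    ("198.51.100.53", build(0x1A2C, 0x8180, "www.example.test")),    # reply, RCODE 0
]
```

A non-empty result from `nxdomain_from_upstream` means the NXDOMAIN was already present in the reply arriving from the upstream resolver, which is the case the reply above describes as lying outside the Firebox.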