DNS fail


After the last update of our clustered M370 to 12.7.1 we encounter numerous problems with DNS (a site is unreachable and then soon becomes reachable). Does any of you have a similar experience?

Thank you


  • Options

    Not offhand.

    Are you using DNSWatch?
    If not, are you using DNS proxies for outgoing DNS?
    Anything to help understand this in Traffic Monitor?

    Could your external DNS server IP addr sometimes end up on the temp Blocked Sites list? If so, you can add that/those IP addrs to the Blocked Sites Exceptions.
    And/or turn off the Default packet Handling option of "Auto-block source of unhandled external packets"

  • Options

    Hi Bruce,

    I used DNSWatch until 2 days ago; now I have disabled it thinking this was the problem, but nothing, it persists. The thing is very strange: it does not find the site and then after a few seconds it does. On Saturday I did the last upgrade to the firewall.

    Nothing unusual in the Traffic Monitor, no DNS proxy. The strange thing is that the same thing happens in the other office, always with a M370 on the latest update, but only for the Watchguard forum.

  • Options

    Explain what you mean by "but only for the Watchguard forum"

    So you are running V12.7.1 and the problems started soon thereafter?

    Consider opening a support incident on this if you have not already done so.

  • Options

    Yes, that's right, this only happens in my office on the forum https://www.watchguard.com/Forum/login.aspx

    I haven't opened a ticket yet.

  • Options

    In my office I have DNSWatch active.

  • Options

    So it is related to your DNS_PROBE_FINISHED_NXDOMAIN post?

  • Options

    Yes, right

  • Options

    Usually I first update my firewall in the office, and when I think everything is OK I also update the cluster in the other office. For me everything started from the last update on Saturday 25th, as regards the DNS fail.

  • Options

    So again, this was your update to V12.7.1?

  • Options

    Open a support incident.

  • Options

    Nothing to do, even the technical support has not found any problems on the DNS. I do not know where to turn my head; the only thing left to do is to downgrade the cluster to 12.7, but I would like to avoid it .. sic sic

  • Options
    james.carson Moderator, WatchGuard Representative

    Hi @toscanatlc
    Please see my comment on your other post here:

    Based on what you've described both here, and in the case, I do not expect that downgrading will fix your issue. If the DNS response coming from an external server is NXDOMAIN, that issue lies outside of the firebox.

    I've left information on how to determine for sure, via packet capture, if that's what is happening. If the issue is external to the firebox, and is in fact a DNS issue, you'll need to troubleshoot the DNS issue, or contact the admin responsible for that DNS to proceed.

    -James Carson
    WatchGuard Customer Support
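
One way to check a capture for the situation described in the reply above, where a name is sometimes answered NXDOMAIN by an external server and sometimes resolves. This is an added example, not code from the thread or from WatchGuard; it assumes the UDP payloads of the DNS responses have already been extracted from the packet capture, and the server addresses and host names in `SAMPLE` are constructed.

```python
import struct
from collections import defaultdict

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def parse_dns_response(payload):
    """Return (qname, rcode_name) for a DNS response payload, or None if it is
    too short, is a query, or has a truncated question section."""
    if len(payload) < 12:
        return None
    _id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if not flags & 0x8000 or qdcount < 1:      # QR bit clear means a query
        return None
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            return None
        length = payload[pos]
        if length == 0:                        # root label ends the name
            break
        if length & 0xC0:                      # pointer/reserved: not valid here
            return None
        label = payload[pos + 1:pos + 1 + length]
        if len(label) < length:
            return None
        labels.append(label.decode("ascii", "replace").lower())
        pos += 1 + length
    rcode = flags & 0x000F                     # low 4 bits of the flags word
    return ".".join(labels), RCODES.get(rcode, f"RCODE{rcode}")

def flapping_names(packets):
    """packets: iterable of (server_ip, udp_payload). Return, for each name that
    got both NXDOMAIN and NOERROR, the set of servers that answered NXDOMAIN."""
    seen = defaultdict(lambda: defaultdict(set))
    for server, payload in packets:
        parsed = parse_dns_response(payload)
        if parsed:
            name, rcode = parsed
            seen[name][rcode].add(server)
    return {n: r["NXDOMAIN"] for n, r in seen.items()
            if "NXDOMAIN" in r and "NOERROR" in r}

def _response(name, rcode):
    """Build a constructed DNS response (header + question, no answer records)."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)

# Constructed sample: documentation addresses and .test names, not real data.
SAMPLE = [("192.0.2.53", _response("forum.example.test", 3)),
          ("198.51.100.53", _response("forum.example.test", 0)),
          ("198.51.100.53", _response("www.example.test", 0))]
```

A non-empty result from `flapping_names` names the upstream server whose answers to look at; a name that only ever returns NXDOMAIN does not appear in it.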
