Re: Continuing (worsening) problems with DNS resolution can be traced to the FVS336Gv2

vulogiccl2
Initiate

Continuing (worsening) problems with DNS resolution can be traced to the FVS336Gv2

Hi --

I'm having continued, and apparently worsening, problems on my network protected behind a FVS336Gv2 (v. 4.3.3-6) firewall. And it all has to do with DNS resolution.

Any device behind the firewall trying to access the Internet will chug along just fine for a while, then suddenly start to exhibit all manner of problems related to DNS resolution. Most notably, Web browsers will start timing out with DNS errors. Then, suddenly, the problem will clear itself for a short while, before recurring.

This has been an annoyance for some time, but recently the problem seems to have worsened significantly.

The PCs all have DNS servers set up on their network interfaces. I have tried five different sets of DNS servers, including the servers from the ISP, OpenDNS, and Google.

I have also tried setting up the FVS336Gv2 as a DNS proxy, and then trying it with proxying disabled. Whether or not it's set up in that way, the problem remains.

On any of the affected PCs, if I run DNS Query Sniffer the problem is made quite obvious. As the PC tries to move around the Internet, DNS Query Sniffer shows every DNS request the PC makes. A cluster of several dozen DNS queries will show as responded to and resolved. Then several screenfuls of DNS queries will show as not being responded to. You can clearly see the progression on the part of the PC of querying the DNS1 server, not getting a response, querying the DNS2 server, not getting a response, querying the DNS3 server (the proxy, if it is set up), not getting a response, and so on. After a while of this, though, seemingly by magic the DNS queries start getting responses again.

This is not a problem with a screwy PC. I can replicate this problem on any PC behind the firewall by running DNS Query Sniffer and checking its output.

In case this was related to PC-based malware protection or firewalls, I've disabled these on the PCs and have seen no difference. The PCs in question are running either Symantec Endpoint Protection or Microsoft Defender on either Windows 7 or 10. I also have a half-dozen Android devices that get caught in the same DNS trap while they're on the WLAN, which have no such problems if they're running on their cellular connections or on someone else's WLAN.

Further, I can clearly see that it's the firewall causing the bottleneck if I reconfigure a PC to bypass the firewall and connect directly to the ISP's modem. With the firewall out of the way, DNS Query Sniffer shows almost every DNS query consistently resolved (with the odd miss here and there). The difference is dramatic. I can hammer the connection with DNS requests, as long as I'm hooked up directly to the ISP's gateway, and the PC won't miss a beat. But as soon as I connect the PC back behind the firewall, I can't get more than a few dozen DNS queries out before they start to get blocked (ignored, whatever).

I have read a smattering of posts mentioning similar problems, and none seems to have a resolution. The culprit mentioned most often is the Block UDP Flood setting. This firewall had the setting switched off already; the DNS problem still happens. I switched the setting on and set the threshold to 999 (the highest it will allow), just to see if I saw a difference; it did not affect the DNS problem one bit. I switched it back off, as well as the Block TCP Flood setting. This had no effect.

Otherwise, I have no problems with this firewall. It processes incoming traffic exactly as it's supposed to. It handles VPN connections properly. Outbound traffic from the PCs -- as long as it's not being encumbered by DNS resolution problems -- is OK.

I don't know if this is an indication of a problem or not, but in trying to troubleshoot this problem, I've navigated the firewall's entire Web interface. And boy, is it slow. It can take the firewall several seconds at least (sometimes 20 seconds or more) to move from one page to the next.

Is there a way to resolve this problem?

Thanks
CL

Model: FVS336Gv2|PROSAFE DUAL WAN GIGABIT FIREWALL WITH SSL & IPSEC VPN
Message 1 of 3
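As an added example (not code from the original poster or from NETGEAR), the following Python script reproduces the measurement the poster made with DNS Query Sniffer without needing that tool: it fires a burst of DNS queries at one resolver, collects the replies that arrive before a deadline, and reports how many queries went unanswered plus the longest consecutive run of unanswered queries (the "several screenfuls" pattern described above). The resolver address, burst size and hostnames are assumptions to be replaced with the resolver under test (the firewall's proxy address, or the ISP, OpenDNS or Google server), and the sample inputs are constructed; comparing the numbers with the PC behind the firewall against the same PC plugged directly into the ISP's modem gives the side-by-side figure the poster describes.

```python
# Added example, not from the original post or NETGEAR: a burst DNS probe
# that measures answered vs. unanswered queries against one resolver.
import random
import socket
import struct
import time
from typing import Dict, List, Optional, Tuple

QTYPE_A = 1
QCLASS_IN = 1


def build_query(name: str, qtype: int = QTYPE_A, txid: Optional[int] = None) -> Tuple[int, bytes]:
    """Build a minimal RFC 1035 query: one question, recursion desired."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_response(data: bytes) -> Dict[str, int]:
    """Decode the 12-byte header: enough to match replies and read the RCODE."""
    if len(data) < 12:
        raise ValueError("datagram shorter than a DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "txid": txid,
        "is_response": int(bool(flags & 0x8000)),  # QR bit
        "rcode": flags & 0x000F,                    # 0 NOERROR, 2 SERVFAIL, 3 NXDOMAIN
        "answers": an,
    }


def longest_unanswered_run(answered: List[bool]) -> int:
    """Longest streak of consecutive unanswered queries, in send order."""
    longest = current = 0
    for ok in answered:
        current = 0 if ok else current + 1
        longest = max(longest, current)
    return longest


def probe_burst(server: str, names: List[str], timeout: float = 3.0, port: int = 53) -> Dict[str, object]:
    """Send every query at once, then collect replies until the deadline."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    pending: Dict[int, int] = {}            # txid -> index in send order
    results: List[bool] = [False] * len(names)
    rcodes: Dict[str, int] = {}
    try:
        for idx, name in enumerate(names):
            txid, pkt = build_query(name)
            while txid in pending:          # avoid txid collisions within one burst
                txid, pkt = build_query(name)
            pending[txid] = idx
            sock.sendto(pkt, (server, port))
        deadline = time.monotonic() + timeout
        while pending and time.monotonic() < deadline:
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                break
            try:
                reply = parse_response(data)
            except ValueError:
                continue                    # ignore junk datagrams
            if reply["is_response"] and reply["txid"] in pending:
                idx = pending.pop(reply["txid"])
                results[idx] = True
                rcodes[names[idx]] = reply["rcode"]
    finally:
        sock.close()
    return {
        "sent": len(names),
        "answered": sum(results),
        "unanswered": len(names) - sum(results),
        "longest_unanswered_run": longest_unanswered_run(results),
        "rcodes": rcodes,
    }


if __name__ == "__main__":
    # Constructed inputs: replace the TEST-NET placeholder with the resolver
    # under test (firewall proxy, ISP, OpenDNS or Google) before running.
    resolver = "192.0.2.1"
    hosts = ["host%d.example.com" % i for i in range(100)]
    print(probe_burst(resolver, hosts))
```

Run it twice with the same resolver, once with the PC behind the FVS336Gv2 and once connected directly to the ISP's gateway; a large `unanswered` count and a long `longest_unanswered_run` only in the first case points at the firewall path rather than at the resolver, and a non-zero `rcode` (SERVFAIL, NXDOMAIN) shows the resolver did answer, just negatively, which is a different failure from the silence the poster observed.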
vulogiccl2
Initiate

Re: Continuing (worsening) problems with DNS resolution can be traced to the FVS336Gv2

Message 2 of 3
JohnC_V
NETGEAR Moderator

Re: Continuing (worsening) problems with DNS resolution can be traced to the FVS336Gv2

Hi vulogiccl2,

Welcome to our community!

I suggest you open a chat / case online with NETGEAR support and let them know the status of your firewall. We may need to isolate the issue with the latest hardware model, which is the FVS336Gv3. If the device is still under warranty, an online replacement will be provided.

Regards,

Message 3 of 3