slow internal DNS - Server 2008 R2

neathneathneath Member Posts: 438
I think we've got a DNS problem with regard to slow web browsing - all client PCs take about 20 to 25 seconds to display a web page on initial connection.

We have two Server 2008 R2 DCs which are also DNS servers.
Both servers are configured with forwarders to our ISP's DNS nameservers.

On a client PC, if I amend the DNS settings on the network card to point to the ISP's DNS servers (rather than our internal DNS) the internet browsing is almost instant, a huge improvement.

I have looked at this solution but it did not cure the problem:

Some DNS name queries are unsuccessful after you deploy a Windows Server 2003 or Windows Server 2008 R2-based DNS server

It seems to be quite a common problem experienced by many. Any tips as to how to troubleshoot this? I'm sure it's just a check-box somewhere; it's driving us mad at present.

Any replies would be appreciated, spent hours trawling the net for a solution.

P.S. One DC is on a Hyper-V server and the other is a standard server box.

Comments

  • azjag Member Posts: 579
    Are the internal clients having issues connecting to an internal server? If not, then look at how you are resolving to external DNS servers.

    Check out opendns.com and look at a few of the tools.

    Try changing the default external DNS server from the ISP to Google's
    8.8.8.8
    Using Google Public DNS

    or OpenDns
    208.67.220.220

    How large is your organization?

    Also, you can install and run spiceworks and use the dns checkup feature that comes with it. That may help you to narrow down the list of possible issues.
  • ccnxjr Member Posts: 304
    You may have tried these, but just curious
    Is it just for new sites?
    or simply anytime they try to browse the web?
    Considered setting one of those as a DNS caching server?
    Any conditional forwarding defined?
    Have you tried testing them one at a time, to see if one of them works well independently vs having them work together?
  • Asif Dasl Member Posts: 2,116
    Yeah, you wouldn't be able to make one of those a caching server because Active Directory is hosted on it, just to correct an earlier suggestion.

    If you go into the properties of the DNS server and go to the Monitoring tab, how quickly does the test respond? (Screenshot below.)

    [Screenshot: DNS server properties, Monitoring tab]
  • undomiel Member Posts: 2,818
    Are you sure that it is the DNS queries that are being slow? It may be that your browser is looking for a proxy. Go into IE's settings and uncheck Automatically detect settings. It wouldn't hurt to do some packet capturing from a client and a server as well to see if there really is some latency going on.
  • neathneathneath Member Posts: 438
    Thanks for the quick replies - quicker than our web browsing :)

    undomiel - Good point about the proxy - although web pages come up quickly if DNS on the client PC is pointing to external DNS servers.

    Asif Dasl - test on both DNS servers is instant with no errors.


    azjag - some interesting options for forwarding DNS to
    (our organisation, a school, has about 600 Pc's, 2 DC's and several other servers)
  • neathneathneath Member Posts: 438
    Asif Dasl wrote: »
    I take it that surfing the internet from the server itself is fast?

    As it's a school, we have a local authority broadband connection.
    We also have our own ADSL broadband connection.

    All internet goes via a Watchguard Firebox either to
    1) local authority broadband connection
    or
    2) our own ADSL broadband connection

    Our servers go via the Watchguard Firebox to our own ADSL broadband connection,
    so browsing is instant.

    Client PCs go via the Watchguard Firebox to our local authority broadband connection;
    browsing is slow for all first instances of web browsing, i.e. each new website is slow coming up.


    As stated before: On a client PC, if I amend the DNS settings on the network card to point to the ISP's DNS servers (rather than our internal DNS) the internet browsing is almost instant, a huge improvement.

    Very confusing :)
  • azjag Member Posts: 579
    neathneathneath wrote: »
    Thanks for the quick replies - quicker than our web browsing :)

    undomiel - Good point about the proxy - although web pages come up quickly if DNS on the client PC is pointing to external DNS servers.

    Asif Dasl - test on both DNS servers is instant with no errors.


    azjag - some interesting options for forwarding DNS to
    (our organisation, a school, has about 600 Pc's, 2 DC's and several other servers)

    Well, that changes the scope of troubleshooting a little. If you were a smaller company I would have recommended connecting directly to the router and running a test independent of your current infrastructure. This way you could rule out ISP slowness. Since you have a larger computer base that test may not be applicable.
    Do you have any throttling or QoS set up on your network that could be configured incorrectly? I worked at a library and had this happen. We intended to block MMORPGs and other bandwidth-intensive apps that were not conducive to a library environment. Does this happen on staff as well as student PCs?
  • undomiel Member Posts: 2,818
    The reason I bring up the proxy settings is that I've seen this before: 20-25 seconds for a page to load on the initial connection. We thought it was a DNS issue at first as well, but then came to find out that it was searching for a proxy after doing some Wireshark captures. Also, 20-25 seconds is longer than the default DNS query timeout period, so rather than loading the page it should be timing out and not displaying the page.
  • neathneathneath Member Posts: 438
    undomiel wrote: »
    The reason I bring up the proxy settings is that I've seen this before: 20-25 seconds for a page to load on the initial connection. We thought it was a DNS issue at first as well, but then came to find out that it was searching for a proxy after doing some Wireshark captures. Also, 20-25 seconds is longer than the default DNS query timeout period, so rather than loading the page it should be timing out and not displaying the page.

    Thanks for all the replies, Proxy settings could well be the problem. will check further next week :)
  • blargoe Member Posts: 4,174
    I had the exact same issue after upgrading my DNS to Windows 2008 R2; however, the article that you posted from the Microsoft KB was the fix for my issue... our firewall admin confirmed that DNS forward lookups were being dropped in some cases, due to the packet size being too large. The dnscmd workaround fixed the issue.

    Try a straight up nslookup and see how long it takes to return the ip address of the web server on the outside that you're trying to access. If DNS is quick, it's probably your web filtering appliance.

    I would get with your firewall admin and get them to look at the logs while you try to access sites and/or do the nslookup test for lookups that are known to be very slow or error out.
  • it_consultant Member Posts: 1,903
    Check to make sure that the watchguard has not shut off access to the internet from that server. I know it sounds a little crazy but I have had 2 watchguards block Domain Controllers from going out to the internet. You have to go into system manager and unblock them.
  • neathneathneath Member Posts: 438
    it_consultant wrote: »
    Check to make sure that the watchguard has not shut off access to the internet from that server. I know it sounds a little crazy but I have had 2 watchguards block Domain Controllers from going out to the internet. You have to go into system manager and unblock them.

    I'm not very familiar with the Watchguard box yet.

    However, the Watchguard box acts as a proxy server and internet can go via two different upstream routes: 1) our own ADSL connection 2) Local Authority Internet Connection

    On servers our internet goes via 1) and is instant in displaying a web page
    On other Pc's internet goes via 2) and takes 20-25 seconds to display a web page.

    I would think that this rules out the watchguard box?

    I have amended the GPOs that deal with IE's settings and unchecked Automatically detect settings - will test next week.
  • Forsaken_GA Member Posts: 4,024
    neathneathneath wrote: »
    On servers our internet goes via 1) and is instant in displaying a web page
    On other PCs internet goes via 2) and takes 20-25 seconds to display a web page.

    I would think that this rules out the watchguard box?

    I have amended the GPOs that deal with IE's settings and unchecked Automatically detect settings - will test next week.

    Silly question, but are your internal firewalls allowing port 53 for both UDP *and* TCP? There's a popular myth that TCP/53 is only used for zone transfers, and so some firewall admins like to block TCP/53. TCP/53 does more than zone transfers; it's needed for large queries as well.

    If it's not that, or the automatically detect proxy settings, it sounds an awful lot like the initial query isn't being answered, and the client is falling through to the secondary NS entry. That will cause some delay - if the primary sends out a query, and it never gets answered, it sits and waits, as opposed to immediately returning NXDOMAIN if it gets a negatory answer.

    If those aren't the same box, you may want to investigate whether or not the primary actually can do queries. I've learned that lesson a few hard times when primary name servers went down for maintenance and no one bothered to move its IP beforehand. All of a sudden I get flooded with 'THE NETWORK IS SLOW' calls and tickets.

    I've seen stupid stuff like the primary firewalled off by accident, so all the DNS resolution was waiting to fall through to the second. And not all apps fall through properly, and will stick to the primary for its queries for a very long time (I'm looking at you, mysql...)
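The two checks suggested above (blargoe's timed nslookup and Forsaken_GA's point about TCP/53), as an added example that is not from the thread: the script below times A lookups against each resolver over UDP and then with `nslookup -vc`, which forces TCP, so a resolver that is slow, or that answers over UDP but never over TCP, stands out in one table. It is written for PowerShell 2.0 as shipped with Server 2008 R2; the resolver addresses and host names are assumptions to be replaced with your own. The dnscmd lines at the end show and apply the EDNS workaround from the KB article the original post links to.

```powershell
# Added example, not from the thread. Time A lookups for a few external
# names against each resolver, first over UDP, then over TCP (nslookup -vc
# forces a "virtual circuit"). UDP fine but TCP failing to a forwarder means
# TCP/53 is blocked on that path, which is what breaks large answers.
# PowerShell 2.0 compatible. Resolver IPs and names below are assumptions.

$resolvers = @(
    @{ Label = 'DC1 internal'; Ip = '10.0.0.10' },      # assumed
    @{ Label = 'DC2 internal'; Ip = '10.0.0.11' },      # assumed
    @{ Label = 'ISP';          Ip = '198.51.100.53' },  # assumed
    @{ Label = 'Google';       Ip = '8.8.8.8' },
    @{ Label = 'OpenDNS';      Ip = '208.67.220.220' }
)
$names = @('www.example.com', 'www.example.org', 'www.example.net')

function Test-Lookup {
    param([string]$Name, [string]$Server, [string]$Label, [switch]$Tcp)
    $nsArgs = @('-type=A')
    if ($Tcp) { $nsArgs += '-vc' }            # -vc = use TCP instead of UDP
    $nsArgs += @($Name, $Server)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    $out = (& nslookup $nsArgs 2>&1 | Out-String)
    $sw.Stop()
    # A successful A lookup prints a "Name:" line for the target. Timeouts,
    # SERVFAIL and NXDOMAIN print "*** ..." diagnostics and no Name: line.
    $ok = ($out -match '(?m)^Name:\s')
    New-Object PSObject -Property @{
        Resolver = $Label
        Server   = $Server
        Proto    = $(if ($Tcp) { 'TCP' } else { 'UDP' })
        Name     = $Name
        Ok       = $ok
        Ms       = $sw.ElapsedMilliseconds
    }
}

$results = foreach ($r in $resolvers) {
    foreach ($n in $names) {
        Test-Lookup -Name $n -Server $r.Ip -Label $r.Label
        Test-Lookup -Name $n -Server $r.Ip -Label $r.Label -Tcp
    }
}
$results | Sort-Object Resolver, Proto, Name |
    Format-Table Resolver, Proto, Name, Ok, Ms -AutoSize

# Run on each DC. EDNS probes make the server advertise that it accepts UDP
# answers larger than 512 bytes; a firewall that drops such packets then
# stalls every forwarded lookup. The KB workaround turns the probes off.
dnscmd /Info /EnableEDnsProbes
# To apply the workaround:   dnscmd /Config /EnableEDnsProbes 0
```

Run it from a client with the internal DCs as its resolvers, then again on each DC against its forwarders. Note that nslookup first reverse-resolves the server address through the system resolver and prints "Can't find server name" if there is no PTR record; that lookup is inside the timing, so compare resolvers against each other rather than reading the absolute milliseconds. A run where UDP succeeds in a few ms but TCP fails or takes seconds to the same forwarder is the TCP/53 block; a run where the internal DCs are slow for every name while Google and OpenDNS are fast from the same client points at the forwarding path rather than the clients.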
  • neathneathneath Member Posts: 438
    undomiel wrote: »
    The reason I bring up the proxy settings is that I've seen this before: 20-25 seconds for a page to load on the initial connection. We thought it was a DNS issue at first as well, but then came to find out that it was searching for a proxy after doing some Wireshark captures. Also, 20-25 seconds is longer than the default DNS query timeout period, so rather than loading the page it should be timing out and not displaying the page.

    Thanks to all for various suggestions.

    It was IE settings in Group Policy. Unticked the automatic setting and it's working :)

    We also found a rogue WPAD record in DNS pointing to a DNS server that did not exist :)

    Many Thanks

    Neathneathneath
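What the thread's final answer means in practice, as an added example that is not from the thread: with "Automatically detect settings" on, IE (WinINET) asks DHCP for option 252, then queries DNS for wpad.<domain> and fetches http://wpad.<domain>/wpad.dat. If the A record points at a host that is down, each browser start waits out a TCP connect timeout (about 21 seconds with Windows' default SYN retries) before giving up and going direct, which matches the 20-25 seconds seen here. The script first asks the DNS server, via dnscmd, whether wpad is on its global query block list and what records exist at the wpad node, then does what a client would do. The domain name and server address are assumptions; PowerShell 2.0 compatible.

```powershell
# Added example, not from the thread. Reproduce the WPAD auto-detect chain a
# client follows, so a wpad record pointing at a dead host is visible
# without a packet capture. Domain and DC address below are assumptions.

$dnsDomain = 'school.local'   # assumed: the AD DNS domain
$dnsServer = '10.0.0.10'      # assumed: one of the DCs

# Server 2008 R2 ignores queries for names on the global query block list,
# which contains wpad and isatap by default. If clients get an answer for
# wpad, the list was changed or the record pre-dated the DNS role install.
dnscmd $dnsServer /Info /GlobalQueryBlockList
dnscmd $dnsServer /EnumRecords $dnsDomain wpad

function Test-Wpad {
    param([string]$Domain)
    $name = "wpad.$Domain"
    try {
        $addrs = @([System.Net.Dns]::GetHostAddresses($name) |
                   Where-Object { $_.AddressFamily -eq 'InterNetwork' })
    } catch {
        # NXDOMAIN: auto-detect fails fast and the browser goes direct.
        return New-Object PSObject -Property @{
            Host = $name; Address = '(no A record)'; Port80 = $false; Ms = 0; Wpad = 'n/a' }
    }
    foreach ($a in $addrs) {
        # A real client waits for the full SYN retry cycle (~21 s); cap it
        # at 5 s here, which is still long enough to expose a dead host.
        $tcp = New-Object System.Net.Sockets.TcpClient
        $sw  = [System.Diagnostics.Stopwatch]::StartNew()
        $ar  = $tcp.BeginConnect($a, 80, $null, $null)
        $up  = $ar.AsyncWaitHandle.WaitOne(5000, $false) -and $tcp.Connected
        $sw.Stop()
        $tcp.Close()
        $pac = 'not fetched'
        if ($up) {
            $wc = New-Object System.Net.WebClient
            $wc.Proxy = $null        # fetch the PAC directly, not via a proxy
            try   { $pac = '{0} bytes' -f $wc.DownloadString("http://$name/wpad.dat").Length }
            catch { $pac = 'HTTP error: ' + $_.Exception.Message }
        }
        New-Object PSObject -Property @{
            Host = $name; Address = $a.ToString(); Port80 = $up
            Ms   = $sw.ElapsedMilliseconds; Wpad = $pac }
    }
}

Test-Wpad -Domain $dnsDomain | Format-Table Host, Address, Port80, Ms, Wpad -AutoSize
```

Run it on a client with the slow symptom. A row with Port80 false and Ms near the 5000 cap is the stale record the thread found: the name resolves, nothing listens, and every browser process start pays the connect timeout. Fixing it means either removing the record (or letting the block list hide it) or turning off auto-detect through the IE Group Policy setting, as the original poster did; a client that is still slow after both changes needs the DHCP option 252 scope setting checked, since that is consulted before DNS.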