Kerio Control forum: Failed to send DNS query to server
ipsys:

Below is a copy of the output from the 'error' log. This error seems to be random and never ending, and not version dependent (we have tried 9.2.2/4 and .5). Please note that 192.168.18.2 is directly cabled to the Kerio (it's the NG500) and, consequently, is in the same subnet. The 206 is not a wonderful resolver, but it is local to us, and can provide faster DNS resolution than using Google or Level3.


[03/Apr/2018 12:05:00] (11) Failed to send DNS query to server 192.168.18.2
[03/Apr/2018 12:05:01] Last message repeated 46 times
[03/Apr/2018 12:22:08] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 12:22:10] Last message repeated 40 times
[03/Apr/2018 12:23:20] (11) Failed to send DNS query to server 206.82.130.195
[03/Apr/2018 12:23:21] Last message repeated 5 times
[03/Apr/2018 12:27:54] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 12:27:55] Last message repeated 6 times
[03/Apr/2018 12:34:47] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 12:34:49] Last message repeated 3 times
[03/Apr/2018 12:39:35] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 12:39:36] Last message repeated 6 times
[03/Apr/2018 13:21:53] (11) Failed to send DNS query to server 206.82.130.195
[03/Apr/2018 13:21:54] Last message repeated 9 times
[03/Apr/2018 13:21:55] (11) Failed to send DNS query to server 206.82.130.195
[03/Apr/2018 13:21:56] Last message repeated 13 times
[03/Apr/2018 14:25:36] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 14:25:37] Last message repeated 20 times
[03/Apr/2018 14:41:49] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 14:41:50] Last message repeated 44 times
[03/Apr/2018 14:41:54] (11) Failed to send DNS query to server 192.168.18.2
[03/Apr/2018 14:41:55] Last message repeated 21 times
[03/Apr/2018 14:58:55] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 14:58:57] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 15:00:15] (11) Failed to send DNS query to server 4.2.2.2
[03/Apr/2018 15:00:17] Last message repeated 21 times
[03/Apr/2018 15:05:47] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 15:05:48] Last message repeated 43 times
[03/Apr/2018 15:11:29] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 15:11:31] Last message repeated 4 times
[03/Apr/2018 15:11:38] (11) Failed to send DNS query to server 4.2.2.2
[03/Apr/2018 15:11:40] Last message repeated 16 times
[03/Apr/2018 15:13:10] (11) Failed to send DNS query to server 206.82.130.195
[03/Apr/2018 15:13:11] Last message repeated 43 times


Can anyone shed some light on the problem? Where should I start to look for the solution to this error? Our main DNS server, which is on the LAN, also cabled directly to the Kerio, uses the same DNS resolvers without throwing any errors (Linux/BIND). We don't use the Kerio's IPs for DNS lookups, so I am certain these errors are generated from the device itself.

Thanks in advance...
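As an added example (not code from the original thread, and not Kerio's own tooling), here is a small Python parser for the error-log format quoted in the post. It folds each 'Last message repeated N times' line into the failure that precedes it, so it gives true per-resolver failure counts and the time span of each burst instead of one event per line. The sample lines are constructed from the post's output; the thread does not say what the number in parentheses means, so the parser only captures it as `code`.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, copied from the shape of the error-log lines quoted in the post.
SAMPLE_LOG = """\
[03/Apr/2018 12:05:00] (11) Failed to send DNS query to server 192.168.18.2
[03/Apr/2018 12:05:01] Last message repeated 46 times
[03/Apr/2018 12:22:08] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 12:22:10] Last message repeated 40 times
[03/Apr/2018 12:23:20] (11) Failed to send DNS query to server 206.82.130.195
[03/Apr/2018 12:23:21] Last message repeated 5 times
[03/Apr/2018 14:58:55] (11) Failed to send DNS query to server 8.8.8.8
[03/Apr/2018 14:58:57] (11) Failed to send DNS query to server 8.8.8.8
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<msg>.*)$")
# The number in parentheses is kept as 'code'; the thread does not document its meaning.
FAIL_RE = re.compile(r"^\((?P<code>\d+)\) Failed to send DNS query to server (?P<server>\S+)$")
REPEAT_RE = re.compile(r"^Last message repeated (?P<n>\d+) times$")


def parse_ts(text):
    """Parse the '03/Apr/2018 12:05:00' timestamp format the log uses."""
    return datetime.strptime(text, "%d/%b/%Y %H:%M:%S")


def summarize(log_text):
    """Return (counts, bursts) for the failed-send messages in log_text.

    counts: Counter of failed sends per resolver address, with each
            'Last message repeated N times' line adding N to the failure
            that precedes it.
    bursts: list of (server, first_ts, last_ts, count) tuples, one per
            failure line, so a repeated failure shows as a burst with its
            time span rather than as a single event.
    """
    counts = Counter()
    bursts = []
    current = None  # mutable [server, first_ts, last_ts, count] being accumulated
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw)
        if not line:
            continue  # not a log line in the expected format
        ts = parse_ts(line.group("ts"))
        msg = line.group("msg")
        fail = FAIL_RE.match(msg)
        if fail:
            if current:
                bursts.append(tuple(current))
            current = [fail.group("server"), ts, ts, 1]
            counts[fail.group("server")] += 1
            continue
        rep = REPEAT_RE.match(msg)
        if rep and current:
            n = int(rep.group("n"))
            current[2] = ts  # the repeat summary marks the end of the burst
            current[3] += n
            counts[current[0]] += n
    if current:
        bursts.append(tuple(current))
    return counts, bursts


def report(log_text):
    """Human-readable summary: totals per resolver, then the three largest bursts."""
    counts, bursts = summarize(log_text)
    lines = ["failed sends per resolver:"]
    for server, n in counts.most_common():
        lines.append(f"  {server:<16} {n}")
    lines.append("largest bursts:")
    for server, first, last, n in sorted(bursts, key=lambda b: -b[3])[:3]:
        span = (last - first).total_seconds()
        lines.append(f"  {server:<16} {n:>3} failures in {span:.0f}s starting {first:%H:%M:%S}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Run as a script it prints the totals and the largest bursts. On the log quoted in the post the failures arrive in runs of 40+ against one resolver within a second or two, then stop for many minutes; that burst shape is the first thing to check when deciding whether a resolver is actually unreachable or whether something in the path is throttling the firewall's own queries.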
Kerio/GFI Brian:
It seems like the system is not able to query your DNS servers. Is it possible you have a traffic policy rule that is blocking (or not permitting) requests from the firewall? Normally there is a default traffic rule called "Firewall Traffic" that would allow traffic initiated by the firewall system.
In the IP Tools screen you can generate DNS queries and ping requests to other hosts. Use this tool to confirm connectivity with those name servers.
In the debug log you can right click and choose 'messages'. There are two log events for DNS messages that will provide more details regarding these failed lookups. Make sure to disable the logging after you have captured enough log data. Based on the output here I guess it should only take a few seconds to capture enough details.

Brian Carmichael
Instructional Content Architect
ipsys:

Thanks for the prompt response.

We have the default firewall rules, with two additions: I have removed the NAT from 'Internet access' and created an incoming rule from the Internet. We NAT at the WAN, and the Kerio is only routing. I did try to NAT the firewall traffic from the traffic rules, but there was no change in the output of the error log (Failed to send DNS query to server is still logged).

https://preview.ibb.co/h7HF9x/Screen_Shot_2018_04_03_at_4_25_23_pm.png

Interestingly, the DNS lookups work (nslookup and dig; below is the output of dig), however one time it's very slow.

https://image.ibb.co/d3atUx/Screen_Shot_2018_04_03_at_4_38_14_pm.png

The debug log shows queries are resolving correctly; at least this output doesn't return an error, or the page is loading too fast that I cannot read it correctly. I can save a full copy of the log if you would like (I can let it run for a while to generate more data if this isn't sufficient?).

https://preview.ibb.co/iJZgGc/Screen_Shot_2018_04_03_at_4_40_39_pm.png


https://preview.ibb.co/mKkJUx/Screen_Shot_2018_04_03_at_4_47_49_pm.png
https://preview.ibb.co/c7S42H/Screen_Shot_2018_04_03_at_4_48_36_pm.png
Kerio/GFI Brian:
If I understand, you have another NAT device in front of Kerio Control, and you are routing the connections without address translation. This can work but you would need to add routes on your WAN router to forward to the Internet interface of Kerio Control for all subnets behind it. Otherwise, enable NAT on your Internet rules.

So I believe those errors occur because Kerio Control is forwarding the DNS requests but is not receiving the replies because it is not performing address translation.

Note that based on your current traffic rules, you have an open policy. Essentially you can accomplish the same with a single rule that allows any to any, although I presume this is not your intent.

ipsys:

Our inside network is all routed to our exit points, where we apply NAT. In Kerio there are 442 active devices and you see we are pushing 150mb at the time of my last post/screenshots. So the Internet etc. is working. This is not my issue, only the DNS error. One click in xx clicks while browsing the Internet is slow and I am assuming it's due to this error (as we don't see any other major errors in the Kerio device; that being said, I didn't know about the additional logging in debug. I will start to look at these). For the multiple firewall rules, when we look at the individual device's traffic, the rules help indicate the flow of the traffic, and where a potential problem may be.

With or without NAT on the Kerio itself, the DNS lookup should still work? I.e. the IP address on the 'WAN' of Kerio is in the same subnet as the NAT device, and the NAT device acts as a DNS server; also the cable is directly connected between these two devices (192.168.18.1 is Kerio, 192.168.18.2 is where NAT is applied). In this situation, I wouldn't expect to see "Failed to send DNS query to server"?? Also, as per my screenshot (I did only post one, but verified them all with various domain names), the DNS lookup to all DNS server entries is succeeding from the IP Tools with nslookup and dig, however one time in xx clicks it's very slow. If I set my computer (behind Kerio) to use 192.168.18.2, I have no issues resolving DNS.

I have tested NATting at the rule for the firewall, as I'm assuming this error is from the firewall itself (maybe its origin is the localhost?)?? From the debug log, my assumptions may be incorrect? I don't know what the error means or indicates as there is a lack of detail as to what failed or why it failed, only that it failed, and 'failed to send' generally relates to connectivity? However, the Internet etc. is working as expected.
Kerio/GFI Brian:
So 192.168.18.2 is the Internet gateway and DNS resolver, correct? I didn't see any queries to this host in your first post. Try to update the DHCP settings to assign this host exclusively as the DNS resolver for your local networks. I think this would also help to debug the issues with the DNS queries. Note that Kerio Control is simply routing the DNS queries, so the logging in this case is going to be fairly limited. If the devices are directing queries to Kerio Control's DNS forwarder then we can get more detailed logging in the DNS messages event under Kerio Control services in the debug log.
Would you be able to share a screenshot of your routing table and interfaces? When you look in the Active Hosts, if you are seeing both send and receive data for each host, then your routing should be ok. As you noted, the traffic charts are showing send and receive data so most likely the routing is working.
Regarding the CPU usage, one possibility is to disable some of the logs. Particularly I suggest to disable the HTTP log. It's quite verbose and the web log captures the same type of information but in a more human readable format.
Please confirm also whether you are using VPN (either Kerio VPN or IPsec).

ipsys:

Please see the file for more detail on the debug log with DNS errors enabled. I do see more detail, and a lot of 'attempts', but no real 'failure to send'. What does this error 'failed to send' specifically indicate? What failed to send? The Kerio? A client inside the network? Is there any way to increase the detail of this specific error so I can better diagnose the problem to resolve it?

https://ufile.io/92r0b

The routing table and interfaces. Please note we do not use DHCP.

https://preview.ibb.co/ckwTgc/Screen_Shot_2018_04_04_at_2_03_01_pm.png
https://preview.ibb.co/cW5RZx/Screen_Shot_2018_04_04_at_2_03_08_pm.png

I'm not sure this is the issue here as the Kerio is directly cabled to its next hops (on both sides of the device) and consequently it's direct host-to-host communication. We have never promoted the use of 192.168.18.2 to users inside the network, so the only devices using this IP for DNS resolution will be the Kerio and the router on the LAN.

I have disabled the HTTP log with no real change to CPU consumption. CPU use seems directly related to the 'inspector' setting. As per my screenshot above, inspector is set to none for mostly everything except Internet HTTP (part of the reason for the multiple rules; limiting inspector to HTTP only for HTTP only seems to reduce CPU consumption). Web browsing seems directly related to CPU consumption. High CPU = slow web browsing :(

Kerio/GFI Brian:

It seems that the firewall is generating a large volume of reverse lookups, which is caused by the high volume of HTTP traffic. Since Kerio Control is behind another NAT device, this volume of queries may be causing issues where the Kerio Control host is exhausting its connection limit set by the NAT gateway at 192.168.18.2 (most NAT devices have this type of protection to prevent denial of service caused by a single host).

So my suggestion is to disable reverse lookups by the firewall to reduce the amount of connections originating from that system. This topic describes how to modify settings that are not in the UI: https://manuals.gfi.com/en/kerio/control/content/server-configuration-kerio-control/modifying-parameters-in-kerio-control-configuration-1745.html
The specific command would be "update Misc set ReverseDNSLookupType=0".

ipsys:

I have disabled reverse DNS lookups and the error appears to have stopped.

Please note: the NAT device's connection limitation is 1,000,000 concurrent connections. We currently hit 200,000+ concurrent connections during peak periods as seen by the router on the LAN of the Kerio.

https://image.ibb.co/fV2JxH/Screen_Shot_2018_04_04_at_5_14_20_pm.png
Kerio/GFI Brian:
So this resolves the error message. The next question is whether this improves the latency of page loads. I imagine it should because the web categorization relies on DNS.

ipsys:

I haven't noticed any real difference/change, but I did hope to.

Behind Kerio, a website like ping.eu takes 15 seconds to load, whereas when we are not behind Kerio it takes 4 seconds (as timed from the web browser).

After letting this run overnight, the DNS error has stopped, so I can confirm that disabling reverse DNS lookups solves the issue.

As you can see, the CPU use is quite high. Maybe I should open another thread about this?

https://image.ibb.co/kKMN9x/Screen_Shot_2018_04_05_at_1_56_21_pm.png
Kerio/GFI Brian:

Yes, I think opening a new thread would be best. As a preemptive measure, I suggest connecting via SSH, running the 'top' command and sending the output with your new post.