We are a group of volunteers for a non profit WISP in the Yorkshire Dales. We have intermittently but serious spasms of various clients' DNS requests blocked. Note we have only one Internet IP, the 50+ clients are all on fixed IPs served by various APs. To effect a cure, usually only temporarily, we allocate the offending device with a different IP address. This may work for two hours or two months before the problem reappears. What I/we need to do is track down where the DNS request is being blocked. Using Tracert with Wireshark doesn't seem to work, i.e. the request path doesn't appear. Can you help? asked 01 Aug '16, 07:16  fopetesl |
One Answer:
Where is the DNS server located that the clients send their requests to? Is it an internal server, or an external one? You should try to capture the packets at the server (if internal) or on the ISP uplink (if external) to check request/reply functionality. The idea is to find out what happens if the requests are not answered anymore. Also, check if there's a firewall that has a rate limit for connections - those settings are often too strict and start blocking too soon. answered 04 Aug '16, 02:39  Jasper ♦♦ |
We've tried different DNS (external) servers, Google, ISP and couple of other public servers. I like the idea of capturing packets at the VDSL modem if that's what you are suggesting. No idea how I might do that though. The Draytek modem doesn't seem to have that facility built in unfortunately. Note though, that in April 15 client's were affected but 35 clients weren't. All the clients have internal 192.168.32.xxx addresses which feed though one public Internet IP address. No incidents occurred until last weekend when eight of the original clients with DNS failures were re-affected plus three new ones. One of these new ones is a domestic router on fixed address because of a bridge route, so the problem is not down to the Ubiquti 5GHz links. There is a rate limit but not for connections I could find. The rate limit caps link speed if number of connections/sessions exceeds a preset number.
There is a moment which makes me cautious: you wrote you could not see the icmp requests sent by
traceroutewhich implies that the responses do come and that you can capture them. So I wonder what is your capture setup.Also, when you say that all your clients live in the same private subnet and you "have just one Internet IP", I deduce that there is a device which performs NAT. So from the internet facing interface of this device, there is no difference between the IP and UDP portions of the requests originally sent by different clients. Is your single public IP address assigned to the VDSL modem or the modem is a bridge and some routing (and NATing) device is located between the clients and the modem? A sketch of the complete network topology added to the original Question (not to any Comment) would be helpful.