topic There really aren't many in Network Security

DNS server lookups and sh conn in ASA

mahesh18 — Tue, 12 Mar 2019 04:02:11 GMT

Hi Everyone,

We have Internal DNS server that goes to ISP via our Internet ASA for DNS lookups.

Recently physical connection between our Internal DNS server and Internet ASA broke due to bad cabling.

When users try to open website they get message page can not be displayed.

When I did sh conn on internet ASA it was showing number of connections that were established earlier.

I need to know if this happens again what troubleshooting command I should run in ASA to figure out DNS lookup is not working?

If I run sh conn should I look for some flag that tells me issue is with DNS?

Regards

MAhesh

There really aren't many

Marius Gunnerud — Sat, 05 Apr 2014 16:05:46 GMT

There really aren't many commands on the ASA to 100% confirm it is a DNS problem. However there are a few things you can check...among them the show conn protocol udp port 53 command. A quick way to define if it is DNS or not is to ping the DNS server private IP from the ASA.

You can also from a host machine ping an global DNS server on the internet such as 4.2.2.2 or 8.8.8.8. If you are able to ping that but are unable to browse to the internet using a URL then it is most likely a DNS resolution issue.

Please remember to rate and select a correct answer

Also, if you manually set a

Marius Gunnerud — Sat, 05 Apr 2014 16:09:27 GMT

Also, if you manually set a DNS server on the host machine to a public DNS and are able to browse to the internet then...but you are unable to do so using your local DNS server, then you have also identified it as a local DNS problem.

Please remember to rate and select a correct answer

During outage when i did

mahesh18 — Sat, 05 Apr 2014 16:27:56 GMT

During outage when i did nslookup to google.com

it was showing as request time out.

Also when now all is working fine i ran the command
show conn protocol udp port 53

it shows 152 in use.

So when DNS is not working what should above command show 0 in use?

Also traffic flow for DNS server is

Server ----Sw1---------sw2(server default gateway)--------------Sw1--------ASA.

Sp ping to server should be ok during the outage.

As ping is not allowed from the internal Network.

What i did during outage was to ping 4.2.2.2 from edge router and that ping worked fine.

Regards

MAhesh

There is an issue with using

Marius Gunnerud — Sat, 05 Apr 2014 17:13:02 GMT

There is an issue with using the show conn for troubleshooting DNS issues which i forgot to mention, and that is its default timeout of 1 hour. So eventually the connections will timeout and the output of the show conn protocol udp port 53 will be 0. You can also check to see if the number is gradually decreasing and not increasing. But this way can take a bit of time.

So if ping to the internet works but URLs are not accessible that is a clear indication that there is some kind of issue with DNS. Especially if you statically set the DNS on the client and are then able to reach the URL you try to browse to then you know 100% it is your DNS server.

Please remember to rate and select a correct answer

Many thanks for explaining

mahesh18 — Sat, 05 Apr 2014 20:16:30 GMT

Many thanks for explaining it in so detail.

Best reagrds

MAhesh