Slow DNS resolution Cisco 857

sirec2005
Level 1

Installed a new router. Resolving a web site takes ~10 seconds. We are running a domain. The local DNS is on 192.168.6.2. Once the DNS is resolved, browsing the website is fast. But after a few minutes it gets slow again.

Any help would be appreciated!

Running ping from Local PC

Pinging google.com [209.85.229.104] with 32 bytes of data:

Request timed out.

Reply from 209.85.229.104: bytes=32 time=290ms TTL=54

Reply from 209.85.229.104: bytes=32 time=226ms TTL=54

Reply from 209.85.229.104: bytes=32 time=329ms TTL=54

Ping statistics for 209.85.229.104:

    Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),

Approximate round trip times in milli-seconds:

    Minimum = 226ms, Maximum = 329ms, Average = 281ms

Running ping from router

Translating "google.com"...domain server (195.8.69.7) [OK]

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 209.85.229.104, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 348/373/397 ms

----Cisco Config-----

Using 4191 out of 131072 bytes

!

! Last configuration change at 08:47:29 PCTime Fri May 13 2011 by admin

! NVRAM config last updated at 08:47:30 PCTime Fri May 13 2011 by admin

!

interface ATM0

no ip address

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0.1 point-to-point

description $ES_WAN$

no ip redirects

no ip unreachables

no ip proxy-arp

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$

ip address 192.168.6.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface Dialer0

ip address negotiated

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap callin

ppp chap hostname *****************

ppp chap password 0 *******

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0

ip flow-export destination 192.168.6.2 2055

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source static tcp 192.168.6.2 25 interface Dialer0 25

ip nat inside source static tcp 192.168.6.2 80 interface Dialer0 80

ip nat inside source static tcp 192.168.6.2 443 interface Dialer0 443

ip nat inside source static tcp 192.168.6.2 3101 interface Dialer0 3101

ip nat inside source static tcp 192.168.6.2 5666 interface Dialer0 5666

ip nat inside source static tcp 192.168.6.2 110 interface Dialer0 110

ip nat inside source static tcp 192.168.6.2 143 interface Dialer0 143

ip nat inside source static tcp 192.168.6.2 21 interface Dialer0 21

ip nat inside source static tcp 192.168.6.2 3389 interface Dialer0 3389

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.6.0 0.0.0.255

dialer-list 1 protocol ip permit

no cdp run

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you

want to use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

login local

no modem enable

line aux 0

line vty 0 4

privilege level 15

login local

transport input telnet ssh

!

scheduler max-task-time 5000

end

5 Replies

Calin C.
Level 5

I don't see port 53 UDP and TCP (if you use zone transfer in DNS) being forwarded to your DNS server in the NAT table. Try forwarding those ports and let us know if it's working better.

Cheers,

Calin
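The check described in the reply above (whether port 53 appears among the static NAT forwards), as an added example that is not part of the original thread. It parses the `ip nat inside source static` lines copied from the first posted configuration; the function names `static_forwards` and `missing_forwards` are illustrative, and the same listing doubles as an inventory of the services the router exposes on Dialer0.

```python
import re

# NAT lines copied from the first configuration posted in this thread.
CONFIG = """\
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.6.2 25 interface Dialer0 25
ip nat inside source static tcp 192.168.6.2 80 interface Dialer0 80
ip nat inside source static tcp 192.168.6.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.6.2 3101 interface Dialer0 3101
ip nat inside source static tcp 192.168.6.2 5666 interface Dialer0 5666
ip nat inside source static tcp 192.168.6.2 110 interface Dialer0 110
ip nat inside source static tcp 192.168.6.2 143 interface Dialer0 143
ip nat inside source static tcp 192.168.6.2 21 interface Dialer0 21
ip nat inside source static tcp 192.168.6.2 3389 interface Dialer0 3389
"""

# Matches only per-port static forwards bound to an interface, the form used above.
STATIC_NAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$"
)


def static_forwards(config_text):
    """Return (proto, inside_host, inside_port, outside_if, outside_port) tuples."""
    forwards = []
    for line in config_text.splitlines():
        m = STATIC_NAT.match(line.strip())
        if m:
            proto, host, in_port, iface, out_port = m.groups()
            forwards.append((proto, host, int(in_port), iface, int(out_port)))
    return forwards


def missing_forwards(config_text, host, wanted):
    """Return the (proto, port) pairs in `wanted` with no static forward to `host`."""
    present = {(p, port) for p, h, port, _, _ in static_forwards(config_text) if h == host}
    return [pair for pair in wanted if pair not in present]


if __name__ == "__main__":
    for fwd in static_forwards(CONFIG):
        print("%s %s:%d <- %s:%d" % fwd)
    print("missing:", missing_forwards(CONFIG, "192.168.6.2", [("udp", 53), ("tcp", 53)]))
```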

Thanks for the reply!

This did not resolve the problem. Any ideas?

GBixaconill
Level 1

Hello!

I have the same problem and cannot find the solution anywhere.

This is my conf.

Current configuration : 12151 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname XXX

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

aaa session-id common

clock timezone Paris 1

clock summer-time Paris date Mar 30 2003 2:00 Oct 26 2003 3:00

!

crypto pki trustpoint TP-self-signed-362216192

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-362216192

revocation-check none

rsakeypair TP-self-signed-362216192

!

!

crypto pki certificate chain TP-self-signed-362216192

certificate self-signed 01

        quit

dot11 syslog

no ip subnet-zero

!

!

ip cef

ip inspect log drop-pkt

ip inspect name CCP_MEDIUM appfw CCP_MEDIUM

ip inspect name CCP_MEDIUM cuseeme

ip inspect name CCP_MEDIUM dns

ip inspect name CCP_MEDIUM ftp

ip inspect name CCP_MEDIUM h323

ip inspect name CCP_MEDIUM sip

ip inspect name CCP_MEDIUM https

ip inspect name CCP_MEDIUM icmp

ip inspect name CCP_MEDIUM imap reset

ip inspect name CCP_MEDIUM pop3 reset

ip inspect name CCP_MEDIUM rcmd

ip inspect name CCP_MEDIUM realaudio

ip inspect name CCP_MEDIUM rtsp

ip inspect name CCP_MEDIUM esmtp

ip inspect name CCP_MEDIUM sqlnet

ip inspect name CCP_MEDIUM streamworks

ip inspect name CCP_MEDIUM tftp

ip inspect name CCP_MEDIUM tcp

ip inspect name CCP_MEDIUM udp

ip inspect name CCP_MEDIUM vdolive

ip domain name xxx.int

ip name-server 80.58.61.254

ip name-server 80.58.61.250

!

appfw policy-name CCP_MEDIUM

  application im aol

    service default action allow alarm

    service text-chat action allow alarm

    server permit name login.oscar.aol.com

    server permit name toc.oscar.aol.com

    server permit name oam-d09a.blue.aol.com

  application im msn

    service default action allow alarm

    service text-chat action allow alarm

    server permit name messenger.hotmail.com

    server permit name gateway.messenger.hotmail.com

    server permit name webmessenger.msn.com

  application im yahoo

    service default action allow alarm

    service text-chat action allow alarm

    server permit name scs.msg.yahoo.com

    server permit name scsa.msg.yahoo.com

    server permit name scsb.msg.yahoo.com

    server permit name scsc.msg.yahoo.com

    server permit name scsd.msg.yahoo.com

    server permit name cs16.msg.dcn.yahoo.com

    server permit name cs19.msg.dcn.yahoo.com

    server permit name cs42.msg.dcn.yahoo.com

    server permit name cs53.msg.dcn.yahoo.com

    server permit name cs54.msg.dcn.yahoo.com

    server permit name ads1.vip.scd.yahoo.com

    server permit name radio1.launch.vip.dal.yahoo.com

    server permit name in1.msg.vip.re2.yahoo.com

    server permit name data1.my.vip.sc5.yahoo.com

    server permit name address1.pim.vip.mud.yahoo.com

    server permit name edit.messenger.yahoo.com

    server permit name messenger.yahoo.com

    server permit name http.pager.yahoo.com

    server permit name privacy.yahoo.com

    server permit name csa.yahoo.com

    server permit name csb.yahoo.com

    server permit name csc.yahoo.com

!

!

!

username xxx privilege 15 secret 5 xxxxxx

username yyyy secret 5 xxxxxx

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key ellingvpn address x.x.x.x

!

crypto isakmp client configuration group xxxx

key xxxxx

dns 192.168.1.50 80.58.61.250

domain xxxxxx.int

pool SDM_POOL_1

acl 104

max-users 5

netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-1

   match identity group xxxxx

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA3

set isakmp-profile ciscocp-ike-profile-1

!

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel tox.x.x.x

set peer x.x.x.x

set transform-set ESP-3DES-SHA2

match address 103

!

archive

log config

  hidekeys

!

!

!

!

!

interface ATM0

no ip address

no atm ilmi-keepalive

dsl operating-mode itu-dmt

!

interface ATM0.2 point-to-point

no ip proxy-arp

ip nat outside

ip virtual-reassembly

pvc 8/32

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Virtual-Template1 type tunnel

description $FW_INSIDE$

ip unnumbered Dialer1

ip access-group 105 in

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

ip access-group 106 in

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface Dialer1

description $FW_OUTSIDE$

ip address negotiated

ip access-group 107 in

ip mtu 1452

ip inspect CCP_MEDIUM out

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap pap callin

ppp chap hostname xxxx@xxxxxx

ppp chap password 0 xxxxx

ppp pap sent-username xxxxx@txxxxx password 0 xxxxx

crypto map SDM_CMAP_1

!

ip local pool SDM_POOL_1 172.26.0.1 172.26.0.10

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1 permanent

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip dns server

ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload

!

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 remark CCP_ACL Category=2

access-list 101 remark IPSec Rule

access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 remark CCP_ACL Category=4

access-list 102 remark IPSec Rule

access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 103 remark CCP_ACL Category=4

access-list 103 remark IPSec Rule

access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 104 remark CCP_ACL Category=4

access-list 104 permit ip 192.168.1.0 0.0.0.255 any

access-list 105 remark auto generated by CCP firewall configuration

access-list 105 remark CCP_ACL Category=1

access-list 105 deny   ip 192.168.1.0 0.0.0.255 any

access-list 105 deny   ip host 255.255.255.255 any

access-list 105 deny   ip 127.0.0.0 0.255.255.255 any

access-list 105 permit ip any any

access-list 106 remark auto generated by CCP firewall configuration

access-list 106 remark CCP_ACL Category=1

access-list 106 deny   ip host 255.255.255.255 any

access-list 106 deny   ip 127.0.0.0 0.255.255.255 any

access-list 106 permit ip any any

access-list 107 remark auto generated by CCP firewall configuration

access-list 107 remark CCP_ACL Category=1

access-list 107 permit udp host 80.58.61.254 eq domain any

access-list 107 permit udp host 80.58.61.250 eq domain any

access-list 107 permit udp any any eq non500-isakmp

access-list 107 permit udp any any eq isakmp

access-list 107 permit esp any any

access-list 107 permit ahp any any

access-list 107 permit ahp host 88.12.52.105 any

access-list 107 permit esp host 88.12.52.105 any

access-list 107 permit udp host 88.12.52.105 any eq isakmp

access-list 107 permit udp host 88.12.52.105 any eq non500-isakmp

access-list 107 remark IPSec Rule

access-list 107 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 107 deny   ip 192.168.1.0 0.0.0.255 any

access-list 107 permit icmp any any echo-reply

access-list 107 permit icmp any any time-exceeded

access-list 107 permit icmp any any unreachable

access-list 107 deny   ip 10.0.0.0 0.255.255.255 any

access-list 107 deny   ip 172.16.0.0 0.15.255.255 any

access-list 107 deny   ip 192.168.0.0 0.0.255.255 any

access-list 107 deny   ip 127.0.0.0 0.255.255.255 any

access-list 107 deny   ip host 255.255.255.255 any

access-list 107 deny   ip host 0.0.0.0 any

access-list 107 deny   ip any any log

dialer-list 1 protocol ip permit

no cdp run

route-map SDM_RMAP_1 permit 1

match ip address 101

!

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

-----------------------------------------------------------------------

^C

banner login ^C

-----------------------------------------------------------------------

^C

!

line con 0

no modem enable

line aux 0

line vty 0 4

access-class 23 in

transport input telnet ssh

!

scheduler max-task-time 5000

end

Thanks!

raddie6989
Level 1

I had a similar problem. Removed ip cef and my resolutions are fast.

I had the same problem too, but on a Cisco 1905 router with IOS version 15.2(1)T.

When I disable ip cef, my DNS responds.

Very strange, and it's not a good idea to disable it.
