Serious DNS issues on an RV325

vulogiccl1
Level 1

RV325 Gigabit Dual WAN VPN Router
Firmware Version: v1.5.1.05 (2019-10-01, 15:39:40)

Ever since I installed this RV325 on our LAN about a month ago, I've been having serious, seemingly random, and so far unsolvable DNS problems.

The RV325 is the gateway device on this LAN. It is connected via WAN1 to an AT&T Netgear ADSL modem that provides the Internet connectivity. (Currently we are not using the WAN2 connection; I'm having enough problems with WAN1 as it is.)

The LAN address of the RV325 is 192.168.214.253; its WAN1 IP address is 192.168.215.253. The Netgear modem's LAN IP address is 192.168.215.1, and it manages a static Internet IP address.

The RV325 is set up with its DHCP server active on the 192.168.214.0 subnet and proxied DNS; it's using OpenDNS's servers at 208.67.222.222 and 208.67.220.220 as its forwarding servers.

What's happening is that, seemingly at random and for no reason that I can figure out, DNS resolution on this LAN stops for some random amount of time. DNS resolution works fine for a while, then suddenly stops working, then usually picks back up on its own (although on some occasions I've had to restart the two devices). I've run DNSQuerySniffer on one of the affected PCs, and I can see where suddenly all DNS queries from the PC (in this case 192.168.214.164) to the RV325 at 192.168.214.253 are met with no response. This can happen for as much as a minute or more, with DNS requests stacking up with no reply, before suddenly the problem seems to resolve itself.

I haven't been able to figure out how to get the RV325 to present me with logging information that would help me figure this out. But the Netgear modem has no trouble presenting me with scads of information that I can nonetheless not understand. When this DNS stoppage happens, if I check the Netgear's logs I see stacks of entries like the following:

2020/06/16 22:50:41 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.222.222 DST=192.168.215.253 LEN=107 TOS=0x00 PREC=0x00 TTL=55 ID=57824 DF PROTO=UDP SPT=53 DPT=8447 LEN=87 
2020/06/16 22:50:40 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.222.222 DST=192.168.215.253 LEN=108 TOS=0x00 PREC=0x00 TTL=55 ID=38400 DF PROTO=UDP SPT=53 DPT=52070 LEN=88 
2020/06/16 22:50:39 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.222.222 DST=192.168.215.253 LEN=184 TOS=0x00 PREC=0x00 TTL=55 ID=37976 DF PROTO=UDP SPT=53 DPT=27228 LEN=164 
2020/06/16 22:50:38 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.220.220 DST=192.168.215.253 LEN=110 TOS=0x00 PREC=0x00 TTL=55 ID=958 DF PROTO=UDP SPT=53 DPT=33561 LEN=90 
2020/06/16 22:50:37 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.222.222 DST=192.168.215.253 LEN=107 TOS=0x00 PREC=0x00 TTL=55 ID=57523 DF PROTO=UDP SPT=53 DPT=8447 LEN=87 
2020/06/16 22:50:36 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.220.220 DST=192.168.215.253 LEN=110 TOS=0x00 PREC=0x00 TTL=55 ID=709 DF PROTO=UDP SPT=53 DPT=33561 LEN=90 
2020/06/16 22:50:35 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.220.220 DST=192.168.215.253 LEN=110 TOS=0x00 PREC=0x00 TTL=55 ID=473 DF PROTO=UDP SPT=53 DPT=33561 LEN=90 
2020/06/16 22:50:34 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.220.220 DST=192.168.215.253 LEN=110 TOS=0x00 PREC=0x00 TTL=55 ID=318 DF PROTO=UDP SPT=53 DPT=33561 LEN=90 

I'm not sure what a "PortScanLo" entry is supposed to indicate on this Netgear modem, and I have been unable to find any information about this online. I'm also a bit confused about exactly what constitutes inbound traffic and what constitutes outbound traffic in this log, based on other entries I've found there. But the entries above clearly show something (not good?) happening with DNS communications (SPT=53) occurring between the RV325 (IP=192.168.215.253) and the OpenDNS servers (208.67.22x.22x).

Other Netgear log entries also seem to show outbound DNS-related traffic from the RV325 to OpenDNS being blocked:

2020/06/16 22:37:30 EDT WRN | kernel          | ICMP:logOutboundBlocked:IN=br0 OUT=ppp0 PHYSIN=eth0 src=192.168.215.253 DST=208.67.220.220 LEN=212 TOS=0x00 PREC=0xC0 TTL=63 ID=3679 PROTO=ICMP TYPE=3 CODE=3 [src=208.67.220.220 DST=192.168.215.253 LEN=184 TOS=0x00 PREC=0x00 TTL=55 ID=25072 DF PROTO=UDP SPT=53 DPT=16245 LEN=164 ] 

I've been all over that modem configuration, and I can't find anywhere that allows me to block outbound ICMP requests to the Internet. Inbound, yes. Outbound, no.

I've also set up a dizzying array of firewall rules to unconditionally allow all incoming and outgoing TCP and UDP port 53 traffic between the RV325 and the OpenDNS servers. They have had no effect.

The RV325 replaced a Netgear ProSafe FVS336G firewall that was performing the same services and was configured almost exactly the same way (with the exception that it was the .254 device instead of the .253 device). We never had these repeated, widespread DNS outages with the Netgear firewall.

Can anyone help me get to the bottom of this?

Thanks,
CL
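The two log shapes quoted in the post can be told apart mechanically. What follows is an added example, not code from the post or from Cisco or Netgear: a small Python parser over constructed lines in the same format, which separates resolver replies the modem tagged as PortScanLo from ICMP type 3 code 3 (destination port unreachable) messages, which a host sends when nothing is listening on the UDP port a DNS reply was addressed to. The Event class and field names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample lines, in the same format as the modem log quoted above
# (OpenDNS addresses from the post; 203.0.113.9 is a documentation address).
SAMPLE_LOG = """\
2020/06/16 22:50:41 EDT WRN | kernel | PortScanLo:IN=ppp0 OUT=br0 src=208.67.222.222 DST=192.168.215.253 LEN=107 TOS=0x00 PREC=0x00 TTL=55 ID=57824 DF PROTO=UDP SPT=53 DPT=8447 LEN=87
2020/06/16 22:37:30 EDT WRN | kernel | ICMP:logOutboundBlocked:IN=br0 OUT=ppp0 PHYSIN=eth0 src=192.168.215.253 DST=208.67.220.220 LEN=212 TOS=0x00 PREC=0xC0 TTL=63 ID=3679 PROTO=ICMP TYPE=3 CODE=3 [src=208.67.220.220 DST=192.168.215.253 LEN=184 TOS=0x00 PREC=0x00 TTL=55 ID=25072 DF PROTO=UDP SPT=53 DPT=16245 LEN=164 ]
2020/06/16 22:51:02 EDT WRN | kernel | PortScanLo:IN=ppp0 OUT=br0 src=203.0.113.9 DST=192.168.215.253 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=443 DPT=51000
"""


def kv(text):
    """Turn 'src=1.2.3.4 DST=5.6.7.8 ...' into a dict with lowercase keys.
    Bare flags such as DF carry no '=' and are dropped."""
    return {k.lower(): v for k, v in re.findall(r"(\w+)=(\S+)", text)}


@dataclass
class Event:
    ts: str
    kind: str       # "dns_reply_flagged" or "dns_reply_refused"
    resolver: str   # upstream DNS server address
    router: str     # WAN address the reply was addressed to
    port: int       # ephemeral UDP port on the router the reply targeted


def parse_line(line):
    """Classify one modem log line; returns an Event or None."""
    parts = line.split(" | ")
    if len(parts) != 3:
        return None
    ts = " ".join(parts[0].split()[:2])          # "2020/06/16 22:50:41"
    tag, _, rest = parts[2].partition(":IN=")     # tag may itself contain ':'
    outer, _, inner = ("IN=" + rest).partition("[")  # inner = quoted original packet
    o, i = kv(outer), kv(inner)
    if tag == "PortScanLo" and o.get("proto") == "UDP" and o.get("spt") == "53":
        # A resolver reply to the router's ephemeral port, flagged as a "scan".
        return Event(ts, "dns_reply_flagged", o["src"], o["dst"], int(o["dpt"]))
    if tag.startswith("ICMP:logOutboundBlocked") and o.get("type") == "3" \
            and o.get("code") == "3" and i.get("proto") == "UDP" and i.get("spt") == "53":
        # Router answered a DNS reply with port unreachable: no listener on that port.
        return Event(ts, "dns_reply_refused", i["src"], i["dst"], int(i["dpt"]))
    return None


def analyze(log):
    """Return (all DNS-related events, the subset where the router refused a reply)."""
    events = [e for e in map(parse_line, log.splitlines()) if e]
    return events, [e for e in events if e.kind == "dns_reply_refused"]
```

A run of "dns_reply_refused" events during an outage is worth lining up against the router's own state at that moment, since it shows replies arriving for ports the router had already given up on.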
