12-13-2014 06:43 AM
I have been seeing an increased number of critical alerts on my Ironport indicating that it has reached the maximum number of failures querying the DNS server.
Has anyone seen these alerts before and/or know what causes them? I have not been able to find any information on the alert.
Thanks
12-29-2014 12:23 AM
We are seeing this alert as well, but we haven't had any complaints from the users.
I had a TAC case in July this year due to "Application Fault Errors", and my TAC engineer told me I was experiencing bug CSCzv44813. The solution was to change to Google DNS and reboot the appliance.
Now we are getting the "Reached maximum failures querying DNS server" messages from time to time.
Are you also using Google DNS (8.8.8.8 and 8.8.4.4) by any chance?
12-29-2014 06:25 AM
Thanks for the reply Erik. No we don't use Google DNS on the Ironport, we use our internal DNS servers.
It happens randomly, and I had seen the error a few times before, but it just seemed as if we were starting to see it more often. The TAC engineer I worked with did some testing from our appliance and found no issues querying our DNS servers during her testing. She cleared the cache on the appliance and we haven't seen the error since (11 days ago).
02-01-2016 02:06 AM
Hi!
Any news about this issue?
Regards.
Cleber
02-01-2016 03:13 PM
With regards to that DNS error, it is actually a new DNS feature introduced in version 8.x to implement one feature request, "CSCzv40742: Feature Request: WSA should remember dead DNS servers". Prior to version 8.x, when an IronPort appliance is configured with two DNS servers, queries go to the primary DNS server first. If the query fails, for example because the primary DNS server is offline, the query goes to the secondary DNS server.
However, all subsequent queries follow the same order, first DNS server and then second one, even if the primary is offline. Intelligence is needed to ensure the query goes to the secondary DNS server immediately in such an event.
The proposed feature is to add such intelligence to the DNS querying mechanism. For example:
- allow the user to configure thresholds related to failure detection: "Enter the number of failed attempts before considering a local DNS server offline." in CLI.
- restore the original order when the offline server is back online: "Enter the interval in seconds for polling an offline local DNS server." in CLI.
Currently the additional configuration options related to failure thresholds will only be provided via CLI.
In summary, WSA will only query the DNS servers with secondary priority while it has failed with the primary DNS server, for example for non-existing domains. Therefore you will only receive such notification for the DNS servers with secondary priority.
In order to confirm this, you could enable WSA proxy logs with trace logging level from WSA GUI > System Administration > Log Subscription > proxy logs. As this logging level will generate quite a lot of information, please restore it back to the default "Information" level after you receive the first new email alert for that DNS issue.
Hope it helps.
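The failover behaviour described in the answer above (a failure threshold that marks a DNS server offline, a poll interval after which it is retried, and the original priority order restored once it answers) is modelled here as an added example; it is not Cisco's code, and the threshold of 3, the 60-second interval, the server addresses, the probe name and the answers are all constructed values.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class DnsServer:
    address: str
    priority: int                                 # 1 = primary, 2 = secondary, ...
    failures: int = 0                             # consecutive failed queries
    offline_checked_at: Optional[float] = None    # None = online; else time of last probe

class DeadServerAwareResolver:
    # Assumed model of the 8.x behaviour: skip servers marked offline, poll them on an
    # interval, and fall back to the original priority order once they answer again.
    def __init__(self, servers, failure_threshold=3, poll_interval=60.0):
        self.servers = sorted(servers, key=lambda s: s.priority)
        self.failure_threshold = failure_threshold    # "number of failed attempts" CLI setting
        self.poll_interval = poll_interval            # "interval in seconds for polling" CLI setting
        self.alerts = []                              # text modelled on the alert in this thread

    def resolve(self, name, query, now):
        self._poll_offline(query, now)
        for server in (s for s in self.servers if s.offline_checked_at is None):
            answer = query(server.address, name)      # query(server, name) -> answer or None
            if answer is not None:
                server.failures = 0
                return answer
            server.failures += 1
            if server.failures >= self.failure_threshold:
                server.offline_checked_at = now
                self.alerts.append(f"Reached maximum failures querying DNS server {server.address}")
        return None

    def _poll_offline(self, query, now):
        for s in self.servers:   # offline servers are only retried once the poll interval elapsed
            if s.offline_checked_at is not None and now - s.offline_checked_at >= self.poll_interval:
                s.offline_checked_at = now
                if query(s.address, "probe.example.com") is not None:   # constructed probe name
                    s.offline_checked_at, s.failures = None, 0

def run_scenario(threshold=3, poll_interval=60.0):
    """Constructed scenario: primary 10.0.0.1 is down, secondary 10.0.0.2 answers; the primary
    comes back before the first poll. Returns (servers contacted per query, alerts raised)."""
    state = {"primary_up": False}
    tried, per_query = [], []
    def query(server, name):
        tried.append(server)
        return "192.0.2.10" if server != "10.0.0.1" or state["primary_up"] else None
    resolver = DeadServerAwareResolver([DnsServer("10.0.0.1", 1), DnsServer("10.0.0.2", 2)], threshold, poll_interval)
    for t in range(threshold + 1):               # primary is skipped once the threshold is hit
        tried.clear(); resolver.resolve("example.com", query, float(t)); per_query.append(list(tried))
    state["primary_up"] = True                   # primary recovers; the next due poll restores it
    tried.clear(); resolver.resolve("example.com", query, threshold + poll_interval); per_query.append(list(tried))
    return per_query, list(resolver.alerts)
```

Running `run_scenario()` shows the alert firing exactly once, at the query that hits the threshold, and the primary being skipped until the poll interval has elapsed.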