Serious DNS issues after installing a Cisco RV325 gateway
RV325 Gigabit Dual WAN VPN Router
Firmware Version: v1.5.1.05 (2019-10-01, 15:39:40)
Ever since I installed this RV325 on our LAN about a month ago, I've been having serious, seemingly random, and so far unsolvable DNS problems.
The RV325 is the gateway device on this LAN. It is connected via WAN1 to an AT&T Netgear ADSL modem that provides the Internet connectivity. (Currently we are not using the WAN2 connection; I'm having enough problems with WAN1 as it is.)
The LAN address of the RV325 is 192.168.214.253; its WAN1 IP address is 192.168.215.253. The Netgear modem's LAN IP address is 192.168.215.1, and it manages a static Internet IP address.
The RV325 is set up with its DHCP server active on the 192.168.214.0 subnet and proxied DNS; it's using OpenDNS's servers at 188.8.131.52 and 184.108.40.206 as its forwarding servers.
What's happening is that, seemingly at random and for no reason that I can figure out, DNS resolution on this LAN stops for some random amount of time. DNS resolution works fine for a while, then suddenly stops working, then usually picks back up on its own (although on some occasions I've had to restart the two devices). I've run DNSQuerySniffer on one of the affected PCs, and I can see where suddenly all DNS queries from the PC (in this case 192.168.214.164) to the RV325 at 192.168.214.253 are met with no response. This can happen for as much as a minute or more, with DNS requests stacking up with no reply, before suddenly the problem seems to resolve itself.
I haven't been able to figure out how to get the RV325 to present me with logging information that would help me figure this out. But the Netgear modem has no trouble presenting me with scads of information that I can nonetheless not understand. When this DNS stoppage happens, if I check the Netgear's logs I see stacks of entries like the following:
I'm not sure what a "PortScanLo" entry is supposed to indicate on this Netgear modem, and I have been unable to find any information about this online. I'm also a bit confused about exactly what constitutes inbound traffic and what constitutes outbound traffic in this log, based on other entries I've found there. But the entries above clearly show something (not good?) happening with DNS communications (SPT=53) occurring between the RV325 (IP=192.168.215.253) and the OpenDNS servers (208.67.22x.22x).
Other Netgear log entries also seem to show outbound DNS-related traffic from the RV325 to OpenDNS being blocked:
I've been all over that modem configuration, and I can't find anywhere that allows me to block outbound ICMP requests to the Internet. Inbound, yes. Outbound, no.
I've also set up a dizzying array of firewall rules to unconditionally allow all incoming and outgoing TCP and UDP port 53 traffic between the RV325 and the OpenDNS servers. They have had no effect.
The RV325 replaced a Netgear ProSafe FVS336G firewall that was performing the same services and was configured almost exactly the same way (with the exception that it was the .254 device instead of the .253 device). We never had these repeated, widespread DNS outages with the Netgear firewall.
Can anyone help me get to the bottom of this?
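One way to narrow down where the stall sits, as an added example that is not part of the original post or of any Cisco or Netgear tooling: a small standard-library DNS probe that sends the same A query, in turn, to the RV325's LAN address and directly to the two forwarder addresses given above, and logs each reply time or timeout with a timestamp. If the gateway times out while the forwarders answer directly, the proxy on the RV325 is the problem; if all three stall together, the WAN1 path or the modem is. The query name (example.com), the 2-second timeout, the 5-second interval and the sample response bytes in the comments are assumptions chosen for the example; the resolver addresses are the ones stated in the post.

```python
"""Sequential DNS probe: time one A query against each resolver and report stalls.

Added example, standard library only. Run it on an affected PC while a stall is
happening; it bypasses the PC's own resolver and talks to each address on UDP/53.
"""
import random
import socket
import struct
import time

# Addresses taken from the post: the RV325 LAN address and its two forwarders.
RESOLVERS = ["192.168.214.253", "188.8.131.52", "184.108.40.206"]
QUERY_NAME = "example.com"          # assumption: any stable public name works
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A/IN query with the RD bit set and the given transaction id."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, off: int) -> int:
    """Advance past a domain name (plain labels or a compression pointer) at offset off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_response(data: bytes, expected_txid: int):
    """Return (rcode, list of IPv4 answers) from a DNS response; raise ValueError if malformed."""
    if len(data) < 12:
        raise ValueError("short response")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        off = _skip_name(data, off) + 4
    answers = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return rcode, answers


def probe(resolver: str, name: str = QUERY_NAME, timeout: float = 2.0):
    """Send one query over UDP/53; return (elapsed_s, rcode, answers), rcode None on timeout."""
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, txid), (resolver, 53))
        data, _ = sock.recvfrom(512)
        rcode, answers = parse_response(data, txid)
        return time.monotonic() - start, rcode, answers
    except socket.timeout:
        return time.monotonic() - start, None, []
    finally:
        sock.close()


if __name__ == "__main__":
    while True:                               # Ctrl-C to stop
        stamp = time.strftime("%H:%M:%S")
        for r in RESOLVERS:
            elapsed, rcode, answers = probe(r)
            status = "TIMEOUT" if rcode is None else f"{RCODE_NAMES.get(rcode, rcode)} {answers}"
            print(f"{stamp} {r:16} {elapsed * 1000:7.1f} ms  {status}")
        time.sleep(5)                         # assumption: 5 s between rounds
```

Lines where only the 192.168.214.253 row reads TIMEOUT while both forwarder rows answer point at the RV325's DNS proxy; rows where all three time out at the same timestamps match the modem log bursts the post describes and point upstream of the gateway.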
What did Cisco Support say? I know, OpenDNS is Cisco too, but a totally different area.
Btw, the first group of log messages are DNS replies from OpenDNS on your DNS queries to OpenDNS. They do not seem to be blocked, just reported.
The second log entry is an ICMP (ping, tracert) packet to OpenDNS being blocked outbound. Could also be the related echo packet being blocked inbound, as seen in the square brackets.
The "other" Cisco hasn't replied yet.
That's what's so confusing about these logs ... That blocked "outbound" ping entry seems to be reporting bidirectional traffic. There is no way that I can find to block outbound ICMP requests on this Netgear modem.
As for the other entries: Those entries only show up in the Netgear modem's log when DNS requests start to fail. When I start to see yellow DNS query requests pile up on the DNSQuerySniffer screen, the modem logs start to pile up with matching time stamps. Whenever DNS queries are working, the modem remains silent.
And if I were to check the logs in detail, I would probably find one of those blocked ICMP entries just before a stack of "PortScanLo" entries. (The modem is also legitimately blocking other traffic and logging it, so there's a lot more scattered in that log than just the entries concerning OpenDNS.)
Do you have any idea what "PortScanLo" means? Is the "Lo" a truncated "Log"? Who would be doing a port scan in this case?
Thanks for your reply!