Serious DNS issues after installing a Cisco RV325 gateway

Follow
Avatar
vulogiccl2

RV325 Gigabit Dual WAN VPN Router
Firmware Version: v1.5.1.05 (2019-10-01, 15:39:40)

Ever since I installed this RV325 on our LAN about a month ago, I've been having serious, seemingly random, and so far unsolvable DNS problems.

The RV325 is the gateway device on this LAN. It is connected via WAN1 to an AT&T Netgear ADSL modem that provides the Internet connectivity. (Currently we are not using the WAN2 connection; I'm having enough problems with WAN1 as it is.)

The LAN address of the RV325 is 192.168.214.253; its WAN1 IP address is 192.168.215.253. The Netgear modem's LAN IP address is 192.168.215.1, and it manages a static Internet IP address.

The RV325 is set up with its DHCP server active on the 192.168.214.0 subnet and proxied DNS; it's using OpenDNS's servers at 208.67.222.222 and 208.67.220.220 as its forwarding servers.

What's happening is that, seemingly at random and for no reason that I can figure out, DNS resolution on this LAN stops for some random amount of time. DNS resolution works fine for awhile, then suddenly stops working, then usually picks up back on its own (although on some occasions I've had to restart the two devices). I've run DNSQuerySniffer on one of the affected PCs, and I can see where suddenly all DNS queries from the PC (in this case 192.168.214.164) to the RV325 at 192.168.214.253 are met with no response. This can happen for as much as a minute or more, with DNS requests stacking up with no reply, before suddenly the problem seems to resolve itself.

I haven't been able to figure out how to get the RV325 to present me with logging information that would help me figure this out. But the Netgear modem has no trouble presenting me with scads of information that I can nonetheless not understand. When this DNS stoppage happens, if I check the Netgear's logs I see stacks of entries like the following:

 

2020/06/16 22:50:41 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.222.222 DST=192.168.215.253 LEN=107 TOS=0x00 PREC=0x00 TTL=55 ID=57824 DF PROTO=UDP SPT=53 DPT=8447 LEN=87 
2020/06/16 22:50:40 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.222.222 DST=192.168.215.253 LEN=108 TOS=0x00 PREC=0x00 TTL=55 ID=38400 DF PROTO=UDP SPT=53 DPT=52070 LEN=88 
2020/06/16 22:50:39 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.222.222 DST=192.168.215.253 LEN=184 TOS=0x00 PREC=0x00 TTL=55 ID=37976 DF PROTO=UDP SPT=53 DPT=27228 LEN=164 
2020/06/16 22:50:38 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.220.220 DST=192.168.215.253 LEN=110 TOS=0x00 PREC=0x00 TTL=55 ID=958 DF PROTO=UDP SPT=53 DPT=33561 LEN=90 
2020/06/16 22:50:37 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.222.222 DST=192.168.215.253 LEN=107 TOS=0x00 PREC=0x00 TTL=55 ID=57523 DF PROTO=UDP SPT=53 DPT=8447 LEN=87 
2020/06/16 22:50:36 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.220.220 DST=192.168.215.253 LEN=110 TOS=0x00 PREC=0x00 TTL=55 ID=709 DF PROTO=UDP SPT=53 DPT=33561 LEN=90 
2020/06/16 22:50:35 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.220.220 DST=192.168.215.253 LEN=110 TOS=0x00 PREC=0x00 TTL=55 ID=473 DF PROTO=UDP SPT=53 DPT=33561 LEN=90 
2020/06/16 22:50:34 EDT WRN | kernel          | PortScanLo:IN=ppp0 OUT=br0 src=208.67.220.220 DST=192.168.215.253 LEN=110 TOS=0x00 PREC=0x00 TTL=55 ID=318 DF PROTO=UDP SPT=53 DPT=33561 LEN=90

 

I'm not sure what a "PortScanLo" entry is supposed to indicate on this Netgear modem, and I have been unable to find any information about this online. I'm also a bit confused about exactly what constitutes inbound traffic and what constitutes outbound traffic in this log, based on other entries I've found there. But the entries above clearly show something (not good?) happening with DNS communications (SPT=53) occurring between the RV325 (IP=192.168.215.253) and the OpenDNS servers (208.67.22x.22x).

Other Netgear log entries also seem to show outbound DNS-related traffic from the RV325 to OpenDNS being blocked:

2020/06/16 22:37:30 EDT WRN | kernel          | ICMP:logOutboundBlocked:IN=br0 OUT=ppp0 PHYSIN=eth0 src=192.168.215.253 DST=208.67.220.220 LEN=212 TOS=0x00 PREC=0xC0 TTL=63 ID=3679 PROTO=ICMP TYPE=3 CODE=3 [src=208.67.220.220 DST=192.168.215.253 LEN=184 TOS=0x00 PREC=0x00 TTL=55 ID=25072 DF PROTO=UDP SPT=53 DPT=16245 LEN=164 ]

 

I've been all over that modem configuration, and I can't find anywhere that allows me to block outbound ICMP requests to the Internet. Inbound, yes. Outbound, no.

I've also set up a dizzying array of firewall rules to unconditionally allow all incoming and outgoing TCP and UDP port 53 traffic between the RV325 and the OpenDNS servers. They have had no effect.

The RV325 replaced a Netgear ProSafe FVS336G firewall that was performing the same services and was configured almost exactly the same way (with the exception that it was the .254 device instead of the .253 device). We never had these repeated, widespread DNS outages with the Netgear firewall.

Can anyone help me get to the bottom of this?

Thanks,
CL

0

Comments

3 comments

Sort by Date Votes
  • Avatar
    rotblitz (Edited )

    What did Cisco Support say?  I know, OpenDNS is Cisco too, but a totally different area.

    Btw, the first group of log messages are DNS replies from OpenDNS on your DNS queries to OpenDNS.  They do not seem to be blocked, just reported.

    The second log entry is an ICMP (ping, tracert) packet to OpenDNS being blocked outbound.  Could also be the related echo packet being blocked inbound, as seen in the square brackets.

    0
    Comment actions Permalink
  • Avatar
    vulogiccl2

    The "other" Cisco hasn't replied yet.

    That's what's so confusing about these logs ... That blocked "outbound" ping entry seems to be reporting bidirectional traffic. There is no way that I can find to block outbound ICMP requests on this Netgear modem.

    As for the other entries: Those entries only show up in the Netgear modem's log when DNS requests start to fail. When I start to see yellow DNS query requests pile up on the DNSQuerySniffer screen, the modem logs start to pile up with matching time stamps. Whenever DNS queries are working, the modem remains silent.

    And if I were to check the logs in detail, I would probably find one of those blocked ICMP entries just before a stack of "PortScanLo" entries. (The modem is also legitimately blocking other traffic and logging it, so there's a lot more scattered in that log than just the entries concerning OpenDNS.)

    Do you have any idea what "PortScanLo" means? Is the "Lo" a truncated "Log"? Who would be doing a port scan in this case?

    Thanks for your reply!
    CL

     

    0
    Comment actions Permalink
  • Avatar
    rotblitz

    Sorry, I think I am not able to help with this. This is a pure router problem, and I do not have this router.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post