Support Forum
Phrozt
New Contributor

I believe this is an ISP DNS problem, but I need verification, also any potential fixes

-- Problem --------------

I've had comcast for years, and have had intermittent problems for years.  Almost every time it was a problem on their end, with one time being an issue w/my cables here.  NEVER has it been an issue w/my hardware.  I've been experiencing the problem below for the last month or so... ish?  It interrupted me in the middle of a game last night, and dropped my wife's video call with her friends, and I finally decided to do something about it.

I ALWAYS have a ping window open, using hrping so that I can timestamp things.  This is for the times that my connection is slow/dropping, and I can quickly diagnose if it's the source I'm trying to connect to, or me.  The behavior in the ping windows is exactly the same as what I've been seeing for a month - connection drops totally, then when it's coming back up, it still drops a lot of packages until it comes back to full.  When it dropped, I took the ss, then I did some digging in my fortigate and took screenshots, and then the other ping ss was of it recovering.

Based on what I saw in my fortigate, it seems that this is 100% a problem with Comcast's DNS servers.  I know these are comcast's, but also, when I go to Network > DNS, those are the servers that are dynamically obtained by my WAN.  Is there any way to change this??  What you can see here in the screenshot of my sources, are 4 devices with a very high number of sessions.  These are comprised of laptops, a desktop, and a tv, with active connections outside the LAN.  Some of the others with high connections are an xbox and an NVIDIA Shield.

When I click on 117 (and this was the same for all of the high session devices) you can see that the VAST majority of connections are to 75.75.75.75, 75.75.76.76, which are comcast's DNS servers.  As the connection resolved itself, these sessions dropped.  Right now, as I'm typing this, and things are working normally, my device has 69 connections, and only 17 of them are to ..75.75, with NO connections to ..76.76. 

I won't bore you with a long story of my conversations w/Comcast; the tl;dr is that they kept saying they wanted to work with me to find the problem, but that since the internet signal was strong to my house (at the time of the call it had already resolved), then it must be a problem w/my modem/router (repeat this cycle about 10 times or so to get the full transcript).  When I gave all the information I just shared w/you, they kept saying they couldn't transfer me to anyone else, and would not talk about their DNS servers at all.  So there's really no help I can get from them.

-- Question --------------

For those who've made the journey thus far, I appreciate it.  This is what I need help with:

1 - Would you agree with my assessment of the situation? Or am I totally off?  Need more clarity?

2 - If #1 is validated, is there ANY WAY I can get rid of, or get around those dynamically obtained DNS servers?

I'm new to fortigate, but I've done some poking around, and I've been doing my own home networking stuff for 15+ years, so I'd be more than happy to do extra diagnostics, try some settings, etc.

-- Images --------------

Here you can see the connection dropping out.

Here is the connection recovering (this ss was taken AFTER the investigation/ss in fortigate)

Here are the sources on my network.  The 4 highlighted are 2 laptops, a desktop, and a tv.  The TV isn't even on or doing anything.  Right now, the TV's connection has 14 sessions.  The other devices w/60+ sessions are another laptop, 2 xboxes, and an NVIDIA shield.  This list of things is comprised of both hardwired and wifi devices.  Curiously, neither android phone (both attached to wifi) had many sessions at all.

Finally, here is a view of all destinations of sessions from one of the computers.  You can also see that the session count exploded from 224 to 269 w/in just a few clicks around in the interface.  The highlighted IPs are comcast's DNS servers.

Thanks for taking a look at this.

rwpatterson
Valued Contributor III

Welcome and thank you for the very verbose diagnosis. I have VZ FiOS and with my dynamic IP address I am able to configure static DNS servers. This is totally doable.

Under 'System', 'Network', 'DNS', the options are "Use FortiGuard Servers" and "Specify". Choose the latter, and add up to two DNS servers. I think you can use more if you go CLI, but that shouldn't be necessary.

Hope that helps.

I just recall that under 'DNS Servers', you need to set the server to 'Forward to System DNS' I think. 'Recursive' will use the acquired servers I believe. Feel free to test these as I use local DNS servers configured under DHCP.

To me it sounds like they have a failing piece of equipment upstream that has intermittent drops. This gear will continue this trend until it finally goes belly up and you'll have an outage on your hands. This is what I have seen from ISPs in the past. Unless you're business class (and not always then), you may get them to intervene when the problems occur. Usually (like Microsoft) they use the end users as their QC and you'll have to live with it. Good luck. The drops you see when the network is recovering are, most of the time, all the blocked traffic trying to reconnect at the same time and overwhelming the circuit. As all these connections stabilize, bandwidth slowly opens up again and your PINGs ring through.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
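Putting the GUI steps above into CLI form, as an added example that is not part of rwpatterson's post or Fortinet's documentation; the interface names "wan1" and "internal" and the Quad9 resolver addresses are assumptions, so substitute your own. The `dns-server-override` setting is the piece that stops the WAN DHCP lease from putting the Comcast resolvers back.

```text
# Added example; "wan1", "internal" and the 9.9.9.9 / 149.112.112.112 resolvers are assumptions.

# 1. Stop the DHCP lease on the WAN interface from overwriting the system DNS servers.
config system interface
    edit "wan1"
        set dns-server-override disable
    next
end

# 2. Specify the resolvers the FortiGate itself uses (the GUI "Specify" option under Network > DNS).
config system dns
    set primary 9.9.9.9
    set secondary 149.112.112.112
end

# 3. Make the LAN-facing DNS service answer from those system DNS servers
#    ("Forward to System DNS" in the GUI) instead of recursing on its own.
config system dns-server
    edit "internal"
        set mode forward-only
    next
end

# 4. Verify: list only port-53 sessions. The 75.75.75.75 / 75.75.76.76 destinations
#    should no longer appear once clients pick up the change.
diagnose sys session filter clear
diagnose sys session filter dport 53
diagnose sys session list
```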

brycemd

If you are dropping connection via ping to 8.8.8.8 during the issue then it should have nothing to do with DNS. That ping connection will continue without DNS.

It seems you are outright losing internet connectivity rather than connectivity specifically to DNS.

Another test could be to ping your default gateway (WAN default gateway) and see if that drops as well. Should give you an idea if it is your modem if that drops as well, or if it's somewhere else along the ISP equip.
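The three-probe approach brycemd describes (gateway, a bare IP that needs no DNS, and the DNS server itself), written up as an added example that is not from anyone in this thread. The gateway address and probe name are assumptions; the resolver is the Comcast one named in the original post, and `ping` flags are the Linux ones.

```python
import socket
import subprocess
import time
from datetime import datetime

# Constructed values (assumptions): LAN-side gateway, a ping target that needs no DNS,
# and the ISP resolver named in the thread.
GATEWAY = "192.168.1.1"
EXTERNAL_IP = "8.8.8.8"
DNS_SERVER = "75.75.75.75"
PROBE_NAME = "example.com"

def ping_ok(host, timeout_s=1):
    """One ICMP echo through the system ping binary (Linux flags)."""
    try:
        r = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                           capture_output=True, timeout=timeout_s + 2)
        return r.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False

def build_dns_query(name, txid=0x1234):
    """Minimal RFC 1035 A query: 12-byte header (RD set, QDCOUNT=1) + question section."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00\x00" * 3
    qname = b"".join(len(label).to_bytes(1, "big") + label.encode()
                     for label in name.split(".")) + b"\x00"
    return header + qname + b"\x00\x01\x00\x01"  # QTYPE=A, QCLASS=IN

def dns_ok(server, name, timeout_s=1):
    """Send the query straight to `server` on UDP/53; True only if a reply with our ID comes back."""
    q = build_dns_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout_s)
        try:
            s.sendto(q, (server, 53))
            data, _ = s.recvfrom(512)
        except OSError:
            return False
    return len(data) >= 12 and data[:2] == q[:2]

def classify(gateway_ok, external_ok, resolver_ok):
    """Localise the fault from the three probe results, in the order the thread reasons about them."""
    if not gateway_ok:
        return "in-house (LAN, FortiGate or modem)"
    if not external_ok:
        return "ISP path (upstream of the modem, not DNS)"
    if not resolver_ok:
        return "ISP DNS resolver only"
    return "all good"

if __name__ == "__main__":
    while True:  # timestamped like an hrping window, one line every 5 seconds
        verdict = classify(ping_ok(GATEWAY), ping_ok(EXTERNAL_IP), dns_ok(DNS_SERVER, PROBE_NAME))
        print(datetime.now().isoformat(timespec="seconds"), verdict)
        time.sleep(5)
```

A run that logs "ISP path" while the resolver line stays "all good" between outages is the pattern brycemd is pointing at: the DNS sessions pile up because everything upstream is unreachable, not because the resolvers themselves failed.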

Phrozt
New Contributor

That's a great idea.  I'll get another ping window up to my gateway.  At minimum, it should tell me if it's a problem in house v out of the house, though whether it's my modem or router would require further investigation.  I have had my modem for a very long time, but it's a rock solid modem, and there's absolutely no reason that it would only fail 3-5% of the time at random intervals in the day.

Phrozt

Didn't 100% follow your second suggestion, so if you wouldn't mind checking my work, I'd appreciate it.  To your first point, I did see the "Specify" option, but did not use it, because I figured the dynamically obtained DNS servers would override, which is what I was poorly trying to communicate in my original post asking for a way around it.  This is what I set up after reading your post:

And again, for your second point, I'm just not following.  I'm very new to fortinet's environment and directionality for things.  I'm assuming you want me to go here and create a new service:

And then forward option 1 (the lan) to the system DNS?

Thanks for your insight!
