DNS issues with NAT

I have NAT enabled on most of my SMs and twice I have had my primary DNS server go down. When this happens, it seems Canopy ignores the secondary DNS server. So it’s like having just one DNS server even though there are two in the SM, meaning when the primary goes down, nobody switches over to the secondary.

I have some SMs without NAT, and when the DNS server went down, they switched over to the secondary DNS server with no problems.

This seems like a serious issue. Has anyone had any experience with NAT and one of your DNS servers going down?

Can you clarify?

it seems Canopy ignores the secondary DNS server


This makes it sound as if the Canopy is dropping, blocking, or misdirecting DNS requests.

meaning when the primary goes down, nobody switches over to the secondary


But this sounds like the issue is at the client.

The client is issuing the DNS resolution request to whatever DNS address(es) are in its TCP/IP configuration on that network interface.

You might try checking a few client machines with active connections (“ipconfig /all” @ the command line in XP). Are they getting both server addresses from Canopy’s DHCP?

If not, you need to find out why. If both DNS IPs are shown, then something between your clients and that secondary DNS box is dropping the DNS requests from the clients.

Good luck!

Or, duh on my part, blocking the replies back from that secondary DNS server.

My quick take would be:
Hardcode just the secondary server’s IP into an AP with a live feed. Set up 2 test SMs. Verify ipconfig on connected machines as showing the correct DNS IP. Attempt to surf. Look at DNS server logs, or sniff the traffic.

Can you surf? If not, are you seeing the requests come in to the DNS server? Are you seeing replies leave? If you can surf, try putting both addresses in as normal and reboot the AP and SMs.

I’m basing my thoughts on general networking, but I’m new to Canopy. If there’s something unique to Canopy that could cause this behavior, I hope someone lets us know.

Please reply if you have a chance to troubleshoot further, I’m interested in what you find.

no just standard stuff… that should work…

on an XP machine at the command prompt execute

ipconfig /all

make sure client is taking both DNS entries

nslookup
server <ip address of DNS you think doesn’t work>
www.yahoo.com

does it resolve…

-------------------------------

Disable NAT, give your machine the NAT IP address of the SM and use the DNS that isn’t working… does it work?

Thanks for the replies.

NAT is enabled and the canopy is plugged directly into my laptop.

-My laptop retrieves the two DNS servers from the SM.
-The primary server is still down. The secondary is up and working.
-I try nslookup www.yahoo.com. It tries resolving with the primary and times out, the secondary resolves it OK.
-I can’t ping the hostname www.yahoo.com, even though the secondary server resolved it with nslookup.
-I can ping the IP address of yahoo OK.

Next I try disabling NAT and setting the IP and DNS information in my laptop.

-nslookup does the same thing as before, primary times out, secondary resolves OK.
-This time I can ping www.yahoo.com

They aren’t my DNS servers so I don’t have access to them. I didn’t try sniffing traffic from my end to see what is happening.

Also, if it’s set up the first way with NAT, I can set a static IP with static DNS (just set the one working DNS server (secondary)) in the computer and it will work fine this way.

Try doing the same test you did, but in between switching from NAT to non-NAT, go to the command prompt and issue the following:

ipconfig.exe /flushdns

Like name servers, clients also cache DNS entries.

When you ping www.yahoo.com and do not get a reply, is it saying request timed out or unknown host?

Can you ping the DNS server?

I have also witnessed this during a period while I was configuring a replacement DNS server. This server is rock-solid now, so I never have this problem. However, it indeed happened on multiple occasions. When the primary DNS server was unavailable, NAT end users could not resolve even though they were correctly assigned a primary and secondary address via DHCP.

Most resolver implementations totally ignore the secondary name server. They almost universally support the secondary configuration but almost universally don’t ever actually use it, or have extremely long timeouts to fail over to the secondary.

Even Linux and FreeBSD do this, to say nothing of any Microsoft product. Very troubling when I discovered this first-hand and followed up with various in-the-knows.
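An added example, not code from any poster or from the Canopy product: a minimal stub resolver in Python that makes the failover step discussed above explicit. It builds a raw A-record query, asks each configured server in order with a short timeout, and moves on to the secondary when the primary does not answer or returns an unusable reply, which is the same check the nslookup “server” commands in this thread perform by hand. The server addresses, the 0x1234 transaction id and the pluggable `send` transport are assumptions for illustration; to run it against real servers call `resolve("www.yahoo.com", [primary, secondary])`.

```python
import socket
import struct

def build_query(name, txid):
    """Standard recursive A-record query in RFC 1035 wire format (flags: RD=1)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def skip_name(resp, pos):
    """Offset just past a domain name, whether written out or as a compression pointer."""
    while resp[pos] and resp[pos] & 0xC0 != 0xC0:
        pos += resp[pos] + 1
    return pos + (2 if resp[pos] & 0xC0 == 0xC0 else 1)

def parse_a_records(resp, txid):
    """IPv4 addresses from the answer section; [] if the reply is unusable."""
    rid, flags, qd, an = struct.unpack("!HHHH", resp[:8])
    if rid != txid or flags & 0x000F:   # wrong transaction id, or RCODE != 0
        return []
    pos = 12
    for _ in range(qd):                 # skip the echoed question (name + QTYPE + QCLASS)
        pos = skip_name(resp, pos) + 4
    addrs = []
    for _ in range(an):
        pos = skip_name(resp, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:   # A record: four-byte IPv4 address
            addrs.append(".".join(str(b) for b in resp[pos:pos + 4]))
        pos += rdlen
    return addrs

def udp_send(server, payload, timeout):  # real transport: one datagram to UDP/53
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (server, 53))
        return s.recv(512)

def resolve(name, servers, send=udp_send, timeout=2.0):
    # Ask each server in turn; an unreachable primary costs at most `timeout` seconds.
    txid = 0x1234                       # fixed for illustration; real resolvers randomise it
    query = build_query(name, txid)
    for server in servers:
        try:
            addrs = parse_a_records(send(server, query, timeout), txid)
        except (OSError, struct.error, IndexError):  # no reply or garbage reply: fail over
            continue
        if addrs:
            return server, addrs
    return None, []
```

Comparing what this returns with what the client’s own resolver does (a ping by name, for instance) separates a stub resolver that never asks the secondary from DNS traffic that the NAT path is dropping.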

Before, I said it was the secondary server that went down. It wasn’t, I just remembered it was the primary. So it was the same problem before.

msmith- I don’t think flushing the DNS will solve anything, cached DNS entries aren’t my problem. Although I think I did try this the first time I had the problem and it didn’t change anything.

vj- I believe it was saying unknown host when I was pinging.

I’ve switched to different DNS servers since, and this isn’t a problem for me anymore. I just hope this new primary never goes down.

building a network based on hope is not a good idea…

you should invest the time into figuring out what is going on, or build a solution using backup DNS which takes over the address of the primary should it go down…

At the client workstation:
launch the cmd window
type nslookup - return
type a well-known web site (e.g. www.cnn.com) - return
type server and your secondary DNS IP address - return
type a well-known web site (e.g. www.cnn.com) - return

If both hosts resolve the well known site, then DNS is working. If the secondary fails, try it on another workstation and then contact the vendor to confirm IP address and operational status.

I have not seen any issues with the Canopy radios failing to pass the secondary (we load a local caching DNS as our 1st DNS and we do take it offline for service w/o any observed client connectivity issues).

wtkirk wrote:
I have not seen any issues with the Canopy radios failing to pass the secondary (we load a local caching DNS as our 1st DNS and we do take it offline for service w/o any observed client connectivity issues).


This is with NAT? Do you have the DNS IPs set manually in the radio or set to obtain automatically? Mine are set manually.

yes with NAT enabled.


Shouldn’t make a difference; test with them manually set.

I have exactly the same problem.

1.) SM with NAT enabled.
a) Obtaining IP from DHCP or DNS from DHCP.
b) Manually assigned IP and DNS.
2.) Client receiving IP/DNS information from SM.
3.) I do an ipconfig /all and both DNS are there.
4.) I can ping both DNS servers.
5.) nslookup works with both DNS servers.
6.) When I try to ping or browse, nothing happens. It cannot resolve the hostname.


The FIX:
I eliminate NAT and the client’s computer gets the information from DHCP and it works.

Any idea on why NAT would do that?

generate a PCAP dump of the traffic BEFORE AND AFTER NAT and you can see which packets are being dropped (if any) by NAT…

Had the same problem and running my setup just like you are! I had to go in and change the DNS numbers around to get my customers back up and running. Canopy does not use the 2nd DNS number when you are using NAT, but Canopy is not the only product that does this.
It needs to be fixed!
JJ

We had a similar issue, and it was the setup on the secondary DNS (I believe it was in the root hints). Once that was corrected, we could take down the primary DNS and never miss a beat.