Windows 7 Users Cannot Access the Internet Because DNS Attack Defense is Enabled on the USG5300

Issue Description
At an ISP customer's site, a lot of the customer's users access the Internet through the USG5300. During busy hours, many Windows 7 users cannot open Web pages.
Alarm Information
Handling Process

1. Check the interface traffic during busy hours. The network bandwidth and firewall forwarding performance are normal.

2. Help users rectify operating system problems.

3. When the problem occurs, Windows 7 users can use chat applications such as QQ but cannot open Web pages. When a domain name is pinged, the name cannot be resolved. Therefore, the problem is DNS-related.

4. Because users of other operating systems can access the Internet normally, the problem does not originate from the DNS service provider.

5. Check the firewall configuration. The DNS flood attack defense function is enabled on the firewall. Disable the function. The problem is rectified.

6. According to the analysis of the DNS attack defense principle, when the DNS attack defense is enabled and the interface receives over 1000 DNS requests per second, the firewall starts the defense. Specifically, upon receiving UDP DNS packets the firewall requests the peer end to send TCP DNS requests. Because the Windows 7 operating system does not support TCP DNS, Windows 7 users encounter the problem that domain names cannot be resolved normally.
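The defense described in step 6 only works for clients that honour a request to retry over TCP; the standard way a DNS server makes that request is a reply with the TC (truncated) bit set, which RFC 1035 tells a resolver to answer by repeating the query over TCP. The script below is an added example, not Huawei's or the case's own code, and it assumes the USG5300 uses the TC-bit mechanism; it lets an operator check from a client host whether UDP-to-TCP fallback actually works through the firewall before relying on this defense. The resolver address is passed on the command line.

```python
import socket
import struct
import sys

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query with RD=1 in wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [l.encode("ascii") for l in name.strip(".").split(".")]
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)

def parse_header(resp: bytes) -> dict:
    """Extract the header fields a resolver acts on; TC is bit 0x0200 (RFC 1035)."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": txid, "tc": bool(flags & 0x0200), "rcode": flags & 0xF, "answers": an}

def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TCP connection early")
        buf += chunk
    return buf

def query_udp(server: str, name: str, timeout: float = 2.0) -> bytes:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recv(4096)

def query_tcp(server: str, name: str, timeout: float = 2.0) -> bytes:
    q = build_query(name)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack(">H", len(q)) + q)  # DNS over TCP is length-prefixed
        (length,) = struct.unpack(">H", recv_exact(s, 2))
        return recv_exact(s, length)

def resolve_with_fallback(server: str, name: str) -> tuple:
    """UDP first; on TC=1 retry over TCP, as an RFC 1035 resolver is expected to."""
    udp = parse_header(query_udp(server, name))
    if not udp["tc"]:
        return "udp", udp
    return "tcp", parse_header(query_tcp(server, name))

# Constructed sample reply: QR, TC, RD and RA set, no answers. This is the kind of
# "retry over TCP" reply assumed to come back while the defense is active.
TRUNCATED_REPLY = bytes.fromhex("123483800001000000000000")

if __name__ == "__main__":  # usage: python dns_tcp_check.py <resolver-ip>
    print(parse_header(TRUNCATED_REPLY))
    print(resolve_with_fallback(sys.argv[1], "example.com"))
```

If the UDP step returns TC=1 but the TCP step times out or is refused, the firewall is asking for a fallback the path cannot complete, which is exactly the symptom seen by the Windows 7 users in this case.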

Root Cause

1. The network bandwidth is insufficient. As a result, some users cannot access the Internet.

2. Users' operating system is problematic or their DNS settings are incorrect.

3. The USG5300 forwarding performance is not high enough or the USG5300 has other problems.

When you encounter a firewall problem, identify which functional module is relevant to the problem, and then analyze that module thoroughly.