Internal Hosts or the SonicWall Are Able to Ping by IP Address but not by DNS/Domain Name
03/26/2020
At times, Users from a particular Zone, Subnet, or other location may be able to access Internal or External resources by IP Address but not by DNS/Domain Name. This is commonly an issue on either the Client or the DNS Server; this article provides steps to track down the cause of the issue and facilitate further troubleshooting.
This issue can also apply to the SonicWall itself being unable to resolve DNS Names, which can cause issues with Content Filtering, Licenses, and other services.
1. Perform a Ping from the impacted Client to the SonicWall Interface the Client is behind. If successful proceed to Step 2. If not then troubleshoot connectivity between the Client and the SonicWall.
NOTE: Make sure that Ping Management is enabled on the Interface. To enable it, go to Network | Interfaces, click Configure for the Interface in question, and enable Ping Management.
2. Perform a Ping to a Server on the Public WAN, for example 188.8.131.52. If successful proceed to Step 3. If not then troubleshoot connectivity between the Client and the WAN.
3. Verify the DNS Information on the Network Interface Card (NIC) of the impacted Client. If the SonicWall is the impacted device, check the DNS Settings under Network | DNS.
TIP: This will vary from Operating System to Operating System; we recommend finding official documentation from the Operating System Developer on how to do this.
4. Set up a Packet Capture on the SonicWall with the following settings:
- Ether Type: IP
- IP Type: UDP, TCP
- Source IP Address: The IP Address of the impacted Client
- Destination Port: 53
TIP: If you're unsure how to set up a Packet Monitor on the SonicWall, reference the article Using the Packet Monitor to Analyze Traffic.
- Examine the Traffic Flow: Does the SonicWall forward the Packets to the correct IP Address / MAC Address? Is there return traffic from the DNS Server, sent to the Client's IP Address and MAC Address? Are there any dropped packets?
TIP: It may be helpful to perform a Packet Capture on the impacted Client and the target DNS Server (if possible) to see where the breakdown is.
5. If there are any Dropped Packets, check the Packet Detail field to obtain the Drop Code. If the listed reason is Policy Drop or Enforced Firewall Rule, verify under Firewall | Access Rules that there is an Access Rule from the Client Zone to the DNS Zone that allows DNS Traffic.
6. Check the SonicWall Logs under Log | Log Monitor and filter by the impacted IP Address. This will present any drops or other issues that may result in the traffic failing.
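To generate known DNS traffic from the impacted Client while the Packet Capture from Step 4 is running, a small probe can send one query over UDP and one over TCP to port 53 and report whether nothing came back or the DNS Server answered with an error. This is an added example, not SonicWall code; the function names, the transaction ID and the verdict strings are assumptions made for illustration.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # constructed transaction ID, easy to spot in the capture

def build_query(name):
    """Build a minimal DNS A-record query with recursion desired."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(reply):
    """Turn a raw reply (None = nothing came back) into a verdict."""
    if reply is None:
        return "no-reply"      # continue with the capture, Drop Codes and logs
    if len(reply) < 12:
        return "malformed"
    rid, flags, _qd, ancount = struct.unpack("!HHHH", reply[:8])
    if rid != TXID or not flags & 0x8000:
        return "malformed"     # not a response to our query
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "resolved"
    # The path to the server works; the server itself reported the problem.
    return "server-answered:" + RCODES.get(rcode, str(rcode))

def probe(server_ip, name, tcp=False, port=53, timeout=3.0):
    """Send one query to server_ip (IPv4) over UDP or TCP and classify it."""
    query = build_query(name)
    try:
        if tcp:
            with socket.create_connection((server_ip, port), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)  # TCP length prefix
                reply = s.recv(4096)[2:]  # only the 12-byte header is inspected
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server_ip, port))
                reply, _ = s.recvfrom(4096)
    except OSError:            # timeout, connection refused or unreachable
        reply = None
    return classify(reply)

if __name__ == "__main__":
    import sys  # usage: python dns_probe.py <dns-server-ip> <hostname>
    for use_tcp in (False, True):
        print("TCP" if use_tcp else "UDP", probe(sys.argv[1], sys.argv[2], tcp=use_tcp))
```

A `no-reply` verdict points at the forwarding path, so the capture, Drop Codes and logs are the next place to look; a `server-answered` verdict means the query and its return traffic passed and the DNS Server or the record is the place to look.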