We have two MX100s (primary and secondary) and both have been showing the DNS misconfigured alert for about a week. A packet capture shows that DNS requests on both WAN uplinks are not getting responses. We can see them going out but there is never a response back. Most of our internal traffic is routed through a site-to-site VPN to AWS where it goes out through a firewall. All of these internal VLANs do not have any connectivity problems. Our guest network, which does not travel over the site-to-site VPN, has been down since the error appeared.
The change log shows no changes at the time that the misconfiguration first occurred.
We have tried changing the DNS servers used on both uplinks with no effect.
Meraki support recommended checking with our ISP to figure out why we are not getting DNS responses. We have done that but they have been less than helpful.
Does anyone have any ideas of what could be going on? Has anyone had experience with an ISP blocking DNS responses?
I am happy to answer any additional questions. Help is greatly appreciated.
@mdubs91 some ISPs want you to use their DNS and block others, have you tried that?
Thanks. We do use Spectrum (our ISP) DNS on the WAN1 uplink and use Google DNS on the WAN2 uplink. Both are down. Maybe we should switch both to Spectrum.
Have you tried with a different DNS (like umbrella)?
Unfortunately, I have yes. The same issue occurs where there are no DNS responses. Testing umbrella connectivity from the dashboard also shows an inability to connect to umbrella DNS servers. We have also tried switching to Cloudflare and Google DNS.
Thank you for the thought.
Are you using a non-Meraki VPN to Amazon AWS? Does the VPN destination include the DNS servers you are trying to reach (such as using a VPN to 0.0.0.0/0)? If so, the DNS queries may be going via that VPN.
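To make the suggestion above concrete, here is an added example (not code from the thread or from Meraki) that does two things: it models where the MX's own DNS queries would egress under a simple longest-prefix-match routing model, so you can see that a VPN destination of 0.0.0.0/0 swallows a query to 8.8.8.8 while a narrower destination such as 172.31.0.0/16 does not; and it hand-builds a raw DNS query you can fire at a resolver from a test host on each circuit to confirm whether anything comes back, independent of the MX. The routing model, the resolver addresses, the office subnet and the VPN destination lists are all assumptions constructed for the example.

```python
"""Model where DNS queries egress, and probe a resolver directly over UDP.

Constructed example for this thread, not Meraki code. The routing model is an
assumption: a destination inside a configured VPN destination subnet goes into
the tunnel, anything else follows the uplink default route, longest prefix wins.
"""
from ipaddress import ip_address, ip_network
import random
import socket
import struct

# Constructed sample config (assumption): one resolver per uplink, as in the thread.
UPLINK_DNS = {
    "WAN1": ["209.18.47.61"],   # stand-in for the ISP's resolver (assumed address)
    "WAN2": ["8.8.8.8"],        # Google public DNS
}
LOCAL_SUBNETS = ["10.10.0.0/16"]  # office VLANs (assumed)


def egress_path(dst, vpn_destinations, local_subnets=LOCAL_SUBNETS):
    """Longest-prefix match over local, VPN and uplink-default routes.

    On a tie (a 0.0.0.0/0 VPN destination vs. the 0.0.0.0/0 uplink default) the
    VPN entry wins: it is listed first and max() keeps the first maximum.
    """
    target = ip_address(dst)
    table = [(ip_network(n), "LOCAL") for n in local_subnets]
    table += [(ip_network(n), "VPN") for n in vpn_destinations]
    table.append((ip_network("0.0.0.0/0"), "WAN"))
    matches = [(net, path) for net, path in table if target in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def audit_dns_egress(vpn_destinations, uplink_dns=UPLINK_DNS):
    """Map each configured resolver to the path its queries would take."""
    return {
        f"{uplink}:{server}": egress_path(server, vpn_destinations)
        for uplink, servers in uplink_dns.items()
        for server in servers
    }


def dns_query_packet(name, qtype=1, txid=None):
    """Build a minimal RFC 1035 standard query (A record by default)."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def dns_response_ok(packet, expected_txid):
    """True if packet is a response (QR set) to our txid with RCODE 0."""
    if len(packet) < 12:
        return False
    txid, flags = struct.unpack("!HH", packet[:4])
    return txid == expected_txid and bool(flags & 0x8000) and (flags & 0x000F) == 0


def probe_resolver(server, name="meraki.com", timeout=2.0, source_ip=None):
    """Send one query over UDP and report whether a valid response comes back.

    Run this from a test host; bind to source_ip to force a particular uplink on
    a multi-homed machine. Returns (answered: bool, detail: str).
    """
    txid = random.randrange(0x10000)
    pkt = dns_query_packet(name, txid=txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        if source_ip:
            s.bind((source_ip, 0))
        s.sendto(pkt, (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return False, f"no response within {timeout:.1f}s (query left, nothing came back)"
    return dns_response_ok(data, txid), f"{len(data)}-byte response"


if __name__ == "__main__":
    for vpn in (["172.31.0.0/16"], ["0.0.0.0/0"]):
        print(vpn, audit_dns_egress(vpn))
```

With a full-tunnel destination the audit reports every resolver as VPN, which would match the symptom of queries leaving on the uplink capture point but never being answered from the WAN side; with only the AWS VPC range as the destination they stay on WAN. If a direct probe from a host plugged straight into the Spectrum circuit also gets nothing back, the problem is upstream of the MX rather than in the VPN configuration.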
Hi Philip,
Thank you for your response. We have a site-to-site VPN set up between our office network and AWS. The Meraki serves as the customer gateway on the office side and we have an AWS Transit Gateway as the termination point in AWS.
You're thinking that if the VPN destination is set to 0.0.0.0/0 that the DNS queries are going through the VPN?
I'm far, far from an expert. Do you mind explaining a little more what you mean?
Thank you.
>You're thinking that if the VPN destination is set to 0.0.0.0/0 that the DNS queries are going through the VPN?
I'm not sure, but I'm thinking that is what it could be.
This is interesting. You may be on to something. Thank you very much.