"Forwarder Upstream Server Timeout" alarms appear in Azure VMware Solution (AVS) when the NSX DNS Forwarder cannot get answers from its configured upstream DNS servers within the timeout. Workload virtual machines that use the forwarder as their resolver then fail to resolve names, which typically surfaces as failures when accessing external services or websites.
The NSX DNS Forwarder is configured with upstream DNS servers that are unreachable from the forwarder's source IP in the AVS environment. This typically occurs when:
Public DNS servers are configured as upstream forwarders but internet egress is not enabled for DNS traffic.
No alternative internal DNS servers are specified in the configuration.
To resolve this issue, ensure the NSX DNS Forwarder has reachable upstream DNS servers. There are two approaches:
Option A: Enable Internet Connectivity for DNS Traffic
Allow egress connectivity for DNS traffic (UDP and TCP port 53) through the NSX Tier-0 Gateway. Both protocols are required: a resolver retries over TCP when a UDP response comes back truncated, so permitting UDP alone produces intermittent failures on large answers.
Configure firewall rules to permit outbound DNS traffic from the DNS Forwarder's source IP to the configured upstream server addresses, rather than a blanket any-to-any rule on port 53.
Validate routing to ensure DNS traffic can reach the internet.
Option B: Use Internal DNS Servers (Recommended)
Update the NSX DNS Forwarder configuration to use internal DNS servers (e.g., Active Directory DNS servers hosted within AVS or reachable via ExpressRoute).
Ensure internal DNS servers can resolve both internal and external queries by forwarding to recursive DNS resolvers as needed.
Confirm routing and firewall rules allow communication between the NSX DNS Forwarder and internal DNS servers.
For most enterprise deployments, using internal DNS servers is the recommended option. It keeps query logging and resolution policy in one place, avoids opening an internet egress path for DNS from the private cloud, and integrates with existing identity and directory services.
Reference link for the procedure to check the DNS Forwarder statistics in the NSX UI:
https://knowledge.broadcom.com/external/article/330601/forwarder-upstream-server-timeout-alarm.html