
List:       bind-users
Subject:    Re: Initial Lookup Slowness BIND 9.2.4
From:       Anthony Blalock <anthony_blalock () homedepot ! com>
Date:       2008-12-31 14:51:35
Message-ID: C580F127.CAAC%anthony_blalock () homedepot ! com


We had a similar problem when we moved some DNS servers to a DMZ that was
behind a firewall (a Cisco FWSM blade in a 6513 chassis.)  A packet capture
showed that the initial query from the DNS server had the EDNS flag set.  It
never got a response to that query, and would then resend it without the
EDNS flag and would get an immediate response.  I'm not sure if the firewall
didn't like the query itself or the response, but there was definitely
something about EDNS that it didn't like.  We fixed the problem by disabling
the DNS application inspection that the firewall was doing ("no fixup
protocol dns").   Check your firewalls to see if they are dropping the EDNS
requests.  If so, you can try modifying your firewalls to allow the EDNS
queries, or if that isn't possible then you can try limiting the EDNS packet
size to 512 in your options:

  options {
    edns-udp-size 512;
  };
 

-Anthony Blalock

>> > I have installed a caching only instance of BIND (9.2.4) on a CentOS
>> > machine on my internal network.  I have noticed that initial DNS requests
>> > against the server take a rather large amount of time (usually around 7
>> > seconds).  I have done some basic troubleshooting and I am coming up at a
>> > loss.  I think my ISP might be doing something "funny" but I am not sure
>> > how to test any further.
>> >
>> > I have captured BIND debug info at a trace level of 3 (posted below).  I
>> > have also captured snoop data via tcpdump.  From what I can tell; it seems
>> > as if responses are taking a "long" time to come back.  The same behavior
>> > is exhibited for any domain or host I attempt to lookup.
>> >
>> > To be clear, everything is working, just much slower than it should for
>> > initial queries.  Any help troubleshooting would be greatly appreciated.




-----------------------------------------
The information contained in this e-mail and any attached documents
may contain information that is confidential or otherwise protected
from disclosure. If you are not the intended recipient of this
message, or if this message has been sent to you in error, please
immediately alert the sender by reply e-mail and then delete this
message, including any attachments. Any dissemination, distribution
or other use of the contents of this message by anyone other than
the intended recipient is strictly prohibited.
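[Editor's note: the following is an added, self-contained example written for this archive page; it is not code from Anthony, the original poster, or the BIND project. It shows what "the initial query had the EDNS flag set" means on the wire, namely an OPT pseudo-RR (type 41) in the additional section whose CLASS field is the advertised UDP payload size, which is the value BIND's edns-udp-size option controls. The helper names (build_query, inspect, unanswered_queries), the transaction IDs and the three-packet capture are all constructed here for illustration; the capture is not the thread's real packet trace.]

```python
"""Classify DNS packets from a capture as EDNS or plain queries, and find
queries that never got a response (the signature of a firewall silently
dropping EDNS traffic).  Constructed example; not code from the thread."""
import struct
from typing import Dict, List, Optional, Tuple

DNS_TYPE_OPT = 41          # OPT pseudo-RR = EDNS(0), RFC 6891
FLAG_QR = 0x8000           # header bit: message is a response
FLAG_RD = 0x0100           # header bit: recursion desired


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname in DNS wire (label) format."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split(".") if label)
    return out + b"\x00"


def build_query(qname: str, txid: int, edns_udp_size: Optional[int] = None) -> bytes:
    """Build a raw A query for qname.  When edns_udp_size is given, append an
    OPT RR in the additional section; its CLASS field carries the advertised
    UDP payload size, which is what BIND's edns-udp-size option sets."""
    arcount = 1 if edns_udp_size is not None else 0
    msg = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)       # QTYPE A, QCLASS IN
    if edns_udp_size is not None:
        # OPT RR: root name, TYPE 41, CLASS = UDP size, TTL = extended
        # RCODE/version/flags (all zero here), RDLENGTH 0 (no EDNS options)
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, edns_udp_size, 0, 0)
    return msg


def build_response(query: bytes) -> bytes:
    """Minimal constructed reply: the same message with the QR bit set."""
    flags = struct.unpack("!H", query[2:4])[0] | FLAG_QR
    return query[:2] + struct.pack("!H", flags) + query[4:]


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a wire-format name (handles compression)."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def inspect(msg: bytes) -> Dict[str, object]:
    """Parse the header, skip the question section and walk every RR looking
    for an OPT record.  Reports transaction ID, direction and EDNS status."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4             # QTYPE + QCLASS
    edns_size = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == DNS_TYPE_OPT:
            edns_size = rclass                     # OPT CLASS = UDP payload size
    return {"id": txid, "is_response": bool(flags & FLAG_QR),
            "edns": edns_size is not None, "edns_udp_size": edns_size}


def unanswered_queries(packets: List[Tuple[float, bytes]]) -> List[Dict[str, object]]:
    """Pair queries with responses by transaction ID and return the queries
    that never got one, each tagged with its EDNS status.  If every
    unanswered query is EDNS and every answered one is plain, something on
    the path is eating EDNS."""
    parsed = [(t, inspect(p)) for t, p in packets]
    answered = {info["id"] for _, info in parsed if info["is_response"]}
    return [dict(time=t, **info) for t, info in parsed
            if not info["is_response"] and info["id"] not in answered]


# Constructed capture (timestamps in seconds): the EDNS query is never
# answered; the plain retry a few seconds later is answered immediately.
CAPTURE = [
    (0.00, build_query("www.example.com", 0x1A2B, edns_udp_size=4096)),
    (5.00, build_query("www.example.com", 0x1A2C)),
    (5.02, build_response(build_query("www.example.com", 0x1A2C))),
]

if __name__ == "__main__":
    for q in unanswered_queries(CAPTURE):
        print(f"t={q['time']:.2f}s id=0x{q['id']:04x} edns={q['edns']} "
              f"udp_size={q['edns_udp_size']}: no response seen")
```

On a live network the same check is two dig runs against the suspect server while tcpdump watches udp port 53: "dig +edns=0 +bufsize=4096 @server www.example.com" should time out or be slow, and "dig +noedns @server www.example.com" should answer at once if EDNS is what the inspection engine drops. Two caveats on the edns-udp-size 512 workaround: it only helps if the firewall objects to the advertised size rather than to the OPT record itself, and any response larger than 512 bytes (DNSSEC-signed answers in particular) will then come back truncated and be retried over TCP, so the inspection rules must allow DNS over TCP as well.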



_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
