nameserver fails to complete forwarded requests

Mark.Andrews at nominum.com
Wed Oct 25 23:54:18 UTC 2000


> I have the following name resolution topology:
> 
> [Host] queries-> [Internal Nameserver (INS)] forwards-> [External
> Nameserver (ENS)] queries-> Internet
> 
> INS=Solaris 2.6 with ISC Bind 8.2.2-P5
> ENS=Solaris 7 with ISC Bind 8.2.2-P5 (I've tried a Solaris 2.6 box also)
> 
> Occasionally the ENS appears to "forget" forwarded requests.  Using
> snoop, I determined the following:
> 
> o Host sends A record query to INS
> o INS forwards to ENS
> o ENS sends request to root nameserver
> o root nameserver sends answer with 3 authoritative nameservers (and
> associated A records)
> o ENS sends to root nameserver A record requests for each of the 3
> nameservers
> o root nameserver sends answers to each of the 3 A record requests
> 
> This all happens in less than a second.  But then the ENS does *NOTHING*
> regarding the original query.  I see no query sent to any of the 3
> authoritative nameservers.
> 
> After about 59 seconds, the INS resends the request (same DNS ID).  The
> ENS then very promptly sends the request to one of the authoritative
> nameservers (learned a minute before!), receives an answer, and relays
> that back to the INS (which in turn sends a response back to the client
> host.)  By now, however, the application on the client host has given up
> waiting for an answer and has indicated that the hostname was not found.
> 
> I have summarized some of the "turn-around" times of the ENS, and a
> majority are < 1 second, but many are ~59 seconds, meaning that it
> didn't respond until poked again by the INS.  I also have seen many in
> the 15-30 second range, which appear to be users retrying the website
> after receiving "host not found".  This forces a query from the INS to
> the ENS sooner than the normal timeout, and an almost immediate answer
> is given.
> 
> I originally thought that the problem had to do with root nameservers,
> but if I remove forwarders from the INS configuration (so that it hits
> root nameservers directly), then the timeouts disappear entirely (and my
> users are much happier.)  And the packet capture is the real smoking
> gun.
> 
> So why are the forward requests just dropped by the ENS???
> 
> If I point my clients directly to the ENS, it also works, but this is
> because the original client is more persistent (retries after 1, 2, and
> 4 seconds in the case of NT) than a forwarding nameserver.  (I
> determined this from packet captures as well.)  The INS doesn't forward
> queries retransmitted from the client to the ENS, but instead sticks to
> its built-in timeouts for forwarding.  But when a client resolves
> directly from the ENS, it keeps querying several times in a short
> interval until it gets an answer.
> 
> Any ideas are appreciated.

	Upgrade to BIND 8.2.3-TB6 on your internal server or upgrade
	to BIND 9.0.0 on your external server.  BIND 8.x does not
	have query restart and depends on the client to requery.
	BIND 8.x (8.x < 8.2.3) has bad retry behaviour w.r.t. forwarders.

	Mark
> 
> Ian
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
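
The turn-around summary described in the quoted report can be reproduced from a capture taken at the ENS. The following is an added example, not part of the original thread: it pairs answers with the queries for the same name and flags answers that arrived promptly only after a requery. The record layout, the host names and the 1-second threshold are assumptions, and the sample capture is constructed.

```python
from collections import Counter

# Constructed sample of traffic seen at the ENS: (seconds, direction, qname).
# "Q" = query arriving from the INS, "R" = answer sent back to the INS.
CAPTURE = [
    (0.00, "Q", "www.example.com"), (0.31, "R", "www.example.com"),
    (5.00, "Q", "ftp.example.net"),
    (64.02, "Q", "ftp.example.net"),    # INS retransmit after ~59 s
    (64.20, "R", "ftp.example.net"),
    (70.00, "Q", "mail.example.org"),
    (92.50, "Q", "mail.example.org"),   # user retried the site
    (92.71, "R", "mail.example.org"),
    (100.00, "Q", "slow.example.com"), (103.40, "R", "slow.example.com"),
    (110.00, "Q", "lost.example.net"),  # never answered in this capture
]
STALL_AFTER = 1.0  # assumption: the post reports normal answers in < 1 second

def turnarounds(capture):
    """Pair each answer with the queries for that name that preceded it."""
    pending, done = {}, []
    for ts, direction, qname in sorted(capture):
        if direction == "Q":
            first, _, count = pending.get(qname, (ts, ts, 0))
            pending[qname] = (first, ts, count + 1)
        elif qname in pending:
            first, last, count = pending.pop(qname)
            done.append({"qname": qname, "queries": count,
                         "total": round(ts - first, 2),
                         "after_last_query": round(ts - last, 2)})
    return done, sorted(pending)

def classify(rec):
    """Separate the stall in the post from an upstream that is merely slow."""
    if rec["total"] < STALL_AFTER:
        return "normal"
    # Signature from the post: nothing until a requery, then a prompt answer.
    if rec["queries"] > 1 and rec["after_last_query"] < STALL_AFTER:
        return "stalled-until-requery"
    return "slow-upstream"

def summarize(capture):
    done, unanswered = turnarounds(capture)
    return Counter(classify(r) for r in done), unanswered

if __name__ == "__main__":
    done, unanswered = turnarounds(CAPTURE)
    for rec in done:
        print(f'{rec["qname"]:18} {rec["total"]:7.2f}s  {classify(rec)}')
    print("unanswered:", unanswered)
```

A high share of "stalled-until-requery" entries points at the forwarding path rather than at slow authoritative servers, which matches the packet-capture observation in the report.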


