Timeout for resolver

Marc.Thach at radianz.com Marc.Thach at radianz.com
Wed Jul 18 17:23:27 UTC 2001



Put the sniffer on the other side of the firewall.  Are you now getting
ICMP port unreachables?  When I last looked at a Microsoft stack (NT4 &
w95) it timed out waiting for a DNS response in 35 seconds (three requests
timing out in 5, 10, and 20 seconds).  I would take a wild guess that UNIX
systems are more likely to use a four second base giving 28 secs timeout,
IIRC BIND 4 used these timeouts by default (I haven't looked at it
recently).  These timeouts are per DNS server listed.  If a BIND server
times out whilst recursing it returns SERVFAIL.  What responses did you find on
the sniffer?
Rgds
Marc TXK
________________________________________________________________________
The views expressed are personal and do not necessarily reflect those of
the organisation providing the mail address from which this message was
sent




From:     "Weeber, Burkhard" <b.weeber at viastore.de>
Sent by:  bind-users-bounce at isc.org
Date:     18/07/2001 16:42
To:       "BIND Liste (E-Mail)" <bind-users at isc.org>
cc:
Subject:  RE: Timeout for resolver





Thanks for the hint Barry.

Though the book doesn't shed light on my problem, which is like this:

I live behind a firewall doing NAT with 2Mbit into the Internet.
Normally the DNS queries are answered in quite a reasonable time while
the firewall keeps the UDP port it sent the request from open (180
seconds).

Since about fall last year I saw a tremendous increase of packets being
dropped by the firewall with a source of a name server port 53/udp and
destination firewall random port/udp. The F/W software was not changed
then.

Putting up a sniffer outside the firewall reveals that these are answer
packets that just arrive very late so I had to increase the NAT timeout
to 600 seconds. This makes at least the annoying logs go.

So my question is how long does it take these days to resolve a
non-cached record?
Five minutes aren't enough.
Are the timeouts added up with each forwarder?

Any hints appreciated


Burkhard Weeber
viastore systems GmbH
P/O Box 300668
D-70446 Stuttgart
Tel: +49-711-9818-0
Email: B.Weeber at viastore.de

Windows95: <win-doz-nin-te-fiv> n.
32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit
operating system originally coded for a 4 bit microprocessor, written by
a 2 bit company, that can't stand 1 bit of competition.



> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org]On
> Behalf Of Barry Margolin
> Sent: Wednesday, July 18, 2001 5:11 PM
> To: comp-protocols-dns-bind at moderators.isc.org
> Subject: Re: Timeout for resolver
>
>
> In article <9j3q56$5ul at pub3.rc.vix.com>,
> Weeber, Burkhard <b.weeber at viastore.de> wrote:
> >before digging in the source code perhaps you can answer this question:
> >
> >What is the resolvers timeout waiting for an answer to its query?
> >Is it options.timeout?
>
> Look up "timeouts" in the index of "DNS & BIND".  The precise answer is a
> bit complicated and takes two pages to describe.
>
> --
> Barry Margolin, barmar at genuity.net
> Genuity, Burlington, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
>
>
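
Added example, not part of any message in this thread: the doubling retry schedule Marc describes (5, 10, 20 s, per listed server) and a check of sniffer output for replies that arrive after the NAT UDP mapping has idled out, as in Burkhard's firewall logs. The capture format, addresses and query IDs are constructed, and the code assumes the firewall restarts its idle timer on every outbound packet of a flow.

```python
def retry_schedule(base, tries=3, servers=1):
    """Per-attempt waits that double each try (5, 10, 20 -> 35 s in the thread).
    The total is per DNS server listed, so it scales with `servers`."""
    waits = [base * 2 ** i for i in range(tries)]
    return waits, sum(waits) * servers


def late_replies(capture, nat_timeout):
    """Return (query_id, server, idle_seconds) for replies the NAT would drop.

    Each capture line is: time direction nat_port server query_id
    with direction Q (outbound query) or R (inbound reply).
    Assumption: the idle timer restarts on every outbound packet of the flow.
    idle_seconds is None when no outbound packet was ever seen for the flow.
    """
    last_out = {}   # (nat_port, server) -> time of last outbound packet
    dropped = []
    for line in capture:
        ts, direction, nat_port, server, qid = line.split()
        flow = (nat_port, server)
        if direction == "Q":
            last_out[flow] = float(ts)
        elif direction == "R":
            sent = last_out.get(flow)
            idle = None if sent is None else float(ts) - sent
            if idle is None or idle > nat_timeout:
                dropped.append((qid, server, idle))
    return dropped


# Constructed sample capture (documentation address ranges, made-up IDs).
CAPTURE = [
    "0.0   Q 40001 192.0.2.53   0x1a2b",
    "0.4   R 40001 192.0.2.53   0x1a2b",   # prompt answer
    "10.0  Q 40002 198.51.100.7 0x2c3d",
    "14.0  Q 40002 198.51.100.7 0x2c3d",   # retry after 4 s
    "22.0  Q 40002 198.51.100.7 0x2c3d",   # retry after 8 s
    "215.5 R 40002 198.51.100.7 0x2c3d",   # answer 193.5 s after last query
    "300.0 R 40003 203.0.113.9  0x3e4f",   # answer with no query seen at all
]

if __name__ == "__main__":
    print("5 s base:", retry_schedule(5))
    print("4 s base:", retry_schedule(4))
    for timeout in (180, 600):
        print(f"NAT timeout {timeout} s drops:", late_replies(CAPTURE, timeout))
```

Replies that are still dropped with the longer timeout have no matching outbound query on that port at all, so raising the NAT timeout further will not make those log entries go away.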






