Timeout for resolver
Marc.Thach at radianz.com
Wed Jul 18 17:23:27 UTC 2001
Put the sniffer on the other side of the firewall. Are you now getting
ICMP port unreachables? When I last looked at a Microsoft stack (NT4 &
w95) it timed out waiting for a DNS response in 35 seconds (three requests
timing out in 5, 10, and 20 seconds). I would take a wild guess that UNIX
systems are more likely to use a four second base giving 28 secs timeout,
IIRC BIND 4 used these timeouts by default (I haven't looked at it
recently). These timeouts are per DNS server listed. If a BIND server
times out whilst recursing it returns SERVFAIL. What responses did you find on
the sniffer?
Rgds
Marc TXK
________________________________________________________________________
The views expressed are personal and do not necessarily reflect those of
the organisation providing the mail address from which this message was
sent
From: "Weeber, Burkhard" <b.weeber at viastore.de>
Sent by: bind-users-bounce at isc.org
Date: 18/07/2001 16:42
To: "BIND Liste (E-Mail)" <bind-users at isc.org>
cc:
Subject: RE: Timeout for resolver
Thanks for the hint Barry.
Though the book doesn't shed light on my problem which is like this:
I live behind a firewall doing NAT with 2Mbit into the Internet.
Normally the DNS queries are answered in quite a reasonable time while
the firewall keeps the UDP port it sent the request from open (180
seconds).
Since about fall last year I saw a tremendous increase of packets being
dropped by the firewall with a source of a name server port 53/udp and
destination firewall random port/udp. The F/W software was not changed
then.
Putting up a sniffer outside the firewall reveals that these are answer
packets that just arrive very late so I had to increase the NAT timeout
to 600 seconds. This makes at least the annoying logs go.
So my question is how long does it take these days to resolve a
non-cached record?
Five minutes aren't enough.
Are the timeouts added up with each forwarder?
Any hints appreciated
Burkhard Weeber
viastore systems GmbH
P/O Box 300668
D-70446 Stuttgart
Tel: +49-711-9818-0
Email: B.Weeber at viastore.de
Windows95: <win-doz-nin-te-fiv> n.
32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit
operating system originally coded for a 4 bit microprocessor, written by
a 2 bit company, that can't stand 1 bit of competition.
> -----Original Message-----
> From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf Of Barry Margolin
> Sent: Wednesday, July 18, 2001 5:11 PM
> To: comp-protocols-dns-bind at moderators.isc.org
> Subject: Re: Timeout for resolver
>
>
> In article <9j3q56$5ul at pub3.rc.vix.com>,
> Weeber, Burkhard <b.weeber at viastore.de> wrote:
> >before digging in the source code perhaps you can answer this question:
> >
> >What is the resolver's timeout waiting for an answer to its query?
> >Is it options.timeout?
>
> Look up "timeouts" in the index of "DNS & BIND". The precise answer is a
> bit complicated and takes two pages to describe.
>
> --
> Barry Margolin, barmar at genuity.net
> Genuity, Burlington, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
>
>
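The sniffer check discussed in this thread (pairing inbound 53/udp packets seen outside the firewall with earlier outbound queries to measure how late the answers arrive), as an added example that is not part of the original messages. All addresses, ports and timings are constructed, and the NAT mapping is assumed to expire a fixed number of seconds after the last outbound query on that port.

```python
from bisect import bisect_right
from collections import defaultdict

NAT_UDP_TIMEOUT = 180  # seconds; the firewall's original UDP hold time from the thread

# Constructed outbound queries: (time_s, nat_src_port, server_ip)
QUERIES = [
    (0.0, 40001, "192.0.2.53"),
    (10.0, 40002, "198.51.100.53"),
    (20.0, 40003, "203.0.113.53"),
]
# Constructed inbound packets from port 53/udp: (time_s, server_ip, dst_port)
RESPONSES = [
    (0.4, "192.0.2.53", 40001),       # prompt answer
    (215.0, "198.51.100.53", 40002),  # answer 205 s after the query
    (300.0, "203.0.113.99", 40003),   # no query was ever sent to this server
]

def classify(queries, responses, nat_timeout=NAT_UDP_TIMEOUT):
    """Pair each inbound packet with the latest earlier query on the same
    (server, NAT port) and label it by the delay since that query."""
    sent = defaultdict(list)
    for t, port, server in sorted(queries):
        sent[(server, port)].append(t)
    results = []
    for t, server, port in responses:
        times = sent.get((server, port), [])
        i = bisect_right(times, t)
        if i == 0:  # nothing went out on this flow before the packet arrived
            results.append((t, server, port, None, "unmatched"))
            continue
        delay = t - times[i - 1]
        label = "in-window" if delay <= nat_timeout else "late"
        results.append((t, server, port, delay, label))
    return results

def min_timeout_needed(results):
    """Smallest NAT UDP timeout that would have passed every matched answer."""
    delays = [d for *_, d, _label in results if d is not None]
    return max(delays) if delays else 0.0

if __name__ == "__main__":
    for row in classify(QUERIES, RESPONSES):
        print(row)
    print("timeout needed:", min_timeout_needed(classify(QUERIES, RESPONSES)))
```

Packets labelled "late" are real answers that outlived the mapping; "unmatched" packets correspond to no outbound query and would not be admitted by any NAT timeout.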