bind 8 slow when resolving new domains!

Simon Waters Simon at wretched.demon.co.uk
Thu May 6 20:59:53 UTC 2004


dap99 at i-55.com wrote:
> I am having a big problem with slow internal DNS (named 8.3.7-REL on
> FreeBSD 4.9).
What, no BIND 9?

> Also, we are using their two DNS servers as forwarders.

"Red alert, captain".

> The colo promises it's not them, but frankly I can't see how it's us.
> 
> # tcpdump -n host ns2 and \( icmp or udp \)
> 10:07:37.832611 192.168.42.78.53 > isp-dns1.53:  4240+ [1au] A?
> www.altavista.com. (46)
> 10:07:51.013213 192.168.42.78.53 > isp-dns2.53:  4240+ [1au] A?
> www.altavista.com. (46)
> 10:07:51.074160 isp-dns2.53 > 192.168.42.78.53:  4240 2/9/10
> CNAME[|domain] (DF)
> 10:07:51.074476 192.168.42.78.53 > isp-dns1.53:  17509+ [1au] A?
> avatw.search.yahoo2.akadns.net. (59)
> 10:07:51.131568 isp-dns1.53 > 192.168.42.78.53:  17509 1/9/10 (393)
> (DF)

Looks like their first forwarder was slow or overloaded on the initial
query. Not sure about BIND 8, but I know the method of selecting
forwarders is pretty simplistic in BIND 9. Don't assume it'll do
anything clever like reordering forwarders if one is down or slow.

If the DNS packets are allowed through the firewall, I'd say switch
forwarding off entirely if predictable responses are important.

If the forwarders you use are coping easily with their load, and primed
with queries from thousands of clients (or even one or two busy email
servers), you may save a few tenths of a second per query by using them,
but at the cost of slow responses if and when things go wrong (and more
to go wrong).

>         forward only; // added while troubleshooting
>         forward first; // added while troubleshooting

One of these only... forward first, if allowed by the firewall, always
seemed the smarter option to me.

> ns2# nslookup www.looser.com

Is "dig" broken on BSD ;)

> Any ideas? Also, why so many FormErr (am I sending out bunk DNS
> queries?). 

EDNS0 is my first guess - although you can double check the tcpdump
after reading the docs.

> I would be happy to show selected output from named -d 3.

"{r}ndc querylog" is friendlier and easier to understand than "-d 3" or
"tcpdump", even if it does eat disk space on busy servers.






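The diagnosis above rests on reading the quoted tcpdump capture by eye: the first query to isp-dns1 got no reply, BIND retried the same query id against isp-dns2 some thirteen seconds later, and the `[1au]` on every query marks an EDNS0 OPT record (the likely source of the FormErr responses). The following script, an added example that is not part of the thread, automates that reading for the old-style tcpdump summary format shown in the capture: it pairs each outbound query with the reply from the same forwarder by DNS id, reports per-forwarder latency and unanswered queries, and notes how long BIND waited before retrying elsewhere. The sample capture is constructed from the lines quoted in the thread with tcpdump's line-wrapping of the query names undone; the forwarder names are the original poster's anonymised ones.

```python
import re

# Constructed sample: the capture quoted in the thread, one packet per line.
SAMPLE_CAPTURE = """\
10:07:37.832611 192.168.42.78.53 > isp-dns1.53:  4240+ [1au] A? www.altavista.com. (46)
10:07:51.013213 192.168.42.78.53 > isp-dns2.53:  4240+ [1au] A? www.altavista.com. (46)
10:07:51.074160 isp-dns2.53 > 192.168.42.78.53:  4240 2/9/10 CNAME[|domain] (DF)
10:07:51.074476 192.168.42.78.53 > isp-dns1.53:  17509+ [1au] A? avatw.search.yahoo2.akadns.net. (59)
10:07:51.131568 isp-dns1.53 > 192.168.42.78.53:  17509 1/9/10 (393) (DF)
"""

# Old-style tcpdump DNS summary line: timestamp, "src.port > dst.port:", then
# the DNS id. A trailing "+" on the id marks a query with RD set; replies have none.
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d{6}) "
    r"(?P<src>\S+) > (?P<dst>\S+):\s+(?P<id>\d+)(?P<qflag>\+?)(?P<rest>.*)$"
)


def strip_port(addr):
    """'isp-dns1.53' -> 'isp-dns1'; '192.168.42.78.53' -> '192.168.42.78'."""
    return addr.rsplit(".", 1)[0]


def parse_capture(text):
    """Turn tcpdump summary lines into event dicts; non-DNS lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        secs = (int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
                + int(m["us"]) / 1_000_000)
        rest = m["rest"]
        qname = re.search(r"\? (\S+)", rest)  # "A? www.example.com." on queries
        events.append({
            "t": secs,
            "src": strip_port(m["src"]),
            "dst": strip_port(m["dst"]),
            "id": int(m["id"]),
            "is_query": m["qflag"] == "+",
            "edns": "[1au]" in rest,  # one OPT RR in the additional section = EDNS0
            "qname": qname.group(1) if qname else None,
        })
    return events


def match_queries(events):
    """Pair each (id, forwarder) query with that forwarder's reply.

    Unanswered queries are reported with the delay until the same id was
    retried against a different forwarder, if that happened in the capture.
    """
    pending = {}  # (id, forwarder) -> query event still waiting for a reply
    results = []
    for ev in events:
        if ev["is_query"]:
            pending[(ev["id"], ev["dst"])] = ev
            continue
        q = pending.pop((ev["id"], ev["src"]), None)
        if q is None:
            continue  # reply with no matching query in this capture
        results.append({"id": q["id"], "forwarder": q["dst"], "qname": q["qname"],
                        "edns": q["edns"], "answered": True,
                        "latency": round(ev["t"] - q["t"], 6), "retried_after": None})
    for (qid, fwd), q in pending.items():
        retries = [e["t"] - q["t"] for e in events
                   if e["is_query"] and e["id"] == qid and e["dst"] != fwd and e["t"] > q["t"]]
        results.append({"id": qid, "forwarder": fwd, "qname": q["qname"],
                        "edns": q["edns"], "answered": False, "latency": None,
                        "retried_after": round(min(retries), 6) if retries else None})
    return results


def summarize(results):
    """Per-forwarder query count, unanswered count and worst observed latency."""
    summary = {}
    for r in results:
        s = summary.setdefault(r["forwarder"],
                               {"queries": 0, "unanswered": 0, "worst_latency": None})
        s["queries"] += 1
        if not r["answered"]:
            s["unanswered"] += 1
        elif s["worst_latency"] is None or r["latency"] > s["worst_latency"]:
            s["worst_latency"] = r["latency"]
    return summary


if __name__ == "__main__":
    results = match_queries(parse_capture(SAMPLE_CAPTURE))
    for r in results:
        state = (f"{r['latency']:.3f}s" if r["answered"]
                 else f"NO REPLY, retried elsewhere after {r['retried_after']}s")
        print(f"id {r['id']:>5} -> {r['forwarder']:<9} {r['qname']:<35} "
              f"edns={'y' if r['edns'] else 'n'} {state}")
    for fwd, s in summarize(results).items():
        print(f"{fwd}: {s['queries']} queries, {s['unanswered']} unanswered, "
              f"worst latency {s['worst_latency']}")
```

Run against a longer `tcpdump -n -l` capture of traffic to the forwarders (or a file saved from it) and the summary shows directly whether one forwarder is the laggard; the `edns` flag lets you confirm that the FormErr replies correlate with EDNS0-carrying queries before turning to `rndc querylog` or `named -d 3`.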
More information about the bind-users mailing list