Slowness and timeouts resolving qa.pay.gov

Lear, Karen (Evolver) Karen.Lear at USPTO.GOV
Wed Jul 14 15:43:42 UTC 2010


1. I run the recursive servers.
2. RHEL 4.0 running BIND 9.6.1-P3
3. timeouts or slow responses from dig qa.pay.gov occur maybe 1 in 3 or 4 tries.
4. Not having the same issue with other requests.  Otherwise, the campus would be screaming about Internet slowness/timeouts.
5. I don't see anything strange in the logs.  I see requests showing up in dnssec.log and query.log.  I do see what looks like IPv6 requests showing up in query.log, but not being approved in dnssec.log. Examples:

[klear at idns1 logs]$ grep pay.gov dnssec.log
14-Jul-2010 10:56:37.608 security: debug 3: client 10.112.171.38#60907: query (cache) 'qa.pay.gov/A/IN' approved
[klear at idns1 logs]$ grep pay.gov query.log
13-Jul-2010 13:00:00.079 client 10.112.171.38#59791: query: qa.pay.gov IN A +
13-Jul-2010 13:00:03.082 client 10.112.171.38#57288: query: qa.pay.gov IN AAAA +
6.  I'm logging:
logging {
    category lame-servers { null; };
    category edns-disabled { null; };
    category unmatched  { unmatched_log; };
    channel unmatched_log {
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
        file "/logs/unmatched.log" versions 10 size 100M;
        };

    channel update_log {
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
        file "/logs/updates.log" versions 10 size 100M;
        };
    channel query_log {
        severity info;
        print-time yes;
        file "/logs/query.log" versions 15 size 500M;
        };
    channel activity_log {
        severity info;
        print-time yes;
        print-category yes;
        print-severity yes;
        file "/logs/activity.log" versions 3 size 10M;
        };
    channel dnssec_log {
        severity debug 10;
        print-time yes;
        print-category yes;
        print-severity yes;
        file "/logs/dnssec.log" versions 3 size 100M;
        };

    category queries         { query_log; };

    category default         { activity_log; };
    category xfer-in         { activity_log; };
    category xfer-out        { activity_log; };
    category notify          { activity_log; };
    category security        { activity_log; };
    category update-security { update_log; };
    category update          { update_log; };
    category dnssec          { dnssec_log; };
    category security        { dnssec_log; };

};

7.  Yes there is a firewall between my resolver and the rest of the world.
9.  Dig outputs:
[klear at idns1 etc]$ dig qa.pay.gov @localhost

; <<>> DiG 9.6.1-P3 <<>> qa.pay.gov @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59511
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;qa.pay.gov.                    IN      A

;; ANSWER SECTION:
qa.pay.gov.             30      IN      A       199.169.197.30

;; AUTHORITY SECTION:
pay.gov.                30      IN      NS      ns2.twai.gov.
pay.gov.                30      IN      NS      ns1.twai.gov.

;; Query time: 989 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jul 14 11:42:16 2010
;; MSG SIZE  rcvd: 85

[klear at idns1 etc]$ dig +trace qa.pay.gov

; <<>> DiG 9.6.1-P3 <<>> +trace qa.pay.gov
;; global options: +cmd
.                       515795  IN      NS      i.root-servers.net.
.                       515795  IN      NS      m.root-servers.net.
.                       515795  IN      NS      f.root-servers.net.
.                       515795  IN      NS      l.root-servers.net.
.                       515795  IN      NS      e.root-servers.net.
.                       515795  IN      NS      a.root-servers.net.
.                       515795  IN      NS      g.root-servers.net.
.                       515795  IN      NS      h.root-servers.net.
.                       515795  IN      NS      k.root-servers.net.
.                       515795  IN      NS      j.root-servers.net.
.                       515795  IN      NS      d.root-servers.net.
.                       515795  IN      NS      c.root-servers.net.
.                       515795  IN      NS      b.root-servers.net.
;; Received 320 bytes from 127.0.0.1#53(127.0.0.1) in 9 ms

gov.                    172800  IN      NS      e.usadotgov.net.
gov.                    172800  IN      NS      g.usadotgov.net.
gov.                    172800  IN      NS      b.usadotgov.net.
gov.                    172800  IN      NS      c.usadotgov.net.
gov.                    172800  IN      NS      a.usadotgov.net.
gov.                    172800  IN      NS      d.usadotgov.net.
gov.                    172800  IN      NS      f.usadotgov.net.
;; Received 265 bytes from 192.228.79.201#53(b.root-servers.net) in 78 ms

pay.gov.                86400   IN      NS      NS1.TWAI.gov.
pay.gov.                86400   IN      NS      NS2.TWAI.gov.
;; Received 101 bytes from 206.204.217.151#53(b.usadotgov.net) in 6278 ms

qa.pay.gov.             30      IN      A       199.169.197.30
pay.gov.                30      IN      NS      ns1.twai.gov.
pay.gov.                30      IN      NS      ns2.twai.gov.
;; Received 117 bytes from 199.169.192.28#53(NS2.TWAI.gov) in 74 ms

Thank you.


-----Original Message-----
From: Warren Kumari [mailto:warren at kumari.net]
Sent: Wednesday, July 14, 2010 10:59 AM
To: Lear, Karen (Evolver)
Cc: 'bind-users at lists.isc.org'
Subject: Re: Slowness and timeouts resolving qa.pay.gov


On Jul 14, 2010, at 9:54 AM, Lear, Karen (Evolver) wrote:

> My recursive DNS servers are intermittently timing out and giving
> slow responses to qa.pay.gov.  I haven't noticed problems with any
> other sites.  How can I nail down where the problem is?

You are going to have to start by providing way more info, like:

1: Do you run these recursive servers or does someone else?
2: what are they ? version, etc.
3: How often does this happen?
4: Do you have the same issues with any other requests?
5: Do you have anything interesting in the logs?
6: Are you logging anything?
7: Is there a firewall between your resolver and the rest of the world?
8: Please provide configs...
9: Please provide output of dig, against both your server and with
+trace.

Also, please don't start a new thread by replying to a message and
changing the subject, it is bad form and will annoy lots of folk.
People who have stopped following the old thread will also probably
not see your message, and so you will be less likely to get help...

W


>  From my home, on comast.net, I don't have slowness or timeouts
> resolving qa.pay.gov.
>
> Thx,
> k
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
A. No
Q. Is it sensible to top-post?
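
The following is an added example, not part of the original post or of either poster's tooling. It parses the ";; Received ... in N ms" summary lines that `dig +trace` prints, and tallies per answering server how many replies exceeded a threshold, so that output from repeated runs can be concatenated and compared. The 1000 ms threshold and the function names are assumptions; the sample lines are copied from the trace in the post above.

```python
import re

# "Received" summary lines copied from the dig +trace output in the post above.
TRACE = """\
;; Received 320 bytes from 127.0.0.1#53(127.0.0.1) in 9 ms
;; Received 265 bytes from 192.228.79.201#53(b.root-servers.net) in 78 ms
;; Received 101 bytes from 206.204.217.151#53(b.usadotgov.net) in 6278 ms
;; Received 117 bytes from 199.169.192.28#53(NS2.TWAI.gov) in 74 ms
"""

# One summary line per delegation step: size, address#port(server name), latency.
HOP_RE = re.compile(
    r"^;; Received (?P<size>\d+) bytes from "
    r"(?P<addr>[0-9A-Fa-f.:]+)#(?P<port>\d+)\((?P<name>[^)]*)\) in (?P<ms>\d+) ms"
)

def parse_hops(text):
    """Return one dict per answering server, in the order dig printed them."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if m:
            hops.append({"server": m["name"], "addr": m["addr"],
                         "bytes": int(m["size"]), "ms": int(m["ms"])})
    return hops

def slow_hops(hops, threshold_ms=1000):
    """Hops whose reply took at least threshold_ms (assumed cut-off)."""
    return [h for h in hops if h["ms"] >= threshold_ms]

def per_server(hops, threshold_ms=1000):
    """Aggregate by server name (case-insensitive) across one or more runs."""
    stats = {}
    for h in hops:
        s = stats.setdefault(h["server"].lower(),
                             {"answers": 0, "slow": 0, "max_ms": 0})
        s["answers"] += 1
        s["slow"] += h["ms"] >= threshold_ms
        s["max_ms"] = max(s["max_ms"], h["ms"])
    return stats

if __name__ == "__main__":
    for h in slow_hops(parse_hops(TRACE)):
        print(f'{h["server"]} ({h["addr"]}) answered in {h["ms"]} ms')
```

Because `dig +trace` may pick a different server for a zone on each run, feeding the output of several runs into `per_server` shows whether the delay follows one server or every server at that delegation level.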





