Slow recursive query performance on Windows x64

Lee ler762 at gmail.com
Sun Jan 19 21:56:31 UTC 2020


On 1/18/20, Steve Farr wrote:
>
> I don't have IPv6 connectivity through my ISP, and don't use it on my LAN,
> so I have it unchecked/not bound in Windows,

Same here.
When I tried running named on Windows it didn't support the -4 option;
the workaround I was given was to add

server ::/0 { bogus yes; };

to named.conf so it wouldn't try to use IPv6.  And maybe this is
enabled/works on Windows now:

options {
  filter-aaaa-on-v4 yes;
};


> Basically, it looks like my DNS server sits on it for 3.2 seconds before
> asking the root for a referral.

Which is weird.  Exactly how did you do the packet capture - as in, is
it possible you didn't capture everything to/from the server?

Lee


>
> From: Ondrej Surý
> Sent: Friday, January 17, 2020 3:27 PM
> To: Steve Farr
> Cc: bind-users at lists.isc.org
> Subject: Re: Slow recursive query performance on Windows x64
>
> Hi Steve,
>
> I would suggest to either bump debugging level in bind9 or use Wireshark to
> look at what’s happening on the wire. My best guess is broken IPv6
> connectivity, but it could be something completely different. Looking at the
> packets is the easiest way to get better understanding of the problem.
>
> Ondrej
>
> --
> Ondřej Surý — ISC
>
> On 17 Jan 2020, at 20:52, Steve Farr via bind-users
>
> Hi there,
>
> I'm hoping perhaps someone can point me in a good direction for
> troubleshooting here… I recently upgraded from BIND 9.9.10-P3 running in
> 32-bit Windows, to 9.14.9 running on 64-bit Windows. I've tried it in both
> Windows 10 and Windows 7, and the behavior is the same: Queries for
> addresses that aren't already cached take a long time (long enough that the
> client resolver often gives up and assumes the DNS server failed - perhaps
> 5-6 seconds). On a second attempt, it's usually in the cache and responds
> right away. The server has three views, two of which allow recursion, and it
> hosts a couple of authoritative domains (differing in content between the
> views, but present in all three). Queries for addresses in the domains that
> are hosted locally are fast, and so are queries for anything that's cached.
> I had to make a few tweaks to the config, jumping so many versions, in order
> to eliminate warnings about things like DNSSEC… I also downloaded a fresh
> copy of the named.cache / root hints, as well as bind.keys.
>
> It's entirely possible that I just don't know what I'm doing.
>
> Any ideas what could be causing this? The old server occupied the same
> internal IP address (same firewall, same NAT, etc) so I don't tend to
> suspect the network, especially since it's reproducible (the old 32-bit box
> still works fast if I swap it back in). Here's my current config (feel free
> to critique it even if off-topic):
>
> // named.conf
> acl internal { 192.168.63.0/24; 192.168.65.0/24; 127.0.0.1; };
> acl wifi { 192.168.64.0/24; };
> acl notifiers { [public IP removed for anonymity];};
>
> key "transfer-key" {
>         algorithm hmac-md5;
>         secret "[removed for security]";
> };
> server [same public IP as in acl notifiers] {
>         keys { transfer-key; };
> };
>
> options {
>         version "1.1.1.1";
>         directory "C:\ISCBIND9\etc\namedb";           // Working directory
>         pid-file "C:\ISCBIND9\var\named.pid";
>         statistics-file "C:\ISCBIND9\var\named.stats";
>         memstatistics-file "C:\ISCBIND9\var\named.memstats";
>         auth-nxdomain yes;
>         listen-on { 192.168.63.23; 127.0.0.1; };
>         tcp-clients 1024;
>         max-cache-size 128M;
>         allow-query { any; };
>         recursion no;
>         allow-recursion { none; };
>         allow-query-cache { none; };
>         allow-transfer { none; };
>         allow-notify { notifiers; };
>         notify no;
>
>         dnssec-enable yes;
>         dnssec-lookaside no;
>         dnssec-validation yes;
>         bindkeys-file "C:\ISCBIND9\etc\namedb\bind.keys";
> };
>
> view internal {
>         match-clients { internal; };
>         recursion yes;
>         allow-query { internal; };
>         allow-recursion { internal; };
>         allow-query-cache { internal; };
>
>         zone "." in {type hint; file "named.cache"; };
>         zone "localhost" IN {type master; file "localhost.zone"; };
>         zone "0.0.127.in-addr.arpa" IN {type master; file "named.local"; };
>         [authoritative zones follow]
> };
>
> view wifi {
>         [basically the same as internal except different match-clients statement and different zones]
> };
>
> view external {
>         match-clients { any; };
>         allow-recursion { none; };
>         allow-query-cache { none; };
>         recursion no;
>         allow-query {any; };
>
>         zone "." in {type hint; file "named.cache"; };
>         zone "localhost" IN {type master; file "localhost.zone"; };
>         zone "0.0.127.in-addr.arpa" IN {type master; file "named.local"; };
>         [authoritative zones follow]
> };
>
> Thanks for any help anyone may be able to offer!
>
> -Steve
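
Added example (not part of the original thread or of BIND): a Python check that separates the two situations the thread leaves open, a capture in which the server sends nothing upstream for 3.2 seconds and one in which it first retries IPv6 upstreams that never answer. It assumes the capture has been exported to (time, source, destination, DNS ID, is-response) records; the client address, the 2001:db8:: addresses and the 1-second threshold are constructed for illustration.

```python
from collections import namedtuple
from ipaddress import ip_address

Pkt = namedtuple("Pkt", "t src dst qid is_response")

# Constructed sample captures. 192.168.63.23 is the listen-on address from the
# posted config and 198.41.0.4 is a.root-servers.net; the client address and
# the 2001:db8:: (documentation range) addresses are made up.
SERVER = {"192.168.63.23", "2001:db8:63::23"}
SILENT_GAP = [
    Pkt(0.000, "192.168.63.50", "192.168.63.23", 0x1A2B, False),
    Pkt(3.200, "192.168.63.23", "198.41.0.4", 0x77AA, False),
    Pkt(3.230, "198.41.0.4", "192.168.63.23", 0x77AA, True),
    Pkt(3.231, "192.168.63.23", "192.168.63.50", 0x1A2B, True),
]
V6_TIMEOUTS = [
    Pkt(0.000, "192.168.63.50", "192.168.63.23", 0x1A2B, False),
    Pkt(0.001, "2001:db8:63::23", "2001:db8::53", 0x5001, False),
    Pkt(0.801, "2001:db8:63::23", "2001:db8::54", 0x5002, False),
    Pkt(3.200, "192.168.63.23", "198.41.0.4", 0x77AA, False),
    Pkt(3.230, "198.41.0.4", "192.168.63.23", 0x77AA, True),
    Pkt(3.231, "192.168.63.23", "192.168.63.50", 0x1A2B, True),
]


def analyse(pkts, server):
    """Return (seconds from client query to first upstream query, unanswered upstream queries)."""
    pkts = sorted(pkts)
    client_q = next(p for p in pkts if p.dst in server and not p.is_response)
    upstream = [p for p in pkts
                if p.src in server and not p.is_response and p.t >= client_q.t]
    # A reply matches an upstream query when it comes from the queried address with the same ID.
    answered = {(p.src, p.qid) for p in pkts if p.dst in server and p.is_response}
    unanswered = [p for p in upstream if (p.dst, p.qid) not in answered]
    delay = round(upstream[0].t - client_q.t, 3) if upstream else None
    return delay, unanswered


def diagnose(pkts, server, slow=1.0):
    """Classify a capture as 'v6-unanswered', 'silent-gap' or 'ok'."""
    delay, unanswered = analyse(pkts, server)
    if any(ip_address(p.dst).version == 6 for p in unanswered):
        return "v6-unanswered"   # server retried IPv6 upstreams that never replied
    if delay is None or delay > slow:
        return "silent-gap"      # nothing seen leaving the server: check what the capture covered
    return "ok"
```

A "silent-gap" result means the capture shows no outbound packets during the wait, so the next step is to confirm the capture filter and interface before concluding the server was idle.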

