Slow recursive query performance on Windows x64

Steve Farr steve at farrhomestead.com
Mon Jan 20 02:54:36 UTC 2020


Lee, that was fantastic. Thank you! Setting the whole IPv6 internet to be Bogus worked like a charm. It would appear that even though IPv6 is unbound from the NIC that BIND is running on, and even though BIND is only listening on v4 addresses, and even though I had the v6 roots commented out (all done sequentially as troubleshooting measures), it was still pining away after the v6 world.

Seems like maybe there ought to be a "cleaner" way to turn off v6 for queries when it's totally not in use, rather than marking it as bogus. I tried setting

listen-on-v6 { none; }; 

or

query-source-v6 { none; };  
(which turned out to be a syntax error / not allowed)

but it still delayed the queries unless I put in your suggestion server ::/0 { bogus yes; };   -- really nice call. 

By the way, I also tried filter-aaaa-on-v4 yes; because none of my clients have any v6 access either, so those aaaa's probably aren't helpful to them, but the log says this option is obsolete (and it does not actually filter out the aaaa responses with the option enabled). 

Does anyone know of a functionality that replaced the now-obsolete filter-aaaa-on-v4? 
Thanks again, Lee!

-Steve


On 1/18/20, Steve Farr wrote:
>
> I don't have IPv6 connectivity through my ISP, and don't use it on my 
> LAN, so I have it unchecked/not bound in Windows,

Same here.
When I tried running named on Windows it didn't support the -4 option; the workaround I was given was to add

server ::/0 { bogus yes; };

to named.conf so it wouldn't try to use IPv6.  And maybe this is enabled/works on Windows now:

options {
  filter-aaaa-on-v4 yes;
};


> Basically, it looks like my DNS server sits on it for 3.2 seconds 
> before asking the root for a referral.

Which is weird.  Exactly how did you do the packet capture - as in, is it possible you didn't capture everything to/from the server?

Lee


>
> From: Ondřej Surý
> Sent: Friday, January 17, 2020 3:27 PM
> To: Steve Farr
> Cc: bind-users at lists.isc.org
> Subject: Re: Slow recursive query performance on Windows x64
>
> Hi Steve,
>
> I would suggest to either bump debugging level in bind9 or use
> wireshark to look what's happening on the wire. My best guess is
> broken IPv6 connectivity, but it could be something completely
> different. Looking at the packets is the easiest way to get better
> understanding of the problem.
>
> Ondrej
>
> --
> Ondřej Surý    ISC
>
> On 17 Jan 2020, at 20:52, Steve Farr via bind-users
>
> Hi there,
>
> I'm hoping perhaps someone can point me in a good direction for
> troubleshooting here. I recently upgraded from BIND 9.9.10-P3 running
> in 32-bit Windows, to 9.14.9 running on 64-bit Windows. I've tried it
> in both Windows 10 and Windows 7, and the behavior is the same:
> Queries for addresses that aren't already cached take a long time
> (long enough that the client resolver often gives up and assumes the
> DNS server failed - perhaps 5-6 seconds). On a second attempt, it's
> usually in the cache and responds right away. The server has three
> views, two of which allow recursion, and it hosts a couple of
> authoritative domains (differing in content between the views, but
> present in all three). Queries for addresses in the domains that are
> hosted locally are fast, and so are queries for anything that's cached.
> I had to make a few tweaks to the config, jumping so many versions, in
> order to eliminate warnings about things like DNSSEC. I also
> downloaded a fresh copy of the named.cache / root hints, as well as
> bind.keys.
>
> It's entirely possible that I just don't know what I'm doing.
>
> Any ideas what could be causing this? The old server occupied the same
> internal IP address (same firewall, same NAT, etc) so I don't tend to
> suspect the network, especially since it's reproducible (the old
> 32-bit box still works fast if I swap it back in). Here's my current
> config (feel free to critique it even if off-topic):
>
> // named.conf
> acl internal { 192.168.63.0/24; 192.168.65.0/24; 127.0.0.1; };
> acl wifi { 192.168.64.0/24; };
> acl notifiers { [public IP removed for anonymity];};
>
> key "transfer-key" {
>         algorithm hmac-md5;
>         secret "[removed for security]";
> };
> server [same public IP as in acl notifiers] {
>         keys { transfer-key; };
> };
>
> options {
>         version "1.1.1.1";
>         directory "C:\ISCBIND9\etc\namedb";           // Working directory
>         pid-file "C:\ISCBIND9\var\named.pid";
>         statistics-file "C:\ISCBIND9\var\named.stats";
>         memstatistics-file "C:\ISCBIND9\var\named.memstats";
>         auth-nxdomain yes;
>         listen-on { 192.168.63.23; 127.0.0.1; };
>         tcp-clients 1024;
>         max-cache-size 128M;
>         allow-query { any; };
>         recursion no;
>         allow-recursion { none; };
>         allow-query-cache { none; };
>         allow-transfer { none; };
>         allow-notify { notifiers; };
>         notify no;
>
>         dnssec-enable yes;
>         dnssec-lookaside no;
>         dnssec-validation yes;
>         bindkeys-file "C:\ISCBIND9\etc\namedb\bind.keys";
> };
>
> view internal {
>         match-clients { internal; };
>         recursion yes;
>         allow-query { internal; };
>         allow-recursion { internal; };
>         allow-query-cache { internal; };
>
>         zone "." in {type hint; file "named.cache"; };
>         zone "localhost" IN {type master; file "localhost.zone"; };
>         zone "0.0.127.in-addr.arpa" IN {type master; file "named.local"; };
>         [authoritative zones follow]
> };
>
> view wifi {
>         [basically the same as internal except different match-clients statement and different zones]
> };
>
> view external {
>         match-clients { any; };
>         allow-recursion { none; };
>         allow-query-cache { none; };
>         recursion no;
>         allow-query {any; };
>
>         zone "." in {type hint; file "named.cache"; };
>         zone "localhost" IN {type master; file "localhost.zone"; };
>         zone "0.0.127.in-addr.arpa" IN {type master; file "named.local"; };
>         [authoritative zones follow]
> };
>
> Thanks for any help anyone may be able to offer!
>
> -Steve
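
An added example, not part of the original thread: a Python sketch that measures, from a packet-capture summary, the gap described above between a client query reaching the resolver and the resolver's first upstream packet. The record layout, the sample rows, the client address and the upstream address 198.51.100.53 are constructed; the resolver address and client networks are taken from the posted named.conf.

```python
import ipaddress

RESOLVER = "192.168.63.23"  # listen-on address from the posted named.conf
CLIENT_NETS = [ipaddress.ip_network(n)  # the "internal" acl from the post
               for n in ("192.168.63.0/24", "192.168.65.0/24", "127.0.0.1/32")]

# Constructed capture summary: (seconds, source, destination, query name).
# 198.51.100.53 is a documentation address standing in for a root server.
CAPTURE = [
    (0.000, "192.168.63.50", RESOLVER, "example.org"),  # cold-cache query
    (3.204, RESOLVER, "198.51.100.53", "example.org"),  # first upstream query
    (3.251, "198.51.100.53", RESOLVER, "example.org"),
    (3.260, RESOLVER, "192.168.63.50", "example.org"),
    (9.000, "192.168.63.50", RESOLVER, "example.org"),  # repeat, now cached
    (9.001, RESOLVER, "192.168.63.50", "example.org"),
]

def is_client(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLIENT_NETS)

def resolver_delays(capture, resolver=RESOLVER):
    """Return (name, asked_at, delay) for each client query. delay is the
    time until the resolver's first upstream packet for that name, or None
    when it answered the client without going upstream."""
    pending, results = {}, []
    for t, src, dst, name in sorted(capture):
        if dst == resolver and is_client(src):
            pending.setdefault(name, t)          # client query arrives
        elif src == resolver and name in pending:
            asked = pending.pop(name)
            delay = None if is_client(dst) else round(t - asked, 3)
            results.append((name, asked, delay))
    return results

def stalls(capture, threshold=1.0):
    """Client queries where the resolver waited longer than threshold seconds."""
    return [r for r in resolver_delays(capture)
            if r[2] is not None and r[2] > threshold]

def ip_versions(capture):
    """IP versions present in the capture (a v4-only capture holds no IPv6
    packets that could account for a stall)."""
    return {ipaddress.ip_address(a).version
            for _, src, dst, _ in capture for a in (src, dst)}

if __name__ == "__main__":
    for name, asked, delay in stalls(CAPTURE):
        print(f"{name}: asked at {asked:.3f}s, first upstream query after {delay:.3f}s")
    print("IP versions in capture:", sorted(ip_versions(CAPTURE)))
```
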



