  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 263

Slow named responses

Hello. I have a BIND 9.2.3 DNS server on my network that is responding slowly...
As you can see below, the queries are taking like 4 seconds. This server has an AT&T public IP routed directly to our AT&T managed Cisco that has 3 T1's load-balanced. Of course, once the server does actually perform the lookup, the lookup is cached and the same lookup is instant afterwards. I just don't know why the initial lookup of a new domain is taking so long. I use Shorewall firewall and I have turned it off for testing....same results running or not running..slow.
When I SSH into the Linux server I can do an nslookup for a domain against the server itself, like: nslookup www.somedomain.gom 12.xx.xxx.xxx //that is my server's IP. So it queries itself but takes several seconds to get the lookup. What could be causing this? Anyone have any idea what this could be or any resolution?
Thank you!!

my resolv.conf is this:
nameserver 12.xx.xxx.xxx  //primary
nameserver 12.xx.xxx.xxx   //secondary
domain xxx.com  

here is /etc/hosts:
127.0.0.1               localhost
12.xx.xxx.xxx           zeus.xxxx.com zeus

It's odd because my other DNS server (a Windows box) is not like this...the responses are instant and I hate that a Windows box is outperforming my Linux box for DNS lookups! :)

here is an example DIG:
; <<>> DiG 9.2.3 <<>> @12.xx.xxx.xxx www.mylinks.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14334
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.mylinks.com.               IN      A

;; ANSWER SECTION:
www.mylinks.com.        10800   IN      A       206.207.85.33

;; AUTHORITY SECTION:
mylinks.com.            10800   IN      NS      ns2.internetsource.com.
mylinks.com.            10800   IN      NS      ns1.internetsource.com.

;; Query time: 4106 msec
;; SERVER: 12.xx.xxx.xxx#53(12.xx.xxx.xxx)
;; WHEN: Thu Jun  1 09:27:58 2006
;; MSG SIZE  rcvd: 100
0
Asked: linuxrox
1 Solution
 
kblack05 Commented:
Looks to me that your server isn't doing internal lookups but rather is dereferencing from other hosts.

Try adding:

nameserver localhost

Just above the line:

nameserver 12.xx.xxx.xxx  //primary

In /etc/resolv.conf

Then issue the command 'tail -f /var/log/messages &' and then issue 'nslookup aol.com' or whatever domain. If you see DNS error messages, capture them and post back, if you do not, kill the first command with 'killall -HUP tail'

Regards
~K Black~
0
 
linuxrox (Author) Commented:
I just saw a few "lame server" type of messages and no errors, I don't believe.

here's the top of my named.conf:
controls {
        inet 127.0.0.1 allow { localhost; } keys { key; rndc-key; };
};

key key {
        algorithm hmac-md5;
        secret "4zXH7nJRfwB0psTz00OIBw==";
        };
key rndc-key {
        algorithm hmac-md5;
        secret "koOm3RZwZBPQWQLrcQivgg==";
        };

#include "root-stubs.conf";
options {
        pid-file "/var/run/named/named.pid";
        directory "/var/named";
        allow-transfer {
                12.44.xxx.xxx;
                };
        // the rest of the options block and the zone statements were not included in the post
};
0
 
kblack05 Commented:
Did you modify the resolv.conf and time the query?
0
 
linuxrox (Author) Commented:
Yes, my resolv.conf is:

nameserver localhost    
nameserver 12.xx.xxx.xxx #server itself (same as localhost, only the inet-routable public IP on eth0)
nameserver 12.xx.xxx.xxx #secondary nameserver
domain xxx.com

I restarted BIND and just did a query that took 4660 ms: 4.6 seconds is way too long, I would imagine.

dig @12.xx.xxx.xxx www.forthree.com

; Query time: 4660 msec
;; SERVER: 12.xx.xxx.xxx#53(12.xx.xxx.xxx)
;; WHEN: Thu Jun  1 12:32:44 2006
;; MSG SIZE  rcvd: 197
0
 
kblack05 Commented:
You can try taking the other nameserver references out of the /etc/resolv.conf so that only the localhost entry remains, then see if it even works.

The reason I'm suspicious is the time you describe sounds a lot like the time allotted for failover to the next nameserver.

You should probably try using -v in the /etc/rc.d/named scripting to start bind with verbose logging output. Additionally, the host command is very useful here. Have a look at http://www.linuxjunkies.org/adminstration%20Howto/webminguide/x2711.htm and try the host command with the -v option. Be sure your host is even looking back to itself. If 127.0.0.1 isn't in the byte range, you will see that the host command failed over.

0
 
linuxrox (Author) Commented:
OK, I will try that and have a look at that link.
This is the only error from messages I see:
Jun  1 12:49:02 zeus named[14700]: loading configuration from '/etc/named.conf'
Jun  1 12:49:02 zeus named[14700]: /etc/named.conf:6: couldn't find key 'key' for use with command channel 127.0.0.1#953

But I commented out the key line like so:
#key key {
#       algorithm hmac-md5;
#       secret "4zXH7nJRfwB0psTz00OIBw==";
#       };

Not sure what that error is telling me really.


0
 
linuxrox (Author) Commented:
Oh, never mind, I see I had two keys listed in this line:

controls {
        inet 127.0.0.1 allow { localhost; } keys { key; rndc-key; };
};
0
 
linuxrox (Author) Commented:
OK, I edited resolv.conf to only have
nameserver localhost

restarted named and have this which took several seconds:

[root@zeus named]# nslookup www.insert.com
Server:         localhost
Address:        127.0.0.1#53

Non-authoritative answer:
www.insert.com  canonical name = insert.com.
Name:   insert.com
Address: 67.103.217.40

So it looks like it is still resolving the IPs..just slowly for some reason.
0
 
kblack05 Commented:
You should probably acid test the server at http://www.dnsreports.com and see if the config has some major issues, such as recursion, or some other loop.
0
 
linuxrox (Author) Commented:
check it:

this looks bad:

[root@zeus named]# host -v localhost  
Trying "localhost"
Host localhost not found: 3(NXDOMAIN)
Received 102 bytes from 127.0.0.1#53 in 39 ms
0
 
kblack05 Commented:
Sorry that URI isn't plural. http://www.dnsreport.com/ My bad.
0
 
linuxrox (Author) Commented:
kblack05:
Those references you made were helpful. What I ended up doing was I downloaded the latest version of BIND,
version 9.3.2, and recompiled. For some strange reason now the queries are instant...same network setup and everything...quite odd, I think. Those links you provided showed some good config examples and how to secure BIND very well.
Thanks!
0
 
kblack05 Commented:
Sure! I apologize I didn't have the exact answer.

Be advised that running BIND is best if done in a chroot jail.

Here's a REAL good link, required reading I should think...

www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/cHTML/TrinityOS-c-24.html

(though it was slow just now, you might wait a bit.)

Highest regards

~K Black
0
 
linuxrox (Author) Commented:
I have it running as -u named. I'll check on the chroot jail though.
You couldn't have had the exact answer because who knows if it wasn't a bug in BIND or something, or the fact that it was compiled on a previous kernel :) I have the latest kernel running on Linux now and all of my other binaries are fine so I figured named would be also..who knows! Recompiled, it works fine now though! I wasn't aware of the "views" that BIND had. I'm using the views to stop other servers from being able to use my server to make queries for domains other than my own hosted domains. It's amazing that most DNS servers actually allow anyone to use their server for remote lookups!!
0
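As an added example (not code from the thread, and not part of BIND), the script below turns two points raised above into something you can run against your own server: kblack05's theory that a 4-5 second delay looks like stub-resolver failover to the next nameserver, and the closing remark about servers that let anyone use them for recursive lookups. It parses resolv.conf the way a glibc stub resolver does (numeric addresses only, so a "nameserver localhost" line is skipped rather than resolved), models the wait that each unreachable nameserver adds before the next one is tried, sends a hand-built UDP query straight to one server so the stub resolver is taken out of the picture, and decodes the reply's header flags (rd, ra, rcode) and A records. The 192.0.2.x addresses, the sample resolv.conf and the sample response are constructed for this example; the timeout/attempts defaults are glibc's, and the one-full-timeout-per-dead-server model is an assumption noted in the code.

```python
# Added example, not code from the thread or from BIND. Assumes a glibc-style
# stub resolver and plain UDP DNS on port 53; all sample data is constructed.
import socket
import struct
import time

GLIBC_TIMEOUT, GLIBC_ATTEMPTS = 5, 2   # resolv.conf defaults (options timeout:/attempts:)


def build_query(name, qid=0x1234, qtype=1):
    """Build a recursive (RD=1) query for an A record in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(data):
    """Return the header flags plus the A records found in the answer section."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": qid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": []}
    off = 12
    for _ in range(qd):                # skip the question: name + qtype + qclass
        _, off = _read_name(data, off)
        off += 4
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            info["answers"].append((name, ttl, socket.inet_ntoa(data[off:off + 4])))
        off += rdlen
    return info


def parse_resolv_conf(text):
    """Return (usable nameservers, ignored tokens, timeout, attempts).
    glibc's res_init accepts only numeric addresses on nameserver lines, so a
    'nameserver localhost' entry is silently dropped, not resolved."""
    servers, ignored = [], []
    timeout, attempts = GLIBC_TIMEOUT, GLIBC_ATTEMPTS
    for line in text.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                socket.inet_aton(fields[1])
                servers.append(fields[1])
            except OSError:
                ignored.append(fields[1])
        elif fields and fields[0] == "options":
            for opt in fields[1:]:
                if opt.startswith("timeout:"):
                    timeout = int(opt.split(":")[1])
                elif opt.startswith("attempts:"):
                    attempts = int(opt.split(":")[1])
    return servers, ignored, timeout, attempts


def failover_delay(servers, dead, timeout=GLIBC_TIMEOUT):
    """Model (assumption): every unreachable server listed ahead of the first live
    one costs a full timeout before the stub resolver moves on. None if all dead."""
    live = [s for s in servers if s not in dead]
    return None if not live else servers.index(live[0]) * timeout


def timed_query(server, name, timeout=GLIBC_TIMEOUT):
    """Send one UDP query directly to `server`; return (seconds, parsed reply or None)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
        return time.monotonic() - start, parse_response(data)
    except socket.timeout:
        return time.monotonic() - start, None
    finally:
        sock.close()


# Constructed reply mirroring the dig output in the question (id 14334, qr rd ra).
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 14334, 0x8180, 1, 1, 0, 0)
                   + build_query("www.mylinks.com")[12:]
                   + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 10800, 4)
                   + bytes([206, 207, 85, 33]))

SAMPLE_RESOLV = """nameserver localhost
nameserver 192.0.2.10   # constructed stand-in for the server's own public address
nameserver 192.0.2.20   # constructed stand-in for the secondary
domain example.com
"""

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    servers, ignored, timeout, attempts = parse_resolv_conf(SAMPLE_RESOLV)
    print("usable:", servers, "ignored:", ignored, "worst-case wait if the first is dead:",
          failover_delay(servers, {servers[0]}, timeout))
    for s in servers:                       # live check; needs a reachable resolver
        secs, resp = timed_query(s, "www.mylinks.com", timeout)
        print(f"{s}: {secs:.2f}s", "no answer" if resp is None else
              f"ra={resp['ra']} rcode={resp['rcode']} {resp['answers']}")
```

Timing each nameserver separately with timed_query is what separates the two explanations in the thread: if 127.0.0.1 answers an uncached name in milliseconds while a lookup through the system resolver takes seconds, the delay sits in resolv.conf ordering or an entry that never answers; if the server itself takes seconds for a fresh name, the slowness is inside the recursion (upstream reachability, lame delegations like the "lame server" log lines). The ra bit is also the signal a report site reads to decide whether a server grants recursion to whoever is asking: a reply from your server to an outside client, for a name you do not host, with ra set and records returned means recursion is open to that client, which is exactly what the BIND views (or an allow-recursion ACL) in the final comment close off.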
