locdang
asked on
DNS speed issue with squid
Hi all,
Having some trouble with squid and dns resolution, it can take clients anywhere between 3 to 8 seconds to have webdata passed back to their client browsers which i have determined to be squid and it having issues resolving dns quickly.
My resolv.conf file is setup with my domain's dns servers and search param....
any ideas?
My resolv.conf file:
nameserver 10.42.42.17
nameserver 10.42.42.11
search epicentre.internal
Something i forgot:
if client is Windows, you can "debug" the slow queries using the command:
nslookup -d2 <name>
ASKER
Hi,
The problem isn't with the DNS servers though as the linux box is the only machine having trouble with the winserv2003 dns servers.
i will now relocate that entry in my resolv.conf
ASKER
No change in performance since i tried that change.
However I am thinking that maybe it is not DNS but something else, when I do a ping to any domain it takes about a second or two to get this line:
EPICSQUID:~ # ping google.com.au -I eth1
PING google.com.au (72.14.235.104) from 10.42.42.41 eth1: 56(84) bytes of data.
then pauses here for about 4-8 seconds, before working normally...
64 bytes from tw-in-f104.google.com (72.14.235.104): icmp_seq=1 ttl=241 time=182 ms
64 bytes from tw-in-f104.google.com (72.14.235.104): icmp_seq=2 ttl=241 time=174 ms
64 bytes from tw-in-f104.google.com (72.14.235.104): icmp_seq=3 ttl=241 time=165 ms
64 bytes from tw-in-f104.google.com (72.14.235.104): icmp_seq=4 ttl=241 time=185 ms
64 bytes from tw-in-f104.google.com (72.14.235.104): icmp_seq=5 ttl=241 time=173 ms
64 bytes from tw-in-f104.google.com (72.14.235.104): icmp_seq=6 ttl=241 time=184 ms
64 bytes from tw-in-f104.google.com (72.14.235.104): icmp_seq=7 ttl=241 time=218 ms
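The pause in the ping output above sits between the header line (printed once the forward lookup of google.com.au returns) and the first reply line (printed once ping has mapped the replying address back to a name; ping -n skips that step). A slow reverse lookup is one thing that produces exactly that gap while forward lookups look fine. The following script is an added example, not code from the thread: it reads a resolv.conf, then sends one A query and one PTR query directly to each listed nameserver over UDP, timing each so that a slow server or a slow reverse zone can be told apart from a problem in squid itself. The resolv.conf text is a constructed sample shaped like the one posted; the probe host and address are the ones in the ping output.

```python
#!/usr/bin/env python3
"""Time A and PTR lookups against every nameserver in a resolv.conf, one server
at a time, bypassing the stub resolver. Added example; sample data is constructed."""
import socket
import struct
import time

# Constructed sample: same shape as the resolv.conf posted in the thread.
RESOLV_CONF_SAMPLE = """nameserver 10.42.42.17
nameserver 10.42.42.11
search epicentre.internal
"""

QTYPE_A, QTYPE_PTR = 1, 12


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) in file order; '#' and ';' start comments."""
    nameservers, search = [], []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].split(';', 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == 'nameserver' and len(parts) > 1:
            nameservers.append(parts[1])
        elif parts[0] in ('search', 'domain'):
            search.extend(parts[1:])
    return nameservers, search


def reverse_name(ipv4):
    """Map a dotted IPv4 address to the name queried for its PTR record."""
    octets = ipv4.split('.')
    if len(octets) != 4:
        raise ValueError("expected a dotted IPv4 address")
    return '.'.join(reversed(octets)) + '.in-addr.arpa'


def build_query(name, qtype, txid=0x1234):
    """Encode a single-question DNS query: RD=1, QDCOUNT=1, class IN."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    qname = b''.join(bytes([len(label)]) + label.encode('ascii')
                     for label in name.rstrip('.').split('.')) + b'\x00'
    return header + qname + struct.pack('!HH', qtype, 1)


def parse_response(packet, txid=0x1234):
    """Return (rcode, answer_count) from a response header after basic sanity checks."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    rid, flags, _qd, an, _ns, _ar = struct.unpack('!HHHHHH', packet[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return flags & 0x000F, an


def time_query(server, name, qtype, timeout=5.0):
    """Send one query straight to `server`:53 and return (milliseconds, rcode, answers);
    rcode and answers are None when the server does not reply within `timeout`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, qtype), (server, 53))
        data, _ = sock.recvfrom(4096)
        rcode, answers = parse_response(data)
        return (time.monotonic() - start) * 1000.0, rcode, answers
    except socket.timeout:
        return (time.monotonic() - start) * 1000.0, None, None
    finally:
        sock.close()


def probe(resolv_text, host, addr):
    """Time the forward lookup of `host` and the reverse lookup of `addr` on each server."""
    nameservers, search = parse_resolv_conf(resolv_text)
    results = []
    for ns in nameservers:
        for label, name, qtype in (('A   ' + host, host, QTYPE_A),
                                   ('PTR ' + addr, reverse_name(addr), QTYPE_PTR)):
            ms, rcode, answers = time_query(ns, name, qtype)
            results.append((ns, label, ms, rcode, answers))
    return search, results


if __name__ == '__main__':
    # Host and address are the ones shown in the thread's ping output.
    search, results = probe(RESOLV_CONF_SAMPLE, 'google.com.au', '72.14.235.104')
    print('search domains:', search)
    for ns, label, ms, rcode, answers in results:
        status = 'TIMEOUT' if rcode is None else f'rcode={rcode} answers={answers}'
        print(f'{ns:15} {label:22} {ms:8.1f} ms  {status}')
```

Run it on the squid host itself so the queries leave through the same interfaces and firewall rules squid uses. A PTR row that takes seconds while the A row on the same server is fast points at the reverse zone (or at a forwarder the DNS server uses for in-addr.arpa); one server slow on both rows while the other is fast points at that server or the path to it.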
ASKER
Is anyone able to assist? I have re-posted this issue so many times without resolution.
If you are having DNS issues and you issue a ping "hostname" command, then it will take awhile before you see the first line like:
PING google.com.au (72.14.235.104) from 10.42.42.41 eth1: 56(84) bytes of data.
What happens if you issue:
ping 72.14.235.104
I'm saying that it definitly is a DNS issue, it could be a network and a DNS issue, or just a network issue with one specific network segement.
You may want to do a tracer route to you dns servers to see if there a lot of latency someplace.
You may also want to start doing packet captures at various points on your network to see where the slowdown is.
When you are on the linux box and do nslookup -debug hostname.domain
You should see all the requests that are generated to resolve.
Did you perhaps configure squid to compress the data stream back to the client?
Do you have statistic data collection of squid functionality so that you can see if the server is overloaded by the numerous requests?
Is the squid cache configured to cache data or is it simply a pass through?
I.e. does not cache anything.
Do you have iptables/ipchains enabled that could explain the delay if the server on which squid runs is overloaded.
What type of network connection does the linux box have? Does it have two network interfaces one through which it delivers the responses and one through which it retrieves the data? The two can be on the LAN segment.
ASKER
giltjr:
I did what you said, no latency issues for pings to hostnames and IPs.
traceroute to both DNS servers is only a single hop, and >5ms
ASKER
arnold:
I don't believe i have setup squid to compress to the client, if it is doing so i didn't set it. i will check for you shortly.
It would'nt be an overload issue. this server is way over spec'd for its intended application, however currently its being tested before it is placed in production and only by 10 users... the server shouldn't even feel a pinch at this time.
Squid should be caching data. I thought maybe there was something wrong with the cache so i rebuilt it however no difference in performance.
I have a routing script that i run for squid to work, i have included it below, possibly that is where the issue lies.
traffic from lan goes in eth0 and out eth1, both eth adapters are on the same subnet (no way around this unfortunately) however i doubt that is the cause because i have had other squid boxes running the same 'setup' and no issues at all.
Thanks :)
#!/bin/sh
# ------------------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# -------------------------------------------------------------------------------------
# squid server IP
SQUID_SERVER="10.42.42.40"
# Interface connected to Internet
INTERNET="eth1"
# Interface connected to LAN
LAN_IN="eth0"
# Squid port
SQUID_PORT="3128"
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
ASKER
here is my squid.conf
just in case :)
#httpd_accel_host virtual
#httpd_accel_port 80
#httpd_accel_with_proxy on
#httpd_accel_uses_host_header oncp su
#auth_param basic program /usr/sbin/ncsa_auth /etc/squid/squid_passwd
#acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl no_cache_list src "/etc/squid/no-cache-list.squid"
no_cache deny no_cache_list
acl epicentre_42_range src 10.42.42.0/23
acl bad_urls dstdomain "/etc/squid/bad-url-list.squid"
acl good_urls dstdomain "/etc/squid/good-url-list.squid"
#acl bad_ports port "/etc/squid/bad-port-list.squid"
acl good_ports port "/etc/squid/good-port-list.squid"
#acl bad_hosts src "/etc/squid/bad-host-list.squid"
#acl good_hosts src "/etc/squid/good-host-list.squid"
acl bad_exts urlpath_regex -i "/etc/squid/bad-ext-list.squid"
#acl bad_exts urlpath_regex -i "http://localhost/bad-ext-list.squid"
deny_info denied bad_urls
deny_info denied bad_exts
http_access deny bad_exts
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#http_access deny bad_hosts
#http_access allow good_hosts
http_access deny bad_urls
http_access allow good_urls
#http_access deny bad_ports
http_access allow good_ports
http_access allow epicentre_42_range
http_access allow localhost
http_access deny all
icp_access allow all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
cache_replacement_policy heap LFUDA
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 200 KB
cache_mem 100 MB
memory_pools off
maximum_object_size 10 MB
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off
cache_dir aufs /squidcache 800 16 256
access_log /var/log/squid/access.log squid
log_fqdn on
acl QUERY urlpath_regex cgi-bin \?
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
acl apache rep_header Server ^Apache
cache deny QUERY
#broken_vary_encoding allow apache
cache_mgr xavier.hutchinson@epicentre.com.au
dns_nameservers 10.42.42.17 10.42.42.11
coredump_dir /var/cache/squid
ASKER CERTIFIED SOLUTION
run the bind service with the "-g" option to get output to the attached vty; check the logs for any strange errors
Put "search epicentre.internal" at the top of your resolv.conf