fast resolving IP -> slow ping answers

Hello!

I have a very basic DNS configuration (bind). It is working, but when I try to ping some host from a different host, the IP is resolved fast but I must wait a long time for the first pings (there are no lost pings).

#ping testvis
PING testvis.testit.pl (10.50.10.199) 56(84) bytes of data.
 
wait, wait, wait...

64 bytes from 10.50.10.199: icmp_req=1 ttl=64 time=0.176 ms
64 bytes from 10.50.10.199: icmp_req=2 ttl=64 time=0.204 ms
64 bytes from 10.50.10.199: icmp_req=3 ttl=64 time=0.062 ms
...

What is ping waiting for?? :/
rysicAsked:
Kerem ERSOYPresidentCommented:
Hi,

Can you check your resolv.conf and make sure that there are no stale servers in it? Also check your /etc/hosts and make sure that your host name is not an alias to 127.0.0.1 (localhost).

Cheers,
K.
0
rysicAuthor Commented:
No, there is only one DNS server.

In /etc/hosts I have only one alias to localhost:

127.0.0.1              localhost

and in my opinion it is OK.
0
xtermCommented:
Please ping it by IP as below, and tell me if you still get that long pause before the responses.

If so, then it's not hanging on the forward lookup, but probably on the inverse lookup.  Do 'nslookup 10.50.10.199' and see if that hangs.  If so, then you will need to do one of two things:

1)  Fix your DNS server to respond for PTR lookups for 10.50.10.in-addr.arpa
2)  Band-aid it by adding "10.50.10.199           testvis.testit.pl  testvis" to /etc/hosts
ping 10.50.10.199

0
rysicAuthor Commented:
It is not hanging on ping by IP or on nslookup. Also dig doesn't hang. I checked that before, and it was very strange to me: what else is PING doing while resolving that IP...

If you are right, then why is PING checking inverse lookup????? :/

I'll try to add reverse lookup and let you know.
0
Kerem ERSOYPresidentCommented:
Hi,

Will you please also check your: /etc/nsswitch.conf file and make sure that files are as below:

hosts:      files dns

Cheers,
K.
0
xtermCommented:
No need to add inverse - it's apparently not getting stuck there if nslookup and dig instantly come back when you resolve the IP address.

Do you have any ipv6 stuff in your /etc/hosts?
0
rysicAuthor Commented:
> Do you have any ipv6 stuff in your /etc/hosts?
There was something, but I commented it out and it didn't help.

> Will you please also check your: /etc/nsswitch.conf file and make sure that files are as below:
There was
hosts:    files mdns4_minimal [NOTFOUND=return] dns

I deleted that and left only files dns, but it also didn't help.
0
xtermCommented:
When you ping from your DNS server to the client IP, do you get similar hangs?  Other machines on your network?  What about if you were to ping something like www.yahoo.com?

Or is it just specifically from this one client machine to testvis.testit.pl?
0
rysicAuthor Commented:
> When you ping from your DNS server to the client IP, do you get similar hangs?
No.

> Or is it just specifically from this one client machine to testvis.testit.pl?
No, all in that test environment.

When I ping google.pl, then I get answers in the same time. So the problem is in the name server, but what can it be...?
0
Kerem ERSOYPresidentCommented:
Hi,

This is a known bug. The nss breaks the integrity of glibc and causes erroneous dns queries. Will you please modify your /etc/nsswitch.conf and make it read like:

 
hosts:    files dns

Instead of your current default ?

Cheers,
K.
0
xtermCommented:
The author already said in 37390450 above that he changed the hosts entry to "files dns" and it had no impact.
0
rysicAuthor Commented:
xterm is right! I did and it didn't help.
0
giltjrCommented:
Run tcpdump and you should be able to see what is going on.

Issue:

tcpdump -s 0 -w dump01.cap &

Then issue "ping testvis".  After the pings start responding kill tcpdump.  You can use Wireshark to look at the capture.

If you issue ping testvis.testit.pl do you see the same delay?
0
Kerem ERSOYPresidentCommented:
On some systems this delay was caused by avahi daemon being run.

Will you please post your :

netstat -anpu

output?

If it is running (UDP ports 5353 and 32768 are listened) you might like to disable avahi daemon.

To tell you exact directions on how to disable it please post the output of:

lsb_release -a

(from the command line)

0
Kerem ERSOYPresidentCommented:
BTW will you post the contents of your /etc/resolv.conf

I am suspecting that you're also missing the search directive from it.
0
Kerem ERSOYPresidentCommented:
This is already a confirmed bug in ubuntu.

https://bugs.launchpad.net/ubuntu/+source/nss-mdns/+bug/94940
0
giltjrCommented:
I was assuming he has multiple search domains.  In the original post he ping'ed just plain  "testvis" and the ping command came back ping'ing testvis.testit.pl.

This would imply that at a minimum he has testit.pl in the search list.  However if he had multiple other domains in front of that it could take awhile to resolve the name as it goes through the domains in the list.
0
rysicAuthor Commented:
# cat /etc/resolv.conf
nameserver 10.50.10.101
search testit.pl

It is no matter if I use vistest or vistest.testit.pl
0
Kerem ERSOYPresidentCommented:
What about netstat -anpu output ??
0
Kerem ERSOYPresidentCommented:
As I told it seems to me that this is something about avahi and nss
0
rysicAuthor Commented:
@giltjr,
When I use Wireshark, I can see very fast first echo request and reply (that is when ping hangs). But then it is waiting long time and then next echo requests and echo replies are one by one (ping unhangs)
Between that, there is one interesting thing - DNS query
Standard query PTR 170.10.50.10.in.addr.arpa

May be it is problem. He is asking for reverse record - why??? He is asking many times when ping hangs...
0
Kerem ERSOYPresidentCommented:
> May be it is problem. He is asking for reverse record - why??? He is asking many times when ping
> hangs...

This is what this bug in Ubuntu about local resolution.. This is why it hangs. But you insistently don't respond to what I ask ...
0
rysicAuthor Commented:
Output from netstat:
# netstat -anpu
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
udp        0      0 0.0.0.0:952             0.0.0.0:*                           2050/rpcbind        
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1794/avahi-daemon:  
udp        0      0 0.0.0.0:11301           0.0.0.0:*                           4825/dhclient       
udp        0      0 0.0.0.0:68              0.0.0.0:*                           4825/dhclient       
udp        0      0 0.0.0.0:58952           0.0.0.0:*                           1794/avahi-daemon:  
udp        0      0 0.0.0.0:111             0.0.0.0:*                           2050/rpcbind        
udp        0      0 0.0.0.0:631             0.0.0.0:*                           2075/cupsd          
udp        0      0 :::60071                :::*                                4825/dhclient       
udp        0      0 :::952                  :::*                                2050/rpcbind        
udp        0      0 :::111                  :::*                                2050/rpcbind        

But when I disable avahi:
rcavahi-daemon stop

It is not helping.
0
rysicAuthor Commented:
@KeremE,
responding for many questions. I saw your answer but didn't read yet. :)
Too many questions in one time, sorry. I'm reading it now! :)
0
Kerem ERSOYPresidentCommented:
No problem..

Yeah your avahi daemon is running please shut it down:

service avahi-caemon stop

and retry the command.. To disable it permanently:

sudo update-rc.d -f avahi-daemon remove

Cheers,
K.


0
Kerem ERSOYPresidentCommented:
It seems to me that this is an invalid command like that:


 
rcavahi-daemon stop

Use the one I've suggested above. ( I had a typo though). Here's the corrected version:

 
service avahi-daemon stop

Cheers,
K.
0
Kerem ERSOYPresidentCommented:
You shouldn't be seeing  

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
udp        0      0 0.0.0.0:5353            0.0.0.0:*                           1794/avahi-daemon:  
      
udp        0      0 0.0.0.0:58952           0.0.0.0:*                           1794/avahi-daemon:

These. Since they are listened by avahi-daemon.

0
giltjrCommented:
Do you know what device/host has the IP address 10.50.10.170?

I don't think that reverse lookup has anything to do with the ping, but I would do tcpdump again and see if you see the same thing.

Typically the only time a Linux box does a reverse lookup is when a server service (like Apache or sshd) requests it.  Apache has this option turned off by default.  Some distributions of Linux will turn this off in sshd, some leave it on.  

When you see the delay/hang in tcpdump, is the ICMP request going out and then nothing for awhile.  Or is nothing going out?

0
rysicAuthor Commented:
@KeremE,
believe me,
rcavahi-daemon stop
is correct :) I don't see anymore ports 5353, 58952 open.

@giltjr,
10.50.10.170 is IP of host which i try to ping.

I know that now for sure. It is reverse lookup. In Wireshark there are many DNS PTR requests and no answers when ping hangs.
I also added reverse lookup to DNS server and now ping is not hanging!
I suppose that it is some similar bug to this in Ubuntu... :/
0
rysicAuthor Commented:
@KeremE,
In SUSE of course! :)
0
Kerem ERSOYPresidentCommented:
> I know that now for sure. It is reverse lookup. In Wireshark there are many DNS PTR requests and no
> answers when ping hangs.
> I also added reverse lookup to DNS server and now ping is not hanging!
> I suppose that it is some similar bug to this in Ubuntu... :/

Isn't it possible for you to add a reverse lookup zone to your DNS Server ?
0
Kerem ERSOYPresidentCommented:
> is correct :) I don't see anymore ports 5353, 58952 open.
Ok. I believe :)  Cheers.
0
rysicAuthor Commented:
> > I know that now for sure. It is reverse lookup. In Wireshark there are many DNS PTR requests and no
> > answers when ping hangs.
> > I also added reverse lookup to DNS server and now ping is not hanging!
> > I suppose that it is some similar bug to this in Ubuntu... :/
>
> Isn't it possible for you to add a reverse lookup zone to your DNS Server ?

It is not so secure if I add all reverse lookup for all hosts... :/ It is very easy then to ask all IPs in network about name and know the functionality of every server... :/
0
giltjrCommented:
Unless I am missing something, you seem to have another problem: 10.50.10.170 is the IP address of the host you are trying to ping.

In your first post testvis.testit.pl seems to resolve to 10.50.10.199, which is different.
0
Kerem ERSOYPresidentCommented:
> It is not so secure if I add all reverse lookup for all hosts... :/ It is very easy then to ask all IPs in
> network about name and know the functionality of every server... :/

Your addresses are all 10.x.x.x so all you'd open is an internal reverse DNS. I don't think there's a security impact on it. Are you allowing access to your internal DNS globally?? This is altogether a bad idea. You should use a split DNS.

Cheers,
K.

 
0
giltjrCommented:
Try using the -n option on the ping command:

ping -n testvis.

The -n option says, do not reverse lookup.  I never realized that ping does a reverse lookup by default  at least:

  http://linux.die.net/man/8/ping

seem to imply that.
0
rysicAuthor Commented:

giltjr:
> Unless I am missing something you seem to have another problem 10.50.10.170 is the IP address of the host you are trying to ping.
>
> In your first post testvis.testit.pl seems to resolve to 10.50.10.199. which is different.

Because there is no difference which host I ping... Sorry about that. That was a different host.

KeremE:
> > It is not so secure if I add all reverse lookup for all hosts... :/ It is very easy then to ask all IPs in
> > network about name and know the functionality of every server... :/
>
> Your addresses are all 10.x.x.x so all you'd open is an internal reverse DNS. I don't think there's a security impact on it. Are you allowing access to your internal DNS globally?? This is altogether a bad idea. You should use a split DNS.
>
> Cheers,
> K.

No, it is a closed network, but if anyone will be inside somehow, then he has clear situation what is doing any server.

> Try using the -n option on the ping command:
>
> ping -n testvis.
>
> The -n option says, do not reverse lookup.  I never realized that ping does a reverse lookup by default  at least:
>
>   http://linux.die.net/man/8/ping
>
> seem to imply that.

Yes, it is working. I also thought that it is not doing reverse by default...
0
Kerem ERSOYPresidentCommented:
In fact, once a hacker is inside, network discovery by reverse DNS will be the least of your worries. Think that he has filled your switch's internal buffer with bogus requests and he is now able to listen to all your internal traffic. Also the ARP cache of systems, and he has the system info.

What you say is called "security by obscurity" and it is not a replacement for actual layered security only a poor man's consolation :))

Cheers,
K.
0
giltjrCommented:
Thanks for the points, but I don't think that solved the problem.  That just resolves the symptoms.

The problem is why is it taking so long to either say "no such entry" or "here is the name".

I think somebody already suggested you set up a reverse zone for your subnet.  You don't have to put any records in it, just set up the zone.  That way your DNS server will respond immediately with "no such entry."  However I would suggest that you do populate entries for hosts with static IP addresses assigned.

0
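The symptom found in the capture in this thread (PTR queries repeated with no reply while ping stalls) can be picked out of tcpdump's text output mechanically. The following is an added example, not code posted by anyone in the thread; the sample lines are constructed, 10.50.10.20 is a hypothetical client, and the function name is illustrative. It contrasts a PTR query that is never answered with one that gets an immediate NXDomain, which is what an empty reverse zone would produce.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -tt port 53` text output (not the thread's capture).
# 10.50.10.20 is a hypothetical client; 10.50.10.101 is the name server named in the thread.
SAMPLE = """\
100.000000 IP 10.50.10.20.41000 > 10.50.10.101.53: 4660+ A? testvis.testit.pl. (35)
100.000400 IP 10.50.10.101.53 > 10.50.10.20.41000: 4660* 1/1/0 A 10.50.10.199 (80)
100.001000 IP 10.50.10.20.41001 > 10.50.10.101.53: 4661+ PTR? 199.10.50.10.in-addr.arpa. (43)
105.001000 IP 10.50.10.20.41001 > 10.50.10.101.53: 4661+ PTR? 199.10.50.10.in-addr.arpa. (43)
110.001000 IP 10.50.10.20.41002 > 10.50.10.101.53: 4662+ PTR? 199.10.50.10.in-addr.arpa. (43)
120.000000 IP 10.50.10.20.41003 > 10.50.10.101.53: 4663+ PTR? 170.10.50.10.in-addr.arpa. (43)
120.000300 IP 10.50.10.101.53 > 10.50.10.20.41003: 4663 NXDomain* 0/1/0 (98)
"""

# Query line:  <ts> IP <client.port> > <server>.53: <id>+ PTR? <name> (len)
QUERY = re.compile(r"^(\d+\.\d+) IP (\S+) > \S+\.53: (\d+)\S* PTR\? (\S+) ")
# Reply line:  <ts> IP <server>.53 > <client.port>: <id> ...
REPLY = re.compile(r"^\d+\.\d+ IP \S+\.53 > (\S+): (\d+)")


def unanswered_ptr(capture):
    """Return PTR names that were queried but never got any reply (not even NXDomain)."""
    asked = {}                 # (client ip.port, query id) -> PTR name
    seen = defaultdict(list)   # PTR name -> timestamps of every query for it
    answered = set()
    for line in capture.splitlines():
        q = QUERY.match(line)
        if q:
            ts, client, qid, name = q.groups()
            asked[(client, qid)] = name
            seen[name].append(float(ts))
            continue
        r = REPLY.match(line)
        if r and r.groups() in asked:
            answered.add(asked[r.groups()])
    # stalled_for is first-to-last retry, so it is a lower bound on the real stall
    return {
        name: {"queries": len(ts), "stalled_for": round(ts[-1] - ts[0], 3)}
        for name, ts in seen.items()
        if name not in answered
    }


if __name__ == "__main__":
    for name, info in unanswered_ptr(SAMPLE).items():
        print(name, info)
```

A name that shows up here with several queries and a multi-second span is one the resolver kept retrying; a name answered with NXDomain does not appear, because the client got its "no such entry" at once.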