slow lookup to non-existent host

[Barry Margolin]

In article <mailman.490.1287172931.555.bind-users at lists.isc.org>,
 Eric Ritchie <eritchie at interactivebrokers.com> wrote:

>   When doing a nslookup of a non-existent host on the same network as 
> the bind servers, there is a delay. If I do the same nslookup from a 
> host on a different network, the response is immediate.

My guess is that the server allows recursion for clients on the same 
network, but doesn't allow it for clients on a different network.  But 
there's something blocking its ability to recurse.

> 
> host a is on the same network as bind servers, host b is on different 
> network:
> 
> hostb$ nslookup dev600
> Server:         131.210.30.200
> Address:        131.210.30.200#53
> 
> ** server can't find dev600: REFUSED
> 
> hosta $ nslookup dev600
> ;; connection timed out; no servers could be reached
> 
> tcpdump on server:
> 15:53:38.535453 IP hosta.ibg.28346>  bindsrv.domain:  36663+ A? dev600.ibg. 
> (28)
> 15:53:38.535582 IP bindsrv.domain>  hosta.ibg.28346:  36663 NXDomain* 0/1/0 
> (75)
> 15:53:38.535834 IP hosta.ibg.23719>  bindsrv.domain:  44929+ A? dev600. (24)
> 
> 
> 15:53:21.233381 IP hostb.ibg.51921>  bindsrv.domain:  38869+ A? dev600.ibg. 
> (28)
> 15:53:21.233750 IP bindsrv.domain>  hostb.ibg.51921:  38869 NXDomain*- 0/1/0 
> (75)
> 15:53:21.234022 IP hostb.ibg.43283>  bindsrv.domain:  41973+ A? dev600. (24)
> 15:53:21.234181 IP bindsrv.domain>  hostb.ibg.43283:  41973 Refused- 0/0/0 
> (24)
> 
> 
> We have several locations with similar setups and all see the same 
> issue. They are running different versions also, one is 9.4.2 and one is 
> 9.7.0-P1. The /etc/resolv.conf file is:
> 
> search ibg
> options rotate
> options ndots:3
> nameserver 131.210.30.200
> nameserver 131.210.30.201
> nameserver 131.210.30.202
> nameserver 131.210.30.203
> 
> Thanks

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE don't copy me on replies, I'll read them in the group ***