slow lookup to non-existent host

Eric Ritchie eritchie at interactivebrokers.com
Mon Oct 18 21:20:12 UTC 2010


  Thank you for your replies. This is an internal network with only 1 
domain, no other DNS servers. I disabled recursion and it's working good.

Eric

On 10/17/2010 8:44 PM, Mark Andrews wrote:
> In message <barmar-63054E.22484615102010 at reserved-multicast-range-not-delegated.example.com>, Barry Margolin writes:
>> In article<mailman.490.1287172931.555.bind-users at lists.isc.org>,
>>   Eric Ritchie<eritchie at interactivebrokers.com>  wrote:
>>
>>>    When doing a nslookup of a non-existent host on the same network as
>>> the bind servers, there is a delay. If I do the same nslookup from a
>>> host on a different network, the response is immediate.
>> My guess is that the server allows recursion for clients on the same
>> network, but doesn't allow it for clients on a different network.  But
>> there's something blocking its ability to recurse.
> You have two problems.
>
> 1. You don't have allow-recursion set to allow all your recursive
>     clients to recurse.  When your off net clients try to recurse
>     they get REFUSED.  This is why you get "quick" responses.
>     The default for allow-recursion is "{ localnets; localhost; };"
>
> 2. When you do attempt to recurse on behalf of the local clients
>     you can't reach the root servers.  This results in a timeout.
>     I would be looking for a mis-configured firewall.
>
>>> host a is on the same network as bind servers, host b is on different
>>> network:
>>>
>>> hostb$ nslookup dev600
>>> Server:         131.210.30.200
>>> Address:        131.210.30.200#53
>>>
>>> ** server can't find dev600: REFUSED
>>> hosta $ nslookup dev600
>>> ;; connection timed out; no servers could be reached
>>>
>>> tcpdump on server:
>>> 15:53:38.535453 IP hosta.ibg.28346 > bindsrv.domain: 36663+ A? dev600.ibg. (28)
>>> 15:53:38.535582 IP bindsrv.domain > hosta.ibg.28346: 36663 NXDomain* 0/1/0 (75)
>>> 15:53:38.535834 IP hosta.ibg.23719 > bindsrv.domain: 44929+ A? dev600. (24)
>>>
>>>
>>> 15:53:21.233381 IP hostb.ibg.51921 > bindsrv.domain: 38869+ A? dev600.ibg. (28)
>>> 15:53:21.233750 IP bindsrv.domain > hostb.ibg.51921: 38869 NXDomain*- 0/1/0 (75)
>>> 15:53:21.234022 IP hostb.ibg.43283 > bindsrv.domain: 41973+ A? dev600. (24)
>>> 15:53:21.234181 IP bindsrv.domain > hostb.ibg.43283: 41973 Refused- 0/0/0 (24)
>>>
>>>
>>> We have several locations with similar setups and all see the same
>>> issue. They are running different versions also, one is 9.4.2 and one is
>>> 9.7.0-P1. The /etc/resolv.conf file is:
>>>
>>> search ibg
>>> options rotate
>>> options ndots:3
>>> nameserver 131.210.30.200
>>> nameserver 131.210.30.201
>>> nameserver 131.210.30.202
>>> nameserver 131.210.30.203
>>>
>>> Thanks
>> -- 
>> Barry Margolin, barmar at alum.mit.edu
>> Arlington, MA
>> *** PLEASE don't copy me on replies, I'll read them in the group ***
>> _______________________________________________
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Eric Ritchie
Interactive Brokers LLC
203-618-5868
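
The diagnosis in the quoted replies can be read off the capture by pairing each query with its reply: the on-net client's bare `dev600.` query never gets an answer (the timeout), while the off-net client's gets `Refused`. The following is an added example, not part of the original messages; `pair_dns` and its regexes are hypothetical helpers, and the sample input is the thread's tcpdump output with wrapped lines rejoined.

```python
import re

# tcpdump lines from the capture quoted in this thread, with wrapped
# lines rejoined and the " > " separator normalised.
CAPTURE = """\
15:53:38.535453 IP hosta.ibg.28346 > bindsrv.domain: 36663+ A? dev600.ibg. (28)
15:53:38.535582 IP bindsrv.domain > hosta.ibg.28346: 36663 NXDomain* 0/1/0 (75)
15:53:38.535834 IP hosta.ibg.23719 > bindsrv.domain: 44929+ A? dev600. (24)
15:53:21.233381 IP hostb.ibg.51921 > bindsrv.domain: 38869+ A? dev600.ibg. (28)
15:53:21.233750 IP bindsrv.domain > hostb.ibg.51921: 38869 NXDomain*- 0/1/0 (75)
15:53:21.234022 IP hostb.ibg.43283 > bindsrv.domain: 41973+ A? dev600. (24)
15:53:21.234181 IP bindsrv.domain > hostb.ibg.43283: 41973 Refused- 0/0/0 (24)
"""

LINE = re.compile(r"^\S+ IP (\S+?)\s*>\s*(\S+?):\s+(\d+)(.*)$")
QUERY = re.compile(r"^([+%]*)\s+(\w+)\? (\S+)")
REPLY = re.compile(r"^\s*([A-Za-z]*)\S*\s+\d+/\d+/\d+")


def pair_dns(text):
    """Match each query to its reply by (client endpoint, DNS id).

    Returns [(client, qname, rd_flag, rcode)]; rcode is None when the
    capture holds no reply, which is what a client sees as a timeout.
    """
    queries, replies = {}, {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        src, dst, dns_id, rest = m.groups()
        q = QUERY.match(rest)
        if q:
            queries[(src, dns_id)] = (q.group(3), "+" in q.group(1))
            continue
        r = REPLY.match(rest)
        if r:
            # tcpdump omits the rcode word when it is NoError
            replies[(dst, dns_id)] = r.group(1) or "NoError"
    return [(client, qname, rd, replies.get((client, dns_id)))
            for (client, dns_id), (qname, rd) in queries.items()]


if __name__ == "__main__":
    for client, qname, rd, rcode in pair_dns(CAPTURE):
        print(f"{client:18} {qname:12} rd={rd!s:5} {rcode or 'NO REPLY (timeout)'}")
```
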



