Bind takes a long time to resolve requests
Kevin Darcy
kcd at chrysler.com
Tue Oct 4 22:23:26 UTC 2011
On 10/4/2011 12:40 PM, Pablo Maurelli wrote:
>
> Hello, I set up a DNS server with bind9. It is resolving requests, but
> it takes a long time to resolve; sometimes it throws a timeout error and
> resolves on the second try. Any ideas?
> I paste below my named.conf, host.conf and nsswitch.conf.
>
>
>
> DIG:
>
> ; <<>> DiG 9.7.3 <<>>
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 90
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 14
>
> ;; QUESTION SECTION:
> ;.                              IN      NS
>
> ;; ANSWER SECTION:
> .                       517816  IN      NS      g.root-servers.net.
> .                       517816  IN      NS      a.root-servers.net.
> .                       517816  IN      NS      m.root-servers.net.
> .                       517816  IN      NS      f.root-servers.net.
> .                       517816  IN      NS      b.root-servers.net.
> .                       517816  IN      NS      e.root-servers.net.
> .                       517816  IN      NS      j.root-servers.net.
> .                       517816  IN      NS      k.root-servers.net.
> .                       517816  IN      NS      i.root-servers.net.
> .                       517816  IN      NS      h.root-servers.net.
> .                       517816  IN      NS      d.root-servers.net.
> .                       517816  IN      NS      c.root-servers.net.
> .                       517816  IN      NS      l.root-servers.net.
>
> ;; ADDITIONAL SECTION:
> a.root-servers.net.     604216  IN      A       198.41.0.4
> a.root-servers.net.     604216  IN      AAAA    2001:503:ba3e::2:30
> b.root-servers.net.     604216  IN      A       192.228.79.201
> c.root-servers.net.     604216  IN      A       192.33.4.12
> d.root-servers.net.     604216  IN      A       128.8.10.90
> d.root-servers.net.     604216  IN      AAAA    2001:500:2d::d
> e.root-servers.net.     604216  IN      A       192.203.230.10
> f.root-servers.net.     604216  IN      A       192.5.5.241
> f.root-servers.net.     604216  IN      AAAA    2001:500:2f::f
> g.root-servers.net.     604216  IN      A       192.112.36.4
> h.root-servers.net.     604216  IN      A       128.63.2.53
> i.root-servers.net.     604216  IN      A       192.36.148.17
> j.root-servers.net.     604216  IN      A       192.58.128.30
> j.root-servers.net.     604217  IN      AAAA    2001:503:c27::2:30
>
> ;; Query time: 0 msec
> ;; SERVER: 172.31.26.85#53(172.31.26.85)
> ;; WHEN: Tue Oct 4 13:34:03 2011
> ;; MSG SIZE rcvd: 500
I would check connectivity to all of those root nameservers using the
"+norec" and "+buf=4096" options so as to mimic how named itself would
query them.
If by some chance you have IPv6 enabled on your nameserver, with an
assigned (non-link-local) IPv6 address, but no actual IPv6 connectivity
to the Internet, you should probably start named with the "-4" option,
to prevent it wasting time trying to talk to root nameservers (and
others) over the IPv6 transport.
- Kevin
>
>
> DIG ns1.resolver01.net
>
> root@resolver01:/var/named# dig ns1.resolver01.net
>
> ; <<>> DiG 9.7.3 <<>> ns1.resolver01.net
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61061
> ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;ns1.resolver01.net.            IN      A
>
> ;; ANSWER SECTION:
> ns1.resolver01.net.     43200   IN      A       172.31.26.85
>
> ;; AUTHORITY SECTION:
> resolver01.net.         43200   IN      NS      ns1.resolver01.net.
>
> ;; Query time: 0 msec
> ;; SERVER: 172.31.26.85#53(172.31.26.85)
> ;; WHEN: Tue Oct 4 13:34:42 2011
> ;; MSG SIZE rcvd: 66
Both queries returned in 0 milliseconds. Are you looking for something
faster than that? :-)
>
>
> NAMED.CONF
>
> // My allowed networks
>
> acl "redes_sky" {
>     172.31.26.0/24;
>     172.31.25.0/24;
>     172.31.24.0/24;
> };
>
> options {
>     directory "/var/named";
>     dump-file "/var/named/data/cache_dump.db";
>     statistics-file "/var/named/data/named_stats.txt";
>     version "TXT, ";
>     listen-on { 127.0.0.1; 172.31.26.85; };
>     query-source port *;
>     //recursive-clients 2500;
>     allow-transfer { /* !192.168.100.0/24; */
>         redes_sky;
>     };
>     allow-recursion { /* !192.168.100.0/24; */
>         redes_sky;
>     };
>     allow-query { redes_sky; localhost; };
>
>     //recursion no;
> };
>
> include "/etc/bind/rndc.key";
>
> logging {
>     channel default_log {
>         file "/var/log/named.log" versions 3 size 25m;
>         severity info;
>         print-time yes;
>         print-severity yes;
>         print-category yes;
>     };
>     category default { default_log; };
>     category lame-servers { null; };
> };
>
> zone "." {
>     type hint;
>     file "root.hints";
> };
> zone "0.0.127.in-addr.arpa" in {
>     type master;
>     file "named.local";
> };
> zone "26.31.172.in-addr.arpa" in {
>     type master;
>     file "zones/26.31.172.in-addr.arpa";
> };
> zone "resolver01.net" in {
>     type master;
>     file "zones/resolver01.net";
> };
>
>
> Zones:
>
> NAMED.LOCAL
>
> $TTL 43200      ; 12 hours
> @       IN SOA  localhost. root.localhost. (
>                         2008122911 ; serial
>                         3600       ; refresh (1 hour)
>                         900        ; retry (15 minutes)
>                         1209600    ; expire (2 weeks)
>                         43200      ; minimum (12 hours)
>                         )
>         IN NS   localhost.
> 1       IN PTR  localhost.
>
>
> 26.31.172.in-addr.arpa
>
> $ORIGIN .
> $TTL 43200      ; 12 hours
> ; In the posted file the SOA MNAME and RNAME lacked their trailing dot, so the
> ; zone origin had been appended to them (ns1.resolver01.net.26.31.172.IN-ADDR.ARPA.);
> ; they are written here as the fully qualified names that were intended.
> 26.31.172.in-addr.arpa  IN SOA  ns1.resolver01.net. hostmaster.resolver01.net. (
>                                 2011093021 ; serial
>                                 3600       ; refresh
>                                 900        ; retry
>                                 1209600    ; expire
>                                 43200      ; minimum
>                                 )
>                         NS      ns1.resolver01.net.
> $ORIGIN 26.31.172.in-addr.arpa.
> 85                      PTR     ns1.resolver01.net.
>
>
> resolver01.net
>
> $ORIGIN .
> $TTL 43200
> resolver01.net          SOA     ns1.resolver01.net. hostmaster.resolver01.net. (
>                                 2011093072 ; serial
>                                 3600       ; refresh
>                                 900        ; retry
>                                 86400      ; expire
>                                 43200      ; minimum
>                                 )
>                         NS      ns1.resolver01.net.
> ; Each network in an SPF record needs its own ip4: mechanism; the posted record
> ; listed the last two bare, which makes the record invalid (permerror).
>                         TXT     "v=spf1 ptr ip4:172.31.26.0/24 ip4:172.31.24.0/24 ip4:172.31.25.0/24 ~all"
> $ORIGIN resolver01.net.
> ns1                     A       172.31.26.85
>
>
> But the zone 0.0.127.in-addr.arpa is empty???
>
What do you mean "empty"? The special symbol "@" stands for the name of
the zone, so named.local is defining 1 SOA and 1 NS record for the name
"0.0.127.in-addr.arpa". You can verify this by transferring the zone
contents (e.g. "dig -x 127.0.0 axfr").
- Kevin
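As an added example (not part of this thread), a small script that does what Kevin suggests above: it takes the A and AAAA glue for the root servers out of a dig ADDITIONAL section and probes each address iteratively with a 4096-byte EDNS buffer, per address family, so that a host with an IPv6 address but no IPv6 path to the Internet shows up as a column of IPv6 timeouts rather than as a vaguely slow resolver. The sample glue is constructed from the poster's output, and the dig flags are the full spellings of the abbreviated `+norec`/`+buf` given in the reply.

```python
"""Probe the root servers the way named does: iterative queries (+norec),
EDNS0 buffer 4096, one attempt per address, IPv4 and IPv6 separately.
A dead IPv6 path or a firewall dropping large UDP replies then shows up
as per-server timeouts instead of a vaguely 'slow' resolver."""
import re
import subprocess

# Constructed sample, shaped like the ADDITIONAL section of the poster's dig output.
SAMPLE_GLUE = """\
a.root-servers.net.  604216 IN A    198.41.0.4
a.root-servers.net.  604216 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net.  604216 IN A    192.228.79.201
d.root-servers.net.  604216 IN AAAA 2001:500:2d::d
"""

RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA)\s+(\S+)$", re.MULTILINE)


def parse_glue(dig_text):
    """Map (server name, address family) -> address from A/AAAA records."""
    return {(m.group(1), 4 if m.group(2) == "A" else 6): m.group(3)
            for m in RR_RE.finditer(dig_text)}


def probe_cmd(addr, family):
    """dig invocation that mimics named: non-recursive, EDNS0 4096, 1 try, 3 s."""
    return ["dig", f"-{family}", f"@{addr}", ".", "NS",
            "+norec", "+bufsize=4096", "+tries=1", "+time=3"]


def probe(addr, family):
    """Run one probe (needs dig and network); return (answered, query_ms)."""
    out = subprocess.run(probe_cmd(addr, family), capture_output=True, text=True)
    m = re.search(r"Query time: (\d+) msec", out.stdout)
    return (m is not None, int(m.group(1)) if m else None)


def report(glue):
    """One line per server/address; timeouts on every IPv6 row point at named -4."""
    for (name, family), addr in sorted(glue.items()):
        answered, ms = probe(addr, family)
        status = f"{ms} msec" if answered else "TIMEOUT (no path on this family?)"
        print(f"IPv{family}  {name:22s} {addr:24s} {status}")


if __name__ == "__main__":
    report(parse_glue(SAMPLE_GLUE))
```

Feed it the full ADDITIONAL section from your own `dig . NS` instead of the sample to cover all thirteen roots.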