Slow recursive query performance on Windows x64

Ondřej Surý ondrej at isc.org
Fri Jan 17 20:26:38 UTC 2020


Hi Steve,

I would suggest either bumping the debugging level in bind9 or using Wireshark to look at what's happening on the wire. My best guess is broken IPv6 connectivity, but it could be something completely different. Looking at the packets is the easiest way to get a better understanding of the problem.

Ondrej
--
Ondřej Surý — ISC

> On 17 Jan 2020, at 20:52, Steve Farr via bind-users <bind-users at lists.isc.org> wrote:
> 
> 
> Hi there,
>  
> I'm hoping perhaps someone can point me in a good direction for troubleshooting here… I recently upgraded from BIND 9.9.10-P3 running in 32-bit Windows, to 9.14.9 running on 64-bit Windows. I've tried it in both Windows 10 and Windows 7, and the behavior is the same: Queries for addresses that aren't already cached take a long time (long enough that the client resolver often gives up and assumes the DNS server failed - perhaps 5-6 seconds). On a second attempt, it's usually in the cache and responds right away. The server has three views, two of which allow recursion, and it hosts a couple of authoritative domains (differing in content between the views, but present in all three). Queries for addresses in the domains that are hosted locally are fast, and so are queries for anything that's cached. I had to make a few tweaks to the config, jumping so many versions, in order to eliminate warnings about things like DNSSEC… I also downloaded a fresh copy of the named.cache / root hints, as well as bind.keys.
>  
> It's entirely possible that I just don't know what I'm doing.
>  
> Any ideas what could be causing this? The old server occupied the same internal IP address (same firewall, same NAT, etc) so I don't tend to suspect the network, especially since it's reproducible (the old 32-bit box still works fast if I swap it back in). Here's my current config (feel free to critique it even if off-topic):
>  
> // named.conf
> acl internal { 192.168.63.0/24; 192.168.65.0/24; 127.0.0.1; };
> acl wifi { 192.168.64.0/24; };
> acl notifiers { [public IP removed for anonymity];};
>  
> key "transfer-key" {
>         algorithm hmac-md5;
>         secret "[removed for security]";
> };
> server [same public IP as in acl notifiers] {
>         keys { transfer-key; };
> };
>  
> options {
>         version "1.1.1.1";
>         directory "C:\ISCBIND9\etc\namedb";           // Working directory
>         pid-file "C:\ISCBIND9\var\named.pid";
>         statistics-file "C:\ISCBIND9\var\named.stats";
>         memstatistics-file "C:\ISCBIND9\var\named.memstats";
>         auth-nxdomain yes;
>         listen-on { 192.168.63.23; 127.0.0.1; };
>         tcp-clients 1024;
>         max-cache-size 128M;
>         allow-query { any; };
>         recursion no;
>         allow-recursion { none; };
>         allow-query-cache { none; };
>         allow-transfer { none; };
>         allow-notify { notifiers; };
>         notify no;
>  
>         dnssec-enable yes;
>         dnssec-lookaside no;
>         dnssec-validation yes;
>         bindkeys-file "C:\ISCBIND9\etc\namedb\bind.keys";
> };
>  
> view internal {
>                match-clients { internal; };
>                recursion yes;
>                allow-query { internal; };
>                allow-recursion { internal; };
>                allow-query-cache { internal; };
>  
>                zone "." in {type hint; file "named.cache"; };
>                zone "localhost" IN {type master; file "localhost.zone"; };
>                zone "0.0.127.in-addr.arpa" IN {type master; file "named.local"; };
>                [authoritative zones follow]
> };
>  
> view wifi {
>                [basically the same as internal except different match-clients statement and different zones]
> };
>  
> view external {
>                match-clients { any; };
>                allow-recursion { none; };
>                allow-query-cache { none; };
>                recursion no;
>                allow-query {any; };
>  
>                zone "." in {type hint; file "named.cache"; };
>                zone "localhost" IN {type master; file "localhost.zone"; };
>                zone "0.0.127.in-addr.arpa" IN {type master; file "named.local"; };
>                [authoritative zones follow]
> };
>  
>  
> Thanks for any help anyone may be able to offer!
>  
> -Steve
>  
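
A probe for the broken-IPv6 hypothesis raised in the reply, as an added example that is not part of the original thread: it sends the same non-recursive root NS query over IPv4 and IPv6 from the BIND host and compares which family answers. The target addresses (a.root-servers.net) and all function names are assumptions of this example.

```python
import socket
import struct
import time

# Assumption: a.root-servers.net's published addresses serve as probe targets.
TARGETS = {"IPv4": "198.41.0.4", "IPv6": "2001:503:ba3e::2:30"}

def build_query(qname=".", qtype=2, qid=0x1234):
    """Encode a non-recursive DNS query (default: NS records for the root)."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.strip(".").split(".") if p)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def is_reply_to(query, reply):
    """True when reply carries the query's ID and has the QR bit set."""
    return len(reply) >= 12 and reply[:2] == query[:2] and bool(reply[2] & 0x80)

def probe(address, timeout=3.0, port=53):
    """Send one UDP query; return round-trip seconds, or None if unanswered."""
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    query = build_query()
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            start = time.monotonic()
            sock.sendto(query, (address, port))
            reply, _ = sock.recvfrom(4096)
            return time.monotonic() - start if is_reply_to(query, reply) else None
    except OSError:  # timeout, no route, or address family unavailable
        return None

def diagnose(rtts):
    """Map per-family results (seconds or None) to a short verdict."""
    v4, v6 = rtts.get("IPv4"), rtts.get("IPv6")
    if v4 is not None and v6 is None:
        return "ipv6-broken"   # matches the hypothesis in the reply
    if v4 is None and v6 is not None:
        return "ipv4-broken"
    return "both-ok" if v4 is not None else "no-replies"

if __name__ == "__main__":
    results = {fam: probe(addr) for fam, addr in TARGETS.items()}
    for fam, rtt in results.items():
        shown = "no reply" if rtt is None else f"{rtt * 1000:.0f} ms"
        print(f"{fam} {TARGETS[fam]}: {shown}")
    print("verdict:", diagnose(results))
```

Run it on the BIND server itself; a fast IPv4 reply alongside an IPv6 timeout is consistent with named waiting on unreachable IPv6 servers before falling back.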