Slow recursive query performance on Windows x64

Ondřej Surý ondrej at isc.org
Mon Jan 20 14:37:19 UTC 2020 

The problem is that apparently[*] the machines in your network have default IPv6 routes, but you don’t have IPv6 connectivity. Fix that and you don’t have to apply any bandaids. I think we should just remove filter-aaaa in the next release cycle of BIND 9, having the feature doesn’t do any good for the health of the Internet.

* - Normally, the ICMP unreachables are generated by local kernel, and based on the evidences you provided (timeouts) it doesn’t, so something is misconfigured either in your network or on that particular machine. Debugging your network is beyond the scope of this mailing list.

Ondřej 
--
Ondřej Surý — ISC

> On 20 Jan 2020, at 15:19, Steve Farr via bind-users <bind-users at lists.isc.org> wrote:
> 
> Yeah, it's hard to disagree on the "should" part but we all definitely have to administer networks in an imperfect world... To my mind, when there's zero ipv6 connectivity beyond the LAN, it would be handy to not ask the firewall to create 3x more TCP connections that it can never complete, and/or have it send unreachables for all of them, especially on a larger network, so I would suggest that even if it is "wrong," filter-aaaa-on-v4 is probably still "helpful" in some situations, particularly where v6 is not available. The network that I originally posted about is small, but I administer a number of larger ones and this has been very eye-opening, so I do thank you all for your contributions to the conversation. 
> 
> It looks like I'd have to compile the filter plugin separately on Windows since it's not already integrated, and I don't see a dll or exe for it in the bin folder... That's all right though; I'm just glad to have the query times be so much quicker now! 
> 
> In case it's useful for anyone to know, I did just now try running named with the -4 option, taking out the server ::/0 { bogus yes; }; and it still has the same delay problem, so it appears that even with -4 it's still trying to do something on v6 that it shouldn't be doing. So, server ::/0 { bogus yes; }; is still the fix... at least on Windows, anyway. Many thanks again to all of you for the insightful responses. 
> 
> -Steve
> 
> -----Original Message-----
> From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Mark Andrews
> Sent: Monday, January 20, 2020 1:45 AM
> To: Lee 
> Cc: Ondrej Sury 
> Subject: Re: Slow recursive query performance on Windows x64
> 
> Devices should return ICMP unreachables when networks are not reachable.  This allows applications to move onto the next address.  Not returning unreachables results in timeouts being the mechanism to move to the next address.
> 
> Additionally applications can make parallel connection attempts.  This works particularly well for TCP and is what Happy Eyeballs does with a slight delay (sub second) between each different address. Once a TCP connection succeeds the other connection attempts are aborted.  Too many developers have coped out on providing fast multi-homing support.  It usually only takes small while to convert a application from serial connection attempts to parallel connection attempts to the addresses returned from getaddrinfo().  What s more work is adding MIF (multiple interface) support which allows you to try different source addresses as well.
> 
> Mark
> 
>> On 20 Jan 2020, at 17:16, Lee <ler762 at gmail.com> wrote:
>> 
>>> On 1/20/20, Ondrej Sur  <ondrej at isc.org> wrote:
>>> 
>>> Please note that filter-aaaa-on-v4 was always wrong.
>> 
>> how so?
>> 
>>> You should fix your network instead. It s a bandaid, not a fix.
>> 
>> My ISP doesn't offer ipv6, so I'm not sure how to fix my network..
>> unless you mean disable ipv6 on everything?  (which I'm not sure is 
>> even possible)
>> 
>> Lee
>> _______________________________________________
>> Please visit https://lists.isc.org/mailman/listinfo/bind-users to 
>> unsubscribe from this list
>> 
>> bind-users mailing list
>> bind-users at lists.isc.org
>> https://lists.isc.org/mailman/listinfo/bind-users
> 
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

More information about the bind-users mailing list