LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 09-21-2008, 09:57 PM   #1
noir911
Member
 
Registered: Apr 2004
Posts: 682

Rep: Reputation: Disabled
DNS time-out issue


I get timed out when I do nslookup for "unknown" hosts (i.e. hosts that couldn't possibly be in my DNS cache). For example, if I do nslookup host.com, DNS starts thinking and I get an error ";; connection timed out; no servers could be reached", and if I do nslookup host.com again, I get the hostname resolved. My sendmail and squid proxy servers are all using this same DNS server and there's no problem there. Also, when I try to browse some unknown site, my browser keeps thinking for a few seconds (while trying to resolve the host->IP) before I get to connect to the site. My DNS server is running bind and the "port 53;" option is disabled because of the recent DNS vulnerability, so it randomizes ports.

Is this timeout behavior normal and should be expected?

Thanks.

Last edited by noir911; 09-21-2008 at 10:00 PM.
 
Old 09-21-2008, 10:08 PM   #2
kayasaman
Member
 
Registered: Sep 2008
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443

Rep: Reputation: 32
This sounds like a problem I had just a few hours ago!

The DNS server that's connected to your network, do you have control over it or not?

It seems like your machine may be trying to resolve to 2 DNS servers at once, using the main DNS server as the secondary.

Maybe you can point your machine to only that server if more than one are configured, or perhaps change to the ISP DNS server.

What's in your /etc/network/interfaces file if you're on a Debian system? I'm not sure where other distros keep their network interfaces files, but if you know then please post the contents.

Also, what's in /etc/resolv.conf?
 
Old 09-21-2008, 10:13 PM   #3
kayasaman
Member
 
Registered: Sep 2008
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443

Rep: Reputation: 32
hmm.....

you might want to think about Desktop->Admin->Networking from Gnome if you run it (if not, use the KDE equivalent or whatever desktop manager you are working with) and having only the DNS server inside the DNS part if there are two DNS servers currently.

And also remove any search domains that may be in there!
 
Old 09-21-2008, 11:49 PM   #4
noir911
Member
 
Registered: Apr 2004
Posts: 682

Original Poster
Rep: Reputation: Disabled
I only use one DNS server as my resolver on my client PC. My success to failure rate is 50/50; i.e. two out of four random sites time out.

Also, I have access to the DNS server so I can make changes there if need be.
 
Old 09-22-2008, 11:06 AM   #5
kayasaman
Member
 
Registered: Sep 2008
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443

Rep: Reputation: 32
Ok then post these results for me please:

Code:
ping -c 25 "server IP address"
--replace "server IP address" with the servers IP

and
Code:
nslookup "server name"
--replace "server name" with dns name of server eg. ns1.example.com
 
Old 09-22-2008, 11:57 AM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
If your network is high-latency, or you have an aggressive host firewall, it's possible that the application (or the connection state on the firewall) will time-out before you get the answer back. In the first case, usually the socket still receives the information anyway (I've seen this happen) and it gets cached. In the second case, the response packets never get a chance to come in because the firewall gives up and tears down the state. In that case you just have to query repeatedly until an answer comes back quickly enough for the firewall to allow it through.

Do you know what the time-out duration is for UDP states on your firewall? What sort of connection do you have? Do you have any forwarders configured in named.conf? How fast is the hardware that your DNS server is running on?
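As an added illustration of the pattern the original poster describes (first lookup times out, the repeat is answered from cache) and of the two timeout cases chort outlines above, here is a small standard-library Python probe. It is example code written for this page, not something posted in the thread. It sends the same recursive query twice with an explicit client timeout, measures each attempt, and names the pattern it sees; the OS picks a random source port because the socket is not bound, which is what the "port 53;" change on the server side does for BIND's outgoing queries. The 5 s timeout is an assumption matching glibc's per-attempt resolver default, and 192.0.2.53 is a placeholder for your own server address.

```python
"""Constructed DNS probe (not from the thread): query a server twice with an
explicit timeout and report whether the first answer arrived too late."""
import socket
import struct
import time

# Assumed default: glibc's resolver waits 5 s per attempt, so probing with the
# same value reproduces what nslookup and browsers experience.
DEFAULT_TIMEOUT_S = 5.0
DNS_PORT = 53
RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def build_query(name, qid=0x1234, qtype=1):
    """Build a standard recursive query (RD bit set) for `name`, type A by default."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(data, expected_id):
    """Return (rcode, answer_count) from a raw reply; reject replies whose id
    does not match the query we sent (a stray or late reply to an old query)."""
    if len(data) < 12:
        raise ValueError("short DNS reply")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("reply id mismatch")
    return flags & 0x000F, an


def probe(server, name, timeout=DEFAULT_TIMEOUT_S, attempts=2):
    """Query `server` for `name` `attempts` times in a row.

    Returns a list of (elapsed_ms, status) tuples where status is 'timeout',
    an rcode name such as 'NOERROR', or 'bad reply'. A fresh unbound UDP
    socket per attempt lets the OS choose a random source port each time.
    """
    results = []
    for i in range(attempts):
        qid = 0x1000 + i
        packet = build_query(name, qid=qid)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            start = time.monotonic()
            try:
                sock.sendto(packet, (server, DNS_PORT))
                data, _peer = sock.recvfrom(4096)
                rcode, _answers = parse_response(data, qid)
                status = RCODE_NAMES.get(rcode, "rcode %d" % rcode)
            except socket.timeout:
                status = "timeout"
            except ValueError:
                status = "bad reply"
            results.append((round((time.monotonic() - start) * 1000), status))
    return results


def diagnose(results):
    """Name the pattern in probe() output using the cases discussed in the
    thread: a slow first answer that then gets cached, versus replies that
    never make it back to the client at all."""
    statuses = [status for _ms, status in results]
    if all(s == "timeout" for s in statuses):
        return "no reply at all: server unreachable or replies dropped before they arrive"
    if statuses[0] == "timeout" and "NOERROR" in statuses[1:]:
        return "first lookup exceeded the client timeout, a later one was served from cache"
    if all(s == "NOERROR" for s in statuses):
        return "resolving normally"
    return "mixed results: " + ", ".join(statuses)


if __name__ == "__main__":
    # Placeholder server from the documentation range; replace with your resolver.
    outcome = probe("192.0.2.53", "host.com")
    for ms, status in outcome:
        print("%6d ms  %s" % (ms, status))
    print(diagnose(outcome))
```

Run it against the server from the original post once for an uncached name; the first line will show roughly the client timeout with status `timeout` and the second a few milliseconds with `NOERROR` if the answer simply arrived late and was cached, while two timeouts point at replies never reaching the client, which is where the firewall's UDP state timeout belongs on the checklist.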
 
Old 09-22-2008, 12:14 PM   #7
kayasaman
Member
 
Registered: Sep 2008
Location: Under the bridge where proper engineers walkover
Distribution: Various Linux, Solaris, BSD, Cisco
Posts: 443

Rep: Reputation: 32
Yeah I agree with chort;

you can test your system's load with top and see the CPU, RAM, and load average states of your machine to see how much it is being 'loaded'.

Also, with the ping command, depending on network traffic, in your local subnet it should be around 1 -> 10ms roughly...

Anything over 20ms should be the norm for off-site resolution.
 
All times are GMT -5.