LinuxQuestions.org


Apollo77 01-13-2005 03:04 PM

BIND 9: Slow response from root servers. Local is ok.
 
I have BIND 9 installed on a mail server running RH 8 and on another mail server running FreeBSD 5.3. I won't give details except to say I run a local DNS server on these boxes to increase performance because there can be a lot of DNS lookups.

When the RH 8 box queries the root servers I get a response in 100-300 ms typically (not bad). Then only 2-4 ms when the same lookup is done against the local cache (fast). If I turn on a forwarder to the ISP's nameservers I get a response to that initial query in about 50-75 ms. Better, but I don't like being dependent on the ISP's hardware if I can avoid it. So, I do not normally set up a forwarder.

QUESTION 1:

When a forwarder is running, what happens if the ISP's nameserver is down? Does the query just time out and return nothing? Or does BIND then query the root servers directly?


QUESTION 2:

I have the FreeBSD box set up with exactly the same BIND 9 configuration as the RH 8 box. The only difference is BIND 9 runs in a chroot jail on the FreeBSD box. However initial root server queries usually take between 2000-4000 ms (2-4 seconds!) -- unacceptable. Once the lookup is cached I'm looking at 2-4 ms locally, which is great, but I just cannot live with that initial lookup time of 2-4 seconds. I get good performance with a forwarder to my ISP (~50-70 ms), but I don't want to rely on that. Can anyone think of what the problem might be? For now both boxes are on the same LAN (eventually they will be in different locations). I have tried and tried to find some configuration difference. I do not think it's faulty hardware -- network performance is fine otherwise on the FreeBSD box. Is it the chroot jail? Could it be some other software interfering? Ideas?

I'll post my FreeBSD named.conf file if you want to see it.

Thanks,
Apollo
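
The two forwarding modes that QUESTION 1 turns on, as an added `named.conf` example that is not part of the original thread. The forwarder addresses are placeholders from the documentation range 192.0.2.0/24, not the poster's ISP resolvers.

```conf
options {
    // Placeholder addresses (192.0.2.0/24 is reserved for documentation);
    // substitute the ISP's resolvers here.
    forwarders { 192.0.2.1; 192.0.2.2; };

    // "first" is BIND's default when forwarders are set: ask the
    // forwarders, and if they do not answer, resolve the name
    // iteratively from the root hints as if no forwarder existed.
    forward first;

    // "only" never falls back. If every forwarder is unreachable the
    // query fails with SERVFAIL once the forwarder attempts time out.
    // forward only;
};
```

Run `named-checkconf` on the edited file before reloading named.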

Apollo77 01-14-2005 08:12 AM

Well, I didn't do anything, but this has almost resolved itself. I am now getting normal root server response times about 90% of the time. Still maybe 1 in 10 times I am getting slow responses (2-4 seconds).

Here's something I notice ... if I do a "dig @<one of the root-servers>" I get varying response times from 25 ms to 300 ms depending on which server I hit. I assume this is simply my proximity to the various root servers. How does BIND determine which server to try first? My first thought is that it's just the first server listed in the named.root file. But that would probably mean the A server getting way more traffic than the M since most people will have the A listed at the top. So, what's the deal? Can I control it? I seem to get lightning fast responses from C and F. I'd prefer if they got priority. Can I prioritize this? Does BIND automatically prioritize the various servers? What's the deal?

cidrolin 01-14-2005 09:08 AM

Quote:

How does BIND determine which server to try first? My first thought is that it's just the first server listed in the named.root file. But that would probably mean the A server getting way more traffic than the M since most people will have the A listed at the top.

Mmmh, I may be wrong, but my educated guess is that the rule is "round robin": from top to bottom, stepping down one step every time a root-server query is needed. Which would mean that you can't really control anything, even if you change the order of the servers in the file (order that might be re-arranged in RAM cache anyway).

But, unless you run a TLD server (and even then, really...), it should not go to ROOTs often if it's correctly configured, that is, if it addresses its requests to your ISP DNS for example.

Apollo77 01-14-2005 10:22 AM

Round robin makes sense. For some reason I am having trouble locating info on this subject, but it must be abundant. Haven't tried including "round robin" as a search phrase yet -- I will try it.

Using my ISP's DNS gives better performance. I may end up doing that, although my RH8 server functions happily going directly to the root servers. I don't like depending on my ISP's nameservers (unreliable at times). I do realize it's better for the internet as a whole if fewer people access the root servers directly. However, the root servers seem healthy enough -- I'm not losing any sleep over accessing them directly.


All times are GMT -5.