I put my linux box running SuSE 8.1 behind a D-Link DI-604 router/firewall, which is connected to ADSL. Before putting the machine behind the router, all my network connection (i.e., web, email, etc.) were quite quite quick. After setting up the DI-604, I can successfully connect to outside addresses, but resolving host names is terribly slow. However, when I use nslookup I get a very fast response. If I run Win NT though vmware, the response is also very quick! The problem does not seem to be browser or software related--the slow down occurs with different browsers (mozilla, galeon, konqueror) as well as with my email retrieval (sylpheed).

Any help to resolving this problem would be greatly appreciated! I've included my host.conf, hosts, and resolv.conf for reference.

Thanks.





host.conf:

#
# /etc/host.conf - resolver configuration file
#
# Please read the manual page host.conf(5) for more information.
#
#
# The following option is only used by binaries linked against
# libc4 or libc5. This line should be in sync with the "hosts"
# option in /etc/nsswitch.conf.
#
order hosts, bind
#
# The following options are used by the resolver library:
#
multi on



hosts:

#
# hosts This file describes a number of hostname-to-address
# mappings for the TCP/IP subsystem. It is mostly
# used at boot time, when no name servers are running.
# On small systems, this file can be used instead of a
# "named" name server.
# Syntax:
#
# IP-Address Full-Qualified-Hostname Short-Hostname
#

127.0.0.1 localhost

# special IPv6 addresses
::1 localhost ipv6-localhost ipv6-loopback

fe00::0 ipv6-localnet

ff00::0 ipv6-mcastprefix
ff02::1 ipv6-allnodes
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts

192.168.0.100 mycomp.pacifier.com mycomp


resolv.conf:

domain pacifier.com
nameserver 64.255.237.242
nameserver 64.255.237.243

What does you /etc/resolv.conf look like?

resolv.conf:

domain pacifier.com
nameserver 64.255.237.242
nameserver 64.255.237.243

Sorry I guess I didn't see the resolv.conf in you original post.
What is you hostname of this computer? It probably is not localhost. You need to put that name and ip into the hosts file.

Isn't that the last line in my hosts file?

192.168.0.100 mycomp.pacifier.com mycomp

The IP is static from the DI-604 router. The hostname is "mycomp" and my ISP is pacifier.com.

Thanks for taking a look at this. I appreciate it.

Could the IPv6 be causing problems? I've seen references from Google searches to its causing problems. However, I discounted the idea initially because the response is fine if I put it outside the router/firewall. At this point I'm at a loss as to what the problem is.

Sorry agian. Guess I had my eyes wide shut last night. I don't know much, about IPV6.
Putting you machine outside the router would give you a public IP for your isp, putting it inside the router lan gives you a private IP. That private ip is not in you ISP's doamin. Try changing the domain name of you machine to say mycomp.home instead of mycomp.pacifer.com in /etc/HOSTNAME and domainname home and update /etc/hosts.

Thanks again for the idea. Still a no go. Ultimately, this will be a good learning experience.

I am grasping here but is it possible that you something else on the network with same ip?

Any resolution to this issue? This is now my problem ...

Unfortunately, no. The last piece of advice that I received was to hire someone to look at the packet flow. I find the poor response annoying and will get it resolved, but it's taken a back burner to other projects.

Please let me know if you learn anything or how you resolve the issue.

ok, try two things...

restart the router/firewall. I hade a firewall that had been up for a year and a half just stop responding one day, a quick restart brought everything back up to speed.

try setting your dns to you friewalls ip addy. if no joy, change it back....

I've attempted both of those fixes without any success. I still need to look at seeing what effect turning on and off the firewall in SuSE has.

Thanks.

Hello,

You are having a legitimate problem with the DI-604. I have analyzed the packets on both sides of the unit...

My configuration:

multiple hosts. One of them is a cobalt qube2 running BIND, another one is a Linux Redhat 6.2 box running BIND 9.2.1, another is a Solaris 8 box running BIND 9.2.1. Additionally there are several other systems including irix 6.5, windows 2k pro, nt 4., xp, macintosh, hp-ux, multiple xbox, wifi, etc.


My DI-604 h/w: E1, f/w: 3.20 (July 15 2003). It came with July 1, 2003 3.20 firmware but I u/g'd hoping it would fix this problem.

This is the problem: If you are querying DNS on an external nameserver it works fine. If you query DNS on the DI-604 itself it works fine. If you query DNS on an internal nameserver the internal nameservers check their root-hints (root.ca or named.ca) file to get the root-name-server list and IP addresses. When they attempt to query the root nameservers the request goes out but the response is blocked by the DI-604 firewall.

I have debugging turned on, on the firewall and it does not show this but will indicate when various filters/rules are denying.

I put a sniffer on both sides of the connection and I can see the packets go out, the packets come back and when they come back they appear on the outside of the DI-604 but not on the inside.

I spoke with the folks at DLINK and they are very nice but over their heads. It is impossible to actually get to an engineer. The support people don't really know what I am talking about. I have emailed them hoping they send to an engineer.

I think it is a problem with the packet inspection on their firewall but cannot see any more detail than this.

YOU ARE HAVING A LEGITIMATE PROBLEM with the DI-604. I also had problems with the DI-604 hanging during configuration/boot if it was getting WAN and/or LAN traffic other than the workstation I was using to configure it.

I am returning the DI-604. I did not have this problem with the 804U, 704, 804, or DI-614+.

I was very surprised. I have used numerous dlink's over the years and they have been awesome (imho).

I have not had the same experience with linksys. Their code revisisons are inconsistent. Problems fixed in a prior release reappear in a later release. Unsupported beta code often solves problems but is, ahem, unsupported. I am back to the store today to return this DI-604 and hopefully find a dlink that works better. Sometimes the store selection for DLINK is limited and they appear to be a much better unit than linksys. It figures that cisco would by linksys.

I wish you the very best, good luck. I hope this helps.
Dave

Was your delay problem consistent with all your systems behind the DI-604?

I do not have the problem with a Mac or Win box--it's only with my Linux box. Moreover, if I run Win NT with VMWare from within Linux it's not a problem.