I set up bind 9.10.4-P3 as a caching DNS server. It is very slow to respond.
There seem to be two problems.
When a query result is not in the cache it takes a very long time to query other servers, often returning SERVFAIL. The overall response time is over two seconds.
Even when the result already is cached it sometimes takes a long time for it to respond.
The machine it runs on is a quad-core and is not busy at all.
Below is rndc stats report. I think it shows decent response times, so I don't understand why the actual response time is so different.
Quote:
+++ Statistics Dump +++ (1475775635)
++ Incoming Requests ++
57260 QUERY
++ Incoming Queries ++
56715 A
4 SOA
105 PTR
412 AAAA
6 SRV
6 DS
12 DNSKEY
++ Outgoing Queries ++
[View: default]
148468 A
1159 NS
281 CNAME
9 SOA
803 AAAA
23 SRV
9579 DS
1305 DNSKEY
5617 DLV
[View: _bind]
++ Name Server Statistics ++
57260 IPv4 requests received
4269 requests with EDNS(0) received
6 TCP requests received
46850 responses sent
6 truncated responses sent
4266 responses with EDNS(0) sent
26350 queries resulted in successful answer
105 queries resulted in authoritative answer
26901 queries resulted in non authoritative answer
141 queries resulted in nxrrset
19844 queries resulted in SERVFAIL
515 queries resulted in NXDOMAIN
45326 queries caused recursion
10410 duplicate queries received
57254 UDP queries received
6 TCP queries received
++ Zone Maintenance Statistics ++
++ Resolver Statistics ++
[Common]
[View: default]
167244 IPv4 queries sent
47814 IPv4 responses received
3036 NXDOMAIN received
13 FORMERR received
13 EDNS(0) query failures
9019 truncated responses received
6 lame delegations received
111587 query retries
120013 query timeouts
12476 IPv4 NS address fetches
3156 IPv4 NS address fetch failed
26262 DNSSEC validation attempted
18358 DNSSEC validation succeeded
7675 DNSSEC NX validation succeeded
185 DNSSEC validation failed
37561 queries with RTT 10-100ms
10183 queries with RTT 100-500ms
57 queries with RTT 500-800ms
10 queries with RTT 800-1600ms
2 queries with RTT > 1600ms
31 bucket size
I think the root cause is a bad DNS peer (that returns SERVFAIL) or a network/link problem (truncated responses, query timeouts).
Please run ping to the peers (i.e. the configured forwarders) and watch the errors.
Thanks smallpond, I re-configured the server by adding OPTIONS="-4" to /etc/sysconfig/named and filter-aaaa-on-v4 yes; to the options section in /etc/named.conf. It already was not listening for ipv6 since that line was commented out (# listen-on-v6 port 53 { ::1; }). I restarted the server and will see if it works better.
Thanks MadeInGermany, this server does not forward requests; rather, it resolves them by working its way from the root servers.
One more data tidbit. With the new configuration and an empty cache, notice how, running dig from another machine (connected on the same network), it takes dig 7 seconds to return the result, even though it reports the query took 1.7 seconds.
07:52:22.573496 IP 10.0.0.2.53 > 10.0.0.16.47953: 49638 2/0/1 A 157.166.226.26, A 157.166.226.25 (68)
E..`y...@...
...
....5.Q.L...............cnn.com..............,...............,........)........
As you can see, it did take 7 seconds for the response to arrive (the requesting machine asked a second time after waiting 5 seconds for a response to the first request).
On the server side, looking in named log file, you can see the first request arrives immediately after it was sent from the client machine, nothing happens for 5 seconds, the second request arrives (client machine retries), named detects it is a duplicate.
As you can see from the moment named went to work, it took 168 milliseconds for it to return a result. However, named reported the query time as 1.7 seconds, that is, from the time of the second request. (That's a named bug imho.) But what was it doing for the previous almost 1.5 seconds from the second request and almost 7 seconds from the first request?
smallpond, I made the changes, no observable improvement. I found a workaround which helps some: I enabled prefetch. That keeps cached entries up to date, helps with frequent requests.
Still, when named needs to query an external DNS server, it always takes 6-7 seconds. Interestingly, if I query that same server directly, for example using dig, it returns the answer quite quickly. For example, from the named log when looking for pop.googlemail.com:
Quote:
07-Oct-2016 21:46:08.851 client 10.0.0.16#58146: UDP request
07-Oct-2016 21:46:08.851 client 10.0.0.16#58146: using view '_default'
07-Oct-2016 21:46:08.851 client 10.0.0.16#58146: request is not signed
07-Oct-2016 21:46:08.851 client 10.0.0.16#58146: recursion available
07-Oct-2016 21:46:08.851 client 10.0.0.16#58146: query
07-Oct-2016 21:46:08.851 client 10.0.0.16#58146 (pop.googlemail.com): query (cache) 'pop.googlemail.com/A/IN' approved
07-Oct-2016 21:46:08.851 client 10.0.0.16#58146 (pop.googlemail.com): replace
07-Oct-2016 21:46:08.851 clientmgr @0x7f5e073f0458: get client
07-Oct-2016 21:46:08.851 clientmgr @0x7f5e073f0458: recycle
07-Oct-2016 21:46:08.851 fetch: googlemail-pop.l.google.com/A
07-Oct-2016 21:46:08.851 client @0x7f5df812e370: udprecv
07-Oct-2016 21:46:08.851 expiring v4 for name 0x7f5dff2e4600
07-Oct-2016 21:46:08.851 dns_adb_createfind: found A for name ns1.google.com (0x7f5dff2e4600) in db
07-Oct-2016 21:46:08.851 expiring v4 for name 0x7f5dff2e44d0
07-Oct-2016 21:46:08.851 dns_adb_createfind: found A for name ns2.google.com (0x7f5dff2e44d0) in db
07-Oct-2016 21:46:08.851 expiring v4 for name 0x7f5dff2e8ac0
07-Oct-2016 21:46:08.851 dns_adb_createfind: found A for name ns3.google.com (0x7f5dff2e8ac0) in db
07-Oct-2016 21:46:08.851 expiring v4 for name 0x7f5dff2e8990
07-Oct-2016 21:46:08.851 dns_adb_createfind: found A for name ns4.google.com (0x7f5dff2e8990) in db
07-Oct-2016 21:46:09.651 dns_adb_destroyfind on find 0x7f5dff2bbb50
07-Oct-2016 21:46:09.651 dns_adb_destroyfind on find 0x7f5dff2c3f10
07-Oct-2016 21:46:09.651 dns_adb_destroyfind on find 0x7f5dff2bb1f0
07-Oct-2016 21:46:09.651 dns_adb_destroyfind on find 0x7f5dff2cf5b0
07-Oct-2016 21:46:10.452 dns_adb_destroyfind on find 0x7f5dff2bbb50
07-Oct-2016 21:46:10.452 dns_adb_destroyfind on find 0x7f5dff2c3f10
07-Oct-2016 21:46:10.452 dns_adb_destroyfind on find 0x7f5dff2bb1f0
07-Oct-2016 21:46:10.452 dns_adb_destroyfind on find 0x7f5dff2cf5b0
07-Oct-2016 21:46:12.052 dns_adb_destroyfind on find 0x7f5dff2c3f10
07-Oct-2016 21:46:12.052 dns_adb_destroyfind on find 0x7f5dff2bb1f0
07-Oct-2016 21:46:12.053 dns_adb_destroyfind on find 0x7f5dff2bbb50
07-Oct-2016 21:46:12.053 dns_adb_destroyfind on find 0x7f5dff2cf5b0
07-Oct-2016 21:46:15.253 dns_adb_destroyfind on find 0x7f5dff2bb1f0
07-Oct-2016 21:46:15.253 dns_adb_destroyfind on find 0x7f5dff2bbb50
07-Oct-2016 21:46:15.253 dns_adb_destroyfind on find 0x7f5dff2c3f10
07-Oct-2016 21:46:15.253 dns_adb_destroyfind on find 0x7f5dff2cf5b0
07-Oct-2016 21:46:15.344 received packet from 216.239.34.10#53 (no opt):
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14831
;; flags: qr aa; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;googlemail-pop.l.google.com. IN A
;; ANSWER SECTION:
googlemail-pop.l.google.com. 300 IN A 74.125.28.16
As you can see, named spent over 6 seconds doing something, logging "dns_adb_destroyfind", before it bothered to query Google's name server.
Querying the same name server directly:
Quote:
$ dig pop.googlemail.com @216.239.34.10
; <<>> DiG 9.10.4-P1 <<>> +noadflag pop.googlemail.com @216.239.34.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36706
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; QUESTION SECTION:
;pop.googlemail.com. IN A
;; ANSWER SECTION:
pop.googlemail.com. 600 IN CNAME googlemail-pop.l.google.com.
googlemail-pop.l.google.com. 300 IN A 173.194.203.16
I ran wireshark on the dns machine looking for communication between it, the client machine and the outside world.
Below, see the request coming from 10.0.0.16 (client) to 10.0.0.2 (dns server). The server immediately queries the resolver for cnn.com and receives a response. It then queries another resolver and receives the same response, etc. This goes on for a while (seems like named bug?) until the client times out and retries the request, at which point named sends back SERVFAIL (another bug?).
Quote:
No. Time Source Destination Protocol Length Info
429 2016-10-08 12:28:11.884293 10.0.0.16 10.0.0.2 DNS 80 Standard query 0xc7c8 A cnn.com OPT
430 2016-10-08 12:28:11.884768 10.0.0.2 205.251.196.62 DNS 80 Standard query 0xeb71 A cnn.com OPT
431 2016-10-08 12:28:11.928284 205.251.196.62 10.0.0.2 DNS 248 Standard query response 0xeb71 A cnn.com A 157.166.226.26 A 157.166.226.25 NS ns-1086.awsdns-07.org NS ns-1630.awsdns-11.co.uk NS ns-47.awsdns-05.com NS ns-576.awsdns-08.net OPT
432 2016-10-08 12:28:12.685049 10.0.0.2 205.251.198.94 DNS 80 Standard query 0x9947 A cnn.com OPT
433 2016-10-08 12:28:12.748541 205.251.198.94 10.0.0.2 DNS 248 Standard query response 0x9947 A cnn.com A 157.166.226.26 A 157.166.226.25 NS ns-1086.awsdns-07.org NS ns-1630.awsdns-11.co.uk NS ns-47.awsdns-05.com NS ns-576.awsdns-08.net OPT
436 2016-10-08 12:28:13.485345 10.0.0.2 205.251.192.47 DNS 80 Standard query 0xb364 A cnn.com OPT
437 2016-10-08 12:28:13.568526 205.251.192.47 10.0.0.2 DNS 248 Standard query response 0xb364 A cnn.com A 157.166.226.26 A 157.166.226.25 NS ns-1086.awsdns-07.org NS ns-1630.awsdns-11.co.uk NS ns-47.awsdns-05.com NS ns-576.awsdns-08.net OPT
440 2016-10-08 12:28:15.085678 10.0.0.2 205.251.194.64 DNS 80 Standard query 0x2801 A cnn.com OPT
441 2016-10-08 12:28:15.168584 205.251.194.64 10.0.0.2 DNS 248 Standard query response 0x2801 A cnn.com A 157.166.226.25 A 157.166.226.26 NS ns-1086.awsdns-07.org NS ns-1630.awsdns-11.co.uk NS ns-47.awsdns-05.com NS ns-576.awsdns-08.net OPT
444 2016-10-08 12:28:18.286007 10.0.0.2 205.251.198.94 DNS 80 Standard query 0x9567 A cnn.com OPT
445 2016-10-08 12:28:18.348275 205.251.198.94 10.0.0.2 DNS 248 Standard query response 0x9567 A cnn.com A 157.166.226.26 A 157.166.226.25 NS ns-1086.awsdns-07.org NS ns-1630.awsdns-11.co.uk NS ns-47.awsdns-05.com NS ns-576.awsdns-08.net OPT
454 2016-10-08 12:28:21.881474 10.0.0.16 10.0.0.2 DNS 80 Standard query 0xc7c8 A cnn.com OPT
455 2016-10-08 12:28:21.884999 10.0.0.2 10.0.0.16 DNS 80 Standard query response 0xc7c8 Server failure A cnn.com OPT
I do not run the OS in a VM; however, the default setting was to offload checksum calculations.
Before
Quote:
# ethtool -k eth0 | grep on
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp segmentation offload: on
udp fragmentation offload: off
generic segmentation offload: on
Disable offloading
Quote:
# ethtool -K eth0 tx off rx off
# /etc/init.d/network restart
After
Quote:
# ethtool -k eth0 | grep on
scatter-gather: on
tcp segmentation offload: off
udp fragmentation offload: off
generic segmentation offload: on
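Added example, not part of the original thread: a short Python script that reads the capture rows posted above (answer text trimmed) and reports, for each query the resolver at 10.0.0.2 sent upstream, the gap since its previous attempt and the round-trip time of the matching reply. The function names are made up for this illustration.

```python
import re
from datetime import datetime

# Rows from the capture posted in the thread; the answer/authority text after the
# transaction ID is trimmed because only time, endpoints and ID are used here.
CAPTURE = """\
429 2016-10-08 12:28:11.884293 10.0.0.16 10.0.0.2 DNS 80 Standard query 0xc7c8 A cnn.com OPT
430 2016-10-08 12:28:11.884768 10.0.0.2 205.251.196.62 DNS 80 Standard query 0xeb71 A cnn.com OPT
431 2016-10-08 12:28:11.928284 205.251.196.62 10.0.0.2 DNS 248 Standard query response 0xeb71 A cnn.com
432 2016-10-08 12:28:12.685049 10.0.0.2 205.251.198.94 DNS 80 Standard query 0x9947 A cnn.com OPT
433 2016-10-08 12:28:12.748541 205.251.198.94 10.0.0.2 DNS 248 Standard query response 0x9947 A cnn.com
436 2016-10-08 12:28:13.485345 10.0.0.2 205.251.192.47 DNS 80 Standard query 0xb364 A cnn.com OPT
437 2016-10-08 12:28:13.568526 205.251.192.47 10.0.0.2 DNS 248 Standard query response 0xb364 A cnn.com
440 2016-10-08 12:28:15.085678 10.0.0.2 205.251.194.64 DNS 80 Standard query 0x2801 A cnn.com OPT
441 2016-10-08 12:28:15.168584 205.251.194.64 10.0.0.2 DNS 248 Standard query response 0x2801 A cnn.com
444 2016-10-08 12:28:18.286007 10.0.0.2 205.251.198.94 DNS 80 Standard query 0x9567 A cnn.com OPT
445 2016-10-08 12:28:18.348275 205.251.198.94 10.0.0.2 DNS 248 Standard query response 0x9567 A cnn.com
454 2016-10-08 12:28:21.881474 10.0.0.16 10.0.0.2 DNS 80 Standard query 0xc7c8 A cnn.com OPT
455 2016-10-08 12:28:21.884999 10.0.0.2 10.0.0.16 DNS 80 Standard query response 0xc7c8 Server failure A cnn.com OPT
"""
ROW = re.compile(r"^\d+ (\S+ \S+) (\S+) (\S+) DNS \d+ Standard query (response )?(0x[0-9a-f]+)")

def parse(text):
    """Yield (time, src, dst, is_response, txid) for each DNS row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group(2), m.group(3), bool(m.group(4)), m.group(5)

def upstream_attempts(text, resolver="10.0.0.2"):
    """Per query the resolver sent: (txid, gap since previous attempt, reply RTT or None)."""
    rows = list(parse(text))
    # Replies addressed to the resolver, keyed by (upstream server, transaction ID).
    replies = {(src, txid): ts for ts, src, dst, resp, txid in rows if resp and dst == resolver}
    out, prev = [], None
    for ts, src, dst, resp, txid in rows:
        if resp or src != resolver:
            continue  # skip replies and the client's own queries
        reply = replies.get((dst, txid))
        rtt = (reply - ts).total_seconds() if reply is not None else None
        gap = (ts - prev).total_seconds() if prev is not None else None
        out.append((txid, gap, rtt))
        prev = ts
    return out

if __name__ == "__main__":
    for txid, gap, rtt in upstream_attempts(CAPTURE):
        print(txid, "gap since previous attempt:", gap, "reply RTT:", rtt)
```

On this capture every upstream query is answered in under 100 ms, yet the resolver sends a fresh query after roughly 0.8, 0.8, 1.6 and 3.2 seconds, the same spacing as the dns_adb_destroyfind groups in the named log.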