public inbox for gentoo-server@lists.gentoo.org
* [gentoo-server] Slow nameresolution with bind
@ 2010-03-05  6:42 Alexander Zimmerling
  2010-03-05  9:59 ` Christian Bricart
  0 siblings, 1 reply; 3+ messages in thread
From: Alexander Zimmerling @ 2010-03-05  6:42 UTC
  To: gentoo-server

Hi guys,

I am sitting here with my new gentoo server. At the moment I struggle
with bind. The problem is known, but I cannot solve it without help. 

I've googled first of course, and found a lot of reports, blogs and so
on, telling me, that the source of my problem is the ipv6 support in
bind. My new server does not support ipv6. I've set USE="-ipv6", which
seems to be ignored.

I've got this in my /var/log/messages after named is started:

<snip>
Mar  5 08:30:50 Tartessos named[18050]: loading configuration from
'/etc/bind/named.conf'
Mar  5 08:30:50 Tartessos named[18050]: using default UDP/IPv4 port
range: [1024, 65535]
Mar  5 08:30:50 Tartessos named[18050]: using default UDP/IPv6 port
range: [1024, 65535]
Mar  5 08:30:50 Tartessos named[18050]: listening on IPv4 interface lo,
127.0.0.1#53
Mar  5 08:30:50 Tartessos named[18050]: listening on IPv4 interface
eth0, 192.168.0.5#53
<snap>

As you can see, named tries to listen on ipv6 ports.

I've read, that passing "-4" to bind forces ipv4 mode only, but
cat /etc/conf.d/named 
# Set various named options here.
#
OPTIONS="-4"

this does not help.

To give you an example what slow means:
<snip>
Tartessos ~ # dig www.gentoo.org

; <<>> DiG 9.4.3-P4 <<>> www.gentoo.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55705
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.gentoo.org.			IN	A

;; ANSWER SECTION:
www.gentoo.org.		300	IN	A	89.16.167.134

;; AUTHORITY SECTION:
gentoo.org.		86400	IN	NS	udns2.ultradns.net.
gentoo.org.		86400	IN	NS	udns1.ultradns.net.

;; ADDITIONAL SECTION:
udns1.ultradns.net.	86389	IN	A	204.69.234.1
udns2.ultradns.net.	86389	IN	A	204.74.101.1

;; Query time: 3990 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar  5 08:35:36 2010
;; MSG SIZE  rcvd: 132
<snap>

And seconds after (query is cached)

<snip>
Tartessos ~ # dig www.gentoo.org

; <<>> DiG 9.4.3-P4 <<>> www.gentoo.org
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4233
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.gentoo.org.			IN	A

;; ANSWER SECTION:
www.gentoo.org.		297	IN	A	89.16.167.134

;; AUTHORITY SECTION:
gentoo.org.		86397	IN	NS	udns2.ultradns.net.
gentoo.org.		86397	IN	NS	udns1.ultradns.net.

;; ADDITIONAL SECTION:
udns1.ultradns.net.	86386	IN	A	204.69.234.1
udns2.ultradns.net.	86386	IN	A	204.74.101.1

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Mar  5 08:35:39 2010
;; MSG SIZE  rcvd: 132
<snap>

I've tried the latest stable version of bind, and all unstable versions
in the tree.

Here's my emerge --info

Tartessos ~ # emerge --info
Portage 2.1.7.17 (default/linux/amd64/10.0/server, gcc-4.1.2,
glibc-2.10.1-r1, 2.6.30-gentoo-r5 x86_64)
=================================================================
System uname:
Linux-2.6.30-gentoo-r5-x86_64-AMD_Athlon-tm-_64_X2_Dual_Core_Processor_5200+-with-gentoo-1.12.13
Timestamp of tree: Thu, 04 Mar 2010 17:45:02 +0000
app-shells/bash:     4.0_p35
dev-lang/python:     2.4.4-r13, 2.5.4-r3, 2.6.4
dev-python/pycrypto: 2.0.1-r6
dev-util/cmake:      2.6.4-r3
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc:       4.1.2, 4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /var/bind"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-march=athlon64 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests distlocks fixpackages news parallel-fetch
protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans
userfetch"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo
http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ "
LDFLAGS="-Wl,-O1"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times
--compress --force --whole-file --delete --stats --timeout=180
--exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="acl amd64 apache2 bzip2 cli cracklib crypt cups cxx dri fortran
gdbm gpm iconv ldap mmx modules mudflap multilib mysql ncurses nls nptl
nptlonly openmp pam pcre perl python readline reflection samba session
snmp spl sse sse2 ssl sysfs truetype unicode xml zlib"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug
file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw
multi null plug rate route share shm softvol" APACHE2_MODULES="actions
alias auth_basic authn_alias authn_anon authn_dbm authn_default
authn_file authz_dbm authz_default authz_groupfile authz_host
authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir
disk_cache env expires ext_filter file_cache filter headers include info
log_config logio mem_cache mime mime_magic negotiation rewrite setenvif
speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc"
INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad
cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel
mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa via
vmware voodoo" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK,
LANG, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS,
PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

P.S.: I've found a similar "bug" in bugzilla
(http://bugs.gentoo.org/show_bug.cgi?id=269202) but w/o resolution.

looking forward to hearing from you soon

Alex
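
The startup log and the two dig runs quoted in the message above, read mechanically. This is an added example, not part of the original post: it separates named's "listening on" lines from its "port range" lines (the UDP source-port range used for outgoing queries) and compares the uncached and cached query times. The `slow_ms` threshold and the wildcard IPv6 log line are assumptions made for the example.

```python
import re

# Log lines and dig footers from the message above (wrapped lines rejoined).
NAMED_LOG = """\
Mar  5 08:30:50 Tartessos named[18050]: using default UDP/IPv4 port range: [1024, 65535]
Mar  5 08:30:50 Tartessos named[18050]: using default UDP/IPv6 port range: [1024, 65535]
Mar  5 08:30:50 Tartessos named[18050]: listening on IPv4 interface lo, 127.0.0.1#53
Mar  5 08:30:50 Tartessos named[18050]: listening on IPv4 interface eth0, 192.168.0.5#53
"""
# Constructed sample (not in the original log): the wildcard IPv6 listener form.
CONSTRUCTED_V6 = "Mar  5 08:30:50 Tartessos named[18050]: listening on IPv6 interfaces, port 53\n"
DIG_FOOTERS = (";; Query time: 3990 msec\n;; SERVER: 127.0.0.1#53(127.0.0.1)\n"
               ";; Query time: 3 msec\n;; SERVER: 127.0.0.1#53(127.0.0.1)\n")

LISTEN = re.compile(r"listening on (IPv[46]) interface(?:s, port (\d+)| (\S+), (\S+)#(\d+))")
SRC_RANGE = re.compile(r"using default UDP/(IPv[46]) port range: \[(\d+), (\d+)\]")
QTIME = re.compile(r"^;; Query time: (\d+) msec", re.M)

def listeners(log):
    """Sockets named reports as bound, per family: (interface, address, port)."""
    out = {"IPv4": [], "IPv6": []}
    for fam, wild_port, iface, addr, port in LISTEN.findall(log):
        out[fam].append(("*", "*", int(wild_port)) if wild_port else (iface, addr, int(port)))
    return out

def source_port_ranges(log):
    """UDP source-port range for outgoing queries, per family (not a listener)."""
    return {fam: (int(lo), int(hi)) for fam, lo, hi in SRC_RANGE.findall(log)}

def triage(log, dig_text, slow_ms=1000):
    """Summarise one startup log plus a cold/cached pair of dig runs."""
    times = [int(t) for t in QTIME.findall(dig_text)]
    if len(times) < 2:
        raise ValueError("need a cold and a cached dig run")
    cold, cached = times[0], times[-1]
    # A fast cache hit with a slow miss puts the delay on upstream recursion.
    path = "upstream" if cold >= slow_ms > cached else "local" if cached >= slow_ms else "none"
    return {"ipv6_listening": bool(listeners(log)["IPv6"]),
            "src_ports": source_port_ranges(log),
            "cold_ms": cold, "cached_ms": cached, "slow_path": path}

if __name__ == "__main__":
    print(triage(NAMED_LOG, DIG_FOOTERS))
    print(listeners(NAMED_LOG + CONSTRUCTED_V6)["IPv6"])
```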





* Re: [gentoo-server] Slow nameresolution with bind
  2010-03-05  6:42 [gentoo-server] Slow nameresolution with bind Alexander Zimmerling
@ 2010-03-05  9:59 ` Christian Bricart
  2010-03-05 19:47   ` Alexander Zimmerling
  0 siblings, 1 reply; 3+ messages in thread
From: Christian Bricart @ 2010-03-05  9:59 UTC
  To: gentoo-server

Alexander Zimmerling wrote:
> Hi guys,
>
> I am sitting here with my new gentoo server. At the moment I struggle
> with bind. The problem is known, but I cannot solve it without help.

> [..]

have you tried to point upstream resolving to your provider's nameservers
rather than always asking the root-nameservers..?

try adding:

  ..
  forwarders {
    8.8.8.8;
    8.8.4.4;
  };
  ..

to the "options { ..}"-block in your /etc/bind/named.conf - which will
then ask the Google-DNS cluster for unknown/uncached RR.
You may also specify your provider's DNS IPs there to have an even shorter
round-trip for lookups.

> P.S.: I've found a similar "bug" in bugzilla
> (http://bugs.gentoo.org/show_bug.cgi?id=269202) but w/o resolution.

i doubt that your problem is IPv6 related.

Christian






* Re: [gentoo-server] Slow nameresolution with bind
  2010-03-05  9:59 ` Christian Bricart
@ 2010-03-05 19:47   ` Alexander Zimmerling
  0 siblings, 0 replies; 3+ messages in thread
From: Alexander Zimmerling @ 2010-03-05 19:47 UTC
  To: gentoo-server

On Friday, 05.03.2010, at 10:59 +0100, Christian Bricart wrote:
> Alexander Zimmerling wrote:
> > Hi guys,
> >
> > I am sitting here with my new gentoo server. At the moment I struggle
> > with bind. The problem is known, but I cannot solve it without help.
> 
> > [..]
> 
> have you tried to point upstream resolving to your provider's nameservers
> rather than always asking the root-nameservers..?
> 
> try adding:
> 
>   ..
>   forwarders {
>     8.8.8.8;
>     8.8.4.4;
>   };
>   ..
> 
> to the "options { ..}"-block in your /etc/bind/named.conf - which will
> then ask the Google-DNS cluster for unknown/uncached RR.
> You may also specify your provider's DNS IPs there to have an even shorter
> round-trip for lookups.
> 
> > P.S.: I've found a similar "bug" in bugzilla
> > (http://bugs.gentoo.org/show_bug.cgi?id=269202) but w/o resolution.
> 
> i doubt that your problem is IPv6 related.
> 
> Christian
> 
> 

Hi Christian,

find below my current (nearly copied) named.conf.
As you can see, forwarders are defined (a router, connected to the
internet). Name-resolution works like a charm in dmz (using the router).

<snip>

Tartessos ~ # cat /etc/bind/named.conf
//azi 2010 02 28
include "/etc/bind/log.conf";
options {
	directory "/var/bind";

	// uncomment the following lines to turn on DNS forwarding,
	// and change the forwarding ip address(es) :
	//forward first;
	forwarders {
		#192.168.0.3;
		192.168.5.1;
	};

//azi 2010 03 03
	listen-on-v6 { none; };
        listen-on { 127.0.0.1;
		    192.168.0.5;
	};

	// to allow only specific hosts to use the DNS server:
	allow-query {
		127.0.0.1;
		192.168.0.0/24;
	};

	auth-nxdomain yes;
	notify no;

	// if you have problems and are behind a firewall:
	//query-source address * port 53;
	pid-file "/var/run/named/named.pid";
	
	zone-statistics yes;
	statistics-file "/var/log/named.stats";
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "localhost" IN {
	type master;
	file "pri/localhost.zone";
	allow-update { none; };
	notify no;
};

zone "127.in-addr.arpa" IN {
	type master;
	file "pri/127.zone";
	allow-update { none; };
	notify no;
};

};


<snap>

I've added the provided forwarders, which indeed speeds up
name-resolution. Some queries are still slow, but I guess, this is ok.
Thanks for your help.

Have a nice weekend

- Alex
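
The named.conf as it appears in the message above ends with a `};` that has no opening brace, and its forwarders block mixes a `#`-commented entry with an active one. The following added example (not part of the original post) is a small reader for that file shape: it strips the three comment styles, reports unmatched braces by line, and lists the forwarders that are actually active. The embedded text is a trimmed copy of the posted file.

```python
import re

# Trimmed from the named.conf in the message above, keeping its commented-out
# entries and the final "};" that has no opening brace.
CONF = """\
options {
    //forward first;
    forwarders {
        #192.168.0.3;
        192.168.5.1;
    };
    listen-on-v6 { none; };
};
zone "." IN { type hint; file "named.ca"; };
};
"""

TOKEN = re.compile(r'"[^"\n]*"|/\*.*?\*/|(?://|#)[^\n]*', re.S)

def strip_comments(text):
    """Drop //, # and /* */ comments; keep quoted strings and line numbering."""
    def repl(m):
        s = m.group(0)
        return s if s.startswith('"') else "\n" * s.count("\n")
    return TOKEN.sub(repl, text)

def stray_braces(text):
    """Return (line numbers of '}' with no open block, count of '{' left open)."""
    depth, stray = 0, []
    bare = re.sub(r'"[^"\n]*"', '""', strip_comments(text))
    for lineno, line in enumerate(bare.splitlines(), 1):
        for ch in line:
            if ch == "}" and depth == 0:
                stray.append(lineno)
            else:
                depth += (ch == "{") - (ch == "}")
    return stray, depth

def forwarding(text):
    """Active addresses of the first forwarders statement, mode, and whether mode is explicit."""
    conf = strip_comments(text)
    block = re.search(r"\bforwarders\s*\{([^}]*)\}", conf)
    addrs = [e.split()[0] for e in block.group(1).split(";") if e.strip()] if block else []
    mode = re.search(r"\bforward\s+(first|only)\s*;", conf)
    # BIND's default when no forward statement is active is "first".
    return addrs, (mode.group(1) if mode else "first"), mode is not None
```

On a live system, `named-checkconf` is the tool that performs the real syntax check against the file named loads.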



