DNS requests taking too long [SOLVED]

This seems to be a common issue, but I’ve not seen a complete answer.

I have an Intel based MT device with two interfaces - one public, one private. DHCP is used on the inside network and the DNS server IP provided to clients is that of the internal MT interface, as follows:

[iain@fw-stj-02] ip dhcp-server> print
Flags: X - disabled, I - invalid
 #   NAME                                                                INTERFACE RELAY           ADDRESS-POOL LEASE-TIME ADD-ARP
 0   dhcp-stj08                                                          inside                    pool-sjt08   8h         yes

[iain@fw-stj-02] ip pool> print
 # NAME                                                                                            RANGES
 0 pool-sjt08                                                                                      xxx.yyy.zzz.50-xxx.yyy.zzz.80

My DNS settings on the MT device are as follows:

[iain@fw-stj-02] ip dns> print
              primary-dns: isp.dns.ip.1
            secondary-dns: isp.dns.ip.2
    allow-remote-requests: yes
               cache-size: 2048 kB
            cache-max-ttl: 7d
               cache-used: 55 kB

What I am finding is that when using ‘dig’ a DNS request from an internal client can take 1-2 seconds to resolve. But if an application (web/email) tries to contact a server the resolution takes ~10 seconds, even if there is a static entry in the DNS cache…which, BTW, only ever holds the static entries!

Does the DNS service work correctly with MT??

Regs.

No problems with the DNS service here (v2.8.28).

[admin@Net4501] > /ip dns pr
              primary-dns: 212.23.8.1
            secondary-dns: 212.23.8.6
    allow-remote-requests: yes
               cache-size: 2048 kB
            cache-max-ttl: 7d
               cache-used: 138 kB

You have a problem if your cache only shows static entries. Sounds like you have a problem contacting your ISP's DNS servers.

What happens if you use your ISP's addresses on a client and perform a lookup? There should be no difference between using dig and an application performing a lookup.

Regards

Andrew
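The comparison Andrew suggests, lookups through the router against lookups straight at the ISP resolvers, as an added Python example that is not from this thread: it times a raw UDP query to each server and reports the response code, answer count and truncation flag, for both A and AAAA records, since the stub resolver an application uses normally asks for both while dig asks only for the type you give it. The server addresses and hostname are constructed placeholders, and the function names are this example's own.

```python
import random
import socket
import struct
import time

QTYPES = {"A": 1, "AAAA": 28}

def build_query(name, qtype=1, qid=None):
    """Encode a one-question DNS query with the RD (recursion desired) bit set."""
    qid = random.randrange(0, 0x10000) if qid is None else qid
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1), qid

def parse_header(resp, qid):
    """Header fields a broken forwarder shows up in: rcode, answer count, truncation."""
    if len(resp) < 12:
        raise ValueError("short DNS response")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch")
    return {"rcode": flags & 0x000F, "ancount": ancount, "tc": bool(flags & 0x0200)}

def udp_exchange(server, packet, timeout):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:  # one datagram to port 53
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recv(4096)

def time_lookup(server, name, qtype=1, timeout=5.0, exchange=udp_exchange):
    """Time one query; `exchange` is injectable so the logic can be exercised offline."""
    packet, qid = build_query(name, qtype)
    start = time.monotonic()
    try:
        resp = exchange(server, packet, timeout)
    except (socket.timeout, TimeoutError):
        return {"server": server, "ms": (time.monotonic() - start) * 1000, "timeout": True}
    info = parse_header(resp, qid)
    info.update(server=server, ms=(time.monotonic() - start) * 1000, timeout=False)
    return info

def compare_servers(servers, name, qtypes=("A", "AAAA"), exchange=udp_exchange):
    """Query each server for A and AAAA, the pair a stub resolver normally sends."""
    return [dict(time_lookup(s, name, QTYPES[t], exchange=exchange), qtype=t)
            for s in servers for t in qtypes]

if __name__ == "__main__":
    # Constructed placeholder addresses: the router's inside address and one ISP resolver.
    for r in compare_servers(["192.0.2.1", "198.51.100.53"], "example.com"):
        print(r)
```

A forwarder that cannot reach its upstreams typically shows up here as a timeout or a non-zero rcode on the router's line while the ISP line answers quickly; a large gap between the A and AAAA times on the router alone points at one of the two query types being dropped.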

When the DHCP server tells client to use the ISP DNS servers, everything zips along at top speed.

There should be no difference between using dig and an application performing a lookup.

One would expect so, but these are the symptoms I find. I had previously been using a Gentoo device with dnsmasq running and this was working great.

The only change here (and the only way I can replicate this symptom) is to set the MT device as my DNS server for internal client machines.

Regs.

Iain.

Bump

What firewall rules do you have in the input and/or output chains for DNS?

Regards

Andrew

Ended up replacing the Intel based device with a MIPS one.