LtFlash
just joined
Topic Author
Posts: 4
Joined: Tue Mar 27, 2012 5:17 am

Queue Tree, global-in and DNS issues

Tue Mar 27, 2012 5:44 am

Hi all,
I've got a strange issue. As soon as I create a queue in Queue Tree with any of the 'global' interfaces as parent (global-in, global-out, global-total), and even when I don't route any packets through that queue, I get trouble with DNS resolving, but of a very strange kind: 'dig' works perfectly, nslookup too, but when I try to open any site with a web browser, it just gets stuck on 'Looking up <hostname>' for 5-6 seconds, then it resolves it successfully and opens really fast. I'm using RouterOS 5.8 on a MikroTik RB1100AHx2. I've tried assigning queues to interfaces, and in that case DNS works perfectly without any delay. Thanks for your help!
 
LtFlash
just joined
Topic Author
Posts: 4
Joined: Tue Mar 27, 2012 5:17 am

Re: Queue Tree, global-in and DNS issues

Tue Mar 27, 2012 6:47 am

I've dug a bit further and found that when the browser starts (I used lynx for testing), it actually sends out two queries: one for the IPv4 address (type A) and one for the IPv6 address (type AAAA). When no queue is attached to the global interfaces, you can see the following in tcpdump:
14:24:18.856759 IP 203.221.50.196.58034 > 203.12.160.35.53: 13212+ A? www.voipline.net.au. (37)
14:24:18.856768 IP 203.221.50.196.58034 > 203.12.160.35.53: 33877+ AAAA? www.voipline.net.au. (37)
14:24:18.870752 IP 203.12.160.35.53 > 203.221.50.196.58034: 13212 1/2/0 A 119.31.227.252 (113)
14:24:18.870833 IP 203.12.160.35.53 > 203.221.50.196.58034: 33877 0/1/0 (125)
14:24:18.871523 IP 203.221.50.196.37148 > 203.12.160.35.53: 32298+ A? www.voipline.net.au. (37)
14:24:18.871533 IP 203.221.50.196.37148 > 203.12.160.35.53: 40200+ AAAA? www.voipline.net.au. (37)
14:24:18.885689 IP 203.12.160.35.53 > 203.221.50.196.37148: 32298 1/2/0 A 119.31.227.252 (113)
14:24:18.885699 IP 203.12.160.35.53 > 203.221.50.196.37148: 40200 0/1/0 (125)
But when any queue is attached to any of the global interfaces, the following happens:
14:26:04.866738 IP 203.221.50.196.53321 > 203.12.160.35.53: 18947+ A? www.voipline.net.au. (37)
14:26:04.866747 IP 203.221.50.196.53321 > 203.12.160.35.53: 27424+ AAAA? www.voipline.net.au. (37)
14:26:04.881162 IP 203.12.160.35.53 > 203.221.50.196.53321: 18947 1/2/0 A 119.31.227.252 (113)
14:26:09.871435 IP 203.221.50.196.53321 > 203.12.160.35.53: 18947+ A? www.voipline.net.au. (37)
14:26:09.885949 IP 203.12.160.35.53 > 203.221.50.196.53321: 18947 1/2/0 A 119.31.227.252 (113)
14:26:09.886057 IP 203.221.50.196.53321 > 203.12.160.35.53: 27424+ AAAA? www.voipline.net.au. (37)
14:26:09.899832 IP 203.12.160.35.53 > 203.221.50.196.53321: 27424 0/1/0 (125)
14:26:09.900654 IP 203.221.50.196.44580 > 203.12.160.35.53: 12441+ A? www.voipline.net.au. (37)
14:26:09.900663 IP 203.221.50.196.44580 > 203.12.160.35.53: 59679+ AAAA? www.voipline.net.au. (37)
14:26:09.914695 IP 203.12.160.35.53 > 203.221.50.196.44580: 12441 1/2/0 A 119.31.227.252 (113)
14:26:14.904970 IP 203.221.50.196.44580 > 203.12.160.35.53: 12441+ A? www.voipline.net.au. (37)
14:26:14.918765 IP 203.12.160.35.53 > 203.221.50.196.44580: 12441 1/2/0 A 119.31.227.252 (113)
14:26:14.918864 IP 203.221.50.196.44580 > 203.12.160.35.53: 59679+ AAAA? www.voipline.net.au. (37)
14:26:14.933469 IP 203.12.160.35.53 > 203.221.50.196.44580: 59679 0/1/0 (125)
As you can see, responses for IPv6 addresses are lost, causing delays. I thought it might be related to the fact that IPv6 is disabled on the router, but actually it's an IPv4 query for an IPv6 address, so why would the router drop it when a queue is running on the interface, taking into account that there are no rules in the firewall and no packets are being routed into that queue?
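
An added example, not part of the original post: a small Python parser for tcpdump DNS lines in the format shown above. It pairs queries with responses by client port and query ID, then reports retries and which queries were still unanswered when the client retried. The sample lines are copied from the second capture above; `analyze` and `BAD_CAPTURE` are names chosen for this example.

```python
import re
from datetime import datetime

# Lines copied from the second tcpdump capture in the post above (queue attached).
BAD_CAPTURE = """
14:26:04.866738 IP 203.221.50.196.53321 > 203.12.160.35.53: 18947+ A? www.voipline.net.au. (37)
14:26:04.866747 IP 203.221.50.196.53321 > 203.12.160.35.53: 27424+ AAAA? www.voipline.net.au. (37)
14:26:04.881162 IP 203.12.160.35.53 > 203.221.50.196.53321: 18947 1/2/0 A 119.31.227.252 (113)
14:26:09.871435 IP 203.221.50.196.53321 > 203.12.160.35.53: 18947+ A? www.voipline.net.au. (37)
14:26:09.885949 IP 203.12.160.35.53 > 203.221.50.196.53321: 18947 1/2/0 A 119.31.227.252 (113)
14:26:09.886057 IP 203.221.50.196.53321 > 203.12.160.35.53: 27424+ AAAA? www.voipline.net.au. (37)
14:26:09.899832 IP 203.12.160.35.53 > 203.221.50.196.53321: 27424 0/1/0 (125)
"""

# Groups: time, src ip, src port, dst ip, dst port, DNS query id, rest of line
LINE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)\S* (.*)$")

def analyze(capture):
    """Return (retransmits, unanswered) seen from the capturing host.

    retransmits: (id, qtype, seconds since first send) for every repeated query.
    unanswered:  (id, qtype) for retries sent while no response had been seen.
    A client-side capture cannot tell whether the query or the reply was dropped.
    """
    first_seen, pending = {}, set()
    retransmits, unanswered = [], []
    for raw in capture.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, qid, rest = m.groups()
        t = datetime.strptime(ts, "%H:%M:%S.%f")
        if dport == "53":                       # query towards the resolver
            key, qtype = (src, sport, qid), rest.split("?")[0]
            if key in first_seen:
                gap = (t - first_seen[key]).total_seconds()
                retransmits.append((qid, qtype, round(gap, 3)))
                if key in pending:
                    unanswered.append((qid, qtype))
            else:
                first_seen[key] = t
            pending.add(key)
        elif sport == "53":                     # response from the resolver
            pending.discard((dst, dport, qid))
    return retransmits, unanswered

if __name__ == "__main__":
    print(analyze(BAD_CAPTURE))
```
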
 
LtFlash
just joined
Topic Author
Posts: 4
Joined: Tue Mar 27, 2012 5:17 am

Re: Queue Tree, global-in and DNS issues

Tue Mar 27, 2012 10:19 am

Upgraded router to 5.14, no changes. As soon as I assign any queue to 'global-XXX' interface - DNS is broken. Re-created all queues to use just interfaces - works perfectly.
 
DynStatic
Frequent Visitor
Posts: 92
Joined: Thu Feb 18, 2010 3:11 am

Queue Tree, global-in and DNS issues

Tue Mar 27, 2012 4:41 pm

If you are using the mikrotik as a DNS cache system, you'll need to increase the max DNS packet size from the default 512 to at least 4096 or 8192.

When making the requests, the DNS client is likely switching from UDP mode to TCP mode because the returned size is going to be too big for a single UDP packet. Make sure you aren't blocking TCP 53.
 
shade
newbie
Posts: 31
Joined: Fri Jan 14, 2011 7:40 pm
Location: Russia,Maykop

Re: Queue Tree, global-in and DNS issues

Sun Oct 28, 2012 10:41 pm

I have had the same issue from RouterOS 4 up to the latest RouterOS 5.21.
It was not important for me while I had one big IP segment (I just placed the DNS server in that segment, so DNS traffic did not go via the MikroTik). But now I am splitting the one big segment into smaller segments, and I don't want to place a DNS server in every small segment.

To reproduce this problem I built a test stand:

DNS-server (Linux/bind IP 10.7.3.10/24) connected to RB-750 via interface ether3-slave-local with IP 10.7.3.1/24
DNS-client (Linux/ssh IP 10.7.2.10/24) connected to RB-750 ether2-master-local with IP 10.7.2.1/24
Note 1: I don't use nscd or other caching; to reproduce this, disable nscd, if you use it, on both client and server for a clean experiment.
Note 2: interfaces ether2-master-local and ether2-master-local are not in a switch (master port = none), so we have two IP segments, 10.7.3.0/24 and 10.7.2.0/24, and routing between them.

Some DNS requests are lost, usually AAAA. They are lost only when they arrive together within a short time. If I make such requests by hand, one by one, with nslookup, they are not lost. But when a web browser or ssh client tries to resolve a domain, it makes two requests in a short time: A is answered, AAAA is lost.

Good scenario (when there are no queues)
On the DNS client, I make a call:
$ ssh mkpnet.ru

At that time, on the DNS client, I see the following in the tshark (Wireshark) sniffer:
shade:/home/alex # tshark -i eth0 -R"dns && ((ip.src==10.7.2.10 && ip.dst==10.7.3.10) || (ip.src==10.7.3.10 && ip.dst==10.7.2.10))"
OOPS: dissector table "sctp.ppi" doesn't exist
Protocol being registered is "Datagram Transport Layer Security"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
 13.039545    10.7.2.10 -> 10.7.3.10    DNS 69 Standard query 0xb767  A mkpnet.ru
 13.039613    10.7.2.10 -> 10.7.3.10    DNS 69 Standard query 0x25e2  AAAA mkpnet.ru
 13.040778    10.7.3.10 -> 10.7.2.10    DNS 255 Standard query response 0xb767  A 192.168.11.4
 13.040970    10.7.3.10 -> 10.7.2.10    DNS 117 Standard query response 0x25e2
one request for A, one request for AAAA, one response for A, one response for AAAA

on DNS-server:
home:~ # tshark -i eth0 -R"dns && ((ip.src==10.7.2.10 && ip.dst==10.7.3.10) || (ip.src==10.7.3.10 && ip.dst==10.7.2.10))"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  4.150101    10.7.2.10 -> 10.7.3.10    DNS Standard query A mkpnet.ru
  4.150148    10.7.2.10 -> 10.7.3.10    DNS Standard query AAAA mkpnet.ru
  4.150941    10.7.3.10 -> 10.7.2.10    DNS Standard query response A 192.168.11.4
  4.151190    10.7.3.10 -> 10.7.2.10    DNS Standard query response
one request for A, one request for AAAA, one response for A, one response for AAAA

Bad scenario: I have a simple queue on interface ether2-master-local (for example with limit-at/max-limit 10M)
On the DNS client:
shade:/home/alex # tshark -i eth0 -R"dns && ((ip.src==10.7.2.10 && ip.dst==10.7.3.10) || (ip.src==10.7.3.10 && ip.dst==10.7.2.10))"
OOPS: dissector table "sctp.ppi" doesn't exist
Protocol being registered is "Datagram Transport Layer Security"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  6.103472    10.7.2.10 -> 10.7.3.10    DNS 69 Standard query 0xa725  A mkpnet.ru
  6.103491    10.7.2.10 -> 10.7.3.10    DNS 69 Standard query 0x5960  AAAA mkpnet.ru
  6.104812    10.7.3.10 -> 10.7.2.10    DNS 255 Standard query response 0xa725  A 192.168.11.4
 11.107952    10.7.2.10 -> 10.7.3.10    DNS 69 Standard query 0xa725  A mkpnet.ru
 11.109166    10.7.3.10 -> 10.7.2.10    DNS 255 Standard query response 0xa725  A 192.168.11.4
 11.109220    10.7.2.10 -> 10.7.3.10    DNS 69 Standard query 0x5960  AAAA mkpnet.ru
 11.109795    10.7.3.10 -> 10.7.2.10    DNS 117 Standard query response 0x5960 
one request for A
one request for AAAA
one response for A
wait for 5 seconds
again one request for A
again one response for A
one more request for AAAA
one more response for AAAA

On the DNS server:
home:~ # tshark -i eth0 -R"dns && ((ip.src==10.7.2.10 && ip.dst==10.7.3.10) || (ip.src==10.7.3.10 && ip.dst==10.7.2.10))"
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
  0.000000    10.7.2.10 -> 10.7.3.10    DNS Standard query A mkpnet.ru
  0.000801    10.7.3.10 -> 10.7.2.10    DNS Standard query response A 192.168.11.4
  5.005182    10.7.2.10 -> 10.7.3.10    DNS Standard query A mkpnet.ru
  5.005980    10.7.3.10 -> 10.7.2.10    DNS Standard query response A 192.168.11.4
  5.006369    10.7.2.10 -> 10.7.3.10    DNS Standard query AAAA mkpnet.ru
  5.006647    10.7.3.10 -> 10.7.2.10    DNS Standard query response
one request for A
one response for A
wait 5 seconds
again request for A
again response for A
again request for AAAA
again response for AAAA

The DNS client sends 2 AAAA requests, the DNS server receives only 1 AAAA request. Where is the second AAAA request lost?

I reproduced this issue on RB-750 and PC routers (x86) with RouterOS 5.21.
On RB-750 with RouterOS 6.0rc2 it seems to be fixed.
On x86 with RouterOS 6.0rc2 I haven't tested it yet.
There are no unsolvable problems, only problems that nobody solves
 
sergejs
MikroTik Support
Posts: 6621
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: Queue Tree, global-in and DNS issues

Tue Oct 30, 2012 2:34 pm

Thank you very much for your reports.
The problem will be fixed in the next v6.x RouterOS version.
 
shade
newbie
Posts: 31
Joined: Fri Jan 14, 2011 7:40 pm
Location: Russia,Maykop

Re: Queue Tree, global-in and DNS issues

Mon Nov 26, 2012 4:10 pm

Tested ROS 5.22 on RB-750 - the problem still exists
There are no unsolvable problems, only problems that nobody solves
 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Queue Tree, global-in and DNS issues

Mon Nov 26, 2012 4:31 pm

Please try 6.0rc4. If you want a link to download it, either apply for dev packages or ask for a link in the ticket you have opened at support about this issue.
 
shade
newbie
Posts: 31
Joined: Fri Jan 14, 2011 7:40 pm
Location: Russia,Maykop

Re: Queue Tree, global-in and DNS issues

Mon Nov 26, 2012 4:43 pm

I tested ROS 6.0rc1 and 6.0rc2 on RB-750 - the problem seems solved, but I cannot install ROS 6.0rc* on x86 due to a non-working keyboard [Ticket#2012102966000371].

I need this issue to be fixed on x86 (our production servers). Before putting ROS 6.0rc into production I want to test it on an offline server, but I can't because of the non-working keyboard in the install procedure.
There are no unsolvable problems, only problems that nobody solves
