[CentOS] Resolving names is really slow with CentOS 5.x using named

Mon May 25 11:21:50 UTC 2009
carlopmart <carlopmart at gmail.com>

Paul Bijnens wrote:
> On 2009-05-25 12:51, carlopmart wrote:
>>   I have a problem using named on different CentOS5 servers (2 servers): all of 
>> them are really slow to resolve any internet address and most of the time fail to 
>> resolve. This situation differs if I use "forwarders" servers like OpenDNS: 
>> resolving names is really, really quick. And I don't understand why.
>>
>>   On the other hand, I have tested three DNS servers using Windows 2003, Windows 
>> 2008 and Ubuntu Hardy and these problems don't occur (I don't need to 
>> configure forwarders on any of them): all resolve any name, and really fast.
>>
>>   IPv6 is disabled on both CentOS servers. Does somebody know why these DNS servers 
>> are slow??
> 
> 
> My crystal ball is in repair.  Could you in the meantime add some more
> hints, e.g. your config files, and how you diagnosed the slowness.
> 
> My CentOS5 DNS-servers do resolve really quickly, with or without forwarders.
> 
> 
Ok, my named.conf:

//
// named.conf
//

options {
         directory "/var/named";
         dump-file "/var/named/data/cache_dump.db";
         statistics-file "/var/named/data/named_stats.txt";
         memstatistics-file "/var/named/data/named_mem_stats.txt";
         listen-on port 53 { 127.0.0.1; 172.25.50.10; };
         version "DNS Server v2.0";     // masks the real BIND version string
         dnssec-enable no;
         query-source port 53;          // fixed UDP source port: disables the
                                        // source-port randomization added for
                                        // CVE-2008-1447 (cache poisoning)
         forwarders { 208.67.220.220; 208.67.222.222; };
};

logging {
         channel security_channel {
                 file "/var/named/data/security.log" versions 3 size 1m;
                 severity debug;
                 print-time yes;
                 print-category yes;
                 print-severity yes;
         };
         channel default {
                 syslog local4;
                 severity info;
                 print-category yes;
                 print-severity yes;
         };
         channel query_log {
                 file "/var/named/data/query.log" versions 3 size 1m;
                 print-time yes;
         };
         category security {
                 security_channel;
                 default;
         };
         category queries {
                 query_log;
         };
         channel default_debug {
                 file "/var/named/data/named.run";
                 severity dynamic;
         };
         category lame-servers { null; };
         category default { default; };
};

controls {
         inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

As you can see, I need to use the "query-source port" parameter too, together with 
forwarders, to resolve names (and this is really, really ugly).

And some examples:

  - Using "query-source port" and "forwarders" directives:

   [root@thranduil data]# nslookup
   > bugs.centos.org
   Server:         127.0.0.1
   Address:        127.0.0.1#53

   Non-authoritative answer:
   Name:   bugs.centos.org
   Address: 72.232.194.162

    .. everything is normal and really fast.


  - Disabling "query-source port" and "forwarders" directives:

   [root@thranduil data]# nslookup
   > www.google.com
   ;; connection timed out; no servers could be reached

   the first attempt fails ...

   [root@thranduil data]# nslookup
   > www.google.com
   ;; connection timed out; no servers could be reached

   the second attempt fails and ..

   [root@thranduil data]# nslookup
   > www.google.com
   Server:         127.0.0.1
   Address:        127.0.0.1#53

   Non-authoritative answer:
   www.google.com  canonical name = www.l.google.com.
   Name:   www.l.google.com
   Address: 209.85.227.99
   Name:   www.l.google.com
   Address: 209.85.227.103
   Name:   www.l.google.com
   Address: 209.85.227.104
   Name:   www.l.google.com
   Address: 209.85.227.147

   .. at the third attempt it works ...

  The same tests on Ubuntu Hardy, without the "query-source" and "forwarders" 
directives, work.

  Do you need more info?

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
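As an added example for the named.conf and the "query-source port" point in the message above (this is editor-supplied code, not from the original post and not from ISC), here is a small Python linter that parses the options block of a named.conf and flags the settings a practitioner would want checked before worrying about speed: a pinned query-source port, missing allow-recursion / allow-query ACLs, DNSSEC switched off, and forward-first fallback. The two embedded configs are constructed: the "weak" one reproduces the posted options block, the "hardened" one is an assumed corrected version whose ACL ranges are placeholders. The BIND 9.3 defaults it assumes (the version CentOS 5 ships) are stated in the code.

```python
"""Lint a BIND named.conf options block for resolver settings that weaken security.

Added example for this thread; not code from the original post or from ISC.
Both sample configs are constructed; addresses/ACLs in the hardened one are placeholders.
"""
import re

WEAK_NAMED_CONF = """
// constructed: the options block as posted in the thread
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 172.25.50.10; };
    version "DNS Server v2.0";
    dnssec-enable no;
    query-source port 53;
    forwarders { 208.67.220.220; 208.67.222.222; };
};
controls { inet 127.0.0.1 allow { localhost; } keys { rndckey; }; };
"""

HARDENED_NAMED_CONF = """
// constructed: an assumed corrected options block (ACL ranges are placeholders)
options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 172.25.50.10; };
    query-source address 172.25.50.10;   /* source address only, port left random */
    allow-query     { 127.0.0.1; 172.25.50.0/24; };
    allow-recursion { 127.0.0.1; 172.25.50.0/24; };
    dnssec-enable yes;
    forwarders { 208.67.220.220; 208.67.222.222; };
    forward only;
};
"""


def strip_comments(text):
    """Remove /* */, // and # comments; named.conf accepts all three styles."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def extract_block(text, name):
    """Return the body of the first top-level `name { ... }` block, brace-matched."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    if depth:
        raise ValueError("unbalanced braces in %s block" % name)
    return text[m.end():i - 1]


def parse_statements(body):
    """Split a block body on top-level ';' into {keyword: [argument strings]}.
    A keyword may appear more than once, so values are kept as a list."""
    stmts, depth, cur = {}, 0, []
    for ch in body:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == ";" and depth == 0:
            s = " ".join("".join(cur).split())   # collapse newlines/indentation
            if s:
                key, _, rest = s.partition(" ")
                stmts.setdefault(key, []).append(rest)
            cur = []
        else:
            cur.append(ch)
    return stmts


def lint_named_conf(text):
    """Return a list of (severity, code, message) findings for the options block."""
    body = extract_block(strip_comments(text), "options")
    if body is None:
        return [("HIGH", "no-options", "no options block found")]
    opts = parse_statements(body)
    findings = []
    # A fixed port in query-source[-v6] turns off UDP source-port randomization,
    # the mitigation BIND shipped for the CVE-2008-1447 cache-poisoning attack.
    for key in ("query-source", "query-source-v6"):
        for val in opts.get(key, []):
            m = re.search(r"\bport\s+(\S+)", val)
            if m and m.group(1) != "*":
                findings.append(("HIGH", "fixed-query-source-port",
                                 "%s pins the UDP source port to %s; source-port "
                                 "randomization (CVE-2008-1447 fix) is disabled" % (key, m.group(1))))
    # Assumption: BIND 9.3 (CentOS 5) allows recursion from any client when unset.
    if "allow-recursion" not in opts:
        findings.append(("MEDIUM", "no-allow-recursion",
                         "allow-recursion not set; BIND 9.3 default allows anyone, i.e. an open resolver"))
    if "allow-query" not in opts:
        findings.append(("LOW", "no-allow-query", "allow-query not set; all clients may query"))
    # Assumption: dnssec-enable defaults to 'no' in BIND 9.3.
    if opts.get("dnssec-enable", ["no"])[-1] == "no":
        findings.append(("INFO", "dnssec-disabled", "dnssec-enable is off; DNSSEC records are not requested"))
    # 'forward first' is the default: named falls back to iterative resolution
    # when the forwarders do not answer, which also changes timing behaviour.
    if "forwarders" in opts and opts.get("forward", ["first"])[-1] != "only":
        findings.append(("INFO", "forward-first", "forward first: falls back to iteration if forwarders fail"))
    return findings


def severities(findings):
    """Distinct severity labels present in a findings list, sorted."""
    return sorted({sev for sev, _, _ in findings})


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print("== %s" % label)
        for sev, code, msg in lint_named_conf(conf):
            print("%-6s %-24s %s" % (sev, code, msg))
```

To check a live server, call `lint_named_conf(open("/etc/named.conf").read())`. On the posted configuration the pinned port is the finding to act on first: the `port 53` clause is what BIND's own CVE-2008-1447 advisory told operators to remove, and if it is in place only because an upstream firewall drops replies to random high ports, the firewall rule, not named, is the right place to fix that.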