Hi everyone,
I've just joined the list as I am having an issue with our CentOS servers.
The domain resolution is extremely slow from the application but doing an nslookup gives an immediate response. All the applications have the same issue, as do all the servers.
I have been looking for the solution all over the web and all I have found are references to disabling ipv6.
- By setting enable_ipv6 = no in /etc/sysconfig/network, which is already done on all the machines.
- By blacklisting the ip6 module, which is not an option as it is used by the bonding module. Just for the sake of it, I tried it and, as expected, the bonding module did not come back up.
If bad comes to worse, I could set up host entries for the main machines in /etc/hosts, but I really am trying to avoid that.
Any suggestions?
Thanks
Gabriel Tabares
On 23/08/2010 13:20, Joseph L. Casale wrote:
/etc/nsswitch.conf and /etc/host.conf
Both files are the default ones from CentOS:
nsswitch.conf: (comments removed)
--------------
passwd:     files
shadow:     files
group:      files
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus

host.conf:
-----------
order hosts,bind
Before I forget, we're running CentOS 5.5 on x86_64.
Thanks
Gabriel
On 23/08/2010 13:28, Joseph L. Casale wrote:
Both files are the default ones from CentOS:
So what do the host names look like that the application attempts to resolve, fully qualified or not? What does your cli based query look like?
My resolv.conf is:
search mydomain.com
nameserver 10.3.2.2
The hostname of the machines is set to a FQDN server.mydomain.com.
The time it takes for the queries does not change whether we use the FQDN or just the hostname.
See below for an example (I stopped the mail server so the connection was refused).
# time telnet md-mail02.mydomain.com 25
(long wait)
Trying 10.2.9.2...
telnet: connect to address 10.2.9.2: Connection refused
telnet: Unable to connect to remote host: Connection refused

real    0m20.005s
user    0m0.000s
sys     0m0.005s

# time telnet md-mail02 25
(long wait)
Trying 10.2.9.2...
telnet: connect to address 10.2.9.2: Connection refused
telnet: Unable to connect to remote host: Connection refused

real    0m10.004s
user    0m0.001s
sys     0m0.002s

# time telnet 10.2.9.2 25
(no wait)
Trying 10.2.9.2...
telnet: connect to address 10.2.9.2: Connection refused
telnet: Unable to connect to remote host: Connection refused

real    0m0.005s
user    0m0.001s
sys     0m0.002s

Nslookup responds immediately:

# time nslookup my-mail02.mydomain.com
Server:         10.2.2.254
Address:        10.2.2.254#53

Non-authoritative answer:
Name:   my-mail02.mydomain.com
Address: 10.2.9.2

real    0m0.006s
user    0m0.003s
sys     0m0.003s

# time nslookup my-mail02
Server:         10.2.2.254
Address:        10.2.2.254#53

Non-authoritative answer:
Name:   my-mail02.mydomain.com
Address: 10.2.9.2

real    0m0.005s
user    0m0.001s
sys     0m0.004s
On Mon, August 23, 2010 15:43, Gabriel Tabares wrote:
On 23/08/2010 13:28, Joseph L. Casale wrote:
Both files are the default ones from CentOS:
So what do the host names look like that the application attempts to resolve, fully qualified or not? What does your cli based query look like?
My resolv.conf is:
search mydomain.com
nameserver 10.3.2.2
The hostname of the machines is set to a FQDN server.mydomain.com.
The time it takes for the queries does not change whether we use the FQDN or just the hostname.
See below for an example (I stopped the mail server so the connection was refused).
The problems can sometimes be caused by not having reverse-DNS records for your hosts. Can you resolve to names (any name) from an IP address? e.g. nslookup 10.2.9.2?
It doesn't matter if it doesn't resolve to the right name, just that it resolves to something (and avoids the timeout)...
On Mon, Aug 23, 2010 at 9:48 AM, Giles Coochey giles@coochey.net wrote:
The problems can sometimes be caused by not having reverse-DNS records for your hosts. Can you resolve to names (any name) from an IP address? e.g. nslookup 10.2.9.2?
If this is a reverse-lookup problem and you can't have a reverse-lookup zone (I worked at a company where the Windows admins refused to create one when we asked them to do so!), you can add "[NOTFOUND=return]" to the hosts line in nsswitch.conf after "dns", otherwise your dns server will forward the query out to the net (assuming that your egress rules allow it to do so) and an answer will be returned by some servers set up for this purpose on the net - called blackhole-something, IIRC.
On 23/08/2010 15:56, Tom H wrote:
On Mon, Aug 23, 2010 at 9:48 AM, Giles Coochey giles@coochey.net wrote:
The problems can sometimes be caused by not having reverse-DNS records for your hosts. Can you resolve to names (any name) from an IP address? e.g. nslookup 10.2.9.2?
One more thing, if this is the case, why does the nslookup respond straight away? Is the destination server trying to somehow validate the host where the connection came from?
If this is a reverse-lookup problem and you can't have a reverse-lookup zone (I worked at a company where the Windows admins refused to create one when we asked them to do so!),
I don't think it does reverse lookups. We are using a Juniper firewall to do the DNS for the internal network. It also caches DNS for some outside domains. I will have to look into this.
you can add "[NOTFOUND=return]" to the hosts line in nsswitch.conf after "dns", otherwise your dns server will forward the query out to the net (assuming that your egress rules allow it to do so) and an answer will be returned by some servers set up for this purpose on the net - called blackhole-something, IIRC.
I have added that line to the configuration and connections still take a long time to resolve the address.
On Mon, Aug 23, 2010 at 11:08 AM, Gabriel Tabares gabriel.tabares@roboreus.com
One more thing, if this is the case, why does the nslookup respond straight away? Is the destination server trying to somehow validate the host where the connection came from?
It's entirely possible (and probable) that the mail server is attempting to do a reverse lookup of the originating host. When the lookup times out, the connection goes through.
If the command
ping my-mail02.mydomain.com
returns immediately with data, that would support that theory.
M
On 8/23/2010 10:08 AM, Gabriel Tabares wrote:
One more thing, if this is the case, why does the nslookup respond straight away? Is the destination server trying to somehow validate the host where the connection came from?
Some servers do, some don't. The ones that do are often just trying to log a name instead of the connecting IP address so you might be able to reconfigure the servers. It doesn't matter if this lookup fails as long as the response comes quickly. But, your earlier post indicated that you only had a private DNS server. If you request something it doesn't know, what happens? Does it attempt to resolve from public servers that are firewalled? And if so does the firewall block with an 'icmp denied' response or just silently drop the request or response? In the latter case, the server and application are forced to wait for the timeout.
In my opinion the 'right' solution to reverse-dns is to always make sure your own server responds to all the private address range zones and any public ranges you control even if you don't have complete or correct information for them. No one else will either so you might as well not bother the upstream servers with queries caused by your bad configuration.
Greetings,
On Wed, Aug 25, 2010 at 9:08 PM, Les Mikesell lesmikesell@gmail.com wrote:
On 8/23/2010 10:08 AM, Gabriel Tabares wrote:
Some servers do, some don't.
Have you tried Google's DNS servers, 8.8.8.8 and one more IP I can't recollect exactly?
Regards,
Rajagopal
On 25/08/2010 17:44, Rajagopal Swaminathan wrote:
Greetings,
On Wed, Aug 25, 2010 at 9:08 PM, Les Mikesell lesmikesell@gmail.com wrote:
On 8/23/2010 10:08 AM, Gabriel Tabares wrote:
Some servers do, some don't.
Have you tried Google's DNS servers, 8.8.8.8 and one more IP I can't recollect exactly?
External DNS is not available as the servers are firewalled from the outside. When I open DNS access to the outside, the issue does not seem to appear.
On 8/28/10 9:23 AM, Gabriel Tabares wrote:
On 25/08/2010 17:44, Rajagopal Swaminathan wrote:
Greetings,
On Wed, Aug 25, 2010 at 9:08 PM, Les Mikesell lesmikesell@gmail.com wrote:
On 8/23/2010 10:08 AM, Gabriel Tabares wrote:
Some servers do, some don't.
Have you tried Google's DNS servers, 8.8.8.8 and one more IP I can't recollect exactly?
External DNS is not available as the servers are firewalled from the outside. When I open DNS access to the outside, the issue does not seem to appear.
That means something is looking up names in domains or addresses in reverse zones that your private server isn't answering. And that the attempts to contact the outside servers aren't being quickly answered by an ICMP 'no route' or 'administratively denied' response from your router or firewall - so you wait for the timeout. All of these can be fixed.
On Wed, 25 Aug 2010, Les Mikesell wrote:
To: centos@centos.org
From: Les Mikesell lesmikesell@gmail.com
Subject: Re: [CentOS] Slow domain resolution problem
On 8/23/2010 10:08 AM, Gabriel Tabares wrote:
One more thing, if this is the case, why does the nslookup respond straight away? Is the destination server trying to somehow validate the host where the connection came from?
Some servers do, some don't. The ones that do are often just trying to log a name instead of the connecting IP address so you might be able to reconfigure the servers. It doesn't matter if this lookup fails as long as the response comes quickly. But, your earlier post indicated that you only had a private DNS server. If you request something it doesn't know, what happens? Does it attempt to resolve from public servers that are firewalled? And if so does the firewall block with an 'icmp denied' response or just silently drop the request or response? In the latter case, the server and application are forced to wait for the timeout.
In my opinion the 'right' solution to reverse-dns is to always make sure your own server responds to all the private address range zones and any public ranges you control even if you don't have complete or correct information for them. No one else will either so you might as well not bother the upstream servers with queries caused by your bad configuration.
--
Les Mikesell
lesmikesell@gmail.com
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
It might help identify the problem by installing and running wireshark:
[root]# yum info wireshark*
1683 packages excluded due to repository priority protections
Installed Packages
Name       : wireshark
Arch       : i386
Version    : 1.0.11
Release    : 1.el5_5.5
Size       : 40 M
Repo       : installed
Summary    : Network traffic analyzer
URL        : http://www.wireshark.org/
License    : GPL
Description: Wireshark is a network traffic analyzer for Unix-ish operating
           : systems.
           :
           : This package lays base for libpcap, a packet capture and filtering
           : library, contains command-line utilities, contains plugins and
           : documentation for wireshark. A graphical user interface is packaged
           : separately to GTK+ package.

Name       : wireshark-gnome
Arch       : i386
Version    : 1.0.11
Release    : 1.el5_5.5
Size       : 1.6 M
Repo       : installed
Summary    : Gnome desktop integration for wireshark and wireshark-usermode
URL        : http://www.wireshark.org/
License    : GPL
Description: Contains wireshark for Gnome 2 and desktop integration file
That should give you some clues as to what's happening.
Kind Regards,
Keith Roberts
-----------------------------------------------------------------
Websites:
http://www.php-debuggers.net
http://www.karsites.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA
[http://tmda.net]
-----------------------------------------------------------------
On Mon, 23 Aug 2010, Tom H wrote:
To: CentOS mailing list centos@centos.org
From: Tom H tomh0665@gmail.com
Subject: Re: [CentOS] Slow domain resolution problem
On Mon, Aug 23, 2010 at 9:48 AM, Giles Coochey giles@coochey.net wrote:
The problems can sometimes be caused by not having reverse-DNS records for your hosts. Can you resolve to names (any name) from an IP address? e.g. nslookup 10.2.9.2?
If this is a reverse-lookup problem and you can't have a reverse-lookup zone (I worked at a company where the Windows admins refused to create one when we asked them to do so!), you can add "[NOTFOUND=return]" to the hosts line in nsswitch.conf after "dns", otherwise your dns server will forward the query out to the net (assuming that your egress rules allow it to do so) and an answer will be returned by some servers set up for this purpose on the net - called blackhole-something, IIRC.
Not sure if it is RDNS.
I had similar issues on Fedora, and for me it was to do with IP6.
Konqueror web browser took ages to load a page. IIRC Firefox handled it OK.
Try Googling for 'uninstalling ipv6 linux'
That solved the Konqueror DNS problem for me. Yours could be a different issue.
Here's the results of going to the ShieldsUp page at https://www.grc.com/x/ne.dll?bh0bkyd2
Your Internet connection has no Reverse DNS
Many Internet connection IP addresses are associated with a DNS machine name. (But yours is not.) The presence of "Reverse DNS", which allows the machine name to be retrieved from the IP address, can represent a privacy and possible security concern for Internet consumers since it may uniquely and persistently identify your Internet account — and therefore you — and may disclose other information, such as your geographic location.
When present, reverse DNS is supported by Internet service providers. But no such lookups are possible with your current Internet connection address (81.168.74.150). That's generally a good thing.
Another thing is how many DNS IP addresses do you have in /etc/resolv.conf?
I only had one DNS IP address thanks to NetworkManager on F12. And that DNS host went down at my ISP end!
I use four IP addresses now in my resolv.conf file.
Kind Regards,
Keith Roberts
Not sure if it is RDNS.
I had similar issues on Fedora, and for me it was to do with IP6.
Konqueror web browser took ages to load a page. IIRC Firefox handled it OK.
Try Googling for 'uninstalling ipv6 linux'
I already tried that. The /etc/sysconfig/network has the IPV6_ENABLE=no. Disabling the ip6 modules is not feasible, as the bonding module depends on it.
Another thing is how many DNS IP addresses do you have in /etc/resolv.conf?
I don't have an ISP DNS, but the address of the internal DNS server, which has all the mappings for our domain.
Thanks for your help, I'll keep on trying :)
Regards,
Gabriel
On 8/25/10 7:26 AM, Gabriel Tabares wrote:
Not sure if it is RDNS.
I had similar issues on Fedora, and for me it was to do with IP6.
Konqueror web browser took ages to load a page. IIRC Firefox handled it OK.
Try Googling for 'uninstalling ipv6 linux'
I already tried that. The /etc/sysconfig/network has the IPV6_ENABLE=no. Disabling the ip6 modules is not feasible, as the bonding module depends on it.
Another thing is how many DNS IP addresses do you have in /etc/resolv.conf?
I don't have an ISP DNS, but the address of the internal DNS server, which has all the mappings for our domain.
Do you have two of them? The usual cause of noticeable slowness is that the first one is not responding so you fail to the 2nd. Or you are looking up unqualified hostnames and the clients have several domains in their search list and the one that succeeds isn't first.
If your main DNS server is slow, you could run a caching version locally - just add your main server as a 'forwarder' in named.conf and set resolv.conf to use 127.0.0.1 first.
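Les's two suggestions (a local caching named that forwards to the main server, and a local server that answers for the private reverse ranges itself rather than bothering upstream) can be combined into one generator. The script below is an added example and was not posted in the thread. It assumes the forwarder is 10.3.2.2 from Gabriel's resolv.conf, uses ns1.mydomain.com and hostmaster.mydomain.com as placeholder SOA names and empty.zone as the file name, and writes nothing itself: it prints the fragments so they can be reviewed before going into /etc/named.conf, /var/named and /etc/resolv.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Generates a named.conf fragment for a
# local caching resolver that forwards everything it is not authoritative for
# to the site's main DNS server, plus empty authoritative zones for the RFC 1918
# reverse ranges, so a reverse lookup of an internal address gets an immediate
# NXDOMAIN instead of being forwarded and then waiting for a timeout behind the
# firewall. ns1.mydomain.com, hostmaster.mydomain.com and empty.zone are
# placeholders.

# The reverse zones covering 10/8, 172.16/12 and 192.168/16, one per line.
# 172.16/12 is not a single in-addr.arpa zone: it is 16.172 through 31.172.
rfc1918_reverse_zones() {
    echo 10.in-addr.arpa
    i=16
    while [ "$i" -le 31 ]; do
        echo "$i.172.in-addr.arpa"
        i=$((i + 1))
    done
    echo 168.192.in-addr.arpa
}

# named.conf fragment: forward-only to $1, master for every RFC 1918 reverse
# zone. 'forward only' stops named from falling back to the root servers when
# the forwarder does not answer, which would just be another firewalled timeout.
named_conf_fragment() {
    forwarder=$1
    cat <<EOF
options {
    directory "/var/named";
    forwarders { $forwarder; };
    forward only;
};
EOF
    for zone in $(rfc1918_reverse_zones); do
        printf 'zone "%s" IN { type master; file "empty.zone"; };\n' "$zone"
    done
}

# Minimal zone file shared by all the empty reverse zones: an SOA and an NS
# record, no PTRs. Because the zone is authoritative, any PTR query under it
# is answered NXDOMAIN at once.
empty_zone_file() {
    ns=$1
    mailbox=$2
    cat <<EOF
\$TTL 86400
@   IN  SOA $ns $mailbox ( 2010082801 3600 900 604800 86400 )
@   IN  NS  $ns
EOF
}

# resolv.conf for the clients: local cache first, main server as fallback, and
# short timeouts so a lookup that really does fail cannot stall an application
# for the default 5 seconds per attempt.
resolv_conf() {
    cat <<EOF
search mydomain.com
nameserver 127.0.0.1
nameserver $1
options timeout:1 attempts:2
EOF
}

# Sanity check: 1 (10/8) + 16 (172.16/12) + 1 (192.168/16) zones.
rfc1918_zone_count() {
    rfc1918_reverse_zones | wc -l | tr -d ' '
}

# Usage: sh gen-resolver-conf.sh <main nameserver>
if [ $# -eq 1 ]; then
    named_conf_fragment "$1"
    echo
    empty_zone_file ns1.mydomain.com. hostmaster.mydomain.com.
    echo
    resolv_conf "$1"
fi
```

Declaring the zones as master is what removes the wait: named answers from its own (empty) data and never forwards those queries, which is exactly Nataraj's later point that the reverse zone must be authoritative even if it holds no records. Recent BIND 9 releases serve built-in empty zones for these ranges (the empty-zones-enable option), in which case the explicit zone statements are redundant; either way, confirm with dig @127.0.0.1 9.2.10.in-addr.arpa soa and look for the aa flag. Real PTR records can be added to the zone later for anything, such as mail gateways, that cares about the name rather than just a fast answer.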
On 23/08/2010 14:48, Giles Coochey wrote:
On Mon, August 23, 2010 15:43, Gabriel Tabares wrote:
On 23/08/2010 13:28, Joseph L. Casale wrote:
Both files are the default ones from CentOS:
So what do the host names look like that the application attempts to resolve, fully qualified or not? What does your cli based query look like?
My resolv.conf is:
search mydomain.com
nameserver 10.3.2.2
The hostname of the machines is set to a FQDN server.mydomain.com.
The time it takes for the queries does not change whether we use the FQDN or just the hostname.
See below for an example (I stopped the mail server so the connection was refused).
The problems can sometimes be caused by not having reverse-DNS records for your hosts. Can you resolve to names (any name) from an IP address? e.g. nslookup 10.2.9.2?
It doesn't matter if it doesn't resolve to the right name, just that it resolves to something (and avoids the timeout)...
They don't resolve to anything:
Server:         10.2.2.254
Address:        10.2.2.254#53

Non-authoritative answer:
*** Can't find 2.9.2.10.in-addr.arpa.: No answer

Authoritative answers can be found from:
On Mon, August 23, 2010 17:03, Gabriel Tabares wrote:
On 23/08/2010 14:48, Giles Coochey wrote:
On Mon, August 23, 2010 15:43, Gabriel Tabares wrote:
On 23/08/2010 13:28, Joseph L. Casale wrote:
The problems can sometimes be caused by not having reverse-DNS records for your hosts. Can you resolve to names (any name) from an IP address? e.g. nslookup 10.2.9.2?
It doesn't matter if it doesn't resolve to the right name, just that it resolves to something (and avoids the timeout)...
They don't resolve to anything:
Server:         10.2.2.254
Address:        10.2.2.254#53

Non-authoritative answer:
*** Can't find 2.9.2.10.in-addr.arpa.: No answer

Authoritative answers can be found from:
Can you contact the network / DNS admins and ask them to create PTR records in the in-addr.arpa zone for your hosts? If not, someone posted a workaround for this for your nsswitch.conf file.
As I said - it doesn't normally matter what they set it to, except perhaps for email smart-hosts / gateways, just that the reverse lookups exist.
On 23/08/2010 16:07, Giles Coochey wrote:
On Mon, August 23, 2010 17:03, Gabriel Tabares wrote:
On 23/08/2010 14:48, Giles Coochey wrote:
On Mon, August 23, 2010 15:43, Gabriel Tabares wrote:
On 23/08/2010 13:28, Joseph L. Casale wrote:
The problems can sometimes be caused by not having reverse-DNS records for your hosts. Can you resolve to names (any name) from an IP address? e.g. nslookup 10.2.9.2?
It doesn't matter if it doesn't resolve to the right name, just that it resolves to something (and avoids the timeout)...
They don't resolve to anything:
Server:         10.2.2.254
Address:        10.2.2.254#53

Non-authoritative answer:
*** Can't find 2.9.2.10.in-addr.arpa.: No answer

Authoritative answers can be found from:
Can you contact the network / DNS admins and ask them to create PTR records in the in-addr.arpa zone for your hosts? If not, someone posted a workaround for this for your nsswitch.conf file.
As I said - it doesn't normally matter what they set it to, except perhaps for email smart-hosts / gateways, just that the reverse lookups exist.
I will look into this. I am the network admin but, for the first time, we are using the firewall for DNS and it seems that it may be a lot more picky about resolution and way less configurable. It only proxies or resolves for a list of known hosts. I might end up setting up an internal DNS server, as it will probably be easier than troubleshooting the firewall (how I hate firewalls and their closed OSs!).
Thanks for your help
Gabriel
On Mon, 23 Aug 2010, Gabriel Tabares wrote:
To: centos@centos.org
From: Gabriel Tabares gabriel.tabares@roboreus.com
Subject: Re: [CentOS] Slow domain resolution problem
On 23/08/2010 13:28, Joseph L. Casale wrote:
Both files are the default ones from CentOS:
So what do the host names look like that the application attempts to resolve, fully qualified or not? What does your cli based query look like?
My resolv.conf is:
search mydomain.com
nameserver 10.3.2.2
The hostname of the machines is set to a FQDN server.mydomain.com.
The time it takes for the queries does not change whether we use the FQDN or just the hostname.
Try this in your /etc/resolv.conf

# Eclipse ISP
nameserver 212.104.130.9
nameserver 212.104.130.65

# OpenDNS
nameserver 208.67.222.222
nameserver 208.67.220.220
Does that do anything?
Keith
On 23/08/2010 21:25, Keith Roberts wrote:
On Mon, 23 Aug 2010, Gabriel Tabares wrote:
On 23/08/2010 13:28, Joseph L. Casale wrote:
Both files are the default ones from CentOS:
So what do the host names look like that the application attempts to resolve, fully qualified or not? What does your cli based query look like?
My resolv.conf is:
search mydomain.com
nameserver 10.3.2.2
The hostname of the machines is set to a FQDN server.mydomain.com.
The time it takes for the queries does not change whether we use the FQDN or just the hostname.
Try this in your /etc/resolv.conf

# Eclipse ISP
nameserver 212.104.130.9
nameserver 212.104.130.65

# OpenDNS
nameserver 208.67.222.222
nameserver 208.67.220.220
Keith, the issue happens resolving internal IP addresses. The servers do not have DNS access to the outside world, so using this would mean that nothing is resolved ;)
Gabriel Tabares wrote:
On 23/08/2010 21:25, Keith Roberts wrote:
On Mon, 23 Aug 2010, Gabriel Tabares wrote:
On 23/08/2010 13:28, Joseph L. Casale wrote:
Both files are the default ones from CentOS:
<snip>
Keith, the issue happens resolving internal IP addresses. The servers do not have DNS access to the outside world, so using this would mean that nothing is resolved ;)
Really dumb question: do you have nisplus or nis running?
mark
On 25/08/2010 14:39, m.roth@5-cent.us wrote:
Gabriel Tabares wrote:
On 23/08/2010 21:25, Keith Roberts wrote:
On Mon, 23 Aug 2010, Gabriel Tabares wrote:
On 23/08/2010 13:28, Joseph L. Casale wrote:
Both files are the default ones from CentOS:
<snip>
Keith, the issue happens resolving internal IP addresses. The servers do not have DNS access to the outside world, so using this would mean that nothing is resolved ;)
Really dumb question: do you have nisplus or nis running?
mark
There's not such a thing as a dumb question!
No, I do not have NIS or NIS+ running.
On Wed, 25 Aug 2010, Gabriel Tabares wrote:
On 23/08/2010 21:25, Keith Roberts wrote:
On Mon, 23 Aug 2010, Gabriel Tabares wrote:
On 23/08/2010 13:28, Joseph L. Casale wrote:
Both files are the default ones from CentOS:
So what do the host names look like that the application attempts to resolve, fully qualified or not? What does your cli based query look like?
My resolv.conf is:
search mydomain.com
nameserver 10.3.2.2
The hostname of the machines is set to a FQDN server.mydomain.com.
The time it takes for the queries does not change whether we use the FQDN or just the hostname.
Try this in your /etc/resolv.conf

# Eclipse ISP
nameserver 212.104.130.9
nameserver 212.104.130.65

# OpenDNS
nameserver 208.67.222.222
nameserver 208.67.220.220
Keith, the issue happens resolving internal IP addresses. The servers do not have DNS access to the outside world, so using this would mean that nothing is resolved ;)
OK. IIRC did I see a domain name listed in your resolv.conf file? If so, would this not cause some sort of chicken-and-egg problem - ie what comes first?
Personally I stick with static IP addresses in my resolv.conf, like listed above.
Depending on how many machines you have on your LAN, would it be feasible to hard-code the domain -> IP addresses for those machines directly into the /etc/hosts file? That way you would not need any DNS on your LAN.
Kind Regards,
Keith Roberts
Gabriel Tabares wrote:
On 23/08/2010 13:28, Joseph L. Casale wrote:
Both files are the default ones from CentOS:
So what do the host names look like that the application attempts to resolve, fully qualified or not? What does your cli based query look like?
My resolv.conf is:
search mydomain.com
nameserver 10.3.2.2
The hostname of the machines is set to a FQDN server.mydomain.com.
The time it takes for the queries does not change whether we use the FQDN or just the hostname.
See below for an example (I stopped the mail server so the connection was refused).
# time telnet md-mail02.mydomain.com 25
(long wait)
Trying 10.2.9.2...
telnet: connect to address 10.2.9.2: Connection refused
telnet: Unable to connect to remote host: Connection refused

real    0m20.005s
user    0m0.000s
sys     0m0.005s

# time telnet md-mail02 25
(long wait)
Trying 10.2.9.2...
telnet: connect to address 10.2.9.2: Connection refused
telnet: Unable to connect to remote host: Connection refused

real    0m10.004s
user    0m0.001s
sys     0m0.002s

# time telnet 10.2.9.2 25
(no wait)
Trying 10.2.9.2...
telnet: connect to address 10.2.9.2: Connection refused
telnet: Unable to connect to remote host: Connection refused

real    0m0.005s
user    0m0.001s
sys     0m0.002s

Nslookup responds immediately:

# time nslookup my-mail02.mydomain.com
Server:         10.2.2.254
Address:        10.2.2.254#53

Non-authoritative answer:
Name:   my-mail02.mydomain.com
Address: 10.2.9.2

real    0m0.006s
user    0m0.003s
sys     0m0.003s

# time nslookup my-mail02
Server:         10.2.2.254
Address:        10.2.2.254#53

Non-authoritative answer:
Name:   my-mail02.mydomain.com
Address: 10.2.9.2

real    0m0.005s
user    0m0.001s
sys     0m0.004s
If your resolv.conf has:
nameserver 10.3.2.2
Why does nslookup say that it is querying server 10.2.2.254? Is your system multi-homed? Try changing resolv.conf to use 127.0.0.1. If you're using bind and you specify 127.0.0.1, I believe it will use local sockets instead of the IP stack for the query.
I would try dig (from the bind-utils package). You want to make sure that either your local server is authoritative for mydomain.com and for the reverse domain. This is confirmed by the 'aa' flag from dig (not sure if nslookup can do this). If it is not authoritative, then it must delegate to another nameserver that is. You should also get back a proper SOA record for both. Lack of proper authoritative SOA records for both your forward (mydomain.com) and reverse domains will cause the server to try to go out to the Internet for further resolution. If there is no internet access, this will hang. Even if you don't populate the reverse domain with records, it must still be authoritative. Minimally, I suggest a simple script to generate reverse entries for all of the ip addresses in your address space.
dig mydomain.com soa @127.0.0.1
dig 2.2.10.in-addr.arpa. soa @127.0.0.1
penguin> dig 2.2.10.in-addr.arpa. soa

; <<>> DiG 9.5.2-RedHat-9.5.2-1.fc10 <<>> 2.2.10.in-addr.arpa. soa
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21666
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;2.2.10.in-addr.arpa.           IN      SOA

;; AUTHORITY SECTION:
2.2.10.in-addr.arpa.    14400   IN      SOA     ns1.mydomain.com. me.mydomain.com. 2010082600 3600 600 15552000 14400

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Aug 28 13:09:51 2010
;; MSG SIZE  rcvd: 91
Nataraj
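The checks Nataraj describes (is the server authoritative for the forward zone and for the in-addr.arpa zone, shown by the aa flag and an SOA record) and the distinction several people draw between what nslookup does and what the applications do, as an added example that is not part of the thread. It assumes dig from bind-utils is installed for the live checks, uses getent because it goes through /etc/nsswitch.conf and libc's resolver exactly as telnet and the applications do (nslookup talks to the server directly and skips all of that), and the dig output embedded near the end is constructed to look like the answer in Nataraj's post so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the thread. Helpers for pinning down a slow-resolver
# problem of the kind discussed above: is the server authoritative (aa flag plus
# SOA) for the forward zone and for the in-addr.arpa zone of the internal
# addresses, and does a lookup through libc/NSS (what applications use) take
# longer than a direct query (what nslookup shows)? Requires dig (bind-utils)
# and getent for the live checks; the sample dig output further down is
# constructed so the parsing can be exercised offline.

# PTR name queried for a reverse lookup:
# reverse_name 10.2.9.2 -> 2.9.2.10.in-addr.arpa.
reverse_name() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    printf '%s.%s.%s.%s.in-addr.arpa.\n' "$d" "$c" "$b" "$a"
}

# The /24 reverse zone that name lives in:
# reverse_zone 10.2.9.2 -> 9.2.10.in-addr.arpa.
reverse_zone() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    printf '%s.%s.%s.in-addr.arpa.\n' "$c" "$b" "$a"
}

# Read dig output on stdin; succeed only if the answer carried the 'aa' flag
# and an SOA record (in the answer or the authority section).
is_authoritative() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^;; flags:.* aa[ ;]' || return 1
    printf '%s\n' "$out" | grep -Eq '[[:space:]]IN[[:space:]]+SOA[[:space:]]' || return 1
}

# Live check of one zone against one server. Needs dig and the network,
# so it is not exercised by the offline sample below.
check_zone() {
    server=$1
    zone=$2
    if dig "@$server" "$zone" soa | is_authoritative; then
        echo "$server is authoritative for $zone"
    else
        echo "$server is NOT authoritative for $zone: queries get forwarded and can time out"
        return 1
    fi
}

# Seconds taken by a lookup through NSS (/etc/hosts, then DNS, per
# nsswitch.conf, with resolv.conf timeouts). Pass a name for a forward
# lookup or an address for a reverse one.
nss_lookup_seconds() {
    start=$(date +%s)
    getent hosts "$1" >/dev/null 2>&1
    end=$(date +%s)
    echo $((end - start))
}

# Constructed dig output, modelled on the shape of the answer in the thread.
SAMPLE_AUTH=';; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; AUTHORITY SECTION:
9.2.10.in-addr.arpa.    14400   IN      SOA     ns1.mydomain.com. me.mydomain.com. 2010082600 3600 600 15552000 14400'
SAMPLE_NONAUTH=';; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

# Usage: sh resolver-check.sh <nameserver> <forward zone> <internal address>
if [ $# -eq 3 ]; then
    check_zone "$1" "$2"
    check_zone "$1" "$(reverse_zone "$3")"
    echo "NSS forward lookup of $2: $(nss_lookup_seconds "$2")s"
    echo "NSS reverse lookup of $3 ($(reverse_name "$3")): $(nss_lookup_seconds "$3")s"
fi
```

getent hosts 10.2.9.2 is the closest command-line stand-in for what telnet does before it connects: it reads nsswitch.conf, consults /etc/hosts, then asks the resolver and inherits the resolv.conf timeout and attempts settings; nslookup skips all of that. A 10 or 20 second getent with a sub-second dig therefore points at the libc side (search list, reverse lookup, a nameserver that never answers) rather than at the zone data, and a dig answer without the aa flag means the queried server is forwarding the question somewhere that, behind a firewall, will not reply. One caveat on the earlier nsswitch.conf suggestion: adding [NOTFOUND=return] after dns changes nothing when dns is already the last source on the hosts line, and the slow case here is a query that times out, not one that is answered NXDOMAIN.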
Hi everyone,
I am answering this here as I found a workaround.
I could not solve the problem when using the Juniper as the DNS server, so I reverted to using bind and that fixed the issue.
Thanks for the help, everybody.
Regards,
Gabriel