[CentOS] resolving names is really slow with CentOS5.x using named

Mon May 25 13:20:46 UTC 2009
Paul Bijnens <Paul.Bijnens at xplanation.com>

On 2009-05-25 13:21, carlopmart wrote:
> Paul Bijnens wrote:
>> On 2009-05-25 12:51, carlopmart wrote:
>>>   I have a problem using named with different CentOS5 servers (2 servers): 
>>> they are all really slow to resolve any internet address and most of the time fail to 
>>> resolve. This situation differs if I use "forwarders" servers like opendns: 
>>> resolving names is really, really quick. And I don't understand why.
>>>
>>>   On the other hand I have tested three DNS servers using Windows 2003, Windows 
>>> 2008 and Ubuntu hardy and these problems don't occur (I don't need to 
>>> configure forwarders on any of them): all resolve any name and really fast.
>>>
>>>   IPv6 is disabled on both CentOS servers. Does somebody know why these dns servers 
>>> are slow??
>>
>> My crystal ball is in for repair.  Could you in the meantime add some more
>> hints, e.g. your config files, and how you diagnosed the slowness?
>>
>> My CentOS5 DNS-servers do resolve really quickly, with or without forwarders.
>>
>>
> Ok, my named.conf:
> 
> //
> // named.conf
> //
> 
> options {
>          directory "/var/named";
>          dump-file "/var/named/data/cache_dump.db";
>          statistics-file "/var/named/data/named_stats.txt";
>          memstatistics-file "/var/named/data/named_mem_stats.txt";
>          listen-on port 53 { 127.0.0.1; 172.25.50.10; };
>          version "DNS Server v2.0";
>          dnssec-enable no;
>          query-source port 53;
>          forwarders { 208.67.220.220; 208.67.222.222; };
> };
> 
> logging {
>          channel security_channel {
>                  file "/var/named/data/security.log" versions 3 size 1m;
>                  severity debug;
>                  print-time yes;
>                  print-category yes;
>                  print-severity yes;
>          };
>          channel default {
>                  syslog local4;
>                  severity info;
>                  print-category yes;
>                  print-severity yes;
>          };
>          channel query_log {
>                  file "/var/named/data/query.log" versions 3 size 1m;
>                  print-time yes;
>          };
>          category security {
>                  security_channel;
>                  default;
>          };
>          category queries {
>                  query_log;
>          };
>          channel default_debug {
>                  file "/var/named/data/named.run";
>                  severity dynamic;
>          };
>          category lame-servers { null; };
>          category default { default; };
> };
> 
> controls {
>          inet 127.0.0.1 allow { localhost; } keys { rndckey; };
> };


When you're not using forwarding, the DNS server needs some basic knowledge
of the root servers, otherwise it has nowhere to start a recursive lookup.  So add something like:

   // prime the server with knowledge of the root servers
   zone "." {
           type hint;
           file "/path/to/the/file/having/named.root";
   };

And the file itself can be downloaded (and updated now and then) from:

http://www.internic.net/zones/named.root

And to avoid forwarding silly lookups for localhost or 127.x.x.x to the
Internet, you can do the same with a local "type master" zone for those two
names as well:

   // be authoritative for the localhost forward and reverse zones
   zone "localhost" {
         type master;
         file "/path/to/the/file/having/localhost.zone";
   };
   zone "127.in-addr.arpa" {
         type master;
         file "/path/to/the/file/having/ptr-127.zone";
   };
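As an added illustration (not part of Paul's message or of BIND itself), a small Python check that walks a named.conf and reports exactly the gaps discussed above: no forwarders and no root hint zone, and no local master zones for localhost and 127.in-addr.arpa. The two configs embedded below are constructed excerpts, one modelled on the broken setup and one on the proposed fix.

```python
import re

# Constructed excerpt: recursive server with neither forwarders nor root hints,
# the situation the thread describes when forwarders are removed.
BROKEN_CONF = """
// named.conf
options {
        directory "/var/named";
        dnssec-enable no;
};
"""

# Constructed excerpt with the zones proposed in the reply (file names assumed).
FIXED_CONF = BROKEN_CONF + """
zone "." { type hint; file "named.root"; };
zone "localhost" { type master; file "localhost.zone"; allow-update { none; }; };
zone "127.in-addr.arpa" { type master; file "ptr-127.zone"; };
"""

def strip_comments(conf):
    """Drop /* */ block comments and // or # line comments before parsing."""
    conf = re.sub(r'/\*.*?\*/', '', conf, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', conf)

def zone_types(conf):
    """Map each zone name to its declared type. Braces are matched by depth so a
    nested block such as allow-update { none; } does not end the zone early."""
    conf, result = strip_comments(conf), {}
    for m in re.finditer(r'\bzone\s+"([^"]+)"', conf):
        start = conf.index("{", m.end())
        depth, i = 0, start
        while True:
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        t = re.search(r'\btype\s+(\w+)\s*;', conf[start + 1:i])
        result[m.group(1)] = t.group(1) if t else None
    return result

def has_forwarders(conf):
    """True when a forwarders block lists at least one address."""
    return re.search(r'\bforwarders\s*\{[^}]*[0-9:]', strip_comments(conf)) is not None

def diagnose(conf):
    """Return the configuration gaps the thread identifies, as short strings."""
    z, findings = zone_types(conf), []
    if not has_forwarders(conf) and z.get(".") != "hint":
        findings.append('no forwarders and no zone "." of type hint: root servers unknown')
    for name in ("localhost", "127.in-addr.arpa"):
        if z.get(name) != "master":
            findings.append(f"no local master zone {name}: those lookups leave the host")
    return findings
```

Run `diagnose()` on the real /var/named/chroot/etc/named.conf after stripping the include statements, or just on the quoted config; an empty list means the three pieces are in place.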

-- 
Paul Bijnens, Xplanation Technology Services        Tel  +32 16 397.525
Interleuvenlaan 86, B-3001 Leuven, BELGIUM          Fax  +32 16 397.552
***********************************************************************
* I think I've got the hang of it now:  exit, ^D, ^C, ^\, ^Z, ^Q, ^^, *
* quit, ZZ, :q, :q!, M-Z, ^X^C, logoff, logout, close, bye, /bye, ~., *
* stop, end, ^]c, +++ ATH, disconnect,  halt,  abort,  hangup,  KJOB, *
* ^X^X,  :D::D,  kill -9 1,  kill -1 $$,  shutdown,  init 0,  Alt-F4, *
* Alt-f-e, Ctrl-Alt-Del, Alt-SysRq-reisub, Stop-A, AltGr-NumLock, ... *
* ...  "Are you sure?"  ...   YES   ...   Phew ...   I'm out          *
***********************************************************************