[CentOS] resolving names is really slow with CentOS 5.x using named

Mon May 25 15:24:15 UTC 2009
carlopmart <carlopmart at gmail.com>

Les Mikesell wrote:
> carlopmart wrote:
>> Les Mikesell wrote:
>>> carlopmart wrote:
>>>> Lars Hecking wrote:
>>>>>> options {
>>>>>>          directory "/var/named";
>>>>>>          dump-file "/var/named/data/cache_dump.db";
>>>>>>          statistics-file "/var/named/data/named_stats.txt";
>>>>>>          memstatistics-file "/var/named/data/named_mem_stats.txt";
>>>>>>          listen-on port 53 { 127.0.0.1; 172.25.50.10; };
>>>>>>          version "DNS Server v2.0";
>>>>>>          dnssec-enable no;
>>>>>>          query-source port 53;
>>>>>>          forwarders { 208.67.220.220; 208.67.222.222; };
>>>>>> };
>>>>>  
>>>>>> As you can see, I need to use the "query-source port" param too with forwarders to
>>>>>> resolve names (and this is really really ugly).
>>>>>  
>>>>>  Explicit query-source port breaks port randomisation and is highly insecure.
>>>>>  Your problem may be an incorrectly configured firewall that only accepts
>>>>>  outgoing queries originating from source port 53 - it needs to accept all
>>>>>  outgoing queries for destination port 53.
>>>>>
>>>>>
>>>> Thanks Lars. Correct, the firewall could be the problem, but it isn't, because 
>>>> Ubuntu and Windows 2003/2008 don't have problems with it ... and resolve 
>>>> perfectly ... And I haven't configured this firewall to accept DNS queries 
>>>> originating from source port 53 ...
>>>>
>>> What does 'dig' show about your access to the root servers without 
>>> forwarders and with and without forcing the query-source port?  Compare 
>>> it to the Ubuntu system.  Maybe there's something wrong with the root 
>>> hints file - or maybe your border firewall is blocking all udp to this 
>>> box but permitting it to the DNS servers that work.
>>>
>> Thanks Les, but I checked it before posting this problem. Ubuntu and CentOS 
>> have the same file to do queries to root servers ...
> 
> And the results of 'dig' on each?
> 
>> I have found a temporary solution: reduce the MTU on the CentOS server (1440) ... I 
>> need to investigate why CentOS loses some packets and Ubuntu doesn't ....
> 
> Are you routing through tunnels?
> 
> 
No, all hosts (firewall and CentOS DNS server) are connected to a GByte network.

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
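As an added example (not code from this thread or from the BIND project), a small Python check that scans a named.conf `options` block for a pinned `query-source` port, the setting Lars points out breaks source-port randomisation. The sample input reproduces the posted options block beside a corrected version in which the `port 53` line is dropped so BIND picks a random source port for each outgoing query; the `/* */` and `//` comments are constructed to show that commented-out settings are ignored.

```python
import re

# Options block as posted in the thread (the weak configuration).
WEAK_OPTIONS = """
options {
        directory "/var/named";
        listen-on port 53 { 127.0.0.1; 172.25.50.10; };
        dnssec-enable no;
        query-source port 53;   /* pins every outgoing query to sport 53 */
        forwarders { 208.67.220.220; 208.67.222.222; };
};
"""

# Same block with the pinned port removed (commented out here for contrast),
# so named chooses a random source port per query.
FIXED_OPTIONS = """
options {
        directory "/var/named";
        listen-on port 53 { 127.0.0.1; 172.25.50.10; };
        dnssec-enable no;
        // query-source port 53;   <- removed: let BIND randomise the port
        forwarders { 208.67.220.220; 208.67.222.222; };
};
"""

# named.conf accepts C-style block comments and // or # line comments.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.DOTALL)
# query-source / query-source-v6 statements up to their terminating ';'.
_QS_RE = re.compile(r"\b(query-source(?:-v6)?)\b([^;]*);", re.IGNORECASE)
# 'port 53' pins the port; 'port *' (or no port clause) keeps randomisation.
_PORT_RE = re.compile(r"\bport\s+(\*|\d+)\b", re.IGNORECASE)


def fixed_query_source_ports(conf_text):
    """Return [(directive, port), ...] for every query-source statement
    that pins the outgoing UDP source port to a fixed number."""
    text = _COMMENT_RE.sub("", conf_text)
    findings = []
    for match in _QS_RE.finditer(text):
        directive, args = match.group(1), match.group(2)
        port = _PORT_RE.search(args)
        if port and port.group(1) != "*":
            findings.append((directive.lower(), int(port.group(1))))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_OPTIONS), ("fixed", FIXED_OPTIONS)):
        print(name, "->", fixed_query_source_ports(conf) or "no pinned port")
```

Run it against a real `/etc/named.conf` by reading the file into `fixed_query_source_ports`; an empty result means no `query-source` statement pins the port.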