Slow DNS in 10.4.2 - 20 seconds

Question

Level 1

5 points

Slow DNS in 10.4.2 - 20 seconds

A fresh installed os x 10.4 server was to take over the
task of internal DNS, but... Every first lookup to a new
external domain takes around 20 seconds.
I have:
- Updated the cache file from FTP.RS.INTERNIC.NET
- Installed all updates from Apple to today (incl. 10.4.2)

Extensive testing and comparing with the old internal DNS
(a 486DX2-66 running Linux/Slackware and Bind) shows:
- They both respond intantely on requests about locally
defined domains (defined in the DNS itself).
- They both respond instantly on requests about domains
that was recently asked about, i.e. that are in the cache.
- At a request about a external domain that is not in the
cache there is a big difference. The DX2-66 responds
immediately - os x 10.4.2 responds after approx. 20 seconds.

The local surfers are not pleased!

Looking around in this forum and on the net I have found
some advises that I don't know how to apply:
- Turn off IPv6 (how do I do that?).
- Upgrade Bind, by downloading new source, installing the
developer sw, compile and install (I could do that, but I
think that if that is neseccary, then Apple should do it
for me. as well as for everyone else).
- Apples implementation of Bind have a problem with the
AAAA-records from the root DNS servers that have replaced
the A-records. How do I as a user, deal with that?

Please anyone, how do I get reasonable speed on DNS?
Please also, tell me what exactly is going on!

Some more details on the setup:
- osx server is 1,25 Ghz G4 with 1 Gbyte (no heavy load).
- It sit's on LAN behind firewall with NAT and have
a 192.168.1.x ip-adress.
- External connection is slow, but not that slow (2 Mbit/s).

Posted on Sep 8, 2005 3:02 AM

Reply

Answer 1

Sep 10, 2005 12:09 AM in response to Bo Svensson

You could first try to turn off IPv6 in "Network" pane (where you enter the machine IP).

But adding forwarders (your ISP's nameservers) to the /etc/named.conf file usually "does wounders".

-----------------------snip------------------------
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;

// # add this:

forwarders {
<your ISP DNS server#1 IP here>;
<your ISP DNS server#2 IP here>;
<your ISP DNS server#n IP here>;
};
forward only;
listen-on {127.0.0.1; <your server IP here>; };
allow-transfer {none;};

// # to here
----------------------------

If you really want 9.3.x BIND Darwin Ports/Port authority has it "ready to install". Haven't tried that myself yet though.

Reply

Answer 2

Bo Svensson Author

Level 1

5 points

Sep 8, 2005 10:22 AM in response to Bo Svensson

Some more info I have found about BIND (named):
- IPv6 and AAAA can slow down lookups considerably.
- Apple uses Bind 9.2.2 in os x server 10.4.2
- In Bind 9.3.1 there is a new feature:
If you put
OPTIONS="-4"
in
/etc/named.conf
it disables the IPv6 behavour that can cause the
slowdown in DNS lookups.

Now the question is:
- Should I download a tar-ball of the Bind source from
ISC or should I wait until Apple does it?

If I do it, I will come back and report the result.

/Bo S

Reply

Answer 3

davidh

Level 4

1,896 points

Sep 10, 2005 7:52 PM in response to Leif Carlsson

I totally agree with Leif

I needed a forwarders statement anyway, and with that in-place, I get millisecond lookups, for domains not yet looked up, I get 6 to 20 millisecond lookups. For the first one, then usually 2-3 ms after that.

Reply

Answer 4

Sep 15, 2005 1:55 PM in response to Leif Carlsson

I am having the same issue with slow DNS lookup, I have 1 Xserve being used for Internal DNS and one Xserve for External DNS, Do I add the forwarders to the internal DNS to forward to the private IP address of my External DNS and then add the forwarders to my external DNS to forward to my ISP.

Reply

Answer 5

Bo Svensson Author

Level 1

5 points

Sep 19, 2005 12:51 AM in response to Leif Carlsson

Leif,
the idea of my setup with two dns servers, one internal
and one external is to allow the servers on dmz, to be
referenced by the same name by internal and external users.
The dmz servers have private ip adresses to internal users
that start with 192.168., and public ip adresses to the rest
of the world. I don't know how to handle that with a master
slave setup, if at all possible. The only way I know to
make the world (especially the local domains and servers
on the local dmz) look the same to internal and and external
users is with two different dns servers.
And yes, I could cache through a local ISP, but there are
some reasons why the default setup of Bind is to cache from
the root dns servers.
Caching from local ISP or me upgrading to Bind 9.3 in osx server I consider workarounds, rather than solutions.
I can live with that for a while. But since the dns server is
part of a server bought from and put together by Apple Computer Inc.
I strongly belive that they should provide a permanent solution
to this.

Bo Svensson

Reply

Answer 6

Sep 19, 2005 6:38 AM in response to Bo Svensson

OK, as DMZ is in a private IP range I see the problem of having all IP's / names in the same DNS setup if using the same domainname.

(There is also something ZyXEL call "NAT loopback" where you can use public IPs to find DMZ private IPs. Maybe not possible with your setup though.)

There is "thing" called "views" in BIND that supposed to fix that, but I don't know how to use it (yet).

And you are the SOA for your own domain then? Secondary DNS is your ISP or is it the other way around? Or you have two public DNSes?

About the "caching (lookup?) from" ISP or root servers it's your choice. But I think the reason why the default is root servers ofcourse is BIND doesn't know where you setup your machine or what ISP you have. Makes sense?

I have at least seen significant speedup with ISP forwarders ("forward only").

Reply

Answer 7

UptimeJeff

Level 4

3,479 points

Sep 21, 2005 9:49 AM in response to Bo Svensson

Why not leave your public DNS with your registrar (or ISP). This will resolve all public lookups and will be more reliable, off more redundnacy, faster, etc etc.

For your internal lookups, run your own DNS on your LAN.
This server will not be authoratative in reality (your whois records don't point to it), but it thinks it's authoratative so doesn't forward the requests.
If you put the forwarding statements in, as described in thread above, this will still all work.

All computers on your LAN are set to use your internal DNS server. When a user performs a DNS lookup, it hits your internal DNS server, if the zone is not local the request is forwarded if the zone is local (your server on DMZ) then it will respond with the appropriae private IP Address.

Jeff

Reply

Answer 8

Sep 15, 2005 2:08 PM in response to Todd Haskins

Forward to the ISP DNSes directly.

If you want your internal DNS to host your external domain too, do zone transfer to the internal one (setup as slave) for that domain.

Reply