User profile for user: Maxplanar
Maxplanar Author
User level: Level 4
3,099 points

DNS server responses extremely slow

I set up the DNS Server running on my LAN (authoritative for a fully-owned domain), and I do believe it's correctly set up - reverse mapping works fine, no error messages in the logs or while watching tcpdump, etc. It's behind my NAT/Firewall, is set to be recursive (but I have not tweaked it to make it recursive only for the subnet). My problem is with the performance. Using this internal DNS server to provide DNS for my client machines on the LAN, internet lookups are awfully slow - perhaps five to ten seconds to bring up a major site. Leaving everything else the same on a client machine, and removing the references to the internal DNS server - thus using my ISP's DNS servers outside my LAN - the same site can by fully up in one second.

Is this major lag in performance simply caused by the fact that the ISP's DNS server is so often caching many many more sites than I could ever request from my own LAN? Or should I be looking for something specific to hunt down perfformance problems?

Quad G5; Dual G4; AI PB; B&W G3; PB G3; S900; PB180; 2 x mini; iPod; Shuffle, Mac OS X (10.4.6), Server is a Mini, running 10.4.6 OSX Server, AFP, DNS and Firewall

Posted on Apr 26, 2006 9:03 AM

Reply
10 replies
User profile for user: UptimeJeff
UptimeJeff
User level: Level 4
3,479 points

Apr 26, 2006 1:51 PM in response to Maxplanar

Currently, you name server is doing a lot of work to look-up each address. When you use your ISPs name server, it's really fast because it's cached the entries of tens of thousands of users. Most every domain you look-up is in cache, therefore a fast response because you're not waiting for a recursive lookup.

So the answer is simple...
You need to modify /etc/named.conf to include forwarders to your ISPs name servers.

Look at the code below. Insert the underlined parts into your named.conf in the same position. Replace 0.0.0.0 with the IP addresses of your ISPs name servers. Be very careful, no typos.

--- code ---

options {
directory "/var/named";
forwarders {
0.0.0.0;
0.0.0.0;
};
forward first;
recursion true;

-- end code ---

The leading spaces, which help visually didn't post. Just follow the same spacing (or tabs) that you see in the file.

Jeff
Reply
User profile for user: UptimeJeff
UptimeJeff
User level: Level 4
3,479 points

Apr 26, 2006 3:02 PM in response to Maxplanar

You can leave any other options in place.
For an internal dns server, the transfer option doesn't matter.

You might find that one of the ISPs name servers is faster than the other. Try this test:

dig @0.0.0.0 123.com
Replace 0.0.0.0 with the first name server you entered.
See how quick the reply is. If you do this test again, change the domain to anything else (abc.com, test.com, etc) as your dns server probably caches each lookup

Then do
dig @1.1.1.1 1234.com
Replace 1.1.1.1 with the second name server. Note the domain we're looking up is different. Every time you do this, change the domain.

Compare the response times of the first and second servers.
Whichever is faster, make the first entry in your forwarders (named.conf)

Your server should response 'almost' as quickly as the direct queries you made above because it's passing the look-up to the ISP.

Jeff
Reply
User profile for user: Maxplanar
Maxplanar Author
User level: Level 4
3,099 points

Apr 26, 2006 3:30 PM in response to UptimeJeff

You rock UptimeJeff!

Now things are working considerably better. During the course of investigation, I discovered that I had a horrible mistake on the server anyway - I had been testing the Firewall with various states, and had most recently left port 53 closed - I'd had it open, but closed everything for a test and forgot. Ooops. I'm sure that was causing drastic slowdowns, as I guess the external DNS queries weren't getting returned, in which case the server was falling back to failsafe. Now, however, with that port open, things are much better, however, it still is not as fast as going direct to the ISP DNS servers.

I wonder should I just revert to running AFP without internal LAN DNS? All documentation has indicated that running OSX Server without internal DNS is baaad, which is why I find myself here....
Reply
User profile for user: UptimeJeff
UptimeJeff
User level: Level 4
3,479 points

Apr 26, 2006 7:20 PM in response to Maxplanar

If your server is stand-alone, you can run without internal DNS.
If OD Master, you also can run without internal DNS but config of course needs to be correct. Many people say it's best to run with internal DNS, but it's not a requirement.

One reason to run internal DNS..
If you connect to your server by fqdn (host.domain.com).
Without internal DNS, the client will connect to the public IP (wan side of your router). If your router supports loopback, this will work- if it doesn't support loopback it won't work. Even if it does work, you are forcing your client-server traffic to be processed (NAT) by the router, incredibly inneficient (although a simple config for basic requirements). If you're moving big files with AFP, you don't want all traffic to go from client-router(NAT)-server-router(NAT)client. You can get around this by connecting using .local or IP addresses. So this all depends on your config, requirements, habits of the users, etc.

JJ
Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

DNS server responses extremely slow

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up