In message <aanlktiku23pyyjizeddlmmoi7rwvbuxp8wxoudeow...@mail.gmail.com>, Khoury Brazil writes:

> Hi,
>
> I've noticed some speed and reliability issues with my BIND9 boxes
> relating to uncached external queries. External queries that return NX
> seem to be the worst offenders in these tests and are what I've
> focused on during my testing. I've confirmed it using a simple
> benchmarking tool called DNS Benchmark and some simple testing on my
> part. DNS Benchmark points out that my BIND9 boxes "aren't reliable"
> because "lookup requests that are dropped and ignored by nameservers
> cause significant delays in Internet access" to quote the software.
> DNS Benchmark compares your name servers against external name servers
> and it shows my boxes as 86% reliable compared to the general list
> (which includes the level 3 servers, Cox, Symantec, etc) which are,
> for the most part at 100%. I'm guessing this has to do with the
> software timing out.
>
> Doing a simple test using nslookup doing uncached external lookups (on
> ubuntu and one windows client):
> No delay using nslookup or dig directly from my bind boxes to the
> external name servers. This indicates to me that the bottleneck
> doesn't exist between my internal and ISP's name servers.
> No delay when using nslookup or dig from a client machine on my
> network to the external name servers. This indicates to me that the
> client isn't the issue.
> A long delay with ubuntu clients looking up against my internal BIND
> boxes; Timeouts with Windows and nslookup (due to its shorter
> timeout).
>
> Internal queries are fast using all of the above tests (the BIND box
> forwards to different internal name servers that are authoritative for
> our internal name space). This indicates to me that it isn't my bind
> boxes being slow in general.
>
> Is it normal to see slow responses when querying for uncached
> non-existent domains? I've noticed that other external queries could
> be faster, but these are really bad. When I query my internal bind
> boxes that are authoritative for my internal domain directly they
> respond instantly for NX domains. I don't admin those though so have
> no insight into their configuration beyond the fact that they run on
> some nix flavor and are BIND* boxes.
>
> Thanks for any insight.
Try asking your ISP's nameserver with "dig +dnssec". I suspect that your firewall/NAT doesn't handle the larger responses.

> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
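The check Mark suggests, written out as an added example (this is not code from the thread, from ISC or from BIND): a POSIX shell script that runs `dig +dnssec` against a resolver three ways, once with dig's default EDNS buffer, once with `+bufsize=512`, and once over TCP, and classifies each result from dig's text output. A middlebox that drops large UDP replies shows up as the first probe timing out while the other two come back. The resolver address and query name are placeholders passed on the command line; the parsing functions only look at dig's own "flags:" and "MSG SIZE  rcvd:" lines, so they can be exercised on constructed output without a network.

```shell
#!/bin/sh
# Added example, not from the thread or from ISC: probe a resolver for
# large-response (EDNS0/DNSSEC) handling. A firewall or NAT that drops
# UDP replies above ~512 bytes typically shows up as: the plain "+dnssec"
# probe times out, the "+bufsize=512" probe comes back (possibly with TC
# set), and the "+tcp" probe succeeds.
#
# Usage: sh probe_edns.sh <resolver-ip> <name>   (both are placeholders)

# classify_dig_output: read dig's text output on stdin and print one word:
#   timeout    - no reply at all (what a middlebox dropping the reply looks like)
#   truncated  - reply arrived with the TC flag set (a client would retry over TCP)
#   ok:<bytes> - a full reply of <bytes> bytes arrived
#   unknown    - none of the above was found in the output
classify_dig_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'connection timed out'; then
        echo timeout
        return 0
    fi
    # dig's flags line looks like ";; flags: qr tc rd ra; QUERY: 1, ..."
    if printf '%s\n' "$out" | grep -q '^;; flags:[^;]* tc[ ;]'; then
        echo truncated
        return 0
    fi
    # dig reports the wire size as ";; MSG SIZE  rcvd: <n>" (two spaces)
    size=$(printf '%s\n' "$out" \
        | sed -n 's/^;; MSG SIZE  rcvd: \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$size" ]; then
        echo "ok:$size"
    else
        echo unknown
    fi
}

# probe: one dig run. +dnssec asks for signatures (larger answers), +ignore
# keeps dig from silently retrying over TCP when it sees TC, and a short
# single try keeps a dropped reply from stalling the script.
probe() {
    resolver=$1; name=$2; shift 2
    dig @"$resolver" "$name" A +dnssec +ignore +time=3 +tries=1 "$@" 2>&1 \
        | classify_dig_output
}

# interpret: combine the three outcomes into a diagnosis.
#   $1 = EDNS with dig's default buffer, $2 = +bufsize=512, $3 = +tcp
interpret() {
    case "$1" in
        ok:*)
            n=${1#ok:}
            if [ "$n" -gt 512 ]; then
                echo "large UDP responses pass ($n bytes): not a response-size problem"
            else
                echo "reply was only $n bytes; pick a name with a larger signed answer to exercise the path"
            fi
            return 0 ;;
    esac
    case "$1,$2,$3" in
        timeout,ok:*,ok:*|timeout,truncated,ok:*)
            echo "large UDP responses are dropped between you and the resolver (EDNS/fragment path)" ;;
        timeout,timeout,timeout)
            echo "resolver unreachable or all DNSSEC queries dropped" ;;
        *)
            echo "inconclusive: big=$1 small=$2 tcp=$3" ;;
    esac
}

compare_resolver() {
    big=$(probe "$1" "$2")
    small=$(probe "$1" "$2" +bufsize=512)
    tcp=$(probe "$1" "$2" +tcp)
    interpret "$big" "$small" "$tcp"
}

# Only run the network probes when invoked with arguments.
if [ $# -ge 2 ]; then
    compare_resolver "$1" "$2"
fi
```

Pick a query name whose signed answer is comfortably larger than 512 bytes, otherwise even a broken path will pass the first probe; the script says so when the reply it got was too small to prove anything. If the diagnosis is "dropped", the usual fixes are on the network side (allow UDP fragments and DNS over TCP through the firewall or NAT) rather than in named.conf, though lowering the advertised EDNS buffer size on the resolver is a common workaround.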