[Forwarding since Mike isn't subscribed at this address. -RD]

----- Forwarded message from [EMAIL PROTECTED] -----

Date: Fri, 27 Apr 2007 11:46:14 +0100
From: Mike Cardwell <[EMAIL PROTECTED]>
To: [email protected]
Subject: Re: ip-port.torhosts.nighteffect.us and exim

* on the Thu, Apr 26, 2007 at 09:58:35AM -0700, Joseph B. Kowalski wrote:

>> Just out of interest, why do lookups that return positive results
>> take such a long time? This is what I typically get:
>>
>> server:~# time host 20.136.234.85.109.123.123.123.123.ip-port.torhosts.nighteffect.us
>> 20.136.234.85.109.123.123.123.123.ip-port.torhosts.nighteffect.us has address 127.0.0.2
>> Host 20.136.234.85.109.123.123.123.123.ip-port.torhosts.nighteffect.us not found: 2(SERVFAIL)
>> Host 20.136.234.85.109.123.123.123.123.ip-port.torhosts.nighteffect.us not found: 2(SERVFAIL)
>>
>> real 0m23.451s
>> user 0m0.030s
>> sys 0m0.010s
>>
>> The first line of response is pretty quick, then there are long delays
>> before each SERVFAIL...
>>
>> If the lookup returns an NXDOMAIN, there are no SERVFAILs so the
>> lookups are much faster. I'm not a DNS expert so I'm not sure what is
>> happening that causes the SERVFAILs...
>
> There are a couple of things going on here. First, the reason why
> you see the first line returned from the 'host' command as
> successful, followed by two 'SERVFAIL' lines is that the 'host'
> command, by default, sends an 'A' request followed by an 'AAAA'
> (IPv6 Lookup) and 'MX' (Mail Exchanger) request. The DNSEL server
> only supports 'A' requests, and so in the case of the second and
> third queries, the DNSEL server is actually returning a 'NOTIMP'
> (Not Implemented) error message, and your local upstream DNS server
> is returning that to you as a 'SERVFAIL' error message. If you run
> the 'host' command with the "Type" flag set, you can prevent 'host'
> from sending the 'AAAA' and 'MX' requests altogether, eliminating
> the two error lines. For example, your query could be:
>
> time host -t A 20.136.234.85.109.123.123.123.123.ip-port.torhosts.nighteffect.us

That makes sense. And from testing, you were right. :)

> Second, to address the speed issue, it's likely that your local
> upstream DNS server has some method of operation that really slows
> things down when there is an error returned from the DNSEL server,
> like the two 'NOTIMP' messages I described above. It may be
> retrying those same 'AAAA' and 'MX' requests several times before
> returning the 'SERVFAIL' message to you, holding things up a bit.
> So, the good news is, the speed issue is probably already gone just
> by you using the "Type" flag with the 'host' command, like I
> discussed above. Personally, I know there is no extra delay from
> the DNSEL server when it's returning a 'SERVFAIL', 'NOTIMP', or
> 'NXDOMAIN' message, as opposed to a successful lookup.

Damn. I built the upstream DNS server based on Bind with DLZ and a convoluted MySQL database to store the zones. Looks like I'm going to need to do some non-tor related fixing now.

[snip further advice]

> Please let me know if you have any other questions. I hope that
> helped!

Helped greatly, thanks. Now to get fixing my Bind configuration!

Mike

----- End forwarded message -----
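The exchange above turns on two wire-level details: `host` sends three separate questions (A, then AAAA, then MX) unless `-t A` restricts it, and the DNSEL server answers the second and third with rcode NOTIMP, which the recursive resolver in between reports back as SERVFAIL. The following Python is an added example, not code from the thread or from the DNSEL project, that builds the three queries for the name quoted in the mail and decodes the rcode and any A answers from a reply. The replies it parses are constructed in-line to match the behaviour the mail describes (NOERROR with 127.0.0.2 for A, NOTIMP for AAAA and MX); nothing is sent over the network, and the name format is taken verbatim from the mail without assuming what each label means.

```python
import socket
import struct

# Response codes from RFC 1035 section 4.1.1 (2 and 4 are the ones in the thread).
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
# Query types 'host' sends by default, in the order the mail describes.
QTYPES = {"A": 1, "MX": 15, "AAAA": 28}
TYPE_A = 1

# Name quoted in the mail; reused here purely as a sample input.
SAMPLE_NAME = "20.136.234.85.109.123.123.123.123.ip-port.torhosts.nighteffect.us"


def encode_name(name):
    """Encode a dotted name as RFC 1035 length-prefixed labels."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name, qtype="A", txid=0x1234):
    """Wire-format query: header with RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(packet, offset):
    """Return (name, offset after the name), following compression pointers."""
    labels = []
    end = None  # position just past the name in the original stream
    while True:
        n = packet[offset]
        if n & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if n == 0:
            break
        labels.append(packet[offset:offset + n].decode("ascii"))
        offset += n
    return ".".join(labels), end if end is not None else offset


def parse_response(packet):
    """Decode the rcode and collect any A answers from a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    result = {"txid": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "a_records": []}
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = decode_name(packet, offset)
        offset += 4
    for _ in range(an):
        _, offset = decode_name(packet, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rdata = packet[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_A and rdlen == 4:
            result["a_records"].append(socket.inet_ntoa(rdata))
    return result


def make_reply(query, rcode, a_addrs=()):
    """Constructed server reply (not a capture): echo the question, set QR/RA and rcode."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    answers = b""
    for addr in a_addrs:
        # 0xC00C = pointer to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 60, 4) + socket.inet_aton(addr)
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_addrs), 0, 0)
    return header + question + answers


def simulate_host(name, only_type_a=False):
    """Mirror the three-query default of 'host' (or just A with -t A) against the
    behaviour the mail describes: A answered, AAAA/MX met with NOTIMP."""
    types = ["A"] if only_type_a else ["A", "AAAA", "MX"]
    outcome = {}
    for qtype in types:
        q = build_query(name, qtype)
        reply = make_reply(q, 0, ["127.0.0.2"]) if qtype == "A" else make_reply(q, 4)
        outcome[qtype] = parse_response(reply)["rcode"]
    return outcome


if __name__ == "__main__":
    print(simulate_host(SAMPLE_NAME))                   # A, AAAA, MX as 'host' sends by default
    print(simulate_host(SAMPLE_NAME, only_type_a=True))  # what 'host -t A' sends
```

The `only_type_a=True` path is the `-t A` fix from the thread: with a single question there is nothing for the upstream resolver to retry, so the delay described in the mail cannot arise on the client side.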

