The issue is that when a desktop requests a DNS lookup, it times out before it comes back (5 seconds approx). You can immediately request the address again and everything works fine - a simple but annoying work around.
strange, I had the same problem on a box that was querying warrane.connect.com.au.
I could do a time host sol1.net and every single time it would be 10 secs delay before a response. I couldn't figure out what was wrong, and so just configure my local bind to not forward, hence look everything up via the root servers. Turns out that was faster then the 10sec delay off connect's name servers. Your upstream not forwarding off connect maybe?
I am running shorewall as well. I wonder if for some strange reason, it drops the first and maybe second packets, and the 10sec delay is because of some shorewall bug?
I just tried to duplicate the problem I had with warrane just now, and its not doing it - response is just fine now.... bugger.
dave -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
