5 second DNS request delay with Linux clients using IOS DNS server

dmcgrath.ca
Level 1

Hi,

I have been having a problem with Linux clients that use the DNS server on a 1921 router, and was wondering if someone might have some ideas on what the problem below, might be. Worth mentioning, this problem doesn't seem to happen on a similarly configured 2901 router.

In terms of setup, the 1921 has ZBFW, provides DHCP, has local DNS host entries, also provides DNS forwarding, and is an HSRP pair with another 1921. Turning ZBFW off on the interfaces had no effect, and the test 2901 had no firewall configured at all. DNS queries on the router itself are fine, and even multiple CLI dig/nslookup calls from any Linux host, regardless of speed, are fine; it's only DNS lookups via the OS call that fail when grouped together (in a Wireshark/DNS tx ID sense).

The problem is described in the following URLs:

http://philippecloutier.com/blogpost28-dig-1-and-other-DNS-clients-sometimes-taking-5-seconds-to-return-the-results-of-a-local-query

https://udrepper.livejournal.com/20948.html

https://www.math.tamu.edu/~comech/tools/linux-slow-dns-lookup/

The single-request option works, but can be tricky to shoehorn into different distributions. I do know that FreeBSD doesn't require the "option single-request" patch, but it is less than ideal to have to go around editing a bunch of Linux hosts to work around this problem. It should also be mentioned that 8.8.8.8/8.8.4.4/OpenDNS etc. all work perfectly with the clients.

On a more technical note, the Wireshark capture (see attachment) seems to be showing us that the query asks for the A and AAAA records, but randomly only gets a reply for one of them. Then the host delays the 5 seconds, and then asks for both the A and AAAA again from the same (or next, if multiple servers) DNS server, except this time it gets a response. When the entry is cached on the router, the problem goes away, and it is thus only new lookups.

One thing that I noticed was that the queries all used the same src/dst ports, but different transaction IDs. It's not clear that this is related, but possibly someone here knows.

Anyway, that is the gist of the problem. I would love to know of a way to debug the DNS, but the results of a debug on a semi-busy DNS are problematic since I fill my scroll-back buffer in less than a second. Mostly, I am trying to figure out what happens to the initial request that is apparently being either ignored or dropped. Any suggestions on how to tackle this are welcome!

 

3 Replies

marce1000
VIP

 

 - Basically, don't use the router as a DNS server but a (separate) appliance, preferably. Sometimes routers get loaded, or you may get into race conditions when offering network services for clients.

 M.




Hello,

 

interesting issue. Can you post the configuration of the 1921 ?

 

If you have 'ip cef' enabled, try and disable it (no ip cef)...

Hi,

 

I neglected to mention that I did try with CEF disabled, but it had no effect. Also, FreeBSD is perfectly fine; it just appears to be Linux so far.

As for the config, I would have to redact like 90% of it, but I can say that the following general features are in use:

  • sub interfaces
  • IP SLAs
  • netflow
  • HSRP
  • Some QoS (will post the cmap's and pmaps)
  • EIGRP (stub)
  • DNS service
  • SSHv2 server
  • SNMP server
  • NTP client

IPv6 is enabled (autoconfig) on the WAN interfaces on 2 different DSL modems (192.168.1.0 and 2.0 networks), on both 1921s, where the HSRP is sitting. IPv6 unicast routing, however, is not enabled, and it is currently only a client. IPv6 CEF is also not enabled (and was tested enabled as well).

The cmap and pmap configuration is attached to this reply in the form of a nearly stripped-to-nothing config. Sorry, I don't feel comfortable having all the IP info and ACLs published to the internet.

Worth mentioning is that I tried with the QoS stuff entirely disabled, as well as the firewall. I can't figure out why the 2901 would be fine here, especially since these two routers are basically 99% idle aside from a few DNS queries a minute for the local DNS zone.
