Re: Very slow DNS lookup with NetworkManager and dnsmasq



On Thu, 2011-09-15 at 15:49 +0300, Jarmo Hurri wrote:
> First, thank you for your very quick response, Dan. It helped a lot - at
> least in figuring out what the underlying causes could be.

I'd like to throw in another (remotely) possible cause that cost me
several days to figure out.

UDP Checksums and validation.

We had a DNS Server inside a firewall (Cisco FWSM running 2.3.x) that
did conditional zone forwarding to a set of DNS-Servers on the outside
thereof. 

That firewall had the feature "fixup DNS" active, so that it could
inspect udp/53 traffic for DNS lookups and replies, and once the reply
would arrive, it could instantly remove translation and connection
structs from its tables and memory, so it would not have to keep them
until the "general UDP timeout" (i think it was 300s) would expire.

Problem was this: this "fixup" feature messed up the UDP checksum on the
_first_ outgoing datagram of a given DNS "connection", but not on the
subsequent ones [1]. As it ultimately turned out, the remote DNS server
did perform incoming UDP checksum validation, and therefore discarded
the first, but not the subsequent datagrams. Only when our local DNS
server retransmitted the query did it instantly get an answer.

So you might want to investigate if...

- the windows machines that get fast answers do send UDP checksums at
all
- if your machine fills in the UDP checksum when running with dnsmasq
- if your machine fills in the UDP checksum when running without dnsmasq

- if DNS datagrams leaving your network have valid UDP checksums

- if either set of the fast/slow servers does UDP checksum validation on
incoming datagrams (while accepting datagrams that don't have a
checksum)
- if DNS datagrams arriving at the remote DNS server still have valid
UDP checksums.[2]




regards

Marc


[1] turning off "fixup DNS" was the solution. UDP checksums were correct
afterwards.
[2] it took quite a bit of negotiation until the DNS Admins were willing
to run tcpdump on their machines to see why our first DNS datagrams were
discarded...
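The checks listed in the message (does the sender fill in the UDP checksum at all, is it still valid when the datagram leaves the network and when it arrives at the remote resolver) come down to recomputing the UDP checksum over the RFC 768 pseudo-header and comparing it with the field in the captured datagram. The following is an added example, not code from Marc's message or from NetworkManager/dnsmasq: a self-contained Python checker that classifies a raw IPv4/UDP packet as having a valid, invalid or absent (zero) UDP checksum. The DNS query, the addresses and the simulated "fixup" damage are constructed here for illustration; the helper names are mine.

```python
import struct

# RFC 1071 one's-complement sum of 16-bit big-endian words; an odd trailing
# byte is zero-padded.
def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for (word,) in struct.iter_unpack("!H", data):
        total += word
    while total >> 16:  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


# UDP checksum for IPv4 (RFC 768): pseudo-header (src, dst, zero, proto 17,
# UDP length) followed by the UDP header and payload with the checksum field
# zeroed. A computed 0x0000 is sent as 0xFFFF because 0 means "no checksum".
def udp_checksum(src_ip: bytes, dst_ip: bytes, udp_segment_zeroed: bytes) -> int:
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp_segment_zeroed))
    csum = (~ones_complement_sum(pseudo + udp_segment_zeroed)) & 0xFFFF
    return csum or 0xFFFF


# Build a minimal IPv4+UDP packet. checksum=None computes a correct value;
# an explicit int forces the field (0 = checksum omitted, as IPv4 permits).
def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload, checksum=None) -> bytes:
    udp_len = 8 + len(payload)
    if checksum is None:
        checksum = udp_checksum(src_ip, dst_ip,
                                struct.pack("!HHHH", sport, dport, udp_len, 0) + payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, checksum) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0x1234, 0x4000,
                         64, 17, 0, src_ip, dst_ip)
    ip_csum = (~ones_complement_sum(ip_hdr)) & 0xFFFF  # keep the IP header well-formed
    return ip_hdr[:10] + struct.pack("!H", ip_csum) + ip_hdr[12:] + udp


# Classify the UDP checksum of a raw IPv4 packet: 'valid', 'invalid', 'absent'
# (field is zero, so a validating receiver must accept it) or 'not-udp'.
def check_udp_checksum(packet: bytes) -> str:
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 17:
        return "not-udp"
    src_ip, dst_ip = packet[12:16], packet[16:20]
    udp = packet[ihl:]
    udp = udp[:struct.unpack("!H", udp[4:6])[0]]
    received = struct.unpack("!H", udp[6:8])[0]
    if received == 0:
        return "absent"
    expected = udp_checksum(src_ip, dst_ip, udp[:6] + b"\x00\x00" + udp[8:])
    return "valid" if expected == received else "invalid"


# Constructed sample: a DNS A query for example.com, from a made-up client to
# a made-up resolver (documentation address ranges, not real hosts).
DNS_QUERY = (struct.pack("!HHHHHH", 0xABCD, 0x0100, 1, 0, 0, 0)
             + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 53])

GOOD = build_ipv4_udp(SRC, DST, 40123, 53, DNS_QUERY)
_valid = struct.unpack("!H", GOOD[26:28])[0]          # UDP checksum sits at IP(20)+6
# Simulated middlebox damage: the checksum field is altered, nothing else is.
DAMAGED = build_ipv4_udp(SRC, DST, 40123, 53, DNS_QUERY, checksum=(_valid ^ 0x5555) or 1)
# Sender that does not fill in UDP checksums at all.
ABSENT = build_ipv4_udp(SRC, DST, 40123, 53, DNS_QUERY, checksum=0)


def classify_capture(packets):
    """Return [(label, status)] for a list of (label, raw_packet) pairs."""
    return [(label, check_udp_checksum(pkt)) for label, pkt in packets]


if __name__ == "__main__":
    for label, status in classify_capture([("first query", DAMAGED),
                                           ("retransmit", GOOD),
                                           ("no-checksum sender", ABSENT)]):
        print(f"{label:20s} udp checksum: {status}")
```

Run the same classification over the bytes of real captured datagrams (for example, packets read from a pcap) at each vantage point the message lists: on the sending host, at the network edge, and on the remote resolver. One caveat when capturing on the sending host itself: with checksum offload enabled, the NIC fills in the UDP checksum after the capture point, so outgoing packets can show as "invalid" locally while being correct on the wire; compare against a capture taken on another host before drawing conclusions.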