From: "adp"
To: freebsd-questions@freebsd.org
Date: Tue, 4 May 2004 10:56:01 -0500
Subject: bind 8 slow inside freebsd jail

I am running bind 8 inside a FreeBSD 4.9 jail. For some reason responses from our internal DNS servers (all of which run in jails) are very slow when resolving external hostnames. Here are some little factoids:

1. Resolution of an internal domain works great. It takes less than 1 second.
2. Resolution of an external domain is very slow or times out.
3. Resolution of an external domain that is in the DNS server's cache is fast.

So the problem is in trying to resolve external domains for the first time. I think this is related to our FreeBSD jail setup in some way because frankly I can't figure out anything else.

We are using forwarders. If I dig with them the response is < 1 second. If I just dig for my root hints from our internal DNS servers it takes up to 20 seconds:

    # date; dig @ns2; date
    Tue May  4 10:50:18 CDT 2004

    ; <<>> DiG 8.3 <<>> @ns2
    ; (1 server found)
    ;; res options: init recurs defnam dnsrch
    ;; got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27736
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
    ;; QUERY SECTION:
    ;;      ., type = NS, class = IN

    ;; ANSWER SECTION:
    .       4d20h36m13s IN NS  L.ROOT-SERVERS.NET.
    .       4d20h36m13s IN NS  M.ROOT-SERVERS.NET.
    .       4d20h36m13s IN NS  A.ROOT-SERVERS.NET.
    ...
    ...
    ;; Total query time: 6 msec
    ;; FROM: ns.domain.com to SERVER: 192.168.42.78
    ;; WHEN: Tue May  4 10:50:38 2004
    ;; MSG SIZE  sent: 17  rcvd: 436

    Tue May  4 10:50:38 CDT 2004

Has anyone seen this before? Our DNS servers ran fine, but then we went with FreeBSD jails and our response time seems to have gone way, way down.

The server hosting the DNS server has no real firewall:

    # ipfw l
    00100 allow ip from any to any via lo0
    00200 deny ip from any to 127.0.0.0/8
    00300 deny ip from 127.0.0.0/8 to any
    65000 allow ip from any to any
    65535 deny ip from any to any

And isn't heavily loaded:

    # uptime
    10:53AM  up 13 days, 12:02, 1 user, load averages: 0.19, 0.32, 0.32

Network buffers seem fine:

    # netstat -m
    32/544/18304 mbufs in use (current/peak/max):
            32 mbufs allocated to data
    26/492/4576 mbuf clusters in use (current/peak/max)
    1120 Kbytes allocated to network (8% of mb_map in use)
    0 requests for memory denied
    0 requests for memory delayed
    0 calls to protocol drain routines

My root hints were just refreshed.

My named.conf options {}:

    options {
            directory "/etc/namedb";
            listen-on { 192.168.42.78; };
            forward first;
            forwarders { aa.bb.cc.dd; ee.ff.gg.hh; };
            allow-transfer { 127.0.0.1; 192.168.42.0/24; };
            allow-recursion { 127.0.0.1; 192.168.42.0/24; };
            //fetch-glue no;
            // we have a firewall between us and the Internet, so let's
            // go ahead and define our query source port
            query-source address 192.168.42.78 port 53;
            //named-xfer "/usr/libexec/named-xfer";
    };
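The dig run quoted in the post reports a 6 msec query time while the date stamps around it span 20 seconds, so the delay may sit outside the query itself (for example in dig resolving the server name or its own hostname) rather than in the jailed named. The following script is an added example, not code from the original post: it records both the wall-clock time of a whole dig run and the time the server reports, and classifies the difference. Server addresses and the query name in the usage comments are placeholders.

```shell
#!/bin/sh
# Added diagnostic: tell client-side delay apart from slow nameserver answers.

# Constructed sample outputs (not captured from a real server) used for offline checks.
SAMPLE_DIG8=';; Total query time: 6 msec
;; FROM: ns.domain.com to SERVER: 192.168.42.78'
SAMPLE_DIG9=';; Query time: 1834 msec'

# Extract the server-reported milliseconds from dig output on stdin.
# dig 8 prints ";; Total query time: N msec"; dig 9 prints ";; Query time: N msec".
# Prints -1 when no such line exists (timeout, SERVFAIL with no timing, error).
reported_ms() {
    ms=$(sed -n -e 's/^;; Total query time: \([0-9]*\) msec.*/\1/p' \
                -e 's/^;; Query time: \([0-9]*\) msec.*/\1/p' | head -n 1)
    if [ -n "$ms" ]; then echo "$ms"; else echo -1; fi
}

# Verdict from wall-clock seconds ($1) and server-reported ms ($2, -1 = no answer):
#   timeout - no timing line, dig gave up
#   server  - the nameserver itself took a second or more to answer
#   client  - the answer was quick but the whole dig run still took 2 s or more,
#             so the wait happened before/after the query (name lookups on the client)
#   fast    - nothing to explain
classify() {
    if [ "$2" -lt 0 ]; then echo timeout
    elif [ "$2" -ge 1000 ]; then echo server
    elif [ "$1" -ge 2 ]; then echo client
    else echo fast
    fi
}

# Run one query and print: server name type wall_seconds reported_ms verdict.
# Give the server as an IP address so dig does not have to resolve it first.
probe() {  # $1 = server IP, $2 = name, $3 = record type
    start=$(date +%s)
    out=$(dig "@$1" "$2" "$3" 2>/dev/null)
    end=$(date +%s)
    ms=$(printf '%s\n' "$out" | reported_ms)
    wall=$((end - start))
    echo "$1 $2 $3 ${wall}s ${ms}ms $(classify "$wall" "$ms")"
}

# Usage (placeholders; not run automatically): root hints via the jailed server,
# an uncached external name twice (second run shows the cache hit), then the
# same name straight at a forwarder for comparison.
#   probe 192.168.42.78 . NS
#   probe 192.168.42.78 www.example.org A; probe 192.168.42.78 www.example.org A
#   probe aa.bb.cc.dd www.example.org A
```

A "client" verdict on the root-hints probe points at the jail's own resolver configuration (/etc/hosts, /etc/resolv.conf, hostname lookups) rather than at named; a "server" verdict on the first external query but "fast" on the repeat matches the cache-hit behaviour described in the post.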