DNS problems this morning -

Tim ignored_mailbox at yahoo.com.au
Tue Nov 13 14:59:31 UTC 2012


Bob Goodwin:
> I always naively assumed they were used in the order listed, now
> you've introduced an element of doubt,

I used to presume that, especially when you're presented with a
configuration gadget that asked you to enter "primary" and "secondary"
name server addresses.  But that naming has disappeared, and others have
described how their systems worked in the ways that I mentioned (I mean
various OSs, not just Linux).

So, when using different OSs, as I am, and when using OSs that get
updated from time to time, it's best to test, rather than presume they
all work the way you expected them to.

> If it was I could give others the local and then the outside dns
> addresses, but no that may not work as expected.

It may well work fine, if all you ever ask the name servers to do is
resolve outside internet addresses.  But, if you have a LAN that
communicates with things within the LAN, by name, then *all* name
queries need to be answered by your LAN DNS server, as no external DNS
server can answer any queries about your internal LAN addresses, and
there's no way for you to say resolve this name from here, and the rest
from anywhere.  Your only solution to that conundrum is putting LAN
addresses in the hosts file, because that will be queried before asking
a DNS server.  Which rapidly becomes a nuisance on largish, or expanding
networks.  And doesn't work on networks with dynamically changing
addresses.

> I suppose I could test that scheme using two of my computers, one
> getting dns service from the other and see what happened when I shut
> down the dns of the pair.

Yes, all you can do is test, test, test.  Then hope that if things are
favourable, that they don't change in the next Fedora update.

My own tests have always seemed to indicate that Fedora tries the first
on the list, first; and only progresses down the list if there's no
response to the first name server; and will always try the first server
first, on each subsequent query.  But my test isn't definitive, I've
only done the following test, which isn't an exhaustive test of all the
possibilities.

     1. Run two name servers on different machines
     2. Have them both listed in /etc/resolv.conf
     3. Do numerous domain name queries
     4. Observe that all answers came from the first server
     5. Halt the first name server
     6. Do numerous domain name queries
     7. Observe that all answers came from the second server, with a
        slightly longer delay (noticeably slightly delayed, but the
        returned results only showed 16mS versus 5mS, and I don't think
        I should be able to observe such a difference, to the degree
        that I did)
     8. Restart the first name server
     9. Do numerous domain name queries
    10. Observe that all answers came from the first server

On point 7:  When the first server is answering, the results are
virtually instantaneous.  i.e. There's a result as soon as I hit the
enter key.  But when it has to wait for the second server to respond,
there's a noticeable wait after hitting enter, before anything comes
back.  I suspect the times returned in the results (in mS), are actually
the speed of the server being queried, ignoring the time waited before
attempting the second query.

I seem to recall that there is a way to set the timeout delay before
abandoning the first query, and querying the next server, but I don't
recall the details, and there's no man file for resolv.conf on this
installation of F17.  I don't know if there are configuration options
about always trying the first server, first.

The delay could be quite noticeable if trying to browse websites, and
pages incorporated content from other domain names.  You'd see content
slowly coming in, chunk by chunk.

I'm curious about the other person (in this thread) to mention the same
name server ordering issues, whether they've tested how their systems
worked, and if they knew which other ones worked in the ways they
mentioned.  Particularly, if they knew of one that randomly used any
server listed as one of your name servers.

> Whatever the problem yesterday it seems to be fixed today. The ISP
> dns appears to be working normally. However I am still interested in
> doing anything that improves operation.

ISP behaviour changes all the time.  Some of them will fiddle with their
equipment as much as you might fiddle with your own computer settings.

One of my prior ISPs was the only one I'd ever seen admit any problems.  If
I wrote to them and said I had X type of troubles when I logged in at a
certain time, and said what IP I'd been assigned, but things worked fine
when I logged out and back in again, I'd get a reply back saying that
they'd had a look at the appropriate equipment and reset it, sometimes
mentioned that they'd noticed a problem with it.  Of course I don't know
if they were just placating me, but they didn't tell me to do something
to my computer, and blame me, like every other ISP has done.  They were
also, actually helpful with any other queries.  Unfortunately they got
bought out, and aren't the same people any more.

> > "Was it you that we had this discussion with before? I can never
> > remember who's doing what in threads, especially old or long-lasting
> > ones."

> Yes I had a similar problem affecting access to Newegg's site and
> they thought it was their problem? That was when I discovered I could
> no longer use Opendns.
> 
> I read somewhere that the ISP does this as a result of some caching
> they do to reduce traffic through the satellite link. That seemed
> plausible ...

But not necessary.  When you log into your ISP, it tells you the
addresses of their name servers, and your software uses them.  There's
no need to force all traffic, unavoidably, through them with a
transparent proxy.

Sure, it may help them not have to hand-hold customers through doing
manual network configuration.  But how many people do that, anymore?
The few who deliberately do it, ought to be able enough to work out how
to fix it when something goes wrong.


P.S.  There's a resolv.conf man file from Fedora 9 that includes this
interesting information:

timeout:n
   sets the amount of time the resolver will wait for a response from a
   remote name server before retrying the query via a different name
   server.  Measured in seconds, the default is RES_TIMEOUT (see
   <resolv.h>).

attempts:n
   sets the number of times the resolver will send a query to its name
   servers before giving up and returning an error to the calling
   application.  The default is RES_DFLRETRY (see <resolv.h>).

rotate
   sets RES_ROTATE in _res.options, which causes round robin selection
   of nameservers from among those listed.  This has the effect of
   spreading the query load among all listed servers, rather than having
   all clients try the first listed server first every time.

I tried putting "rotate" into my Fedora 17 resolv.conf file, but I can't
see it making any difference.  The first name server always answers.

-- 
[tim at localhost ~]$ uname -rsvp
Linux 3.6.6-1.fc17.x86_64 #1 SMP Mon Nov 5 21:59:35 UTC 2012 x86_64

All mail to my mailbox is automatically deleted, there is no point
trying to privately email me, I will only read messages posted to the
public lists.
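
Added example (not part of the original post, and not the resolver's own code): a simplified Python model of the timeout, attempts and rotate options quoted in the P.S., showing which listed server ends up receiving a query and how long the caller waits when the LAN server is silent. The sample addresses, the function names, the flat per-probe timeout and the one-step-per-query rotation are assumptions of this sketch; the three default values are the ones in glibc's <resolv.h>.

```python
# Added example: simplified model of a stub resolver, not glibc's implementation.
RES_TIMEOUT, RES_DFLRETRY, MAXNS = 5, 2, 3   # defaults from glibc <resolv.h>

# Constructed sample: LAN server first, outside server second (made-up addresses).
SAMPLE = """\
# constructed example
nameserver 192.168.1.1
nameserver 192.0.2.53
options timeout:2 attempts:2
"""

def parse_resolv_conf(text):
    cfg = {"nameservers": [], "timeout": RES_TIMEOUT,
           "attempts": RES_DFLRETRY, "rotate": False}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0][0] in "#;":       # blank line or comment
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            if len(cfg["nameservers"]) < MAXNS:      # extra entries are ignored
                cfg["nameservers"].append(fields[1])
        elif fields[0] == "options":
            for opt in fields[1:]:
                name, _, value = opt.partition(":")
                if name in ("timeout", "attempts") and value.isdigit():
                    cfg[name] = int(value)
                elif name == "rotate":
                    cfg["rotate"] = True
    return cfg

def resolve(cfg, silent, query_no=0):
    """Return (server that answers, seconds spent waiting on silent servers).
    silent: servers that never reply (host off, packets dropped).
    query_no: earlier queries by this resolver instance; only used with rotate.
    Assumptions: every unanswered probe costs one full timeout, and rotate
    moves the starting server on by one per query.
    """
    servers = cfg["nameservers"]
    if not servers:
        return None, 0
    start = query_no % len(servers) if cfg["rotate"] else 0
    order = servers[start:] + servers[:start]
    waited = 0
    for _ in range(cfg["attempts"]):                 # one pass over the list per attempt
        for ns in order:
            if ns not in silent:
                return ns, waited
            waited += cfg["timeout"]
    return None, waited
```

With the LAN server silent, `resolve(parse_resolv_conf(SAMPLE), {"192.168.1.1"})` returns the outside server after one timeout, which is the case where queries for LAN-only names land on a server that cannot answer them.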




