[squid-users] Anyone has experience with Windows clients DNS timeout

NgTech LTD ngtech1ltd at gmail.com
Wed Dec 30 12:37:00 UTC 2020


Hey Louis,
Thanks for the feedback.

Indeed I do understand if someone wants to have fast DNS resolution.
However there are things which are not under our domain and control.
For example the root DNS servers can be unreachable for a second or
more sometimes to specific areas.
I cannot change the way optic communication cables are managed, but
I can control my Windows or proxy.
Since the proxy can be tuned easily compared to the root servers
themselves or any other lower-level DNS service, I might choose to use
a proxy.
In the ISP world the provider has two or more DNS servers which
sometimes can respond slower than expected.
It's a fact that we need two or more DNS servers, but when you manage a
DNS server or start a BIND recursive server you will be able to see this
issue.
On the first recursive request for a link with 20-80+ ms delay it is
possible that either a packet is lost on the way or that the overall
response takes longer than 10 seconds.
The only reasonable solution I can see is to set the clients or the
proxy according to the environment.

For example a local on-premise DNS caching service (dnsmasq, unbound,
bind) should help a bit in some cases.
The next level is to pre-warm the cache for the root servers.
If this doesn't help, fix the Windows clients' timeout from 2 seconds to
more (10-15).
If the above does not seem to resolve the issues, then and only then it's
proxy time.

I think I found the basic way to define this in the Windows registry
but I am not sure.
These documents describe this issue:

https://docs.microsoft.com/en-us/previous-versions//cc977482(v=technet.10)?redirectedfrom=MSDN
https://serverfault.com/questions/431207/adjust-windows-dns-timeout-similar-to-the-linux-resolv-conf
https://thehotery.name/windows/network/dns
https://groups.google.com/g/microsoft.public.windows.inetexplorer.ie6.browser/c/TrUhaEZEtIw/m/dZOB6Z8AvN0J

The default registry key is not present but the value is:
## START of text file
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DNSQueryTimeouts"=hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,00,00
## END of text file

A modified one is:
## START of text file
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DNSQueryTimeouts"=hex(7):34,00,00,00,38,00,00,00,38,00,00,00,31,00,36,00,00,00,33,00,32,00,00,00,00,00
## END of text file


I have not tested it yet, but in Windows nslookup you can change the
timeout using:
set timeout=10

and test the server for timeout issues.
It is common to see in Windows that the first lookup fails after 2
seconds but the next one gets a result.
If the client waits long enough it will receive the packet, and the
resolution is fast compared to a fully recursive one every time.

I think that this timeout deserves a wiki page.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd at gmail.com
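The two .reg fragments above were hand-encoded, which is error-prone for a REG_MULTI_SZ (each string is UTF-16LE and NUL-terminated, and the list ends with one more NUL). The following is an added example, not code from the post or from Squid: it decodes the posted values, generates the hex(7) form for any timeout list, and round-trips a .reg file. The registry key and value name are the ones in the post; everything else (function names, the sample .reg text) is constructed here, and nothing touches a live registry.

```python
"""Encode and decode the DNSQueryTimeouts REG_MULTI_SZ value as a .reg file stores it.

Added example for this thread; not code from the original post. Only the .reg
text encoding is modelled (nothing here touches a live registry), and the
timeout semantics are taken from the post: one entry per retry, in seconds.
"""
import re

REG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
VALUE_NAME = "DNSQueryTimeouts"

# Constructed copy of the "default" .reg fragment from the post, used as sample input.
POSTED_DEFAULT_REG = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    f"[{REG_KEY}]\r\n"
    f'"{VALUE_NAME}"=hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,'
    "38,00,00,00,00,00\r\n"
)


def decode_multi_sz_hex(value: str) -> list[str]:
    """Decode a REG_MULTI_SZ value as written in a .reg file ("hex(7):aa,bb,...").

    Layout: UTF-16LE, every string NUL-terminated, whole list closed by one
    extra NUL (i.e. the text ends in a double NUL).
    """
    if not value.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ (hex(7)) value")
    # .reg files may wrap long values with a trailing backslash; drop wrapping and spaces.
    body = re.sub(r"[\\\s]", "", value[len("hex(7):"):])
    raw = bytes(int(pair, 16) for pair in body.split(",") if pair)
    text = raw.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    parts = text[:-1].split("\0")  # the final empty element is the list terminator
    return parts[:-1]


def encode_multi_sz_hex(strings: list[str]) -> str:
    """Inverse of decode_multi_sz_hex; produces the exact byte layout .reg expects."""
    if any(s == "" or "\0" in s for s in strings):
        raise ValueError("REG_MULTI_SZ strings must be non-empty and NUL-free")
    raw = "".join(s + "\0" for s in strings).encode("utf-16-le") + b"\0\0"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def build_reg_file(timeouts_seconds: list[int]) -> str:
    """Render a .reg file setting DNSQueryTimeouts to the given per-attempt timeouts."""
    if not timeouts_seconds or any(t <= 0 for t in timeouts_seconds):
        raise ValueError("need at least one positive timeout")
    value = encode_multi_sz_hex([str(t) for t in timeouts_seconds])
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{REG_KEY}]\r\n"
        f'"{VALUE_NAME}"={value}\r\n'
    )


def parse_reg_timeouts(reg_text: str) -> list[int]:
    """Find the DNSQueryTimeouts line in .reg text and return the timeouts as ints."""
    m = re.search(rf'^"{VALUE_NAME}"=(hex\(7\):[^\r\n]*)', reg_text, re.M)
    if m is None:
        raise ValueError(f"{VALUE_NAME} not found")
    return [int(s) for s in decode_multi_sz_hex(m.group(1))]


if __name__ == "__main__":
    print("posted default decodes to:", parse_reg_timeouts(POSTED_DEFAULT_REG))
    print(build_reg_file([4, 8, 8, 16, 32]))
```

The posted default decodes to 1, 2, 2, 4, 8 and the modified value to 4, 8, 8, 16, 32, so the hand-typed hex in the post is consistent. One caveat worth keeping in mind before rolling the longer list out: on this simple "one entry per retry" reading, the sum of the list (17 s versus 68 s) is roughly how long an application can stall on a single lookup when nothing answers, so a longer schedule trades fewer spurious 2-second failures against longer hangs when a resolver is genuinely down.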
On Wed, Dec 30, 2020 at 12:57 PM L.P.H. van Belle <belle at bazuin.nl> wrote:
>
> And, yes I agree, DNS over TLS might be slower, but really, if you have to wait seconds for a DNS reply... imagine..
> Lots of websites have 10-20 hosts in them; if you have to wait 10 sec for a website, well, I'm gone already then.
>
> That's why I also showed the direct tests of my internal authoritative DNS servers. (and I can pick any host, it will show the same results).
>
> All I'm saying is, before you are going to hunt for "possible" problems,
> make sure the resolving is perfectly set up.
> It will fix at least a lot of problems.
>
> I just don't like DNS over HTTPS..
> https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
>
> https://www.samknows.com/blog/dns-over-https-performance
>
> Good articles to read.
>
> Enjoy.
>
> Greetz,
>
> Louis
>
>
> > -----Original message-----
> > From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
> > Klaus Westkamp
> > Sent: Wednesday 30 December 2020 10:57
> > To: squid-users at lists.squid-cache.org
> > Subject: Re: [squid-users] Anyone has experience with Windows clients
> > DNS timeout
> >
> >
> > Hi,
> >
> > I fully agree with Amos. I experience several seconds delay these days
> > in resolving names.
> >
> > Using Google, which has a very fast and heavily caching DNS,
> > is not a good example for recreating this effect.
> >
> > I could imagine that the several DNS encryption methods,
> > DNS-over-TLS and -over-HTTPS, that are only supported by some,
> > are adding to that delay, as they require more overhead
> > and also the client has to find out which method is supported and which
> > not.
> >
> > Cheers,
> >
> > Klaus Westkamp
> >
> >
> > On 30/12/2020 09:07, L.P.H. van Belle wrote:
> > > Hi Eliezer
> > >
> > > Sorry, I'm not fully agreeing with Amos here..
> > >
> > > If your DNS is taking 7-10 sec, I would investigate why the DNS is that
> > slow.
> > > Something is off, that simple.
> > >
> > >
> > > A small example of my DNS resolving to the internet and my LAN DNS servers.
> > >
> > > time dig a www.google.nl @8.8.8.8  @internet dns
> > > real    0m0.115s
> > >
> > > real    0m0.031s    @lan dns, lookup 1.
> > > real    0m0.016s    @lan dns, lookup 2. (cached one)
> > >
> > > So, in my opinion a 7-10 seconds timeout is really off.
> > > In the last we..
> > >
> > > Is the LAN DNS set as an authoritative server.
> > > Are the PCs correctly registering in the DNS with their primary DNS
> > domain.
> > >
> > > in resolv.conf make sure the primary DNS domain is first in resolv.conf
> > > primary.dnsdomain.tld = output of $(hostname -d)
> > >
> > > search primary.dnsdomain.tld  (optional extra: other.dnsdomain.tld dnsdomain.tld )
> > > nameserver 192.168.1.1
> > > nameserver 192.168.1.2
> > > nameserver 192.168.1.3
> > > nameserver 192.168.1.4
> > > nameserver 192.168.1.5
> > >
> > > # these are the options to look into also. ( in this order )
> > > options edns0               # allows 4096 byte packets.
> > > options rotate              # if you have more than 1 dns server this can help.
> > > options timeout:3
> > > options no-check-names      # don't check for invalid characters such as underscore (_), non-ASCII, or control characters.
> > >
> > >
> > > Check the following.
> > > - the DNS server tries to query the internet first.
> > > fix might be, resolving (search line) in /etc/resolv.conf
> > >
> > > ipv4 / ipv6, try disabling ipv6 on the windows clients.
> > > DNS is non-authoritative where it might be needed to set it to authoritative.
> > > DNS server is missing forwarding to the authoritative server.
> > > Routing and routing orders
> > > Are EDNS (4096 bytes) big packets allowed
> > > And is the firewall allowing UDP and TCP packets on port 53
> > >
> > > I run 3 Samba-AD DNS servers with Bind9_DLZ
> > > My proxy runs a Bind9 caching and forwarding setup.
> > > The primary DNS domain is forwarded to the Samba-AD DNS server.
> > > These are the authoritative servers.
> > >
> > > This is on average my slowest query 0.1-0.2 sec  ( on the samba dns )
> > > I checked the last year in my monitoring.
> > > Normal is 0.03-0.01 sec
> > >
> > > If there are problems in samba these days it's in 80% of all cases a
> > resolving setup problem.
> > >
> > > I hope this gave you some ideas.
> > >
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> > >> -----Original message-----
> > >> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org]
> > On behalf of
> > >> NgTech LTD
> > >> Sent: Tuesday 29 December 2020 21:02
> > >> To: Squid Users
> > >> Subject: [squid-users] Anyone has experience with Windows clients DNS
> > >> timeout
> > >>
> > >> I have seen this issue on Windows clients in the past.
> > >> Windows nslookup shows that the query has timed out after 2 seconds.
> > >> On Linux and xBSD I have researched this issue and have seen that
> > >> the DNS server is doing a recursive lookup and it takes from 7 to 10++
> > >> seconds sometimes.
> > >> When I pre-warm the DNS cache and the results are cached it takes
> > >> less than 500 ms for a response to be on the client side and then
> > >> everything works fine.
> > >>
> > >> I understand that the Windows DNS client times out..
> > >> When using a forward proxy with Squid or any other it works as expected
> > >> since the DNS resolution is done on the proxy server.
> > >> However for this issue I believe that this timeout should be increased
> > >> instead of moving to DNS over HTTPS.
> > >>
> > >> I would like to hear if anyone has any resolution for this issue on
> > >> the Windows clients side.
> > >>
> > >> Thanks,
> > >> Eliezer
> > >>
> > >> ----
> > >> Eliezer Croitoru
> > >> Tech Support
> > >> Mobile: +972-5-28704261
> > >> Email: ngtech1ltd at gmail.com
> > >> _______________________________________________
> > >> squid-users mailing list
> > >> squid-users at lists.squid-cache.org
> > >> http://lists.squid-cache.org/listinfo/squid-users
> >
>
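The thread's symptom (first lookup times out after 2 seconds, second succeeds from cache; Louis's dig timings of 0.1 s cold versus 0.016 s cached) is easy to reproduce without relying on nslookup's single timeout. The following is an added example, not code from any of the posters: a stdlib-only UDP DNS probe that sends an A query under a retry schedule shaped like DNSQueryTimeouts and reports cold versus warm timing and how many attempts each needed. It assumes plain UDP/53 and A records only, models the schedule simply as "wait timeouts[i] seconds on attempt i, then resend" (the real Windows client logic is not reproduced), and the embedded response bytes are constructed here for offline checking. The host and resolver defaults are the ones that appear in the thread.

```python
"""Stdlib DNS probe: time an A lookup under a DNSQueryTimeouts-style retry schedule.

Added example for this thread; not code from the original posts. Assumed: UDP on
port 53, A records only, and a naive schedule (wait timeouts[i] s on attempt i,
then resend); the actual Windows client algorithm is not modelled.
"""
import random
import socket
import struct
import time


def build_query(name: str, qid: int) -> bytes:
    """Build a standard recursive A/IN query for `name` with transaction id `qid`."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD; 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, terminates the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length


def parse_answer(resp: bytes, qid: int) -> dict:
    """Parse header and answer section; return rcode, TC flag and any A addresses."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != qid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE/QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "truncated": bool(flags & 0x0200), "addresses": addrs}


# Constructed reply to build_query("www.google.nl", 0x1234): NOERROR, one A record
# (192.0.2.1, TTL 300) whose owner name is a compression pointer to offset 12.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x03www\x06google\x02nl\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"
)


def resolve_with_schedule(name: str, server: str, timeouts=(1, 2, 2, 4, 8)):
    """Query `server`, waiting timeouts[i] seconds on attempt i; resend on each timeout.

    Returns (parsed answer, elapsed seconds, attempts used); raises TimeoutError
    when the whole schedule is exhausted.
    """
    qid = random.randrange(0, 65536)
    query = build_query(name, qid)
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        for attempt, t in enumerate(timeouts, 1):
            s.settimeout(t)
            s.sendto(query, (server, 53))
            try:
                resp, _ = s.recvfrom(4096)
            except socket.timeout:
                continue  # the "timed out after 2 seconds" case from the thread
            try:
                return parse_answer(resp, qid), time.monotonic() - start, attempt
            except ValueError:
                continue  # wrong transaction id: ignore it and resend
    raise TimeoutError(f"{name}: no answer from {server} after {len(timeouts)} attempts")


def cold_vs_warm(name: str, server: str, timeouts=(1, 2, 2, 4, 8)) -> dict:
    """Resolve twice: the first answer usually needs full recursion, the second is cached."""
    cold = resolve_with_schedule(name, server, timeouts)
    warm = resolve_with_schedule(name, server, timeouts)
    return {"cold_s": round(cold[1], 3), "cold_attempts": cold[2],
            "warm_s": round(warm[1], 3), "warm_attempts": warm[2],
            "addresses": cold[0]["addresses"]}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.google.nl"
    resolver = sys.argv[2] if len(sys.argv) > 2 else "8.8.8.8"
    print(cold_vs_warm(host, resolver))
```

Point it at the resolver the clients actually use (for example the LAN caching server, then the ISP's) rather than at Google. A cold lookup that needs two or more attempts on the default 1, 2, 2, 4, 8 schedule while the warm one answers on attempt one within milliseconds is exactly the picture described in the thread; after adding a local cache, pre-warming it, or lengthening the client schedule, `cold_attempts` should drop to 1 as well. A `truncated` flag in the result means the answer did not fit in UDP and a TCP/53 retry (and the firewall rule for it that Louis lists) is needed.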

