[squid-users] Anyone has experience with Windows clients DNS timeout

L.P.H. van Belle belle at bazuin.nl
Wed Dec 30 13:38:16 UTC 2020


Hai Elizer,

> -----Original message-----
> From: NgTech LTD [mailto:ngtech1ltd at gmail.com]
> Sent: Wednesday, 30 December 2020 13:37
> To: L.P.H. van Belle
> CC: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] Anyone has experience with Windows clients
> DNS timeout
> 
> Hey Louis,
> Thanks For the feedback.
> 
> Indeed I do understand if someone wants to have fast DNS resolution.
> However there are things which are not under our domain and control.

> For example the root DNS servers can be unreachable for a second or
> more sometimes to specific areas.
Now this I'm having here also; it took me 6 months, but my internet provider 
is now finally going to fix it. Often it's out of bandwidth.. 
In my case this was a change they did in the background. 
In the Netherlands I know lots of fiber providers don't monitor their bandwidth; I built some monitoring servers for one of them, that's how I know. They don't care, because they just say, ah.. fiber, sufficient bandwidth..
:-/ 

> I cannot change the way how optic communication cables are managed but
> I can control my windows or proxy.
> Since the proxy can be tuned easily compared to the root servers
> themselves or any other lower level DNS services I might choose to use
> a proxy.
Test against other DNS servers and track the route they are using.. 
In my above problem I tracked this from 5 different providers to find the problem point. 

> In the ISP world the provider has two or more DNS servers which
> sometimes can respond slower than expected.
> It's a fact that we need two or more DNS servers, but when you manage a
> DNS server or start a BIND recursive server you will be able to see this
> issue.
> On the first recursive request for a link with 20-80+ ms delay it is
> possible that either a packet is lost on the way or the overall
> response is higher than 10 seconds.
Also here, if you can monitor your devices, check if you see UDP loss/reject. 

> The only reasonable solution I can see is to set the clients or the
> proxy according to the environment.
Both will and should work.. 

> 
> For example a local on-premise DNS caching service (dnsmasq, unbound,
> bind) should help a bit in some cases.
> The next level is to pre-warm the cache for the root servers.
> If this doesn't help, fix the client's Windows timeout from 2 seconds to
> more.. (10-15).

That's still, in my opinion, the first one you need to track, and find where 
the delay is happening. 

> If the above seems to not resolve the issues then and only then it's
> the proxy time.
> 
> I think I found the basic way to define this in the Windows registry,
> but I'm not sure.
> These documents describe this issue:
> 
> https://docs.microsoft.com/en-us/previous-versions//cc977482(v=technet.10)?redirectedfrom=MSDN
> https://serverfault.com/questions/431207/adjust-windows-dns-timeout-similar-to-the-linux-resolv-conf
> https://thehotery.name/windows/network/dns
> https://groups.google.com/g/microsoft.public.windows.inetexplorer.ie6.browser/c/TrUhaEZEtIw/m/dZOB6Z8AvN0J
> 
> The default registry key is not present but the value is:
> ## START of text file
> Windows Registry Editor Version 5.00
> 
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
> "DNSQueryTimeouts"=hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,\
>   38,00,00,00,00,00
> ## END of text file
> 
> A modified one is:
> ## START of text file
> Windows Registry Editor Version 5.00
> 
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
> "DNSQueryTimeouts"=hex(7):34,00,00,00,38,00,00,00,38,00,00,00,31,00,36,00,\
>   00,00,33,00,32,00,00,00,00,00
> ## END of text file
> 

Beware, you can change that, but I know some parts in Windows use some Windows DNS, and if you disable/change that, your MS Store might also stop working. Figured that out the hard way. :-( 

> 
> I have not tested it yet but if it does but in Windows nslookup you
> can change the timeout using:
> set timeout=10
> 
> and test the server for timeout issues.
> It is common to see in Windows that the first lookup fails
> after 2 seconds but the next one gets a result.
> If the client waits long enough it will receive the packet, and the
> resolution is fast compared to a fully recursive one every time.
> 
> I think that this timeout deserves a wiki page.
> 
> Thanks,
> Eliezer
> 
> ----
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1ltd at gmail.com
> On Wed, Dec 30, 2020 at 12:57 PM L.P.H. van Belle <belle at bazuin.nl> wrote:
> >
> > And, yes I agree, DNS over TLS might be slower, but really, if you have
> > to wait seconds for a DNS reply... imagine..
> > Lots of websites have 10-20 hosts in them; if you have to wait 10 sec
> > for a website, well, I'm gone already then.
> >
> > That's why I also showed the direct tests of my internal authoritative DNS
> > servers. (And I can pick any host, it will show the same results.)
> >
> > All I'm saying is, before you are going to hunt for "possible" problems,
> > make sure the resolving is perfectly set up.
> > It will fix at least a lot of problems.
> >
> > I just don't like DNS over HTTPS..
> > https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
> >
> > https://www.samknows.com/blog/dns-over-https-performance
> >
> > Good articles to read.
> >
> > Enjoy.
> >
> > Greetz,
> >
> > Louis
> >
> >
> > > -----Original message-----
> > > From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org]
> > > On behalf of Klaus Westkamp
> > > Sent: Wednesday, 30 December 2020 10:57
> > > To: squid-users at lists.squid-cache.org
> > > Subject: Re: [squid-users] Anyone has experience with Windows clients
> > > DNS timeout
> > >
> > >
> > > Hi,
> > >
> > > I fully agree with Amos. I experience several seconds of delay these days
> > > in resolving names.
> > >
> > > Using Google, which has a very fast and heavily caching DNS,
> > > is not a good example for recreating this effect.
> > >
> > > I could imagine that the several DNS encryption methods,
> > > DNS-over-TLS and -over-HTTPS, that are only supported by some,
> > > add to that delay, as they require more overhead
> > > and also the client has to find out which method is supported and
> > > which not.
> > >
> > > Cheers,
> > >
> > > Klaus Westkamp
> > >
> > >
> > > On 30/12/2020 09:07, L.P.H. van Belle wrote:
> > > > Hai Elizer
> > > >
> > > > Sorry, I'm not fully agreeing with Amos here..
> > > >
> > > > If your DNS is taking 7-10 sec, I would investigate why the DNS is that
> > > > slow.
> > > > Something is off, that simple.
> > > >
> > > >
> > > > A small example of my DNS resolving to the internet and my LAN
> > > > DNS servers.
> > > >
> > > > time dig a www.google.nl @8.8.8.8    # internet DNS
> > > > real    0m0.115s
> > > >
> > > > real    0m0.031s    # LAN DNS, lookup 1.
> > > > real    0m0.016s    # LAN DNS, lookup 2. (cached one)
> > > >
> > > > So, in my opinion a 7-10 second timeout is really off.
> > > > In the last we..
> > > >
> > > > Is the LAN DNS set as an authoritative server?
> > > > Are the PCs correctly registering in the DNS with their primary DNS
> > > > domain?
> > > >
> > > > In resolv.conf make sure the primary DNS domain is first in
> > > > resolv.conf:
> > > > primary.dnsdomain.tld = output of $(hostname -d)
> > > >
> > > > search primary.dnsdomain.tld    # optional extra: other.dnsdomain.tld dnsdomain.tld
> > > > nameserver 192.168.1.1
> > > > nameserver 192.168.1.2
> > > > nameserver 192.168.1.3
> > > > nameserver 192.168.1.4
> > > > nameserver 192.168.1.5
> > > >
> > > > # these are the options to look into also. ( in this order )
> > > > options edns0               # allows 4096 byte packets.
> > > > options rotate              # if you have more than 1 DNS server this can help.
> > > > options timeout:3
> > > > options no-check-names      # don't check for invalid characters such as
> > > >                             # underscore (_), non-ASCII, or control characters.
> > > >
> > > >
> > > > Check the following.
> > > > - the DNS server tries to query first to the internet.
> > > > fix might be, resolving (search line) in /etc/resolv.conf
> > > >
> > > > IPv4 / IPv6, try disabling IPv6 on the Windows clients.
> > > > DNS is non-authoritative where it might be needed to set it to
> > > > authoritative.
> > > > DNS server is missing forwarding to the authoritative server.
> > > > Routing and routing orders.
> > > > Are EDNS (4096 bytes) big packets allowed?
> > > > And is the firewall allowing UDP and TCP packets on port 53?
> > > >
> > > > I run 3 Samba-AD DNS servers with Bind9_DLZ.
> > > > My proxy runs a Bind9 caching and forwarding setup.
> > > > The primary DNS domain is forwarded to the Samba-AD DNS server.
> > > > These are the authoritative servers.
> > > >
> > > > This is on average my slowest query, 0.1-0.2 sec ( on the Samba DNS );
> > > > I checked the last year in my monitoring.
> > > > Normal is 0.03-0.01 sec.
> > > >
> > > > If there are problems in Samba these days, it's in 80% of all cases a
> > > > resolving setup problem.
> > > >
> > > > I hope this gave you some ideas.
> > > >
> > > >
> > > > Greetz,
> > > >
> > > > Louis
> > > >
> > > >> -----Original message-----
> > > >> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org]
> > > >> On behalf of NgTech LTD
> > > >> Sent: Tuesday, 29 December 2020 21:02
> > > >> To: Squid Users
> > > >> Subject: [squid-users] Anyone has experience with Windows clients DNS
> > > >> timeout
> > > >>
> > > >> I have seen this issue on Windows clients in the past.
> > > >> Windows nslookup shows that the query has timed out after 2 seconds.
> > > >> On Linux and xBSD I have researched this issue and have seen that
> > > >> the DNS server is doing a recursive lookup and it takes from 7 to 10++
> > > >> seconds sometimes.
> > > >> When I pre-warm the DNS cache and the results are cached, it takes
> > > >> lower than 500 ms for a response to be on the client side and then
> > > >> everything works fine.
> > > >>
> > > >> I understand that the Windows DNS client times out..
> > > >> When using a forward proxy with Squid or any other it works as expected
> > > >> since the DNS resolution is done on the proxy server.
> > > >> However for this issue I believe that this timeout should be increased
> > > >> instead of moving to DNS over HTTPS.
> > > >>
> > > >> I would like to hear if anyone has any resolution for this issue on
> > > >> the Windows clients side.
> > > >>
> > > >> Thanks,
> > > >> Eliezer
> > > >>
> > > >> ----
> > > >> Eliezer Croitoru
> > > >> Tech Support
> > > >> Mobile: +972-5-28704261
> > > >> Email: ngtech1ltd at gmail.com
> > > >> _______________________________________________
> > > >> squid-users mailing list
> > > >> squid-users at lists.squid-cache.org
> > > >> http://lists.squid-cache.org/listinfo/squid-users
> > >
> >
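An added example, not part of the thread and not code from Squid or Microsoft: a small Python tool that decodes and encodes the hex(7) REG_MULTI_SZ data behind the two .reg snippets quoted above, so the per-attempt timeouts can be read off and a new value written without counting UTF-16 bytes by hand. It relies only on how regedit exports REG_MULTI_SZ (each string UTF-16LE and NUL-terminated, the list closed by one more NUL, long values wrapped with a trailing backslash). The key path and value name are taken from the mail as posted and are not verified here against Microsoft documentation; the "worst case" figure it reports is a deliberate simplification (one server, attempts strictly sequential) and should be read as a bound, not as the exact Windows resolver behaviour.

```python
"""Decode and encode the DNSQueryTimeouts REG_MULTI_SZ data from a .reg file.

Added example: a .reg file stores REG_MULTI_SZ as hex(7): every string is
UTF-16LE and NUL-terminated (00,00), and the whole list ends with one more
NUL.  The two byte lists below are the ones quoted in the thread.
"""
from __future__ import annotations

# Key path and value name exactly as posted in the thread (assumption: taken
# from the mail, not verified against Microsoft documentation here).
REG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
VALUE_NAME = "DNSQueryTimeouts"

# hex(7) data from the two .reg snippets in the thread ("default" and "modified").
DEFAULT_HEX = "31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,00,00"
MODIFIED_HEX = ("34,00,00,00,38,00,00,00,38,00,00,00,31,00,36,00,00,00,"
                "33,00,32,00,00,00,00,00")


def decode_multi_sz(hex_bytes: str) -> list[str]:
    """Turn a hex(7) byte list ('31,00,...') into the strings it encodes."""
    # regedit wraps long values with a trailing backslash; tolerate that.
    cleaned = hex_bytes.replace("\\", "").replace("\n", "").replace(" ", "")
    raw = bytes(int(tok, 16) for tok in cleaned.split(",") if tok)
    if len(raw) % 2:
        raise ValueError("REG_MULTI_SZ data must have an even byte count")
    parts = raw.decode("utf-16-le").split("\x00")
    # A well-formed list ends "...<str>\0\0", i.e. two empty trailing parts.
    if len(parts) < 2 or parts[-1] != "" or parts[-2] != "":
        raise ValueError("REG_MULTI_SZ data is not double-NUL terminated")
    return parts[:-2]


def encode_multi_sz(values: list[str]) -> str:
    """Encode strings as the hex(7) byte list regedit would export."""
    for v in values:
        if not v or "\x00" in v:
            raise ValueError("entries must be non-empty and contain no NUL")
    text = "".join(v + "\x00" for v in values) + "\x00"
    return ",".join(f"{b:02x}" for b in text.encode("utf-16-le"))


def timeouts_from_hex(hex_bytes: str) -> list[int]:
    """DNSQueryTimeouts holds one per-attempt timeout (seconds) per string."""
    return [int(s) for s in decode_multi_sz(hex_bytes)]


def worst_case_wait(timeouts: list[int]) -> int:
    """Seconds until the last attempt gives up, if every attempt times out.

    Simplification (assumption): one server, attempts strictly sequential.
    The real Windows resolver also fans out across servers, so treat this
    as an upper bound, not an exact figure.
    """
    return sum(timeouts)


def reg_file(values: list[str], key: str = REG_KEY, name: str = VALUE_NAME) -> str:
    """Render a .reg file setting `name` under `key`, wrapping the hex data
    with a trailing backslash and two-space indent the way regedit does."""
    toks = encode_multi_sz(values).split(",")
    chunks = [",".join(toks[i:i + 25]) for i in range(0, len(toks), 25)]
    data = ",\\\n  ".join(chunks)
    return (f"Windows Registry Editor Version 5.00\n\n[{key}]\n"
            f'"{name}"=hex(7):{data}\n')


def hex_from_reg(reg_text: str, name: str = VALUE_NAME) -> str:
    """Pull the hex(7) data for `name` out of .reg text, re-joining wrapped lines."""
    prefix = f'"{name}"=hex(7):'
    lines = reg_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith(prefix):
            data = line[len(prefix):]
            while data.endswith("\\"):
                i += 1
                data = data[:-1] + lines[i].strip()
            return data
    raise KeyError(name)


if __name__ == "__main__":
    for label, hx in (("default", DEFAULT_HEX), ("modified", MODIFIED_HEX)):
        t = timeouts_from_hex(hx)
        print(f"{label}: attempts {t} -> worst case {worst_case_wait(t)} s")
    print(reg_file(["4", "8", "8", "16", "32"]))
```

Run it as a script to see that the posted "default" data decodes to the attempts 1 2 2 4 8 (17 s if every attempt times out in turn) and the "modified" data to 4 8 8 16 32 (68 s), and to get a freshly rendered .reg file for any list of attempt timeouts you want to try; `hex_from_reg` lets you check an exported .reg file the same way before importing it on a client.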



