[squid-users] Anyone has experience with Windows clients DNS timeout

Klaus Westkamp klaus at westkamp.net
Wed Dec 30 09:57:21 UTC 2020


Hi,

I fully agree with Amos. I experience several seconds of delay these days
in resolving names.

Using Google, which has a very fast and heavily caching DNS,
is not a good example for recreating this effect.

I could imagine that the several DNS encryption methods,
DNS-over-TLS and -over-HTTPS, that are only supported by some,
are adding to that delay, as they require more overhead
and the client also has to find out which method is supported and which is not.

Cheers,

Klaus Westkamp


On 30/12/2020 09:07, L.P.H. van Belle wrote:
> Hi Eliezer
>
> Sorry, I'm not fully agreeing with Amos here.
>
> If your DNS is taking 7-10 sec, I would investigate why the DNS is that slow.
> Something is off, that simple.
>
>
> A small example of my dns resolving to internet and my lan dnsservers.
>
> time dig a www.google.nl @8.8.8.8  @internet dns
> real    0m0.115s
>
> real    0m0.031s	@lan dns, lookup 1.
> real    0m0.016s	@lan dns, lookup 2. (cached one)
>
> So, in my opinion 7-10 seconds timeout is really off.
> In the last we..
>
> Is the LAN DNS set as an authoritative server?
> Are the PCs correctly registering in the DNS with their primary DNS domain?
>
> In resolv.conf, make sure the primary DNS domain is first.
> primary.dnsdomain.tld = output of $(hostname -d)
>
> search primary.dnsdomain.tld  (optional extra, other.dnsdomain.tld dnsdomain.tld )
> nameserver 192.168.1.1
> nameserver 192.168.1.2
> nameserver 192.168.1.3
> nameserver 192.168.1.4
> nameserver 192.168.1.5
>
> # these are the options to look into also. ( in this order )
> options edns0		# allow 4096 byte packets.
> options rotate		# if you have more than 1 DNS server this can help.
> options timeout:3	
> options no-check-names	# don't check for invalid characters such as underscore (_), non-ASCII, or control characters.
>
>
> Check the following.
> - the DNS server tries to query the internet first.
> The fix might be the resolving (search line) in /etc/resolv.conf
>
> IPv4 / IPv6: try disabling IPv6 on the Windows clients.
> DNS is non-authoritative where it might need to be set to authoritative.
> DNS server is missing forwarding to the authoritative server.
> Routing and routing orders
> Are EDNS (4096 bytes) big packets allowed
> And is the firewall allowing UDP and TCP packets on port 53
>
> I run 3 samba-AD dns servers with Bind9_DLZ
> My proxy runs a Bind9 caching and forwarding setup.
> The primary DNS domain is forwarded to the Samba-AD DNS server.
> These are the authoritative servers.
>
> This is on average my slowest query: 0.1-0.2 sec  ( on the samba dns )
> I checked the last year in my monitoring.
> Normal is 0.03-0.01 sec
>
> If there are problems in Samba these days, it's in 80% of all cases a resolving setup problem.
>
> I hope this gave you some ideas.
>
>
> Greetz,
>
> Louis
>
>> -----Original message-----
>> From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On behalf of
>> NgTech LTD
>> Sent: Tuesday, 29 December 2020 21:02
>> To: Squid Users
>> Subject: [squid-users] Anyone has experience with Windows clients DNS
>> timeout
>>
>> I have seen this issue on Windows clients over the past.
>> Windows nslookup shows that the query has timed out after 2 seconds.
>> On Linux and xBSD I have researched this issue and have seen that:
>> the DNS server is doing a recursive lookup and it takes from 7 to 10++
>> seconds sometimes.
>> When I pre-warm the DNS cache and the results are cached it takes
>> less than 500 ms for a response to be on the client side and then
>> everything works fine.
>>
>> I understand that Windows DNS client times out..
>> When using forward proxy with squid or any other it works as expected
>> since the DNS resolution is done on the proxy server.
>> However for this issue I believe that this timeout should be increased
>> instead of moving to DNS over HTTPS.
>>
>> I would like to hear if anyone has any resolution for this issue on
>> the Windows clients side.
>>
>> Thanks,
>> Eliezer
>>
>> ----
>> Eliezer Croitoru
>> Tech Support
>> Mobile: +972-5-28704261
>> Email: ngtech1ltd at gmail.com
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users

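Added example, not part of any poster's message: a standard-library Python probe that times a first and a repeat lookup against each resolver and compares both with the 2-second Windows nslookup timeout reported in the thread. The function names are hypothetical; the resolver addresses and the query name are the ones quoted above.

```python
import random, socket, struct, time

CLIENT_TIMEOUT = 2.0  # seconds; the Windows nslookup timeout reported in the thread

def build_query(name, qid, qtype=1):
    """Encode a recursive (RD=1) question for `name`; qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_header(packet):
    """Return (id, rcode, truncated, answer_count) from a DNS response."""
    if len(packet) < 12:
        raise ValueError("short DNS packet")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return qid, flags & 0x000F, bool(flags & 0x0200), an

def timed_lookup(server, name, wait=12.0):
    """Seconds until `server` answers on UDP/53, or None if nothing arrives in `wait`."""
    qid = random.randrange(0x10000)
    deadline = time.monotonic() + wait
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            start = time.monotonic()
            s.sendto(build_query(name, qid), (server, 53))
            while (left := deadline - time.monotonic()) > 0:
                s.settimeout(left)
                data, _ = s.recvfrom(4096)
                if len(data) >= 12 and parse_header(data)[0] == qid:
                    return time.monotonic() - start  # ignore stray datagrams
    except OSError:  # socket timeout or unreachable network
        pass
    return None

def classify(cold, warm, limit=CLIENT_TIMEOUT):
    """Compare first (cold) and repeat (warm) lookup times with the client timeout."""
    if cold is None:
        return "no-answer"
    if cold <= limit:
        return "ok"
    if warm is not None and warm <= limit:
        return "slow-recursion"   # only uncached names exceed the client timeout
    return "slow-always"          # slow even when the answer should be cached

if __name__ == "__main__":
    # The first lookup is only truly cold if the resolver has not cached the name.
    for server in ("8.8.8.8", "192.168.1.1"):
        cold = timed_lookup(server, "www.google.nl")
        warm = timed_lookup(server, "www.google.nl")
        print(server, cold, warm, classify(cold, warm))
```

A "slow-recursion" result matches the symptom in the original question (7 to 10 seconds uncached, under 500 ms cached); "slow-always" points at the resolver itself or the path to it.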