
slow DNS lookups from firewall



I have a small home network of two Debian stable machines and two
Windoze portables (boo hiss, but my work and spouse's require that).
I'm hitting something that's puzzling me, which is that DNS lookups
from the firewall machine are slow, whether directly or from the
Windoze machines behind it, while DNS lookups from the Debian server
in the DMZ on my network are much faster.  However, it gets to the
ADSL router through the firewall machine.  Firewalling is done by
Shorewall 1.2 (i.e. the Debian stable 'Woody' distro, like everything else on the
two machines), with the DMZ masqueraded whereas the Windoze machines on
the local network are DNAT.

Here are some timings, e.g.:
FIREWALL:
time host leeds.ac.uk 213.120.62.98
leeds.ac.uk A record currently not present at inh2dns02.imsnet2.btopenworld.com
real    0m27.379s
user    0m0.010s
sys     0m0.000s
firewall:/etc/shorewall# time host leeds.ac.uk 213.120.62.98
leeds.ac.uk A record currently not present at inh2dns02.imsnet2.btopenworld.com
real    0m1.040s
user    0m0.000s
sys     0m0.010s
firewall:/etc/shorewall# time host www.leeds.ac.uk 213.120.62.98
www.leeds.ac.uk         A       129.11.21.9
real    0m2.394s
user    0m0.000s
sys     0m0.000s


DMZ machine:
time host leeds.ac.uk 213.120.62.98
leeds.ac.uk A record currently not present at inh2dns02.imsnet2.btopenworld.com
real    0m0.107s
user    0m0.020s
sys     0m0.000s
www:/etc# time host www.leeds.ac.uk 213.120.62.98
www.leeds.ac.uk         A       129.11.21.9
real    0m0.129s
user    0m0.010s
sys     0m0.020s

The Windoze machines (W2k and XPProf) are slowish, in line with the
firewall timings, with the XP machine tolerating it and the 2k machine
timing out repeatedly.

I'm baffled: the firewall machine has two ethernet ports on the
motherboard (eth1 & eth2: via-rhine) and a PCI card (eth0: RTL8139).
Shorewall maps those:
eth0 -- to the ADSL router
eth1 -- to the local network via a Belkin 8 port 100/1k switch
eth2 -- to the DMZ

The firewall is the faster of the two machines (1002 MHz Centaur
VIA Nehemiah stepping 03 with 491456k RAM running a 2.4.19 kernel, cf. a 273MHz AMD-K6tm w/ MME
stepping 00 with 131072k RAM running 2.4.18).

Something is presumably intervening in the DNS lookups from and via
the firewall by the local network that isn't intervening for the
lookups the server passes through the firewall by masquerading. The
shorewall rules allow domain (port 53) access to the net from the
firewall, the dmz and the local network and there are no iptables
complaints matching the slow lookups in /var/log/messages so I don't
think I've simply misconfigured my iptables rules to disallow lookups!

I'm sure likely culprits are obvious to those who know more about
iptables and masquerading/DNAT than I do.  Hugely appreciate
suggestions and advice as this is really slowing things down to a
crawl.

TIA,

Chris
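The numbers above mix two things: the resolver library on each host (resolv.conf, reverse lookups, retries) and the network path the packets take through the firewall (masquerade for the DMZ, DNAT for the LAN). The following is an added example, not code from the original post, that separates them: it hand-builds a DNS query, sends it as a single raw UDP datagram from a chosen source address, and times the round trip, so the same question can be asked from the firewall's eth0, eth1 and eth2 addresses with no resolver library in the way. The server address, hostname and source interface addresses are whatever you pass in; the embedded response used for the offline test is constructed, not captured traffic.

```python
import socket
import struct
import time
import random


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (recursion desired) for `name`.
    Returns (txid, wire bytes)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    # Header: id, flags (RD=0x0100), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        qname += struct.pack("B", len(raw)) + raw
    qname += b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(pkt, off):
    """Decode a possibly compressed name at `off`; return (name, next_off)."""
    labels = []
    end = None
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(pkt, expected_txid):
    """Parse a DNS response; return {'rcode': int, 'a': [dotted IPv4, ...]}."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):            # skip the echoed question section
        _, off = _read_name(pkt, off)
        off += 4                   # qtype + qclass
    answers = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            answers.append(socket.inet_ntoa(rdata))
    return {"rcode": rcode, "a": answers}


def probe(name, server, src_ip=None, timeout=5.0):
    """One raw UDP query to `server`:53, optionally bound to `src_ip`.
    Returns (seconds, parsed response) or (seconds, None) on timeout."""
    txid, query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if src_ip:
            s.bind((src_ip, 0))    # pick the interface the packet leaves by
        s.settimeout(timeout)
        t0 = time.monotonic()
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return time.monotonic() - t0, None
        return time.monotonic() - t0, parse_response(data, txid)


# Constructed sample (not captured traffic): a reply to the www.leeds.ac.uk
# query with txid 0x1234, flags 0x8180 (QR, RD, RA, NOERROR), one A answer
# whose owner name is a compression pointer (0xc00c) back to the question.
SAMPLE_RESPONSE = (
    bytes.fromhex("1234 8180 0001 0001 0000 0000")
    + b"\x03www\x05leeds\x02ac\x02uk\x00\x00\x01\x00\x01"
    + bytes.fromhex("c00c 0001 0001 00000e10 0004 810b1509")
)


def parse_sample():
    """Parse the constructed sample reply (offline check of the parser)."""
    return parse_response(SAMPLE_RESPONSE, 0x1234)


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 3:   # probe.py NAME SERVER [SOURCE_IP]
        src = sys.argv[3] if len(sys.argv) > 3 else None
        secs, res = probe(sys.argv[1], sys.argv[2], src)
        print("%.3fs %s" % (secs, res))
    else:
        print(parse_sample())
```

Run it on the firewall once per interface address (eth0, eth1, eth2) against the ISP resolver and compare with `time host`. If the raw probes come back in tens of milliseconds from every address but `host` still takes seconds, the delay is in the resolver path on the host (the nameserver list, search domains, or a reverse lookup that times out), not in the firewall rules. If the raw probe is slow or times out only when bound to one address, the problem is in how traffic from that address is treated by the NAT rules or the router. A five-second timeout with no reply is the signature of a dropped packet rather than a slow server.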


