Period of Slow dns resolution and I need Help!!!!

Joe Hardin

Here's my setup:

Windows 2000 servers. Very stable and extremely stable intranet dns
resolution for over 2 years.

New Bell T-1 to the internet with a high end Symantec firewall.

Dns forwarding is setup on the internal Win 2K dns servers. They forward to
the Bell dns servers, (2 of them).

The firewall does not play a role in the dns forwarding, we had that
function disabled because it was slow.

*********************

Here's the problem:

You can have very good browsing for many hours in the day. When loading a
site like www.cnn.com, the site will start loading within 2-3 seconds and
the user is satisfied.

Then you'll go thru a period, where the wait for what appears to be external
resolution and the return of the http data to the browser will increase to
5-12 seconds. Very seldom will it timeout, but you know that something is
running slow and not efficiently. Bell provided 2 dns servers for us to
forward to, and they are properly setup on our internal dns servers.

I don't really know why we are experiencing this. Finally, when a webpage
loads, after that, any browsing to subsequent links on that page are very
fast. So if you are in a slow period and the home page of cnn loads after
10 seconds, then any other links on that page will load in 1-2 seconds.

Can anyone provide any direction? I would appreciate anyone's help or
advice. Sometimes there is advice to check the number of hops to a site,
but I don't know how many hops or latency is too much for a resolution.


Thanks again,

Joe Hardin
Taylorsville, MS

(e-mail address removed)
 
Ace Fekay [MVP]

In Joe Hardin <[email protected]> made a post then I commented below
:: Here's my setup:
::
:: Windows 2000 servers. Very stable and extremely stable intranet dns
:: resolution for over 2 years.
::
:: New Bell T-1 to the internet with a high end Symantec firewall.
::
:: Dns forwarding is setup on the internal Win 2K dns servers. They
:: forward to the Bell dns servers, (2 of them).
::
:: The firewall does not play a role in the dns forwarding, we had that
:: function disabled because it was slow.
::
:: *********************
::
:: Here's the problem:
::
:: You can have very good browsing for many hours in the day. When
:: loading a site like www.cnn.com, the site will start loading within
:: 2-3 seconds and the user is satisfied.
::
:: Then you'll go thru a period, where the wait for what appears to be
:: external resolution and the return of the http data to the browser
:: will increase to 5-12 seconds. Very seldom will it timeout, but you
:: know that something is running slow and not efficiently. Bell
:: provided 2 dns servers for us to forward to, and they are properly
:: setup on our internal dns servers.
::
:: I don't really know why we are experiencing this. Finally, when a
:: webpage loads, after that, any browsing to subsequent links on that
:: page are very fast. So if you are in a slow period and the home
:: page of cnn loads after 10 seconds, then any other links on that
:: page will load in 1-2 seconds.
::
:: Can anyone provide any direction? I would appreciate anyone's help
:: or advice. Sometimes there is advice to check the number of hops to
:: a site, but I don't know how many hop or latency is too much for a
:: resolution.
::
::
:: Thanks again,
::
:: Joe Hardin
:: Taylorsville, MS
::
:: (e-mail address removed)

Wow, this was cross-posted to many newsgroups. Since it's a DNS question, I
would think this post would be beneficial to keep it to the DNS
newsgroup(s). However, I replied to all of them to benefit everyone to see a
response.

That said, not sure what DNS addresses they provided you that you are using
for forwarding. Did you confirm they can be used as a forwarder? You can
test this yourself as well, just by using:
nslookup -d2
You will see a question and answer in the top portion. Recursion Desired
would be the question, Recursion Available would be the answer in the answer
section. If you do not see Recursion Available, that will tell us they
cannot be used as a forwarder. If this is the case, your DNS server is
reverting to the Root Hints, which can show a *slight* delay, but not
always.

Here's an example using server 4.2.2.2 (one of GTE's servers) which shows
Recursion is available in the "Got Answer" section. You can see where I
typed in 'server 4.2.2.2'. That changed the focus for nslookup to use
4.2.2.2 instead of my 192.168.5.200 DNS server.

------------------------------------------
C:\>nslookup -d2
------------
Default Server: london.nwtraders.msft
Address: 192.168.5.200
(I snipped the extra stuff here...)
server 4.2.2.2
------------
SendRequest(), len 38
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: query, want recursion
questions = 1, answers = 0, authority records = 0, additional = 0

QUESTIONS:
2.2.2.4.in-addr.arpa, type = PTR, class = IN

------------
------------
Got answer (190 bytes):
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 3, additional = 3
------------------------------------------


If you want, try 4.2.2.2 as the only forwarder and see if it improves.

--
Regards,
Ace

G O E A G L E S !!!
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.
 
Joe Hardin

Ace,

Thanks so much for answering, you've answered some of my questions before
and I appreciate it.

I've tried the nslookup -d2 query as you've suggested. (I've never used
that option of nslookup before). The first Bell dns IP is: 205.152.132.23
and it responded with: "recursion avail". I then tried the 2nd Bell dns
IP: 205.152.37.23 and the first time or so, it timed out with no response,
then after about a period of 90 seconds it responded properly with:
"recursion avail". Does that mean the 2nd server was down?

Can those servers be expected to go down very often? That makes me think
that I may want more than 2 forwarders in my internal dns system?

Also, please keep in mind on my internal dns servers I do not have recursion
enabled, (that is the box is "unchecked" if I remember correctly).

I would appreciate any additional comments.

Thanks again,

Joe Hardin
(e-mail address removed)


 
Ace Fekay [MVP]

In Joe Hardin <[email protected]> made a post then I commented below
:: Ace,
::
:: Thanks so much for answering, you've answered some of my questions
:: before and I appreciate it.
::
:: I've tried the nslookup -d2 query as you've suggested. (I've never
:: used that option of nslookup before). The first Bell dns IP is:
:: 205.152.132.23 and it responded with: "recursion avail". I then
:: tried the 2nd Bell dns IP: 205.152.37.23 and the first time or so,
:: it timed out with no response, then after about a period of 90
:: seconds it responded properly with: "recursion avail". Does that
:: mean the 2nd server was down?
::
:: Can those servers be expected to go down very often? That makes me
:: think that I may want more than 2 forwarders in my internal dns
:: system?
::
:: Also, please keep in mind on my internal dns servers I do not have
:: recursion enabled, (that is the box is "unchecked" if I remember
:: correctly).
::
:: I would appreciate any additional comments.
::
:: Thanks again,
::
:: Joe Hardin
:: (e-mail address removed)
::

Hi Joe,

Glad I was able to help you out in the past.

I tried 205.152.37.23 and got time outs as well. I guess that baby's down.
If you use more than two forwarders, it will still behave with the delay if
it hits a bad one first. I would just eliminate this one and replace it with
a known good one, like 4.2.2.2. Keep the other one as the first one. I would
also enable recursion (the checkbox at the bottom of the forwarders tab).
This way if all the forwarders go down, at least it will use the Roots.

Ace
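
Added example, not part of the original thread: a Python version of the two checks discussed above, the "recursion avail." flag that `nslookup -d2` prints and a timed probe that exposes a forwarder that does not answer. The function names are hypothetical and the two sample headers are constructed; the first mirrors the flags in the "Got answer" output quoted earlier.

```python
import socket, struct, time

QR, AA, RD, RA = 0x8000, 0x0400, 0x0100, 0x0080  # DNS header flag bits (RFC 1035)

def build_query(name, qtype=1, qid=2):
    """DNS query with RD set, which nslookup prints as 'want recursion'."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)

def parse_header(packet):
    """Decode the 12-byte header into the fields nslookup shows under HEADER:."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": qid, "rcode": flags & 0xF, "response": bool(flags & QR),
            "auth_answer": bool(flags & AA), "want_recursion": bool(flags & RD),
            "recursion_avail": bool(flags & RA), "counts": (qd, an, ns, ar)}

def usable_as_forwarder(header):
    """A forwarder must actually answer and advertise Recursion Available."""
    return header is not None and header["response"] and header["recursion_avail"]

def probe(server, name="www.cnn.com", timeout=3.0):
    """Return (header, seconds); header is None when the server never replied."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(query, (server, 53))
            reply, _ = sock.recvfrom(512)
        except socket.timeout:
            return None, time.monotonic() - start
    return parse_header(reply), time.monotonic() - start

# Constructed samples: a recursive resolver's reply and a non-recursive server's reply.
SAMPLE_RECURSIVE = struct.pack("!HHHHHH", 2, QR | AA | RD | RA, 1, 1, 3, 3)
SAMPLE_NO_RECURSION = struct.pack("!HHHHHH", 2, QR | RD, 1, 0, 13, 0)

if __name__ == "__main__":
    for srv in ("4.2.2.2",):  # list each configured forwarder here
        hdr, secs = probe(srv)
        print(srv, "usable" if usable_as_forwarder(hdr) else "NOT usable", f"{secs:.2f}s")
```

Running the probe repeatedly over a day against each forwarder shows whether the slow periods line up with one server timing out.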
 
