![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
I have a problem where recursive DNS lookups are taking a long time. My setup is, Windows/Active Directory DNS on the internal network, and BIND forwarders on the DMZ. The Windows hosts resolve internal queries themselves, and for things not on the local network (DMZ or Internet) they do recursive lookups against the BIND servers in the DMZ. The BIND servers look to the Root Hints if they don't have answer.
It seems that lately when recursively looking up a site that doesn't exist in cache, will take a long time to resolve. If you do an nslookup from the command line, often the first attempt will fail, but then if you immediately try again, it works. Here's an example:
C:\Documents and Settings\user>nslookup www.airliners.net
Server: (mywindowsDNSserver).(mydomain).local
Address: (private IP address)
DNS request timed out.
timeout was 2 seconds.
*** Request to thecb-dwpad1.thecb.local timed-out
C:\Documents and Settings\user>nslookup www.airliners.net
Server: (mywindowsDNSserver).(mydomain).local
Address: (private IP address)
Non-authoritative answer:
Name: www.airliners.net
Address: 69.64.153.151
I'm just having a hard time figuring out where the problem is. I have poured over all the settings many times and everything looks correct. One think I did do was lower the forwarding timeout from 5 seconds to 2 seconds, but that didn't help.
I ran Steve Gibson's DNS performance benchmarking tool, located at the following site: http://www.grc.com/dns/benchmark.htm
This confirmed my seat-of-the-pants impression of DNS. Cached and uncached local lookups were in the hundredths of a second, but dot com lookups were over 5 seconds. In fact all of the public DNS servers were faster on dotcom lookups than my own DNS server sitting 20 feet away.
I really don't want to pull out the recursive lookups because this setup has worked great for me for many years. I need to have multiple zones on the DMZ based servers because it will give different addresses for internal and external lookups of our websites on the DMZ (due to NATting...) and BIND is great for that. But I am about at my wit's end on this problem.
Any ideas?
It seems that lately when recursively looking up a site that doesn't exist in cache, will take a long time to resolve. If you do an nslookup from the command line, often the first attempt will fail, but then if you immediately try again, it works. Here's an example:
C:\Documents and Settings\user>nslookup www.airliners.net
Server: (mywindowsDNSserver).(mydomain).local
Address: (private IP address)
DNS request timed out.
timeout was 2 seconds.
*** Request to thecb-dwpad1.thecb.local timed-out
C:\Documents and Settings\user>nslookup www.airliners.net
Server: (mywindowsDNSserver).(mydomain).local
Address: (private IP address)
Non-authoritative answer:
Name: www.airliners.net
Address: 69.64.153.151
I'm just having a hard time figuring out where the problem is. I have poured over all the settings many times and everything looks correct. One think I did do was lower the forwarding timeout from 5 seconds to 2 seconds, but that didn't help.
I ran Steve Gibson's DNS performance benchmarking tool, located at the following site: http://www.grc.com/dns/benchmark.htm
This confirmed my seat-of-the-pants impression of DNS. Cached and uncached local lookups were in the hundredths of a second, but dot com lookups were over 5 seconds. In fact all of the public DNS servers were faster on dotcom lookups than my own DNS server sitting 20 feet away.
I really don't want to pull out the recursive lookups because this setup has worked great for me for many years. I need to have multiple zones on the DMZ based servers because it will give different addresses for internal and external lookups of our websites on the DMZ (due to NATting...) and BIND is great for that. But I am about at my wit's end on this problem.
Any ideas?