[Cialug] Inconsistent consistently long DNS lookup times

Zachary Kotlarek zach at kotlarek.com
Tue Mar 9 23:22:58 CST 2010


On Mar 9, 2010, at 10:18 PM, Colin Burnett wrote:

>> getaddrinfo



I'm guessing you're using glibc-2.9 or later. If that's the case, this is what's happening:

getaddrinfo(3) does parallel IPv6 and IPv4 lookups by default, since glibc-2.9. It waits for both requests to come back before it passes data upstream because many names with AAAA records also have A records, and you can't tell if that's true until you get both replies back. Unfortunately some DNS servers simply ignore AAAA requests. They should send back NXDOMAIN or some other NAK, but instead they just silently drop the request. When this happens glibc sits and waits for an AAAA reply that's not coming, retrying occasionally, and it takes a good long time to time out and return what it got from the A reply.

This is (mostly) fixed in glibc-2.10, where the first lookup tries parallel A and AAAA lookups, but drops back to IPv4-only if it never gets replies to AAAA queries. Unfortunately "first" just means "first since this thread of glibc was loaded", so it can still be pretty slow for one-shot programs. Luckily 2.10 also adds a static workaround -- you can add "option single-request" to resolv.conf to force compatibility mode even on the first lookup.

Disabling IPv6 support in the kernel doesn't have any effect because glibc is not using IPv6, it's just sending AAAA queries over normal IPv4 DNS. It fixes Firefox and some other programs because those programs figure out that it's not worth asking for IPv6 addresses when there's no way to connect to those addresses. But the DNS resolver doesn't know if you might find the IPv6 info useful (you could just be running a lookup for reporting purposes, rather than attempting to open a connection), so it asks every time unless you tell it not to.

--

There are two options to make this go away. The first is to point to a DNS server that will reply to AAAA queries. It doesn't have to send a useful answer to them -- it can just whine about how silly you are to ask and never provide any useful data -- but it needs to not silently ignore them. If you don't want to change DNS servers you could run a local DNS proxy to isolate yourself from the issue. It's pretty easy to set up bind or dnscache or somesuch to listen on your loopback and provide DNS caching without additional hardware.

The other option is to get a different glibc. 2.8 and earlier don't try AAAA queries at all. 2.10 and later try AAAA, but fail more gracefully when your DNS server is broken, and have an option to bypass the troublesome behavior. And any version could be patched to disable AAAA queries, which is what a lot of distros did to avoid this issue when 2.9 came out.

	Zach
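
A way to confirm the diagnosis above, as an added example that is not part of the original post: send one A and one AAAA query straight to a resolver over IPv4 UDP and see whether the AAAA query gets any reply at all. The function names, the two-second timeout and the default server address 192.0.2.53 (a documentation placeholder) are assumptions of this sketch.

```python
import random
import socket
import struct
import sys

QTYPE = {"A": 1, "AAAA": 28}


def build_query(name, qtype, txid):
    """Encode a one-question DNS query (RFC 1035), recursion desired, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)


def probe(server, name, qtype, port=53, timeout=2.0):
    """Return the reply's RCODE, or None if no matching reply arrives in time."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((server, port))  # only accept datagrams from this server
            s.send(build_query(name, qtype, txid))
            while True:
                data = s.recv(4096)
                if len(data) >= 12 and struct.unpack("!H", data[:2])[0] == txid:
                    return data[3] & 0x0F  # low nibble of flags = RCODE
        except OSError:  # timeout, or ICMP port unreachable
            return None


def classify(server, name, port=53, timeout=2.0):
    """Tell a server that drops AAAA apart from one that answers (even with an error)."""
    a = probe(server, name, "A", port, timeout)
    aaaa = probe(server, name, "AAAA", port, timeout)
    if a is None and aaaa is None:
        return "unreachable"
    if a is not None and aaaa is None:
        return "drops-aaaa"  # the behaviour that stalls getaddrinfo
    return "answers-both"


if __name__ == "__main__":
    # 192.0.2.53 is a placeholder; pass the nameserver from your resolv.conf.
    server = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.53"
    name = sys.argv[2] if len(sys.argv) > 2 else "example.com"
    print(server, classify(server, name))
```

Any reply to the AAAA probe, including an error RCODE, counts as "answers-both", since what matters here is whether the server replies at all.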
