Hey Louis,

Thanks for the feedback. Indeed I do understand if someone wants to have a fast DNS resolution. However there are things which are not under our domain and control. For example the root DNS servers can be unreachable for a second or more sometimes to specific areas. I cannot change the way optic communication cables are managed, but I can control my Windows or proxy. Since the proxy can be tuned easily compared to the root servers themselves or any other lower level DNS services, I might choose to use a proxy.

In the ISP world the provider has two or more DNS servers which sometimes can respond slower than expected. It's a fact that we need two or more DNS servers, but when you manage a DNS server or start a BIND recursive server you will be able to see this issue. On the first recursive request for a link with 20-80+ ms delay it is possible that either a packet is lost on the way or that the overall response is higher than 10 seconds.

The only reasonable solution I can see is to set the clients or the proxy according to the environment. For example a local on-premise DNS caching service (dnsmasq, unbound, bind) should help a bit in some cases. The next level is to pre-warm the cache for the root servers. If this doesn't help, fix the clients' Windows timeout from 2 seconds to more (10-15). If the above seems not to resolve the issues, then and only then it's the proxy time.

I think I found the basic way to define this in the Windows registry but I'm not sure.
These documents describe this issue:
https://docs.microsoft.com/en-us/previous-versions//cc977482(v=technet.10)?redirectedfrom=MSDN
https://serverfault.com/questions/431207/adjust-windows-dns-timeout-similar-to-the-linux-resolv-conf
https://thehotery.name/windows/network/dns
https://groups.google.com/g/microsoft.public.windows.inetexplorer.ie6.browser/c/TrUhaEZEtIw/m/dZOB6Z8AvN0J

The default registry key is not present but the value is:

## START of text file
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DNSQueryTimeouts"=hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,00,00
## END of text file

A modified one is:

## START of text file
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DNSQueryTimeouts"=hex(7):34,00,00,00,38,00,00,00,38,00,00,00,31,00,36,00,00,00,33,00,32,00,00,00,00,00
## END of text file

I have not tested it yet. But in Windows nslookup you can change the timeout using:
set timeout=10
and test the server for timeout issues. This is common to see in Windows: the first lookup would fail after 2 seconds but the next one will get a result. If the client waits long enough he will receive the packet, and the resolution is fast compared to a fully recursive one every time.

I think that this timeout deserves a wiki page.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: ngtech1ltd@xxxxxxxxx

On Wed, Dec 30, 2020 at 12:57 PM L.P.H. van Belle <belle@xxxxxxxxx> wrote:
>
> And, yes I agree, DNS over TLS might be slower, but really, if you have to wait seconds for a DNS reply... imagine..
> Lots of websites have 10-20 hosts in them, if you have to wait 10 sec for a website, well, I'm gone already then.
>
> That's why I also showed the direct tests of my internal authoritative DNS servers. ( and I can pick any host, will show the same results ).
>
> All I'm saying is, before you are going to hunt for "possible" problems,
> make sure the resolving is perfectly set up.
> It will fix at least a lot of problems.
>
> I just don't like DNS over HTTPS..
> https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
>
> https://www.samknows.com/blog/dns-over-https-performance
>
> Good articles to read.
>
> Enjoy.
>
> Greetz,
>
> Louis
>
> > -----Original message-----
> > From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Klaus Westkamp
> > Sent: Wednesday 30 December 2020 10:57
> > To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> > Subject: Re: Anyone has experience with Windows clients DNS timeout
> >
> > Hi,
> >
> > I fully agree with Amos. I experience several seconds delay these days in resolving names.
> >
> > Using Google, which is having a very fast and heavily caching DNS, is not a good example for recreating this effect.
> >
> > I could imagine that the several DNS encryption methods, DNS-over-TLS and -over-HTTPS, that are only supported by some, are adding to that delay, as they require more overhead and also the client has to find out which method is supported and which not.
> >
> > Cheers,
> >
> > Klaus Westkamp
> >
> > On 30/12/2020 09:07, L.P.H. van Belle wrote:
> > > Hai Elizer
> > >
> > > Sorry, I'm not fully agreeing with Amos here..
> > >
> > > If your DNS is taking 7-10 sec, I would investigate why the DNS is that slow.
> > > Something is off, that simple.
> > >
> > > A small example of my DNS resolving to internet and my LAN DNS servers.
> > >
> > > time dig a www.google.nl @8.8.8.8    @internet dns
> > > real 0m0.115s
> > >
> > > real 0m0.031s @lan dns, lookup 1.
> > > real 0m0.016s @lan dns, lookup 2. (cached one)
> > >
> > > So, in my opinion 7-10 seconds timeout is really off.
> > > In the last we..
> > >
> > > Is the LAN DNS set as an authoritative server.
> > > Are the PCs correctly registering in the DNS with their primary DNS domain.
> > >
> > > In resolv.conf make sure the primary DNS domain is first in resolv.conf
> > > primary.dnsdomain.tld = output of $(hostname -d)
> > >
> > > search primary.dnsdomain.tld (optional extra, other.dnsdomain.tld dnsdomain.tld )
> > > nameserver 192.168.1.1
> > > nameserver 192.168.1.2
> > > nameserver 192.168.1.3
> > > nameserver 192.168.1.4
> > > nameserver 192.168.1.5
> > >
> > > # these are the options to look into also. ( in this order )
> > > options edns0 # allowed 4096 byte packages.
> > > options rotate # if you have more than 1 dns server this can help.
> > > options timeout:3
> > > options no-check-names # don't check for invalid characters such as underscore (_), non-ASCII, or control characters.
> > >
> > > Check the following.
> > > - the DNS server tries to query first to the internet.
> > >   fix might be, resolving (search line) in /etc/resolv.conf
> > >
> > > ipv4 / ipv6, try disabling ipv6 on the windows clients.
> > > DNS is non-authoritative where it might be needed to set it to authoritative.
> > > DNS server is missing forwarding to the authoritative server.
> > > Routing and routing orders
> > > Are EDNS (4096 bytes) big packages allowed
> > > And is the firewall allowing UDP and TCP packages on port 53
> > >
> > > I run 3 samba-AD DNS servers with Bind9_DLZ
> > > My proxy runs a Bind9 caching and forwarding setup.
> > > The primary DNS domain is forwarded to the Samba-AD DNS server.
> > > These are the authoritative servers.
> > >
> > > This is on average my slowest query 0.1-0.2 sec ( on the samba dns )
> > > I checked the last year in my monitoring.
> > > Normal is 0.03-0.01 sec
> > >
> > > If there are problems in samba these days it's in 80% of all cases a resolving setup problem.
> > >
> > > I hope this gave you some ideas.
> > >
> > > Greetz,
> > >
> > > Louis
> > >
> > >> -----Original message-----
> > >> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of NgTech LTD
> > >> Sent: Tuesday 29 December 2020 21:02
> > >> To: Squid Users
> > >> Subject: Anyone has experience with Windows clients DNS timeout
> > >>
> > >> I have seen this issue on Windows clients over the past.
> > >> Windows nslookup shows that the query has timed out after 2 seconds.
> > >> On Linux and xBSD I have researched this issue and have seen that:
> > >> the DNS server is doing a recursive lookup and it takes from 7 to 10++ seconds sometimes.
> > >> When I pre-warm the DNS cache and the results are cached it takes lower than 500 ms for a response to be on the client side and then everything works fine.
> > >>
> > >> I understand that the Windows DNS client times out..
> > >> When using a forward proxy with squid or any other it works as expected since the DNS resolution is done on the proxy server.
> > >> However for this issue I believe that this timeout should be increased instead of moving to DNS over HTTPS.
> > >>
> > >> I would like to hear if anyone has any resolution for this issue on the Windows clients side.
> > >>
> > >> Thanks,
> > >> Eliezer
> > >>
> > >> ----
> > >> Eliezer Croitoru
> > >> Tech Support
> > >> Mobile: +972-5-28704261
> > >> Email: ngtech1ltd@xxxxxxxxx
> > >> _______________________________________________
> > >> squid-users mailing list
> > >> squid-users@xxxxxxxxxxxxxxxxxxxxx
> > >> http://lists.squid-cache.org/listinfo/squid-users
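As an added example (not code from the thread or from the Squid project), the following Python decodes the hex(7) REG_MULTI_SZ syntax used in the two .reg files quoted above, so the per-attempt timeout list can be checked before the file is imported on a Windows client, and encodes a chosen list back into that syntax. The two .reg bodies embedded below are copies of the ones in the thread; the function and constant names are this example's own, and what each entry means is documented in the Microsoft page linked above.

```python
"""Decode/encode the hex(7) (REG_MULTI_SZ) value syntax of Windows .reg files.

Added example for verifying the DNSQueryTimeouts lines quoted in the thread
before importing them; not code from the thread or from the Squid project.
"""
import re

# Constructed copies of the two .reg files quoted in the thread.
DEFAULT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DNSQueryTimeouts"=hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,00,00
'''

MODIFIED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DNSQueryTimeouts"=hex(7):34,00,00,00,38,00,00,00,38,00,00,00,31,00,36,00,00,00,33,00,32,00,00,00,00,00
'''

# Matches the value line; .reg files may wrap long hex data with a trailing
# backslash, which _join_continuations() undoes first.
_VALUE_RE = re.compile(r'^"DNSQueryTimeouts"=hex\(7\):(?P<hex>.*)$', re.M)


def _join_continuations(text):
    """Rejoin lines that a .reg file split with a trailing backslash."""
    return re.sub(r'\\\r?\n\s*', '', text)


def decode_multi_sz(hex_bytes):
    """Turn 'xx,xx,...' REG_MULTI_SZ data into the list of strings it holds.

    The data is UTF-16LE; each string ends with a NUL and the whole list ends
    with one more NUL.  Missing terminators are treated as malformed input.
    """
    raw = bytes(int(b, 16) for b in hex_bytes.replace(' ', '').split(',') if b)
    if len(raw) % 2:
        raise ValueError('REG_MULTI_SZ data must be UTF-16LE, got odd byte count')
    text = raw.decode('utf-16-le')
    if not text.endswith('\0'):
        raise ValueError('REG_MULTI_SZ data lacks its terminating NUL')
    strings = []
    for item in text.split('\0'):
        if item == '':          # first empty item is the list terminator
            break
        strings.append(item)
    return strings


def encode_multi_sz(strings):
    """Inverse of decode_multi_sz(): produce hex(7) data for a .reg file."""
    if any(s == '' or '\0' in s for s in strings):
        raise ValueError('REG_MULTI_SZ entries must be non-empty and NUL-free')
    raw = ''.join(s + '\0' for s in strings).encode('utf-16-le') + b'\0\0'
    return ','.join(f'{b:02x}' for b in raw)


def dns_query_timeouts(reg_text):
    """Return the DNSQueryTimeouts entries of a .reg file as integers (seconds)."""
    match = _VALUE_RE.search(_join_continuations(reg_text))
    if match is None:
        raise ValueError('no DNSQueryTimeouts hex(7) value found')
    values = decode_multi_sz(match.group('hex'))
    if not all(v.isdigit() for v in values):
        raise ValueError(f'non-numeric timeout entry in {values}')
    return [int(v) for v in values]


if __name__ == '__main__':
    for label, reg in (('default', DEFAULT_REG), ('modified', MODIFIED_REG)):
        timeouts = dns_query_timeouts(reg)
        # The sum is the longest a client could wait on one unanswered name
        # if every entry is an attempt timeout, as the thread assumes.
        print(f'{label}: {timeouts}  (total {sum(timeouts)} s)')
    print('re-encoded:', encode_multi_sz(['4', '8', '8', '16', '32']))
```

Running it prints the default list as 1, 2, 2, 4, 8 (17 s in total) and the modified one as 4, 8, 8, 16, 32 (68 s in total), which is what the thread's text claims the two files set; a file whose hex data decodes to something else, or that lacks its terminating NUL, is rejected before it reaches the registry.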