Hai Eliezer,

> -----Original Message-----
> From: NgTech LTD [mailto:ngtech1ltd@xxxxxxxxx]
> Sent: Wednesday 30 December 2020 13:37
> To: L.P.H. van Belle
> CC: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Anyone has experience with Windows clients DNS timeout
>
> Hey Louis,
> Thanks for the feedback.
>
> Indeed I do understand if someone wants to have a fast DNS resolution.
> However there are things which are not under our domain and control.
> For example the root DNS servers can be unreachable for a second or
> more sometimes to specific areas.

Now this I'm having here also; it took me 6 months but my internet provider
is now finally going to fix it.
Often it's out of bandwidth.. in my case this was a change they did in the
background.
In the Netherlands I know lots of fiber providers don't monitor their
bandwidth; I built some monitoring servers for one of them, that's how I know.
They don't care because they just say, ah.. fiber, sufficient bandwidth.. :-/

> I cannot change the way how optic communication cables are managed but
> I can control my Windows or proxy.
> Since the proxy can be tuned easily compared to the root servers
> themselves or any other lower level DNS services I might choose to use
> a proxy.

Test against other DNS servers and track the route they are using.. in my
above problem I tracked this from 5 different providers to find the problem
point.

> In the ISP world the provider has two or more DNS servers which
> sometimes can respond slower than expected.
> It's a fact that we need two or more DNS servers but when you manage a
> DNS server or start a BIND recursive server you will be able to see this
> issue.
> On the first recursive request for a link with 20-80+ ms delay it is
> possible that either a packet is lost on the way or that the overall
> response is higher than 10 seconds.

Also here, if you can monitor your devices, check if you see UDP loss/reject.
> The only reasonable solution I can see is to set the clients or the
> proxy according to the environment.

Both will and should work..

> For example a local on premise DNS caching service (dnsmasq, unbound,
> bind) should help a bit in some cases.
> The next level is to pre-warm the cache for the root servers.
> If this doesn't help fix the Windows clients' timeout from 2 seconds to
> more.. (10-15).

That's still in my opinion the first one you need to track and find where
the delay is happening.

> If the above seems to not resolve the issues then and only then it's
> the proxy time.
>
> I think I found the basic way to define this in the Windows registry
> but not sure.
> These documents can describe this issue at:
>
> https://docs.microsoft.com/en-us/previous-versions//cc977482(v=technet.10)?redirectedfrom=MSDN
> https://serverfault.com/questions/431207/adjust-windows-dns-timeout-similar-to-the-linux-resolv-conf
> https://thehotery.name/windows/network/dns
> https://groups.google.com/g/microsoft.public.windows.inetexplorer.ie6.browser/c/TrUhaEZEtIw/m/dZOB6Z8AvN0J
>
> The default registry key is not present but the value is:
> ## START of text file
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
> "DNSQueryTimeouts"=hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,00,00
> ## END of text file
>
> A modified one is:
> ## START of text file
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
> "DNSQueryTimeouts"=hex(7):34,00,00,00,38,00,00,00,38,00,00,00,31,00,36,00,00,00,33,00,32,00,00,00,00,00
> ## END of text file
>

Beware, you can change that, but I know some parts in Windows use some
Windows DNS, and if you disable/change that, your MS Store might also stop
working. Figured that out the hard way.
:-(

> I have not tested it yet but if it does, in Windows nslookup you
> can change the timeout using:
> set timeout=10
>
> and test the server for timeout issues.
> This is common to see in Windows that the first lookup would fail
> after 2 seconds but the next one will get a result.
> If the client will wait enough he will receive the packet and the
> resolution fast compared to a fully recursive one every time.
>
> I think that this timeout deserves a wiki page.
>
> Thanks,
> Eliezer
>
> ----
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: ngtech1ltd@xxxxxxxxx
>
> On Wed, Dec 30, 2020 at 12:57 PM L.P.H. van Belle <belle@xxxxxxxxx> wrote:
> >
> > And, yes I agree, DNS over TLS might be slower, but really, if you have
> > to wait seconds for a DNS reply... imagine..
> > Lots of websites have 10-20 hosts in them, if you have to wait 10 sec
> > for a website, well, I'm gone already then.
> >
> > That's why I also showed the direct tests on my internal authoritative DNS
> > servers. (and I can pick any host, it will show the same results).
> >
> > All I'm saying is, before you are going to hunt for "possible" problems,
> > make sure the resolving is perfectly set up.
> > It will fix at least a lot of problems.
> >
> > I just don't like DNS over HTTPS..
> > https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
> >
> > https://www.samknows.com/blog/dns-over-https-performance
> >
> > Good articles to read.
> >
> > Enjoy.
> >
> > Greetz,
> >
> > Louis
> >
> >
> > > -----Original Message-----
> > > From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
> > > Klaus Westkamp
> > > Sent: Wednesday 30 December 2020 10:57
> > > To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> > > Subject: Re: Anyone has experience with Windows clients DNS timeout
> > >
> > >
> > > Hi,
> > >
> > > I fully agree with Amos. I experience several seconds delay these days
> > > in resolving names.
> > >
> > > Using Google, which is having a very fast and heavily caching DNS,
> > > is not a good example for recreating this effect.
> > >
> > > I could imagine that the several DNS encryption methods,
> > > DNS-over-TLS and -over-HTTPS, that are only supported by some,
> > > are adding to that delay, as they require more overhead
> > > and also the client has to find out which method is supported and which
> > > not.
> > >
> > > Cheers,
> > >
> > > Klaus Westkamp
> > >
> > >
> > > On 30/12/2020 09:07, L.P.H. van Belle wrote:
> > > > Hai Eliezer
> > > >
> > > > Sorry, I'm not fully agreeing with Amos here..
> > > >
> > > > If your DNS is taking 7-10 sec, I would investigate why the DNS is that
> > > > slow.
> > > > Something is off, that simple.
> > > >
> > > >
> > > > A small example of my DNS resolving to internet and my LAN DNS servers.
> > > >
> > > > time dig a www.google.nl @8.8.8.8    @internet dns
> > > > real 0m0.115s
> > > >
> > > > real 0m0.031s    @lan dns, lookup 1.
> > > > real 0m0.016s    @lan dns, lookup 2. (cached one)
> > > >
> > > > So, in my opinion 7-10 seconds timeout is really off.
> > > > In the last we..
> > > >
> > > > Is the LAN DNS set as an authoritative server.
> > > > Are the PCs correctly registering in the DNS with their primary DNS
> > > > domain.
> > > >
> > > > In resolv.conf make sure the primary DNS domain is first in resolv.conf
> > > > primary.dnsdomain.tld = output of $(hostname -d)
> > > >
> > > > search primary.dnsdomain.tld (optional extra, other.dnsdomain.tld
> > > > dnsdomain.tld )
> > > > nameserver 192.168.1.1
> > > > nameserver 192.168.1.2
> > > > nameserver 192.168.1.3
> > > > nameserver 192.168.1.4
> > > > nameserver 192.168.1.5
> > > >
> > > > # these are the options to look into also. ( in this order )
> > > > options edns0 # allows 4096 byte packets.
> > > > options rotate # if you have more than 1 DNS server this can help.
> > > > options timeout:3
> > > > options no-check-names # don't check for invalid characters such as
> > > > underscore (_), non-ASCII, or control characters.
> > > >
> > > >
> > > > Check the following.
> > > > - the DNS server tries to query first to the internet.
> > > >   fix might be, resolving (search line) in /etc/resolv.conf
> > > >
> > > > ipv4 / ipv6, try disabling ipv6 on the Windows clients.
> > > > DNS is non-authoritative where it might be needed to set it to
> > > > authoritative.
> > > > DNS server is missing forwarding to the authoritative server.
> > > > Routing and routing orders
> > > > Are EDNS (4096 bytes) big packets allowed
> > > > And is the firewall allowing UDP and TCP packets on port 53
> > > >
> > > > I run 3 Samba-AD DNS servers with Bind9_DLZ
> > > > My proxy runs a Bind9 caching and forwarding setup.
> > > > The primary DNS domain is forwarded to the Samba-AD DNS server.
> > > > These are the authoritative servers.
> > > >
> > > > This is on average my slowest query 0.1-0.2 sec ( on the samba dns )
> > > > I checked the last year in my monitoring.
> > > > Normal is 0.03-0.01 sec
> > > >
> > > > If there are problems in Samba these days it's in 80% of all cases a
> > > > resolving setup problem.
> > > >
> > > > I hope this gave you some ideas.
> > > >
> > > >
> > > > Greetz,
> > > >
> > > > Louis
> > > >
> > > >> -----Original Message-----
> > > >> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of
> > > >> NgTech LTD
> > > >> Sent: Tuesday 29 December 2020 21:02
> > > >> To: Squid Users
> > > >> Subject: Anyone has experience with Windows clients DNS timeout
> > > >>
> > > >> I have seen this issue on Windows clients over the past.
> > > >> Windows nslookup shows that the query has timed out after 2 seconds.
> > > >> On Linux and xBSD I have researched this issue and have seen that:
> > > >> the DNS server is doing a recursive lookup and it takes from 7 to 10++
> > > >> seconds sometimes.
> > > >> When I pre-warm the DNS cache and the results are cached it takes
> > > >> lower than 500 ms for a response to be on the client side and then
> > > >> everything works fine.
> > > >>
> > > >> I understand that the Windows DNS client times out..
> > > >> When using a forward proxy with squid or any other it works as expected
> > > >> since the DNS resolution is done on the proxy server.
> > > >> However for this issue I believe that this timeout should be increased
> > > >> instead of moving to DNS over HTTPS.
> > > >>
> > > >> I would like to hear if anyone has any resolution for this issue on
> > > >> the Windows clients side.
> > > >>
> > > >> Thanks,
> > > >> Eliezer
> > > >>
> > > >> ----
> > > >> Eliezer Croitoru
> > > >> Tech Support
> > > >> Mobile: +972-5-28704261
> > > >> Email: ngtech1ltd@xxxxxxxxx
> > > >> _______________________________________________
> > > >> squid-users mailing list
> > > >> squid-users@xxxxxxxxxxxxxxxxxxxxx
> > > >> http://lists.squid-cache.org/listinfo/squid-users
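As an added example (not code from the thread or from any of its posters), a small Python helper that decodes the hex(7) REG_MULTI_SZ DNSQueryTimeouts values quoted in the thread into the per-attempt timeouts they hold, sums the worst-case wait across all attempts, and encodes a list back into the same .reg line format; the two sample registry lines are the ones from the thread, re-joined onto one line.

```python
"""Decode and encode the REG_MULTI_SZ (hex(7)) DNSQueryTimeouts value.

REG_MULTI_SZ is a sequence of UTF-16LE strings, each NUL-terminated, with an
extra NUL closing the list. Each string is one per-attempt timeout in seconds.
"""
import re

# Sample input: the two registry lines quoted in the thread, re-joined onto
# one line (a .reg file wraps long hex values across lines).
DEFAULT_REG = (
    '"DNSQueryTimeouts"=hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,'
    '38,00,00,00,00,00'
)
MODIFIED_REG = (
    '"DNSQueryTimeouts"=hex(7):34,00,00,00,38,00,00,00,38,00,00,00,31,00,36,00,'
    '00,00,33,00,32,00,00,00,00,00'
)


def decode_multi_sz(reg_line):
    """Return the per-attempt timeouts (seconds) encoded in a hex(7) .reg line."""
    _, _, hexpart = reg_line.partition('hex(7):')
    if not hexpart:
        raise ValueError('not a hex(7) value: %r' % reg_line)
    raw = bytes(int(h, 16) for h in re.findall(r'[0-9A-Fa-f]{2}', hexpart))
    timeouts = []
    for item in raw.decode('utf-16-le').split('\x00'):
        if item == '':          # an empty string marks the end of the list
            break
        timeouts.append(int(item))
    return timeouts


def encode_multi_sz(timeouts):
    """Build the .reg line for a list of timeouts, same layout as the thread's."""
    payload = ''.join('%d\x00' % t for t in timeouts) + '\x00'
    raw = payload.encode('utf-16-le')
    return '"DNSQueryTimeouts"=hex(7):' + ','.join('%02x' % b for b in raw)


def worst_case_wait(reg_line):
    """Seconds a client that retries through every attempt would wait in total."""
    return sum(decode_multi_sz(reg_line))


if __name__ == '__main__':
    for name, line in (('default', DEFAULT_REG), ('modified', MODIFIED_REG)):
        print(name, decode_multi_sz(line), 'worst case %ds' % worst_case_wait(line))
```

Decoding shows the default value is 1,2,2,4,8 seconds per attempt (17 s in total) and the modified one 4,8,8,16,32 (68 s), which is the number to weigh against the MS Store caveat in the thread before rolling such a change out.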