DNS lookup for a system on the same subnet

 
 
Jay
      01-11-2005, 05:24 AM
Hi,

I am new to networking on Linux, but can find my way around. I am
hoping this is the correct group to post my question in... if not
please point me in the right direction.

We have a Redhat linux system w/ Tomcat running (192.168.2.253), and
a Windows system with MS SQL server(192.168.2.254), which our tomcat
apps access.

The DB access is extremely slow, so I used Ethereal to capture
packets, and what I noticed was that the Linux box was doing DNS
lookups with the ISP's DNS servers for looking up the Windows box
(192.168.2.254). I did notice an ARP packet much later: "who has
192.168.2.254".

From my limited knowledge, this doesn't make sense; shouldn't the
Linux box just do the ARP lookup, since the other system is on the
same subnet?

ifconfig gives the following:

eth0 Link encap:Ethernet HWaddr 00:0F:20:7A:F9:F6
inet addr:192.168.2.253 Bcast:192.168.2.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:597483 errors:0 dropped:0 overruns:0 frame:0
TX packets:217629 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:62154341 (59.2 Mb) TX bytes:43471241 (41.4 Mb)
Interrupt:18

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:244 errors:0 dropped:0 overruns:0 frame:0
TX packets:244 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:18295 (17.8 Kb) TX bytes:18295 (17.8 Kb)

Thanks for any help!
Jay
 
Davide Bianchi
      01-11-2005, 06:28 AM
On 2005-01-11, Jay <root@127.0.0.1> wrote:
> packets, and what I noticed was that the Linux box was doing DNS
> lookups with the ISP's DNS servers for looking up the Windows box


The question is: why is your Tomcat server using your ISP DNS at all?
Shouldn't it use the internal DNS/host file for internal IPs/names?

Davide

--
PC's are designed by a committee of people who are in different companies
in different countries and who never talk to each other.
And nobody speaks the same language and they hate each other...
-- Derick Siddoway & Chris Adams
 
 
Andrew Schulman
      01-11-2005, 01:33 PM
> On 2005-01-11, Jay <root@127.0.0.1> wrote:
> > packets, and what I noticed was that the Linux box was doing DNS
> > lookups with the ISP's DNS servers for looking up the Windows box

>
> The question is: why is your Tomcat server using your ISP DNS at all?
> Shouldn't it use the internal DNS/host file for internal IPs/names?


Good point. Maybe /etc/hosts hasn't been set up correctly to include
the LAN hosts.

dnsmasq may help here: it can do local lookups from /etc/hosts, forward
everything else upstream, and cache the results to give a faster
response to future queries.

--
To reply by email, replace "deadspam.com" by "alumni.utexas.net"
 
 
prg
      01-11-2005, 01:44 PM

Jay wrote:
> Hi,
>
> I am new to networking on Linux, but can find my way around. I am
> hoping this is the correct group to post my question in... if not
> please point me in the right direction.
>
> We have a Redhat linux system w/ Tomcat running (192.168.2.253), and
> a Windows system with MS SQL server(192.168.2.254), which our tomcat
> apps access.
>
> The DB access is extremely slow, so I used Ethereal to capture
> packets, and what I noticed was that the Linux box was doing DNS
> lookups with the ISP's DNS servers for looking up the Windows box
> (192.168.2.254). I did notice an ARP packet much later: "who has
> 192.168.2.254".
>
> From my limited knowledge, this doesn't make sense; shouldn't the
> Linux box just do the ARP lookup, since the other system is on the
> same subnet?


If the Linux box is looking for a _name_ then the sequence is:
1) look up name and fetch IP x.x.x.x
2) check for IP x.x.x.x in arp cache
3) not there, send arp request broadcast to subnet (who has IP x.x.x.x?)
4) store IP x.x.x.x in arp cache
5) use MAC address to place the IP packet in ethernet frame and set up connection

> ifconfig gives the following:
>
> eth0 Link encap:Ethernet HWaddr 00:0F:20:7A:F9:F6
> inet addr:192.168.2.253 Bcast:192.168.2.255
> Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:597483 errors:0 dropped:0 overruns:0 frame:0
> TX packets:217629 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:62154341 (59.2 Mb) TX bytes:43471241 (41.4 Mb)
> Interrupt:18
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> UP LOOPBACK RUNNING MTU:16436 Metric:1
> RX packets:244 errors:0 dropped:0 overruns:0 frame:0
> TX packets:244 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:18295 (17.8 Kb) TX bytes:18295 (17.8 Kb)


Without an entry in /etc/hosts (e.g.) Linux must look up the name of Win
host. Since you don't have a DNS name server, it uses your ISP's.
This _should_ time out unless you have some reason for placing a DNS
record for Win box there. Real question I have is how _is_ it
resolving Win name at all? What is output of $ /sbin/route ? Output
of $ /sbin/route -n ?

Could be something in your lan setup you've not told us about, your
nsswitch lookup rules, and a couple of other things.

Why code request to Win box by name? Why not provide a name service on
lan? Why not make /etc/hosts entry for Win box on your Linux machine?
Do you need something like this?
http://www.thekelleys.org.uk/dnsmasq/doc.html

Start up ethereal, start a capture, clear the arp cache on Linux box,
make request for Win box by name, watch your packets and see what's
going onto the wire to resolve the name to IP, the IP to MAC, the SYN
request to set up connection. Fix the problem re: name resolution via
the means suited for your setup.

hth,
prg
email above disabled

 
 
Jay
      01-12-2005, 02:46 AM
Hi,

Thanks for the responses.

From some reading I found the following _might_ be the problem: Reverse
DNS lookups (even for local addresses - 192.168.x.x) timing out with
the ISP's nameservers. This problem also comes up when I SSH into the
box via VPN - after giving the password, it takes a few seconds (<10)
to get to the prompt.

If I do a traceroute from the Linux box (192.168.2.253) to the Windows
system (192.168.2.254), it is painfully slow, even though it is only one
hop --

# traceroute 192.168.2.254
traceroute to 192.168.2.254 (192.168.2.254), 30 hops max, 38 byte
packets
<<-- 15 sec delay -->>
1 192.168.2.254 (192.168.2.254) 0.160 ms 0.162 ms 0.093 ms

The packets I captured with tcpdump show that for the traceroute above,
it queries the two DNS servers at the ISP... after the first server
times out, I see an ARP request "who has 192.168.2.254? Tell
192.168.2.253". Then for some reason, it queries the second DNS server,
and obviously that times out as well.

When I rename the file /etc/resolv.conf - everything speeds up. The
apps on Tomcat are as fast as possible, and the traceroute to Windows
is also fast.

Also, when I add the windows box's IP to the /etc/hosts file, the
delays between the systems are gone.

However, I am not sure if either of these (renaming resolv.conf or
adding _all_ local systems to the hosts file) are the right way to fix
the problem or avoid future issues.

I read online some instructions on editing the named.conf file, but
would like to be sure if that is the way to go... I don't have this
file, though I do have a named.custom file. Any pointers?

Following are some of the files:

--- begin /etc/resolv.conf---
nameserver 205.171.3.65
nameserver 198.6.1.3
search
--- end /etc/resolv.conf---

--- begin /etc/hosts (real domain name replaced by xx) ---
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost
192.168.2.253 oakdev02.xx.com oakdev02
--- end /etc/hosts ---

--- begin /etc/named.custom ---
## named.custom - custom configuration for bind
#
# Any changes not currently supported by redhat-config-bind should be
# put in this file.
#

zone "." {
type hint;
file "named.ca";
};

options {
directory "/var/named/";
};

--- end /etc/named.custom ---

Note that there is no file "named.ca" on the system, and there are no
files under the directory /var/named/ .

Thanks for all the help!
Jay
 
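The condition described in the post above, as an added example that is not part of the original thread: a Python check that reads resolv.conf and hosts text and reports which LAN peers would have their reverse (PTR) lookups sent to non-private nameservers. The inputs are constructed from the files quoted in the post, the function names are hypothetical, and the check assumes the resolver consults /etc/hosts before DNS.

```python
import ipaddress

# Constructed inputs, copied from the files quoted in the post above.
RESOLV_CONF = """\
nameserver 205.171.3.65
nameserver 198.6.1.3
search
"""
HOSTS = """\
127.0.0.1 localhost.localdomain localhost
192.168.2.253 oakdev02.xx.com oakdev02
"""

def parse_nameservers(text):
    """Return the nameserver addresses listed in resolv.conf text."""
    servers = []
    for line in text.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(ipaddress.ip_address(fields[1]))
    return servers

def parse_hosts(text):
    """Map each address in hosts-file text to its list of names."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#")[0].split()
        if len(fields) >= 2:
            table.setdefault(ipaddress.ip_address(fields[0]), []).extend(fields[1:])
    return table

def audit_reverse_lookups(resolv_text, hosts_text, peers):
    """For each peer, report where a reverse (PTR) lookup would be answered."""
    external = [str(ns) for ns in parse_nameservers(resolv_text) if not ns.is_private]
    hosts = parse_hosts(hosts_text)
    report = {}
    for peer in map(ipaddress.ip_address, peers):
        if peer in hosts:
            report[str(peer)] = ("hosts", hosts[peer][0])
        elif peer.is_private and external:
            # Private-range PTR query that would be sent off the LAN.
            report[str(peer)] = ("leaks", peer.reverse_pointer, external)
        else:
            report[str(peer)] = ("dns", peer.reverse_pointer)
    return report

if __name__ == "__main__":
    peers = ["192.168.2.253", "192.168.2.254"]
    for ip, verdict in audit_reverse_lookups(RESOLV_CONF, HOSTS, peers).items():
        print(ip, verdict)
```

Adding a line for 192.168.2.254 to the hosts text moves that peer from "leaks" to "hosts", which matches the fix reported in the post.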
 
prg
      01-12-2005, 05:45 AM

Jay wrote:
> Hi,
>
> Thanks for the responses.
>
> From some reading I found the following _might_ be the problem: Reverse
> DNS lookups (even for local addresses - 192.168.x.x) timing out with
> the ISP's nameservers. This problem also comes up when I SSH into the
> box via VPN - after giving the password, it takes a few seconds (<10)
> to get to the prompt.

They _should_ time out -- this is good

> If I do a traceroute from the Linux box (192.168.2.253) to the Windows
> system (192.168.2.254), it is painfully slow, even though it is only one
> hop --

Still no $ /sbin/route -n output or explicit confirmation that .253 and
.254 are on the same subnet. Presume so. Means there are _no_ hops
between them. None of their frames to each other should enter a
router. Just ARP, build an ethernet frame, and ship off the packets.

> # traceroute 192.168.2.254
> traceroute to 192.168.2.254 (192.168.2.254), 30 hops max, 38 byte
> packets
> <<-- 15 sec delay -->>
> 1 192.168.2.254 (192.168.2.254) 0.160 ms 0.162 ms 0.093 ms
>
> The packets I captured with tcpdump show that for the traceroute above,
> it queries the two DNS servers at the ISP... after the first server
> times out, I see an ARP request "who has 192.168.2.254? Tell
> 192.168.2.253". Then for some reason, it queries the second DNS server,
> and obviously that times out as well.

For the traceroute, it indicates broken route tables or TCP settings.
My vote is broken route table(s). Or one _really_ messed up firewall.

Because you have provided no local means to resolve the _names_ the DNS
servers of the ISP are consulted (that's what your resolv.conf said to
do).

> When I rename the file /etc/resolv.conf - everything speeds up. The
> apps on Tomcat are as fast as possible, and the traceroute to Windows
> is also fast.

Did you clear the ARP caches of all the hosts before "testing"?

Not being able to see your routing tables on the hosts I cannot give
you any confident answer -- so I offer none. Your resolv.conf is
vanilla -- you don't need the search term if it's left blank. Boinking
source? You never know.

> Also, when I add the windows box's IP to the /etc/hosts file, the
> delays between the systems are gone.


That's what the hosts file is for -- name resolution. At one time they
were used and maintained by "hand" on the _entire_ internet. How times
change.

> However, I am not sure if either of these (renaming resolv.conf or
> adding _all_ local systems to the hosts file) are the right way to fix
> the problem or avoid future issues.

What populates resolv.conf? DHCP server? You? Except to say you need
it now or will some day, I can't really offer an answer. My RH
resolv.conf file reads like this (populated via DHCP):

; generated by /sbin/dhclient-script
nameserver 24.204.0.4
nameserver 24.204.0.5

That's the whole thing -- every byte, nothing added. Did you edit or
add anything to the output below? The banners? Is that the exact
file?

/etc/hosts is a perfectly viable solution if you can manage the files
on each host on your lan. The link I gave you is based on them but can
provide better service across subnets and acts as a DNS cache -- fewer
lookups at the ISP.

> I read online some instructions on editing the named.conf file, but
> would like to be sure if that is the way to go... I don't have this
> file, though I do have a named.custom file. Any pointers?


For a lan of modest size named is overkill -- you'll spend more time
setting it up, maintaining it, understanding it than you'll ever spend
with something like dnsmasq. Modest is, say, < 50, depending on
physical location/spread and how valuable is an excuse to get out from
the desk. Might even go to 100 if it allowed me to meet interesting
co-workers ;-)

Once you've built your hosts files and placed them they are not likely
to change that much -- one or two, here and there, now and then.

They can provide an avenue for mischief, but I've never had any
problems with them.

> Following are some of the files:
>
> --- begin /etc/resolv.conf---
> nameserver 205.171.3.65
> nameserver 198.6.1.3
> search
> --- end /etc/resolv.conf---
>
> --- begin /etc/hosts (real domain name replaced by xx) ---
> # Do not remove the following line, or various programs
> # that require network functionality will fail.
> 127.0.0.1 localhost.localdomain localhost
> 192.168.2.253 oakdev02.xx.com oakdev02
> --- end /etc/hosts ---
>

[snip]

I would go with /etc/hosts if possible. I would make sure I understood
very well the ins-n-outs of bind's setup if I _needed_ to _deploy_ it.
My first efforts would be to find a means not to need it. Get it
just a little wrong and you can mess up a network real fast -- with the
press of an ON button.

hth,
prg
email above disabled

 