Networking Forums

Slow DNS requests?

 
 
Jim R

 
      03-14-2006, 04:05 AM
I need some help with my outbound requests, which seem much slower than
I think they should. I'm really uncertain of where to look, so I will
tell you what I think might contribute to the problem. I think that the
delay is in resolving the DNS requests.

First a bit of background.

I am running Suse 9.1 on a dual-boot machine in a personal home network.
The problem is apparent on Linux, but not on WinXp on the same
machine. Here is the topology best as I can map it using clumsy ASCII

Charter.net 3 Mbps
       |
       V
 Linksys BEFSR41
  |  |  |  |
  |  |  |  ---> Linksys WAP54G
  |  |  |
  |  |  > n/c
  |  |
  |  |> Dell 400SC Suse 9.1/WinXP
  |
  > guest


Machines connected via the WAP54G run fine.
Guest machines connected via CAT5 to the BEFSR41 run fine.
When running WinXP on the Dell connected via CAT5 to the BEFSR41, it runs fine.

Here's the problem. Running the Dell connected via the same CAT5 to the
BEFSR41 seems very slow in resolving the host name. As soon as the host
name is resolved, performance seems to improve dramatically for that
connection. Subsequent net connection requests are slowed again.

The "slowness" is anything from a few seconds to a dozen seconds or
more. This is apparent when requesting a Web page via a browser
(Firefox or Mozilla). Or by pinging a URL style page (e.g., ping
www.yahoo.com). Or requesting downloads from a remote POP. etc.

In the BEFSR41, I am running DHCP. The Charter.net DNS entered into the
setup there are 241.151.8.210, 241.151.8.211 and 66.189.130.5. I do not
remember where I got those, but it must have been from Charter.net when
I set the system up over a year ago. When I search the Charter.net
support site now, it does not talk about DNS addresses. It almost seems
to go a long way to avoid the subject.

In Suse, I use Yast to enter the DNS setup page. These values seem to
be stored in the file /etc/resolv.conf. It offers one set of entries
for "Name Servers" and a different set for "Domain Search". Under Name
Servers, I have entered the same IPs as shown above in the BEFSR41.
Under Domain Search, I have entered charter.net for lack of something
more clever.

All of that may be a red herring. Hopefully you can point me in the
right direction. I have made a few tweaks in the entries on Suse, and
it had both positive and negative effects on the search, but none seem
to make it as fast as I think is correct.

Another area is my iptables blocking file. I run a small http server,
and as soon as I started it several months ago, the hackers tried to
break in. From the logs, I can see the IPs of the attacking clients. I
read a bit about iptables, and figured that I could block these clients
out by dropping their IP address. I have about 50 entries in the table
so far. Here is the rest of my iptable, which is the default. Perhaps
this is causing my problem -- I hope that you can direct me.

#!/bin/sh
# syntax
# from the sample script

IPTABLES=/usr/sbin/iptables

case "$1" in
start)
    echo -n "Starting IP Firewall and NAT..."
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies

    # Clear old rules
    $IPTABLES -X
    $IPTABLES -F
    $IPTABLES -Z

    # INPUT Rules - Add to this section the ports you wish to explicitly allow connections on
    # Below are some common services that are commonly used
    # Comment out the lines to disable access to these services
    # The port numbers for other services you may wish to allow can be found in the /etc/services file

    $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT  # Allows connections you start

    $IPTABLES -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT  # Allow FTP Connections
    $IPTABLES -A INPUT -i eth0 -p udp --dport 21 -j ACCEPT

    $IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT  # SSH Connections

    $IPTABLES -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT  # HTTP Connections

    $IPTABLES -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT  # SSL Connections

    $IPTABLES -A INPUT -i eth0 -p tcp --dport 137 -j ACCEPT  # SAMBA related ports
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 138 -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -p udp --dport 139 -j ACCEPT

    # Allow pings, but reject the rest
    $IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT
    $IPTABLES -A INPUT -i eth0 -j REJECT
    # here are the ones that I want to exclude, based upon their recent attacks on my system.
    $IPTABLES -A INPUT -s xxx.xx.xxx.xx/24 -j DROP
    $IPTABLES -A INPUT -s yyy.yy.yy.yyy/24 -j DROP
    # (repeats about 45-50 times with varying IPs).

    echo "done."
    ;;
# (stop and restart cases follow then esac)



Thanks in advance for any help,

73 de Jim
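
An added example, not part of the original post, on where the deny entries sit in the script above: iptables walks a chain top to bottom and the first rule with a terminating target decides, so this sketch replays first-match evaluation over an abridged copy of the posted rules. The 203.0.113.0/24 entry and the packet fields are constructed stand-ins for the masked addresses.

```python
import ipaddress
import shlex

# Abridged copy of the posted rules, in the order the script appends them.
# 203.0.113.0/24 is a constructed stand-in for a masked "xxx.xx.xxx.xx/24" entry.
POSTED = """\
-A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A INPUT -i eth0 -j REJECT
-A INPUT -s 203.0.113.0/24 -j DROP
"""
# Same rules with the deny entry moved to the top of the chain.
DENY_FIRST = "\n".join(POSTED.splitlines()[-1:] + POSTED.splitlines()[:-1])

def parse(rule):
    """Map each option to its argument (every option used here takes exactly one)."""
    tok = shlex.split(rule)
    return dict(zip(tok[0::2], tok[1::2]))

def matches(r, pkt):
    """True if the packet satisfies every match the rule specifies."""
    src = ipaddress.ip_address(pkt["src"])
    return (r.get("-i", pkt["iface"]) == pkt["iface"]
            and r.get("-p", pkt["proto"]) == pkt["proto"]
            and int(r.get("--dport", pkt["dport"])) == pkt["dport"]
            and src in ipaddress.ip_network(r.get("-s", "0.0.0.0/0"))
            and pkt["state"] in r.get("--state", pkt["state"]).split(","))

def verdict(rules, pkt):
    """Walk the chain top to bottom; the first matching rule decides."""
    for n, line in enumerate(rules.splitlines(), 1):
        r = parse(line)
        if matches(r, pkt):
            return n, r["-j"]
    return None, "chain policy"

def shadowed(rules, iface="eth0"):
    """Rule numbers that sit below a match-everything rule for `iface`."""
    dead, caught = [], False
    for n, line in enumerate(rules.splitlines(), 1):
        r = parse(line)
        if caught and r.get("-i", iface) == iface:
            dead.append(n)
        caught = caught or (set(r) <= {"-A", "-i", "-j"} and r.get("-i", iface) == iface)
    return dead

# Constructed packet: a new HTTP connection from inside the denied /24.
PKT = {"iface": "eth0", "proto": "tcp", "dport": 80, "src": "203.0.113.9", "state": "NEW"}
print(verdict(POSTED, PKT), verdict(DENY_FIRST, PKT), shadowed(POSTED))
```

With the posted order the new HTTP connection is accepted by rule 3, and the deny entry below the catch-all REJECT is never consulted for eth0 traffic; listing the deny entries first changes the verdict to DROP.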
 
 
 
 
 
Robert Harris

 
      03-14-2006, 11:03 AM
Jim R wrote:
> I need some help with my outbound requests, which seem much slower than
> I think they should. I'm really uncertain of where to look, so I will
> tell you what I think might contribute to the problem. I think that the
> delay is in resolving the DNS requests.
>
> First a bit of background.
>
> I am running Suse 9.1 on a dual-boot machine in a personal home network.
> The problem is apparent on Linux, but not on WinXp on the same
> machine. Here is the topology best as I can map it using clumsy ASCII
>
> Charter.net 3 Mbps
> |
> V
> Linksys BEFSR41
> | | | |
> | | | ---> Linksys WAP54G
> | | |
> | | > n/c
> | |
> | |> Dell 400SC Suse 9.1/WinXP
> |
> > guest

>
> Machines connected via the WAP54G run fine.
> Guest machines connected via CAT5 to the BEFSR41 run fine.
> When running WinXP on the Dell connected via CAT5 to the BEFSR41, it runs fine.
>
> Here's the problem. Running the Dell connected via the same CAT5 to the
> BEFSR41 seems very slow in resolving the host name. As soon as the host
> name is resolved, performance seems to improve dramatically for that
> connection. Subsequent net connection requests are slowed again.
>
> The "slowness" is anything from a few seconds to a dozen seconds or
> more. This is apparent when requesting a Web page via a browser
> (Firefox or Mozilla). Or by pinging a URL style page (e.g., ping
> www.yahoo.com). Or requesting downloads from a remote POP. etc.
>
> In the BEFSR41, I am running DHCP. The Charter.net DNS entered into the
> setup there are 241.151.8.210, 241.151.8.211 and 66.189.130.5. I do not
> remember where I got those, but it must have been from Charter.net when
> I set the system up over a year ago. When I search the Charter.net
> support site now, it does not talk about DNS addresses. It almost seems
> to go a long way to avoid the subject.


Normally, your DHCP server will tell your machine what name servers to
use. Most likely, your name server is your router. Check what your
Windows machines use as a name server. But it should all be done
automatically for you by your system.

Your name service requests are evidently cached somewhere (which is why
a second request for the IP address of the same name is much faster than
the first).

>
> In Suse, I use Yast to enter the DNS setup page. These values seem to
> be stored in the file /etc/resolv.conf. It offers one set of entries
> for "Name Servers" and a different set for "Domain Search". Under Name
> Servers, I have entered the same IPs as shown above in the BEFSR41.
> Under Domain Search, I have entered charter.net for lack of something
> more clever.
>
> All of that may be a red herring. Hopefully you can point me in the
> right direction. I have made a few tweaks in the entries on Suse, and
> it had both positive and negative effects on the search, but none seem
> to make it as fast as I think is correct.
>
> Another area is my iptables blocking file. I run a small http server,
> and as soon as I started it several months ago, the hackers tried to
> break in. From the logs, I can see the IPs of the attacking clients. I
> read a bit about iptables, and figured that I could block these clients
> out by dropping their IP address. I have about 50 entries in the table
> so far. Here is the rest of my iptable, which is the default. Perhaps
> this is causing my problem -- I hope that you can direct me.


Well, each packet arriving has to pass through a linear search of 50 IP
addresses. That could well cause a noticeable delay.

>
> # syntax
> #from the sample script
> #!/bin/sh
>
> IPTABLES=/usr/sbin/iptables
>
> case "$1" in
> start)
> echo -n "Starting IP Firewall and NAT..."
> echo "1" > /proc/sys/net/ipv4/ip_forward


Unless your server has two ethernet interfaces, you don't need IP
forwarding or NAT

Robert

> echo "1" > /proc/sys/net/ipv4/tcp_syncookies
>
> # Clear old rules
> $IPTABLES -X
> $IPTABLES -F
> $IPTABLES -Z
>
> # INPUT Rules - Add to this section the ports you wish to explicitly allow connections on
> # Below are some common services that are commonly used
> # Comment out the lines to disable access to these services
> # The port numbers for other services you may wish to allow can be found in the /etc/services file
>
> $IPTABLES -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT  # Allows connections you start
>
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 21 -j ACCEPT  # Allow FTP Connections
> $IPTABLES -A INPUT -i eth0 -p udp --dport 21 -j ACCEPT
>
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT  # SSH Connections
>
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT  # HTTP Connections
>
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT  # SSL Connections
>
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 137 -j ACCEPT  # SAMBA related ports
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 138 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p udp --dport 139 -j ACCEPT
>
> # Allow pings, but reject the rest
> $IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -j REJECT
> # here are the ones that I want to exclude, based upon their recent attacks on my system.
> $IPTABLES -A INPUT -s xxx.xx.xxx.xx/24 -j DROP
> $IPTABLES -A INPUT -s yyy.yy.yy.yyy/24 -j DROP
> (repeats about 45-50 times with varying IPs).
>
> echo "done."
> ;;
> (stop and restart cases follow then esac)
>
>
>
> Thanks in advance for any help,
>
> 73 de Jim

 
 
Moe Trin

 
      03-14-2006, 11:36 PM
On Tue, 14 Mar 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <ahvhe3-(E-Mail Removed)>, Jim R wrote:

>I am running Suse 9.1 on a dual-boot machine in a personal home network.
>The problem is apparent on Linux, but not on WinXp on the same machine.
>Here is the topology best as I can map it using clumsy ASCII


OK, first thing to check is to see if your system is asking for IPv6
addresses before asking for IPv6. Do that by using 'tcpdump' and
watching the packets. You _don't_ want to see an 'AAAA' query. 'A' and
'PTR' queries are fine, but not 'AAAA'. IPv6 may be the coming thing, and
many Linux distributions are capable of it, but the world isn't there yet.

[compton ~]$ grep -c US IP.ADDR/stats/[ALR]* | grep -v :0
IP.ADDR/stats/APNIC:6
IP.ADDR/stats/ARIN:31349
[compton ~]$ grep -c US IP.ADDR/stats/IPv6.current.data
209
[compton ~]$

Translation: There were (as of mid February) 31355 IPv4 network assignments
and allocations in the US. Same date, there are but 209 IPv6 allocations and
no assignments in the US.

If this is the problem, try googling for 'SuSE ipv6 off' which should turn up
the magic hammer to use on YAST.

>In the BEFSR41, I am running DHCP. The Charter.net DNS entered into the
>setup there are 241.151.8.210, 241.151.8.211 and 66.189.130.5.


REJECT!!! The 241.151.8.x values are impossible. They _MIGHT_BE_
24.151.8.x... yeah, that looks likely. 24.151.8.210 and .211 are
nameservers 1 and 2 for ct.charter.com, while 66.189.130.5 is
ns1.plt.ny.charter.com, and all three are answering nameservice queries.

>I do not remember where I got those, but it must have been from Charter.net
>when I set the system up over a year ago. When I search the Charter.net
>support site now, it does not talk about DNS addresses. It almost seems
>to go a long way to avoid the subject.


Yeah, they don't want to scare people with those technical thingys. There's
a long way to find out, involving whois queries, and then asking the name
servers listed there. The "windoze" way is to use DHCP and hope that the
MSCE who set up the server didn't fumble-finger something.

>In Suse, I use Yast to enter the DNS setup page. These values seem to
>be stored in the file /etc/resolv.conf. It offers one set of entries
>for "Name Servers" and a different set for "Domain Search". Under Name
>Servers, I have entered the same IPs as shown above in the BEFSR41.


Fine - correct the tpyo, and things might get a little better.

>Under Domain Search, I have entered charter.net for lack of something
>more clever.


[compton ~]$ whatis resolver
resolver (5) - resolver configuration file
resolver [resolv] (5) - resolver configuration file
[compton ~]$

Look what gets into the /etc/resolv.conf file, and compare that to the
man page.

>Another area is my iptables blocking file. I run a small http server,
>and as soon as I started it several months ago, the hackers tried to
>break in. From the logs, I can see the IPs of the attacking clients. I
>read a bit about iptables, and figured that I could block these clients
>out by dropping their IP address. I have about 50 entries in the table
>so far.


I don't know what your Terms And Conditions are - most cable services get
all frowny about you running a server on a residential connection. Blocking
by individual IP addresses is a losing battle - as of the middle of last
month, there were 1,331,371,776 IPv4 addresses in the USA alone - double
that world wide. I don't know how many people in the world you expect to
visit your site, but a better idea is to allow specific addresses (or even
blocks of addresses) rather than trying to block things individually.

> $IPTABLES -A INPUT -i eth0 -p tcp --dport 138 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p tcp --dport 139 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p udp --dport 138 -j ACCEPT
> $IPTABLES -A INPUT -i eth0 -p udp --dport 139 -j ACCEPT


I hope you are blocking that crap at your perimeter.

> # Allow pings, but reject the rest
> $IPTABLES -A INPUT -i eth0 -p icmp -j ACCEPT


You're accepting ICMP, not just pings.

You may want to look at the Security-Quickstart-HOWTO - it wasn't written
specific to SuSE, but it may give you better ideas. It should be on your
system, or grab it from the LDP.

Old guy
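
The tcpdump check described in the post above, worked through as an added example (not part of the original thread): it pairs each DNS query with its response by client port and query ID and reports how long an unanswered AAAA lookup held up the A lookup for the same name. The capture lines are constructed in tcpdump's `-n` text format with documentation-range addresses, and treating a repeated port and ID as a resolver retry is an assumption.

```python
import re

# Constructed `tcpdump -n udp port 53` output; addresses are documentation ranges.
SAMPLE = """\
18:36:43.100000 IP 192.168.1.100.32770 > 192.0.2.53.53: 4242+ AAAA? www.yahoo.com. (31)
18:36:48.105000 IP 192.168.1.100.32770 > 192.0.2.53.53: 4242+ AAAA? www.yahoo.com. (31)
18:36:53.110000 IP 192.168.1.100.32771 > 192.0.2.53.53: 4243+ A? www.yahoo.com. (31)
18:36:53.150000 IP 192.0.2.53.53 > 192.168.1.100.32771: 4243 1/0/0 A 203.0.113.70 (47)
"""

LINE = re.compile(
    r"(\d+):(\d+):(\d+\.\d+) IP \S+\.(\d+) > \S+\.(\d+): (\d+)\S* (.*)")
QUERY = re.compile(r"([A-Z]+)\? (\S+)")        # e.g. "AAAA? www.yahoo.com."

def analyse(capture):
    """Pair queries with responses; return one record per (client port, query ID)."""
    queries = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        h, mi, s, sport, dport, qid, rest = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + float(s)
        q = QUERY.match(rest)
        if dport == "53" and q:                # client -> server: a query
            rec = queries.setdefault((sport, qid), {
                "type": q.group(1), "name": q.group(2),
                "first": t, "sent": 0, "latency": None})
            rec["sent"] += 1                   # same port and ID again: a retry
        elif sport == "53" and (dport, qid) in queries:
            rec = queries[(dport, qid)]        # server -> client: the answer
            if rec["latency"] is None:
                rec["latency"] = round(t - rec["first"], 3)
    return list(queries.values())

def aaaa_stalls(records):
    """Seconds from an unanswered AAAA query to the A query that followed, per name."""
    stalls = {}
    for r in records:
        if r["type"] == "AAAA" and r["latency"] is None:
            later = [a["first"] for a in records if a["type"] == "A"
                     and a["name"] == r["name"] and a["first"] > r["first"]]
            if later:
                stalls[r["name"]] = round(min(later) - r["first"], 3)
    return stalls

if __name__ == "__main__":
    print(analyse(SAMPLE))
    print("AAAA stalls:", aaaa_stalls(analyse(SAMPLE)))
```

In the constructed capture the AAAA query is sent twice without an answer and the A query, answered in 0.04 s, only goes out about ten seconds after the first AAAA attempt, which is the pattern of delay the thread describes.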
 
 
Grant

 
      03-14-2006, 11:55 PM
On Tue, 14 Mar 2006 18:36:43 -0600, (E-Mail Removed) (Moe Trin) wrote:

>>Another area is my iptables blocking file. I run a small http server,
>>and as soon as I started it several months ago, the hackers tried to
>>break in. From the logs, I can see the IPs of the attacking clients. I
>>read a bit about iptables, and figured that I could block these clients
>>out by dropping their IP address. I have about 50 entries in the table
>>so far.


To OP, there's a much easier way to stop the bad web traffic: set up
virtual servers by name (under apache config), and forbid access by
IP number, the first default web server gets the unwanted traffic --
does wonders here.

Any form of maintaining manual deny lists is doing donkey work the
'puter may be taught to do for you. Though I deny access to unwanted
web crawlers by CIDR simply so they don't clutter the logs with
'robots.txt' requests.

Grant.
--
Testing can show the presence of bugs, but not their absence.
-- Dijkstra
 