network traffic etherealed, need your help on the records (LONG)

Discussion in 'Linux Networking' started by Wenjie, Aug 30, 2003.

  1. Wenjie

    Wenjie Guest

    Hello again!


    To resolve the network performance problem, I consulted with
    my ISP and also took the suggestions here to use the ethereal
    tool.

    My ISP told me that owing to virus etc, the bandwidth to/fro
    outside of the country is decreased 'for the time being'. I
    clearly saw that some of my slowed-down network connections
    were caused (at least from the appearance) by the bad DNS
    service from my ISP:

    Time Source Destination Protocol Info
    15.9449098 172.24.12.1 my_isp_name_server_ip DNS Standard query A mail.yahoo.com
    15.975595 my_isp_name_server_ip 172.24.12.1 DNS Standard query response, Server failure


    I also encountered a series of weird entries when testing
    my website. My website is served with dynamic DNS, and the
    service provider is outside of the country. There is a
    router+ADSL modem between the actual server (172.24.12.1)
    and outside. The weird entries (*):

    Time Source Destination Protocol Info
    0.000000 172.24.12.1 my_isp_name_server_ip DNS Standard query A www.mywebsite.com
    0.031077 my_isp_name_server_ip 172.24.12.1 DNS Standard query response, Server failure
    0.031243 172.24.12.1 my_isp_name_server_ip DNS Standard query A www.mywebsite.com
    5.031925 172.24.12.1 my_isp_name_server_ip DNS Standard query A www.mywebsite.com.mywebsite.com (*)
    5.071077 my_isp_name_server_ip 172.24.12.1 DNS Standard query response, Server failure
    ....
    5.900000 172.24.12.1 my_isp_name_server_ip DNS Standard query A mail.yahoo.com
    5.031077 my_isp_name_server_ip 172.24.12.1 DNS Standard query response, Server failure
    5.033243 172.24.12.1 my_isp_name_server_ip DNS Standard query A mail.yahoo.com.mywebsite.com (*)
    10.033243 172.24.12.1 my_isp_name_server_ip DNS Standard query A mail.yahoo.com.mywebsite.com (*)
    ....


    Could someone explain the entries above? Could I have
    made some mistakes on the configuration? FYI, I commented
    out the entry in /etc/hosts to disable local name resolution.

    Is my conclusion feasible (DNS problem caused the slowing-down
    of the network connections?)?

    The summary from the ethereal said the Avg. bytes/sec is 1059.921
    oops. Could I argue with this figure with my ISP? (ADSL service
    with 512K inbound/outbound speed). Or shall I use some net
    connections without the DNS problem? (If the website is totally
    inside the country, it is about 20KB/s for instance).

    And almost every time my Mozilla connects to some website,
    there is a time lag of 'connection'... That should be another
    topic...
     
    Wenjie, Aug 30, 2003
    #1

  2. You could always run your own caching nameserver (your CD may have a
    caching nameserver package or bind9). I have been doing that since the
    DNS of my adsl ISP (SBC) was laggy when I first got it 1/2002. You can
    also add zones for your LAN per DNS HOWTO.

    Just do not use your ISP's nameservers for forwarders if they are giving
    you trouble now (you do not really need forwarders). And limit it to
    listening on loopback and LAN with listen-on { 127/8; 172.24/16; }; or
    whatever so it will only answer queries from your local network (it will
    still resolve public names).
     
    David Efflandt, Aug 30, 2003
    #2

  3. Is your firewall blocking ping? Does your ISP block incoming port 80.
    Local DNS is not going to help if they cannot access you by IP.
    It is best not to alter the 127.0.0.1 line. Either assign hostname or
    aliases to your nic IP, or an extra loopback IP like 127.0.0.2.

    To see if your hostname resolves from gethostbyname (instead of just DNS)
    try this Perl script (call it gethost, run it as ./gethost your_hostname):

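    #!/usr/bin/perl -w
    # gethost: resolve a name through gethostbyname (so /etc/hosts and
    # /etc/host.conf are honoured, not just DNS), then reverse-resolve it.
    use Socket;
    use strict;
    my ($host,$ip,$rhost);
    if ($ARGV[0]) {
        $host = shift @ARGV;
    } else {
        die "Enter host you want to resolve on commandline\n";
    }
    print "Looking up: $host\n";
    # In scalar context gethostbyname returns the packed address,
    # or undef when the lookup fails.
    my $packed = gethostbyname($host)
        or die "Cannot resolve $host\n";
    $ip = inet_ntoa($packed);
    print "IP: $ip\n";
    $rhost = gethostbyaddr($packed, AF_INET);
    # A missing PTR record is not fatal; report it instead of printing undef.
    print "Reverse lookup: ", (defined $rhost ? $rhost : "(failed)"), "\n";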

    Your IP has no name so that could cause some DNS delays trying to resolve
    your connecting IP. Although, that is not usually a problem for web
    servers unless they have access controls based on hostnames.
    See if they can traceroute to your IP (check firewall logs). Set up
    apache on a different port and see if they can access it with that port in
    URL.
     
    David Efflandt, Aug 31, 2003
    #3
  4. Wenjie

    Wenjie Guest

    > Is your firewall blocking ping? Does your ISP block incoming port 80.
    I have opened the PING service. My website works fine weeks ago. Could
    I try telnet myIP 80 to test whether my ISP blocking port 80? I access
    the website from within my LAN with no problems.
    I did some modifications on my local setting:
    /etc/hosts:
    127.0.0.1 localhost.localdomain localhost

    /etc/resolv.conf:
    domain mywebsite.com
    search mywebsite.com
    nameserver IP1_ISP_NS
    nameserver IP2_ISP_NS

    /etc/host.conf
    order hosts,bind
    multi on

    Did I obscure something above? (And I don't know what 'multi on'
    means).

    Reverse lookup failed. Otherwise I can get the IP from the name.
    Seems the dyndns is working again. What could impact the reverse
    lookup?

    Here is the dig www.mywebsite.com:
    ; <<>> DiG 9.2.1 <<>> www.mywebsite.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 52343
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.mywebsite.com. IN A

    ;; Query time: 119 msec
    ;; SERVER: IP1_ISP_NS#53(IP1_ISP_NS)
    ;; WHEN: Sun Aug 31 13:46:10 2003

    dig again succeeded:
    ; <<>> DiG 9.2.1 <<>> www.mywebsite.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36845
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.mywebsite.com. IN A

    ;; ANSWER SECTION:
    www.mywebsite.com. 120 IN A MY_PUB_ID

    ;; AUTHORITY SECTION:
    mywebsite.com. 120 IN NS ns1.dnsserviceprovider.com.
    mywebsite.com. 120 IN NS ns2.dnsserviceprovider.com.

    ;; Query time: 584 msec
    ;; SERVER: 202.96.209.5#53(202.96.209.5)
    ;; WHEN: Sun Aug 31 13:48:01 2003
    ;; MSG SIZE rcvd: 93

    ;; MSG SIZE rcvd: 33

    I have this in mind: could it be that because of the slow and troublesome
    DNS lookup (shown in dig1), my friends have difficulty resolving the
    IP of mine? Should I do something here for the apache server? I currently
    set in httpd.conf:
    ServerName as www.mywebsite.com
    UseCanonicalName On
    I will manage to do that. Hmm, most of my friends don't know what is
    traceroute. Do you think I can test locally? For example could I use
    another PC in the LAN but set the gateway as provided by the ISP instead
    of the local LAN's router private IP?

    >...


    Thanks a lot!
    Wenjie
     
    Wenjie, Aug 31, 2003
    #4
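
Added example, not part of any post in this thread: a small model of the stub resolver's search-list rule from resolv.conf(5), applied to the /etc/resolv.conf quoted in post #4, showing why a failed lookup of mail.yahoo.com is followed by a query for mail.yahoo.com.mywebsite.com (the starred entries in post #1). The function names are hypothetical and the code only computes the order of names tried; it sends no queries.

```python
# Added example: models search-list expansion only; it is not a resolver.
RESOLV_CONF = """\
domain mywebsite.com
search mywebsite.com
nameserver IP1_ISP_NS
nameserver IP2_ISP_NS
"""  # placeholder values exactly as quoted in post #4


def parse_resolv_conf(text):
    """Return (search_list, ndots).

    'domain' and 'search' replace each other, so the last one in the
    file wins. ndots defaults to 1 when no 'options ndots:N' is given.
    """
    search, ndots = [], 1
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        key, *args = line.split()
        if key == "domain" and args:
            search = [args[0]]
        elif key == "search":
            search = args
        elif key == "options":
            for opt in args:
                if opt.startswith("ndots:"):
                    ndots = int(opt.split(":", 1)[1])
    return [d.rstrip(".") for d in search], ndots


def candidate_queries(name, search, ndots=1):
    """Names queried, in order, for as long as each attempt keeps failing."""
    if name.endswith("."):                   # absolute name: no search list
        return [name.rstrip(".")]
    expanded = [f"{name}.{domain}" for domain in search]
    if name.count(".") >= ndots:             # enough dots: as-is first
        return [name] + expanded
    return expanded + [name]                 # too few dots: search list first


if __name__ == "__main__":
    search, ndots = parse_resolv_conf(RESOLV_CONF)
    for name in ("www.mywebsite.com", "mail.yahoo.com", "mail.yahoo.com."):
        print(name, "->", candidate_queries(name, search, ndots))
```

A lookup that succeeds on the first name never reaches the suffixed one, so the starred queries appear in a capture only while the nameserver is failing.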
  5. 'multi on' means that gethostbyname would try all available methods to
    resolve a name (in this case hosts, and then DNS).
    Your ISP is authority for reverse lookup of your public IP. You cannot do
    anything about that without cooperation of your ISP (unlikely where you
    are).
    Maybe your ISP's nameservers are overworked (busy).
    That should work as long as you keep your dynamic DNS up to date. But I
    am not sure what apache does if it cannot find its servername on a local
    IP when booting. So you might want to add the following to /etc/hosts:

    127.0.0.2 www.mywebsite.com
    Traceroute in some Windows versions like Win95/98 is called 'tracert'.
    Not sure what it is in WinNT/2k/XP.

    In order to tell if your website is accessible from internet, you need to
    check it from some other internet host. If you have another computer and
    dialup ppp account, you could disconnect that computer from LAN and try it
    from dialup.
     
    David Efflandt, Aug 31, 2003
    #5
