Slow host name resolution - nsswitch and DNS

Chris Gardner
Occasional Advisor

I have an issue on HP-UX 11.23 where host name resolution is slow when the DNS server is not reachable.
Name-service switch is set to use FILES first, then DNS.

As a test, a simple IPF rule that blocks outgoing port 53 simulates DNS failure.
When DNS is available (firewall is off), nslookup is quick and checks FILES first as expected.
When DNS is blocked (firewall is on), nslookup waits for a DNS timeout before checking FILES.

My aim for putting FILES first is to avoid DNS timeouts but it doesn't seem to be working as expected.
Any advice on how to make it behave?

thanks,
Chris

-----

Following is the relevant info...
$ cat /etc/hosts
127.0.0.1 localhost loopback qqqq
10.44.88.93 hpuxt02
10.44.90.1 dns01

$ cat /etc/resolv.conf
nameserver 10.44.90.1

$ cat /etc/nsswitch.conf
hosts: files dns
ipnodes: files dns

$ cat /etc/opt/ipf/ipf.conf
block out from any to any port = 53

$ time nslookup qqqq ### Firewall is off.
Using /etc/hosts on: hpuxt02

looking up FILES
Name: localhost
Address: 127.0.0.1
Aliases: loopback, qqqq

real 0m0.031s
user 0m0.020s
sys 0m0.020s

$ time nslookup qqqq #### Firewall is on.
*** Can't find server name for address 10.44.90.1: Timed out
*** Default servers are not available
Using /etc/hosts on: hpuxt02

looking up FILES
Name: localhost
Address: 127.0.0.1
Aliases: loopback, qqqq

real 1m15.016s
user 0m0.010s
sys 0m0.010s
10 REPLIES
Pete Randall
Outstanding Contributor

Re: Slow host name resolution - nsswitch and DNS

In my experience, HP has always insisted that the nsswitch entry look like this:

hosts: files[NOTFOUND=continue UNAVAIL=continue] dns [NOTFOUND=continue UNAVAIL=continue TRYAGAIN=return] nis

I'm not sure it would make any difference for you but it won't hurt to try it.


Pete

Pete
Chris Gardner
Occasional Advisor

Re: Slow host name resolution - nsswitch and DNS

The man page suggests the following defaults will be applied if nothing is explicitly stated:
[SUCCESS=return NOTFOUND=continue UNAVAIL=continue TRYAGAIN=continue]

I tried adding them to nsswitch but as suspected it hasn't made any difference.

It's frustrating that 'nslookup' insists on waiting for a DNS timeout before checking the FILES entry which it should have done first off.
Pete Randall
Outstanding Contributor

Re: Slow host name resolution - nsswitch and DNS

Chris,

Grasping at straws because I have no clue:

1) I have no hosts entry for my dns server (dns01)

2) It appears that you have no "domain" declaration in your resolv.conf

3) The nslookup that takes so long is looking for the dns server's alias - have you tried looking for another server that exists in the hosts file?


Pete

Pete
Bill Hassell
Honored Contributor

Re: Slow host name resolution - nsswitch and DNS

Yes, files then DNS is the recommended order for nsswitch.conf and is mandatory if your DNS server is not dependable.

>> *** Can't find server name for address 10.44.90.1: Timed out

Fix this first. The resolver is trying to validate that the DNS server is correct. It's not much of a validation but it is there.

>> 1m15.016s

This is approximately 2*30 seconds where 30 seconds is the timeout waiting for a dead DNS server. Do you have 2 DNS lines in /etc/resolv.conf?

Try using nsquery rather than nslookup. It tends to provide better details than nslookup:

# nsquery hosts hp.com

Using "files [NOTFOUND=continue UNAVAIL=continue] dns" for the hosts policy.

Searching /etc/hosts for hp.com
hp.com was NOTFOUND

Switch configuration: Allows fallback

Searching dns for hp.com
Hostname: hp.com
Aliases:
Address: 15.192.45.21 15.192.45.22 15.192.45.138 15.192.45.139 15.200.2.21 15.200.30.21 15.200.30.22 15.200.30.23 15.200.30.24 15.216.110.21 15.216.110.22 15.216.110.139 15.216.110.140
Switch configuration: Terminates Search



You can also test each DNS server individually with nslookup:

nslookup qqqqq 10.44.90.1





Bill Hassell, sysadmin
rick jones
Honored Contributor

Re: Slow host name resolution - nsswitch and DNS

Nslookup is not known for hewing strictly to the dictates of the nsswitch.conf file. Notice the bit in the nslookup output where it complains about not being able to find a name for the DNS server IP address. That is the part timing-out, and I believe that is happening even before it is trying to find the IP for "qqqq."

The suggestions to use another tool are goodness.
there is no rest for the wicked yet the virtuous have no pillows
Nafez ALNajjar
Frequent Advisor

Re: Slow host name resolution - nsswitch and DNS

Hi,
try:
1) # time ping qqqq   ### Firewall is off

2) # time ping qqqq   ### Firewall is on

and if you have the same time then the problem is with the behavior of the "nslookup" tool.

Also try to clear or remove the "resolv.conf" file.

In order to simulate the stub resolver there is a tool that I have been using with Linux, that is "gethostip" (not sure if available for HP-UX!). Also there is the gethostip tool.
VK2COT
Honored Contributor
Solution

Re: Slow host name resolution - nsswitch and DNS

Hello,

Please try one of the following:

a) Set environment variables RES_RETRY and
RES_RETRANS. Type the following export
commands at the HP-UX prompt:

# export RES_RETRY=1
# export RES_RETRANS=250

This sets the retransmission value to 1 and
the time between each retransmission to 250
milliseconds.

Do not specify a value less than 200
milliseconds for the RES_RETRANS environment
variable.

You can set the timeout values with the
environment variables RES_RETRY and
RES_RETRANS for individual clients only.

b) Specify the retransmission time and the
time between each retransmission by using
the options retrans and retry in the
/etc/resolv.conf configuration file.

retry 1
retrans 400

This sets the retransmission value to 1 and
the time between each retransmission to 400
milliseconds.

Cheers,

VK2COT
VK2COT - Dusan Baljevic
Chris Gardner
Occasional Advisor

Re: Slow host name resolution - nsswitch and DNS

Further testing confirms that 'nslookup' doesn't follow nsswitch.conf settings very closely.
I also see delays when logging in (SSH), probably due to reverse lookups of the client.

Thankfully, 'nsquery' and Oracle programs behave themselves and follow nsswitch.conf properly.

I'll use FILES for those programs that do the right thing and use 'retry' & 'retrans' to limit the delay for things that still insist on checking DNS.

Thanks all.
Chris Gardner
Occasional Advisor

Re: Slow host name resolution - nsswitch and DNS

.
crichton
Occasional Visitor

Re: Slow host name resolution - nsswitch and DNS

Your problem is probably the IPv6 lookups - try changing your ipnodes entry to:
ipnodes: files [NOTFOUND=return UNAVAIL=return TRYAGAIN=return]
to ignore IPv6 lookups.
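
Added example (not code from any poster in this thread or from HP-UX): a small model of how the nsswitch.conf policies quoted above are walked, using the man-page defaults quoted in the thread. It models only the policy semantics, not the HP-UX resolver; the function names `parse_policy` and `walk` and the per-source outcomes are assumptions made for illustration.

```python
import re

# Defaults the thread quotes from the nsswitch.conf man page.
DEFAULTS = {"SUCCESS": "return", "NOTFOUND": "continue",
            "UNAVAIL": "continue", "TRYAGAIN": "continue"}

# Policy lines taken from the posts above.
ORIGINAL = "hosts: files dns"
HP_STYLE = ("hosts: files[NOTFOUND=continue UNAVAIL=continue] dns "
            "[NOTFOUND=continue UNAVAIL=continue TRYAGAIN=return] nis")
FILES_ONLY = "ipnodes: files [NOTFOUND=return UNAVAIL=return TRYAGAIN=return]"

def parse_policy(line):
    """Parse one nsswitch.conf line into [(source, {status: action}), ...]."""
    _, _, spec = line.partition(":")
    policy = []
    # Each token is either a source name or a bracketed criteria list.
    for name, criteria in re.findall(r"([A-Za-z_]\w*)|\[([^\]]*)\]", spec):
        if name:
            policy.append((name, dict(DEFAULTS)))
        elif policy:  # criteria modify the source written just before them
            for item in criteria.split():
                status, _, action = item.partition("=")
                policy[-1][1][status.upper()] = action.lower()
    return policy

def walk(policy, outcomes):
    """Return the sources consulted, in order, for the given outcomes.

    outcomes maps source -> SUCCESS/NOTFOUND/UNAVAIL/TRYAGAIN. These are
    constructed inputs; a source missing from the map counts as UNAVAIL.
    """
    consulted = []
    for source, actions in policy:
        consulted.append(source)
        if actions[outcomes.get(source, "UNAVAIL")] == "return":
            break
    return consulted

if __name__ == "__main__":
    # Name present in /etc/hosts: the walk stops at files, dns is never asked.
    print(walk(parse_policy(ORIGINAL), {"files": "SUCCESS"}))
    # Name absent from /etc/hosts and DNS blocked: dns is still consulted.
    print(walk(parse_policy(ORIGINAL), {"files": "NOTFOUND", "dns": "UNAVAIL"}))
    # files-only ipnodes entry: a miss in files ends the lookup.
    print(walk(parse_policy(FILES_ONLY), {"files": "NOTFOUND"}))
```

A program that honours the switch never reaches dns for a name that files resolves, which matches the thread's finding that the delay came from tools that query DNS regardless of the policy.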