Re: [squid-users] DNS timeouts - unable to reduce timeout

On Sun, Nov 21, 2010 at 11:18:02AM -0200, Marcus Kool wrote:
> DNS lookups are done by the resolver.

They are done by the (libc) resolver if the program use the resolver API.
Squid does not use the resolver API, so it does not use this resolver.

> Options on Linux can be set in /etc/resolv.conf (see also man resolv.conf).
> The default timeout is only 5 seconds and any program, including Squid,
> that does a nameserver query should get an answer (including an error)
> in 5 seconds.
> In my case I have 3 nameservers in /etc/resolv.conf and the total
> timeout is 15 seconds.

Squid looks in the resolv.conf for the list of nameservers if you didn't
tell it any. That's all it uses the file for. As I understand it, the
rest is ignored.

Squid cannot use the standard resolver API as it blocks, and Squid cannot
hang around waiting for an answer like that, so it slings its own raw DNS
packets and does other work while waiting for any returning packets.

> Try "time nslookup -debug -d2 83.231.150.45" and see what
> your nameserver is doing.

The problem is not the nameserver - the problem is the client waiting so long
for the answer that it defeats its primary purpose of proxying.

I don't know how 'dns_timeout' isn't solving this, but a real-world test
doesn't lie.

> Marcus
>
> Nick Cairncross wrote:
> >Don't know if it's if use but could dnsmasq speed this up?

No. By definition an internet web proxy has raw internet access, so it
has no use for NAT or masquerading when doing its own DNS lookups.

DW

> >
> >On 19 Nov 2010, at 19:41, "declanw_at_is.bbc.co.uk" <declanw_at_is.bbc.co.uk>
> >wrote:
> >
> >>Hullo.
> >>
> >>I have a squid 3.1.9, which has an acl that needs to know the DNS domain
> >>name of a target IP (yes, I know it slows things down, but it has to stay)
> >>
> >>I have a lot of users viewing Flash streams hosted by Akamai, but Akamai's
> >>reverse DNS servers for e.g. 83.231.150.45 are currently completely dead.
> >>
> >>Squid is taking 90 seconds to give up on the reverse DNS lookup for
> >>http://83.231.150.45/fcs/ident2 and proceed with making the connection.
> >>Unfortunately, the Flash Player only seems to wait 30 seconds before it
> >>declares the content stream broken.
> >>
> >>I cannot find a setting to make squid timeout DNS faster.
> >>I have tried increasing 'negative_dns_ttl', but it didn't seem to have
> >>any effect.
> >>'dns_timeout 10 seconds' had no effect either, which suprised me.
> >>
> >>The only DNS option I am using is 'dns_nameservers 127.0.0.1' which points
> >>at a caching BIND. I am not using an external DNS resolver.
> >>
> >>Confused.
> >>
> >>DW
> >
> >The information contained in this e-mail is of a confidential nature and
> >is intended only for the addressee. If you are not the intended
> >addressee, any disclosure, copying or distribution by you is prohibited
> >and may be unlawful. Disclosure to any party other than the addressee,
> >whether inadvertent or otherwise, is not intended to waive privilege or
> >confidentiality. Internet communications are not secure and therefore
> >Conde Nast does not accept legal responsibility for the contents of this
> >message. Any views or opinions expressed are those of the author.
> >
> >The Conde Nast Publications Ltd (No. 226900), Vogue House, Hanover Square,
> >London W1S 1JU
> >
> >

-- 
Declan White
Internet Operations - Unix Engineer
Siemens IT Solutions and Services Ltd
T: +44 (0)1628 407759 / F: +44 (0)1628 407701
This e-mail contains confidential information and is for the exclusive
use of the addressee/s.  If you are not the addressee, then any
distribution, copying or use of this e-mail is prohibited. If received
in error, please advise the sender and delete it immediately.  We accept
no liability for any loss or damage suffered by any person arising from
use of this e-mail.
Regd No:	1203466 England
Regd Off:	Faraday House, Sir William Siemens Square, Frimley, Camberley, GU16 8QD
http://www.siemens.co.uk/it-solutions