Author Topic: DNS Slow to Resolve  (Read 8960 times)

jbahillo

  • Zentyal Staff
Re: DNS Slow to Resolve
« Reply #15 on: July 05, 2013, 11:48:08 am »
Hello christian:

That's a really good question. I'm not fully sure, but I think it should not. Why would you need that? That would only add latency to the answer when the Zentyal itself is an authoritative server for that domain.

christian

  • Guest
Re: DNS Slow to Resolve
« Reply #16 on: July 05, 2013, 12:02:37 pm »
Sure, it adds latency if you configure a forwarder  ;D but you will configure a forwarder in order to add some feature, and you get latency only when the cache is not populated.
Then, based on your explanation, what would be the difference between forwarders and a DNS server relying on Zentyal DNS configuration at network level?

If the goal is not to use the forwarder before the local DNS check, then when the DNS server receives a request, either Zentyal is authoritative and thus checks locally, or Zentyal is not and will check root DNS, but there is no benefit in having forwarders, is there (except perhaps some increase in speed for some domains handled by the forwarders you have configured)?

My assumption is that if you have, e.g., another DNS server for the same DNS domain but without DNS synchro (yes, it can exist; think, e.g., of someone having deployed Zentyal in 2 different locations  ;D  Zentyal doesn't provide any embedded feature to synchronize DNS zones, does it?  :P), then using forwarders, and assuming it works like I explained (and not like you explain), you will be able to resolve names that are maintained on the other Zentyal DNS server for the same domain name.

Well, this is my current understanding, but you are the owner here and I'm a poor lonesome user  ;D, so just tell us how it works in real life ;)

jbahillo

  • Zentyal Staff
Re: DNS Slow to Resolve
« Reply #17 on: July 05, 2013, 12:13:08 pm »

Quote
If the goal is not to use the forwarder before the local DNS check, then when the DNS server receives a request, either Zentyal is authoritative and thus checks locally, or Zentyal is not and will check root DNS, but there is no benefit in having forwarders, is there (except perhaps some increase in speed for some domains handled by the forwarders you have configured)?

I think that the benefits of a forwarder are:

  • Increased speed (your ISP provider's checks will surely be faster (or they should be) than checks against a root server)
  • Possibility of getting results for a domain which has not been propagated to the Internet. So imagine you run zentyal-domain.lan here, and you have another Zentyal (or any other DNS server) which runs zentyal-foo.lan. Then configuring that second DNS server as a forwarder would allow you to resolve that second domain.

Quote
My assumption is that if you have, e.g., another DNS server for the same DNS domain but without DNS synchro (yes, it can exist; think, e.g., of someone having deployed Zentyal in 2 different locations  ;D  Zentyal doesn't provide any embedded feature to synchronize DNS zones, does it?  :P), then using forwarders, and assuming it works like I explained (and not like you explain), you will be able to resolve names that are maintained on the other Zentyal DNS server for the same domain name.

Quote
Well, this is my current understanding, but you are the owner here and I'm a poor lonesome user  ;D, so just tell us how it works in real life ;)

Well, I would not say I'm the owner, and surely there may be some aspects that you know better than me, hehe.
I understand your approach, and will do some tests to find out which approach it is actually taking. And you're right, there are no options to add master/slave or primary/secondary DNS servers out of the box, but of course you can still edit the template if you need to ;)
« Last Edit: July 05, 2013, 12:20:39 pm by jbahillo »

Lonniebiz

Re: DNS Slow to Resolve
« Reply #18 on: July 05, 2013, 01:19:54 pm »
It definitely checks its own local records first (the ones that you've manually added to it and also the ones it has already cached from a previous upstream lookup).

If it cannot resolve the domain's IP locally, only then does it ask the forwarders, and if there are no forwarders, it asks the (slower) root servers.

Consider the method you suggested to me for being able to access my websites on the local LAN. You said to add each domain to Zentyal's dns, giving each the local IP of the internal windows webserver.

I had these forwarders (mentioned above) in place at the time you suggested that, and tried your suggestion, and it worked just fine.

If Zentyal had asked the forwarders BEFORE itself, I wouldn't have resolved a private IP; the forwarders would have given the public IP instead. So, it does not ask the forwarders before itself.

Furthermore, the client doesn't even know that the forwarders exist. As far as the client is concerned, it only knows to use Zentyal for DNS. Zentyal may get its answers locally, from forwarders, or from root servers, but none of this is revealed to the client (from my understanding).

I've done comparative tests with and without forwarders using namebench:
http://code.google.com/p/namebench/

I've mentioned these tests above. Forwarders increased performance by as much as a second in some cases. Before I implemented them, surfing the web seemed laggy behind Zentyal.
« Last Edit: July 05, 2013, 01:29:11 pm by Lonniebiz »

christian

  • Guest
Re: DNS Slow to Resolve
« Reply #19 on: July 05, 2013, 02:07:25 pm »
Quote
Furthermore, the client doesn't even know that the forwarders exist. As far as the client is concerned, it only knows to use Zentyal for DNS. Zentyal may get its answers locally, from forwarders, or from root servers, but none of this is revealed to the client (from my understanding).

I don't think anyone has a different understanding. Client side, you're only aware of the DNS server that has been configured either manually or pushed by DHCP  ::)

Quote
I've done comparative tests with and without forwarders using namebench:
http://code.google.com/p/namebench/
I've mentioned these tests above. Forwarders increased performance by as much as a second in some cases. Before I implemented them, surfing the web seemed laggy behind Zentyal.

I've no doubt either that forwarders improve performance, mainly if you run a benchmark  :D or if you run a platform without any cache  ;D
In day-to-day activity, I've no doubt about what you report but can't correlate it with my own experience. I'm not using forwarders and don't have any performance problem. On the other hand, I'm using an HTTP proxy in explicit mode, perhaps the reason why I have a different experience.
Still, I'm surprised, benchmark aside, that the lack of forwarders is really impacting performance if the cache is enabled.

As for the sequence, indeed, here is an extract from my sandbox server (I just made some tests):
Code:
        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        forward first;
        forwarders {
             192.168.20.1;
        };

but as this is part of the global option, it comes after local zones.
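
The resolution order discussed in this thread, as an added named.conf sketch that is not part of any post and not Zentyal's generated configuration: the server answers from zones it is authoritative for, uses the global forwarders only for other names, and reaches a second internal domain through a forward zone. The zone names and 192.168.20.1 come from the thread; the 192.0.2.53 address and the zone file path are placeholders.

```conf
// Constructed example: placeholders are marked in the comments.
options {
    recursion yes;

    // Global forwarding applies only to names this server is NOT
    // authoritative for. "forward first" asks the forwarders and, if
    // they fail to answer, falls back to iterative resolution from the roots.
    forward first;
    forwarders {
        192.168.20.1;
    };
};

// Authoritative zone: names under it are answered from local zone data,
// so the global forwarders above are not consulted for them.
zone "zentyal-domain.lan" {
    type master;
    file "/etc/bind/db.zentyal-domain.lan";   // placeholder path
};

// Forward zone for a second internal domain held on another DNS server.
// "forward only" keeps queries for this internal-only name from being
// sent to the root servers when the listed server does not answer.
zone "zentyal-foo.lan" {
    type forward;
    forward only;
    forwarders {
        192.0.2.53;   // placeholder: the server that holds zentyal-foo.lan
    };
};
```

Running `named-checkconf` against a file like this checks its syntax before BIND is reloaded.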

Lonniebiz

Re: DNS Slow to Resolve
« Reply #20 on: July 06, 2013, 04:42:36 am »
Ok, I have a few comments.

Although I've seen performance gains by adding forwarders, I can imagine circumstances where someone would not. For example, let's say your Zentyal server is located so close to the root server that it (the root server) can reply faster than GoogleDNS or OpenDNS. In this case you wouldn't benefit from a forwarder.

Regarding your setup, I can think of circumstances where even you would see performance gains by using a forwarder:

Run namebench on a workstation that is consuming your Zentyal DNS. namebench will compare your Zentyal DNS with other DNS providers and rank it against them. It will suggest the fastest DNS for you in your area. If any are faster than your Zentyal, you will benefit (performance-wise) from adding them as forwarders in Zentyal.

Even if you have dns caching enabled, you will still see performance gains each time you access a domain that is not already cached.

Even if you have HTTP Proxy caching enabled, you will still see performance gains each time you access a website that is not already cached.

Likewise, I will benefit from implementing the dns caching and HTTP proxy, as you have done. So, I will be looking into that. I've seen the checkbox for "Enable transparent DNS cache". Is it that simple? As for HTTP proxy, I'm going to read the Zentyal documentation for that tonight.
« Last Edit: July 06, 2013, 04:49:01 am by Lonniebiz »

Lonniebiz

Re: DNS Slow to Resolve
« Reply #21 on: July 19, 2013, 05:47:35 am »
Christian, I just encountered a weird circumstance where domain forwarders were queried before local DNS.

I recently added a Zentyal gateway to a network that already had 2 Zentyal servers on the internal LAN that were both handling domain controlling and dns.

The gateway was working fine without being joined to the domain, but I decided that I wanted it to be aware of the computer *names* inside the LAN (not just their IPs). So I configured this Zentyal gateway as a 3rd domain controller (I knew of no other way to officially join it to the domain). Previously, before doing this, I had already added domain forwarders to this gateway's dns.

Until I removed these dns forwarders, I was unable to ping computers on the internal LAN by their name. The Gateway would try to resolve the local names using the dns forwarders first. After I removed them, I was able to ping by name.

This behavior was contrary to my own understanding, and I thought I would report it back to this thread for you to see. Apparently, DNS forwarder's order of operations is a little more tricky when using a gateway as an additional (3rd) domain controller and dns.


christian

  • Guest
Re: DNS Slow to Resolve
« Reply #22 on: July 19, 2013, 07:05:48 am »
My initial understanding was that forwarders were requested first, but I confirm I was wrong. Looking at the BIND configuration makes this pretty clear.
I'm also, at least for the time being  ;) convinced that this is not a matter of circumstances  :)

This said, I have to admit that I don't know what Samba 4 integration brings in terms of DNS to the regular DNS server.
I can understand that some synchronization may occur between the internal DNS used by Samba but I'm not sure it has an impact on DNS service (I mean the one visible to end-users).
Furthermore, unless there is some magic trick here that would enable DNS replication (synchronization) when a DC is configured, I really can't see any relationship between the DNS service and the domain controller, nor any link between DNS and the fact that Zentyal would be configured as a gateway  ???

Zentyal DNS, when not manually configured client side, will be inherited from DHCP.

Back to your "explanation": from my standpoint, you do not tell enough about your configuration to allow understanding of what really occurs.
You have 3 DNS servers (because 3 Zentyal servers).
Are all these 3 DNS servers synchronized in terms of content? (Do you describe the same zone in these 3 DNS servers?)
Which one(s) is (are) pushed by DHCP? (BTW, are you using DHCP?)

What do forwarders bring here?
If you try to resolve an FQDN for which your DNS is authoritative, I don't think forwarders will be involved unless, please check this, the forwarders directive is configured within the local zone section.

Is my understanding correct?

Lonniebiz

Re: DNS Slow to Resolve
« Reply #23 on: July 19, 2013, 08:23:28 am »
I don't know exactly how being an additional domain controller affects regular DNS either. One thing it does, when you make a Zentyal server an additional domain controller, is it joins the Zentyal server to the current Zentyal domain. That alone would likely increase its awareness of computer names on the LAN, most likely.

I don't know how to join a Zentyal server to a domain without making it an additional domain controller. Perhaps this is something I've overlooked in the documentation.

Before adding the gateway, the internal LAN had two Zentyal Servers that each have just one interface with private IPs.

Zentyal1 is the Primary Domain Controller, DNS, and DHCP Pool 1
Zentyal2 is an additional domain controller, DNS and DHCP Pool 2

There are no manual DNS entries on either of these servers. Somehow, I guess via Samba and DHCP, they know all the IPs and names of all the computers on the LAN. Maybe Samba has its own DNS that gets checked before the regular DNS . . . I'm not sure how this works.

Both of these servers have one interface with a private IP. They are not gateways. But when one is down, the other provides the same services.

Later, I added a 3rd Zentyal server to act solely as a Gateway for monitoring bandwidth, so I could quickly identify which workstations are abusing bandwidth at any given time. This gateway was not joined to the domain, so when I would go to the Tools in the Zentyal web interface (of the gateway), and try to ping a machine by name on the internal LAN, it couldn't resolve the IP.

So, I then installed the file sharing module so I could make this gateway a 3rd additional domain controller. I didn't know how to join it to the domain any other way, and I knew it would lead to being able to resolve computers by name from this Zentyal Gateway.

However, because I had domain forwarders on this Gateway, I was unable to ping computers by name in the internal LAN. Instead, it would try to get the IP from the forwarder DNS server, which obviously didn't know the IPs of these internal workstations, servers, etc.

After removing the dns forwarder from the gateway, I was able to ping these same computers by name from the gateway.

So, I don't understand why, but I'm just reporting my findings.
« Last Edit: July 19, 2013, 08:30:01 am by Lonniebiz »

jbahillo

  • Zentyal Staff
Re: DNS Slow to Resolve
« Reply #24 on: July 19, 2013, 09:04:35 am »
Hi there:

Quote
This said, I have to admit that I don't know what Samba 4 integration brings in terms of DNS to the regular DNS server.
I can understand that some synchronization may occur between the internal DNS used by Samba but I'm not sure it has an impact on DNS service (I mean the one visible to end-users).

BIND has the DLZ plugin configured in order to include in its answers the zones provided by Samba's internal DNS configuration. Nevertheless, as you said before, this should not have an impact on DNS performance.

christian

  • Guest
Re: DNS Slow to Resolve
« Reply #25 on: July 19, 2013, 10:09:12 am »
Well my point was not really about use of Samba DNS but potential capability to bring some DNS synchro thanks to Samba.
But I suppose it just doesn't exist (still the "one single box" general design, even if LDAP, e.g. does replicate)