Anyone has experience with Windows clients DNS timeout


Anyone has experience with Windows clients DNS timeout

Eliezer Croitoru-3
I have seen this issue on Windows clients in the past.
Windows nslookup shows that the query has timed out after 2 seconds.
On Linux and xBSD I have researched this issue and have seen that
the DNS server is doing a recursive lookup and it sometimes takes from 7 to 10++
seconds.
When I pre-warm the DNS cache and the results are cached it takes
less than 500 ms for a response to arrive on the client side, and then
everything works fine.

I understand that the Windows DNS client times out.
When using a forward proxy with Squid or any other it works as expected,
since the DNS resolution is done on the proxy server.
However, for this issue I believe that this timeout should be increased
instead of moving to DNS over HTTPS.

I would like to hear if anyone has any resolution for this issue on
the Windows clients side.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Anyone has experience with Windows clients DNS timeout

Amos Jeffries
Administrator
On 30/12/20 9:02 am, NgTech LTD wrote:

> I have seen this issue on Windows clients in the past.
> Windows nslookup shows that the query has timed out after 2 seconds.
> On Linux and xBSD I have researched this issue and have seen that
> the DNS server is doing a recursive lookup and it sometimes takes from 7 to 10++
> seconds.
> When I pre-warm the DNS cache and the results are cached it takes
> less than 500 ms for a response to arrive on the client side, and then
> everything works fine.
>
> I understand that the Windows DNS client times out.
> When using a forward proxy with Squid or any other it works as expected,
> since the DNS resolution is done on the proxy server.
> However, for this issue I believe that this timeout should be increased
> instead of moving to DNS over HTTPS.


The DNS timeout in Squid is 30sec for exactly this type of reason. 2
seconds is far too short to *guarantee* a recursive resolver is able to
perform all the work and many round-trip lookups that are needed.

Amos

Re: Anyone has experience with Windows clients DNS timeout

L.P.H. van Belle
In reply to this post by Eliezer Croitoru-3
Hi Eliezer,

Sorry, I'm not fully agreeing with Amos here..

If your DNS is taking 7-10 sec, I would investigate why the DNS is that slow.
Something is off, that simple.


A small example of my DNS resolving to the internet and to my LAN DNS servers.

time dig a www.google.nl @8.8.8.8  @internet dns
real    0m0.115s

real    0m0.031s @lan dns, lookup 1.
real    0m0.016s @lan dns, lookup 2. (cached one)

So, in my opinion a 7-10 second timeout is really off.
In the last we..

Is the LAN DNS set as an authoritative server?
Are the PCs correctly registering in the DNS with their primary DNS domain?

In resolv.conf make sure the primary DNS domain is first:
primary.dnsdomain.tld = output of $(hostname -d)

search primary.dnsdomain.tld  (optional extra, other.dnsdomain.tld dnsdomain.tld )
nameserver 192.168.1.1
nameserver 192.168.1.2
nameserver 192.168.1.3
nameserver 192.168.1.4
nameserver 192.168.1.5

# these are the options to look into also. ( in this order )
options edns0 # allow 4096 byte packets.
options rotate # if you have more than 1 DNS server this can help.
options timeout:3
options no-check-names # don't check for invalid characters such as underscore (_), non-ASCII, or control characters.


Check the following.
- The DNS server tries to query the internet first.
Fix might be: resolving (search line) in /etc/resolv.conf.

IPv4 / IPv6: try disabling IPv6 on the Windows clients.
DNS is non-authoritative where it might be needed to set it to authoritative.
DNS server is missing forwarding to the authoritative server.
Routing and routing orders.
Are EDNS (4096 bytes) big packets allowed?
And is the firewall allowing UDP and TCP packets on port 53?

I run 3 Samba-AD DNS servers with Bind9_DLZ.
My proxy runs a Bind9 caching and forwarding setup.
The primary DNS domain is forwarded to the Samba-AD DNS server.
These are the authoritative servers.

This is on average my slowest query: 0.1-0.2 sec ( on the Samba DNS );
I checked the last year in my monitoring.
Normal is 0.03-0.01 sec.

If there are problems in Samba these days, in 80% of all cases it's a resolving setup problem.

I hope this gave you some ideas.


Greetz,

Louis


Re: Anyone has experience with Windows clients DNS timeout

Klaus Westkamp

Hi,

I fully agree with Amos. I experience several seconds of delay these days
in resolving names.

Using Google, which has a very fast and heavily caching DNS,
is not a good example for recreating this effect.

I could imagine that the several DNS encryption methods,
DNS-over-TLS and -over-HTTPS, which are only supported by some,
are adding to that delay, as they require more overhead
and the client also has to find out which method is supported and which not.

Cheers,

Klaus Westkamp



Re: Anyone has experience with Windows clients DNS timeout

L.P.H. van Belle
And, yes I agree, DNS over TLS might be slower, but really, if you have to wait seconds for a DNS reply... imagine..
Lots of websites have 10-20 hosts in them; if you have to wait 10 sec for a website, well, I'm gone already then.

That's why I also showed the direct tests against my internal authoritative DNS servers. ( and I can pick any host, it will show the same results ).

All I'm saying is, before you are going to hunt for "possible" problems,
make sure the resolving is perfectly set up.
It will fix at least a lot of problems.

I just don't like DNS over HTTPS..
https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/

https://www.samknows.com/blog/dns-over-https-performance

Good articles to read.

Enjoy.

Greetz,

Louis



Re: Anyone has experience with Windows clients DNS timeout

Eliezer Croitoru-3
Hey Louis,
Thanks for the feedback.

Indeed I do understand if someone wants to have a fast DNS resolution.
However there are things which are not under our domain and control.
For example the root DNS servers can be unreachable for a second or
more sometimes to specific areas.
I cannot change the way optical communication cables are managed, but
I can control my Windows or proxy.
Since the proxy can be tuned easily compared to the root servers
themselves or any other lower level DNS services, I might choose to use
a proxy.
In the ISP world the provider has two or more DNS servers which
sometimes can respond slower than expected.
It's a fact that we need two or more DNS servers, but when you manage a
DNS server or start a BIND recursive server you will be able to see this
issue.
On the first recursive request for a link with 20-80+ ms delay it is
possible that either a packet is lost on the way or that the overall
response time is higher than 10 seconds.
The only reasonable solution I can see is to set the clients or the
proxy according to the environment.

For example a local on-premise DNS caching service (dnsmasq, unbound,
bind) should help a bit in some cases.
The next level is to pre-warm the cache for the root servers.
If this doesn't help, change the Windows clients' timeout from 2 seconds to
more (10-15).
If the above does not seem to resolve the issues, then and only then it's
proxy time.

I think I found the basic way to define this in the Windows registry,
but I'm not sure.
These documents describe this issue:

https://docs.microsoft.com/en-us/previous-versions//cc977482(v=technet.10)?redirectedfrom=MSDN
https://serverfault.com/questions/431207/adjust-windows-dns-timeout-similar-to-the-linux-resolv-conf
https://thehotery.name/windows/network/dns
https://groups.google.com/g/microsoft.public.windows.inetexplorer.ie6.browser/c/TrUhaEZEtIw/m/dZOB6Z8AvN0J

The default registry key is not present but the value is:
## START of text file
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DNSQueryTimeouts"=hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,00,00
## END of text file

A modified one is:
## START of text file
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DNSQueryTimeouts"=hex(7):34,00,00,00,38,00,00,00,38,00,00,00,31,00,36,00,00,00,33,00,32,00,00,00,00,00
## END of text file


I have not tested it yet, but in Windows nslookup you
can change the timeout using:
set timeout=10

and test the server for timeout issues.
It is common to see in Windows that the first lookup fails
after 2 seconds but the next one gets a result.
If the client waits long enough it will receive the packet, and the
resolution is fast compared to a fully recursive one every time.

I think that this timeout deserves a wiki page.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
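As an added example (not code from anyone in this thread): a small Python script that decodes the hex(7) REG_MULTI_SZ lines of the two .reg fragments posted above into the per-attempt timeout list, sums them, and re-encodes a schedule back into .reg form so a changed value can be checked before it is imported. It assumes, as the posted values suggest, that each entry is one attempt's timeout in seconds; the embedded .reg text is a constructed copy of the fragments quoted in the post.

```python
"""Decode/encode the DNSQueryTimeouts REG_MULTI_SZ value in .reg text.

Added example for this thread, not code from any poster.  regedit stores
hex(7) as UTF-16LE strings, each NUL-terminated, with an extra NUL closing
the list.  Assumption (from the posted values): each string is the timeout
in seconds for one successive attempt.
"""
import re

# Constructed input: copies of the two .reg fragments posted in the thread.
DEFAULT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DNSQueryTimeouts"=hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,00,00
'''

MODIFIED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DNSQueryTimeouts"=hex(7):34,00,00,00,38,00,00,00,38,00,00,00,31,00,36,00,00,00,33,00,32,00,00,00,00,00
'''

# A "name"=hex(7):xx,xx,... line; regedit may wrap long values with a
# trailing backslash followed by an indented continuation line.
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=hex\(7\):'
    r'(?P<hex>[0-9a-fA-F,]+(?:\\\r?\n\s*[0-9a-fA-F,]+)*)$',
    re.M,
)


def parse_multi_sz(hex_list: str) -> list[str]:
    """Turn regedit's 'xx,xx,...' byte list into the strings it encodes."""
    cleaned = re.sub(r'\\\s*', '', hex_list)          # drop line continuations
    raw = bytes(int(tok, 16) for tok in cleaned.split(',') if tok)
    parts = raw.decode('utf-16-le').split('\x00')
    while parts and parts[-1] == '':                   # strip list terminators
        parts.pop()
    return parts


def encode_multi_sz(values: list[str]) -> str:
    """Inverse of parse_multi_sz: build the hex(7) byte list for a .reg file."""
    raw = ''.join(v + '\x00' for v in values).encode('utf-16-le') + b'\x00\x00'
    return ','.join(f'{b:02x}' for b in raw)


def read_timeouts(reg_text: str) -> list[int]:
    """Extract DNSQueryTimeouts from .reg text as seconds per attempt."""
    for m in VALUE_RE.finditer(reg_text):
        if m.group('name') == 'DNSQueryTimeouts':
            return [int(v) for v in parse_multi_sz(m.group('hex'))]
    raise ValueError('DNSQueryTimeouts not found in .reg text')


def total_wait_seconds(timeouts: list[int]) -> int:
    """Seconds a client waits before giving up if every attempt times out."""
    return sum(timeouts)


def render_reg(timeouts: list[int]) -> str:
    """Produce a .reg fragment that sets DNSQueryTimeouts to the given schedule."""
    hex_list = encode_multi_sz([str(t) for t in timeouts])
    return (
        'Windows Registry Editor Version 5.00\n\n'
        '[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters]\n'
        f'"DNSQueryTimeouts"=hex(7):{hex_list}\n'
    )


if __name__ == '__main__':
    for label, text in (('default', DEFAULT_REG), ('modified', MODIFIED_REG)):
        schedule = read_timeouts(text)
        print(f'{label}: attempts={schedule} '
              f'total wait if all time out={total_wait_seconds(schedule)}s')
```

Running it shows the default schedule 1,2,2,4,8 (17 s in total if every attempt fails) against the modified 4,8,8,16,32 (68 s), and render_reg reproduces the posted fragments byte for byte.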

Re: Anyone has experience with Windows clients DNS timeout

L.P.H. van Belle
Hi Eliezer,

> -----Original message-----
> From: NgTech LTD [mailto:[hidden email]]
> Sent: Wednesday 30 December 2020 13:37
> To: L.P.H. van Belle
> CC: [hidden email]
> Subject: Re: [squid-users] Anyone has experience with Windows clients
> DNS timeout
>
> Hey Louis,
> Thanks for the feedback.
>
> Indeed I do understand if someone wants to have a fast DNS resolution.
> However there are things which are not under our domain and control.

> For example the root DNS servers can be unreachable for a second or
> more sometimes to specific areas.
Now this I'm having here also; it took me 6 months but my internet provider
is now finally going to fix it. Often it's out of bandwidth..
In my case this was a change they did in the background.
In the Netherlands I know lots of fiber providers don't monitor their bandwidth; I built some monitoring servers for one of them, that's how I know. They don't care because they just say, ah.. fiber, sufficient bandwidth..
:-/

> I cannot change the way optical communication cables are managed, but
> I can control my Windows or proxy.
> Since the proxy can be tuned easily compared to the root servers
> themselves or any other lower level DNS services, I might choose to use
> a proxy.
Test against other DNS servers and track the route they are using..
In my above problem I tracked this from 5 different providers to find the problem point.

> In the ISP world the provider has two or more DNS servers which
> sometimes can respond slower than expected.
> It's a fact that we need two or more DNS servers, but when you manage a
> DNS server or start a BIND recursive server you will be able to see this
> issue.
> On the first recursive request for a link with 20-80+ ms delay it is
> possible that either a packet is lost on the way or that the overall
> response time is higher than 10 seconds.
Also here, if you can monitor your devices, check if you see UDP loss/rejects.

> The only reasonable solution I can see is to set the clients or the
> proxy according to the environment.
Both will and should work..

>
> For example a local on-premise DNS caching service (dnsmasq, unbound,
> bind) should help a bit in some cases.
> The next level is to pre-warm the cache for the root servers.
> If this doesn't help, change the Windows clients' timeout from 2 seconds to
> more (10-15).

That's still, in my opinion, the first thing you need to track: find where
the delay is happening.

> If the above does not seem to resolve the issues, then and only then it's
> proxy time.
>
> I think I found the basic way to define this in the Windows registry,
> but I'm not sure.
> These documents describe this issue:
>
> https://docs.microsoft.com/en-us/previous-versions//cc977482(v=technet.10)?redirectedfrom=MSDN
> https://serverfault.com/questions/431207/adjust-windows-dns-timeout-similar-to-the-linux-resolv-conf
> https://thehotery.name/windows/network/dns
> https://groups.google.com/g/microsoft.public.windows.inetexplorer.ie6.browser/c/TrUhaEZEtIw/m/dZOB6Z8AvN0J
>
> The default registry key is not present but the value is:
> ## START of text file
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
> "DNSQueryTimeouts"=hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,38,00,00,00,00,00
> ## END of text file
>
> A modified one is:
> ## START of text file
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
> "DNSQueryTimeouts"=hex(7):34,00,00,00,38,00,00,00,38,00,00,00,31,00,36,00,00,00,33,00,32,00,00,00,00,00
> ## END of text file
>

Beware, you can change that, but I know some parts in Windows use some Windows DNS, and if you disable/change that, your MS Store might also stop working. Figured that out the hard way. :-(

>
> I have not tested it yet but if it does but in Windows nslookup you
> can change the timeout using:
> set timeout=10
>
> and test the server for timeout issues.
> This is common to see in windows that the first lookup would fail
> after 2 seconds but the next one will get a result.
> If the client will wait enough he will receive the packet and the
> resolution fast compared to a fully recursive one every time.
>
> I think that this timeout deserve a wiki page.
>
> Thanks,
> Eliezer
>
> ----
> Eliezer Croitoru
> Tech Support
> Mobile: +972-5-28704261
> Email: [hidden email]
> On Wed, Dec 30, 2020 at 12:57 PM L.P.H. van Belle <[hidden email]> wrote:
> >
> > And, yes I agree, DNS over TLS might be slower, but really, if you have
> > to wait seconds for a DNS reply... imagine..
> > Lots of websites have 10-20 hosts in them; if you have to wait 10 sec
> > for a website, well, I'm gone already then.
> >
> > That's why I also showed the direct tests against my internal authoritative
> > DNS servers. (And I can pick any host, it will show the same results.)
> >
> > All I'm saying is, before you are going to hunt for "possible" problems,
> > make sure the resolving is perfectly set up.
> > It will fix at least a lot of problems.
> >
> > I just don't like DNS over HTTPS..
> > https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
> >
> > https://www.samknows.com/blog/dns-over-https-performance
> >
> > Good articles to read.
> >
> > Enjoy.
> >
> > Greetz,
> >
> > Louis
> >
> >
> >
> >
> > > -----Original Message-----
> > > From: squid-users [mailto:[hidden email]] On Behalf Of
> > > Klaus Westkamp
> > > Sent: Wednesday, December 30, 2020 10:57
> > > To: [hidden email]
> > > Subject: Re: [squid-users] Anyone has experience with Windows clients
> > > DNS timeout
> > >
> > >
> > > Hi,
> > >
> > > I fully agree with Amos. I experience several seconds of delay these days
> > > in resolving names.
> > >
> > > Using Google, which has a very fast and heavily caching DNS,
> > > is not a good example for recreating this effect.
> > >
> > > I could imagine that the several DNS encryption methods,
> > > DNS-over-TLS and -over-HTTPS, that are only supported by some,
> > > add to that delay, as they require more overhead
> > > and also the client has to find out which method is supported and
> > > which not.
> > >
> > > Cheers,
> > >
> > > Klaus Westkamp
> > >
> > >
> > >
> > > On 30/12/2020 09:07, L.P.H. van Belle wrote:
> > > > Hi Eliezer
> > > >
> > > > Sorry, I'm not fully agreeing with Amos here..
> > > >
> > > > If your DNS is taking 7-10 sec, I would investigate why the DNS is
> > > > that slow.
> > > > Something is off, that simple.
> > > >
> > > >
> > > > A small example of my DNS resolving to the internet and my LAN
> > > > DNS servers.
> > > >
> > > > time dig a www.google.nl @8.8.8.8  @internet dns
> > > > real    0m0.115s
> > > >
> > > > real    0m0.031s    @lan dns, lookup 1.
> > > > real    0m0.016s    @lan dns, lookup 2. (cached one)
> > > >
> > > > So, in my opinion a 7-10 seconds timeout is really off.
> > > > In the last we..
> > > >
> > > > Is the LAN DNS set as an authoritative server?
> > > > Are the PCs correctly registering in the DNS with their primary DNS
> > > > domain?
> > > >
> > > > In resolv.conf make sure the primary DNS domain is first in
> > > > resolv.conf
> > > > primary.dnsdomain.tld = output of $(hostname -d)
> > > >
> > > > search primary.dnsdomain.tld  (optional extra: other.dnsdomain.tld
> > > > dnsdomain.tld )
> > > > nameserver 192.168.1.1
> > > > nameserver 192.168.1.2
> > > > nameserver 192.168.1.3
> > > > nameserver 192.168.1.4
> > > > nameserver 192.168.1.5
> > > >
> > > > # these are the options to look into also. ( in this order )
> > > > options edns0               # allows 4096 byte packets.
> > > > options rotate              # if you have more than 1 dns server
> > > > this can help.
> > > > options timeout:3
> > > > options no-check-names      # don't check for invalid characters such
> > > > as underscore (_), non-ASCII, or control characters.
> > > >
> > > >
> > > > Check the following.
> > > > - the DNS server tries to query the internet first.
> > > > fix might be, resolving (search line) in /etc/resolv.conf
> > > >
> > > > ipv4 / ipv6, try disabling ipv6 on the windows clients.
> > > > DNS is non-authoritative where it might be needed to set it to
> > > > authoritative.
> > > > DNS server is missing forwarding to the authoritative server.
> > > > Routing and routing orders
> > > > Are EDNS (4096 bytes) big packets allowed
> > > > And is the firewall allowing UDP and TCP packets on port 53
> > > >
> > > > I run 3 samba-AD DNS servers with Bind9_DLZ
> > > > My proxy runs a Bind9 caching and forwarding setup.
> > > > The primary DNS domain is forwarded to the Samba-AD DNS server.
> > > > These are the authoritative servers.
> > > >
> > > > This is on average my slowest query 0.1-0.2 sec  ( on the samba dns )
> > > > I checked the last year in my monitoring.
> > > > Normal is 0.03-0.01 sec
> > > >
> > > > If there are problems in samba these days it's in 80% of all cases a
> > > > resolving setup problem.
> > > >
> > > > I hope this gave you some ideas.
> > > >
> > > >
> > > > Greetz,
> > > >
> > > > Louis
> > > >
> > > >
> > > >> -----Original Message-----
> > > >> From: squid-users [mailto:[hidden email]] On Behalf Of
> > > >> NgTech LTD
> > > >> Sent: Tuesday, December 29, 2020 21:02
> > > >> To: Squid Users
> > > >> Subject: [squid-users] Anyone has experience with Windows clients DNS
> > > >> timeout
> > > >>
> > > >> I have seen this issue on Windows clients over the past.
> > > >> Windows nslookup shows that the query has timed out after 2 seconds.
> > > >> On Linux and xBSD I have researched this issue and have seen that:
> > > >> the DNS server is doing a recursive lookup and it takes from 7 to 10++
> > > >> seconds sometimes.
> > > >> When I pre-warm the DNS cache and the results are cached it takes
> > > >> lower than 500 ms for a response to be on the client side and then
> > > >> everything works fine.
> > > >>
> > > >> I understand that Windows DNS client times out..
> > > >> When using a forward proxy with squid or any other it works as
> > > >> expected since the DNS resolution is done on the proxy server.
> > > >> However for this issue I believe that this timeout should be
> > > >> increased instead of moving to DNS over HTTPS.
> > > >>
> > > >> I would like to hear if anyone has any resolution for this issue on
> > > >> the Windows clients side.
> > > >>
> > > >> Thanks,
> > > >> Eliezer
> > > >>
> > > >> ----
> > > >> Eliezer Croitoru
> > > >> Tech Support
> > > >> Mobile: +972-5-28704261
> > > >> Email: [hidden email]
> > > >> _______________________________________________
> > > >> squid-users mailing list
> > > >> [hidden email]
> > > >> http://lists.squid-cache.org/listinfo/squid-users


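The two DNSQueryTimeouts exports quoted at the top of this message are worth decoding before they are imported, because the hex(7) form hides what is being changed. Below is an added Python example, not code from the thread and not a Microsoft tool: it parses the hex(7) REG_MULTI_SZ bytes back into the per-attempt timeout strings, sums them for a worst-case wait (a simplification that assumes one configured server and one attempt per entry), and writes a fresh .reg file in the wrapped format regedit uses. The embedded .reg texts are the ones quoted above; key path and value name are taken from them.

```python
"""Decode and re-encode the DNSQueryTimeouts REG_MULTI_SZ from .reg exports.

Added example, not from the squid-users thread. A hex(7) value in a .reg
file is the raw UTF-16LE REG_MULTI_SZ: every string is NUL-terminated and
the list ends with one extra NUL. The two exports below are the ones
quoted in the thread (first the default, then the modified one).
"""
TCPIP_PARAMS = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
VALUE = 'DNSQueryTimeouts'

DEFAULT_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DNSQueryTimeouts"=hex(7):31,00,00,00,32,00,00,00,32,00,00,00,34,00,00,00,\
  38,00,00,00,00,00
'''

MODIFIED_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DNSQueryTimeouts"=hex(7):34,00,00,00,38,00,00,00,38,00,00,00,31,00,36,00,\
  00,00,33,00,32,00,00,00,00,00
'''


def extract_hex(text, value_name=VALUE):
    """Raw bytes of a hex(7) value, joining regedit's backslash continuation lines."""
    key = '"%s"=hex(7):' % value_name
    start = text.index(key) + len(key)
    parts = []
    for line in text[start:].splitlines():
        line = line.strip().rstrip('\\').strip()
        if not line or line.startswith('[') or '=' in line:
            break                      # next value, next key, or end of block
        parts.append(line)
    return bytes(int(h, 16) for h in ''.join(parts).rstrip(',').split(','))


def decode_multi_sz(raw):
    """Split UTF-16LE REG_MULTI_SZ bytes into its strings (terminators dropped)."""
    return [s for s in raw.decode('utf-16-le').split('\x00') if s]


def encode_multi_sz(strings):
    return ''.join(s + '\x00' for s in strings).encode('utf-16-le') + b'\x00\x00'


def to_reg_hex(raw):
    return ','.join('%02x' % b for b in raw)


def timeouts(strings):
    """Per-attempt timeouts in seconds, in the order the client tries them."""
    return [int(s) for s in strings]


def worst_case_wait(seconds):
    """Seconds until the client gives up if every attempt times out.
    Simplification (assumption): one server, one attempt per entry."""
    return sum(seconds)


def render_reg(strings, value_name=VALUE, key=TCPIP_PARAMS):
    """Importable .reg text, wrapped roughly like regedit: trailing '\\', 2-space indent."""
    tokens = to_reg_hex(encode_multi_sz(strings)).split(',')
    lines, cur = [], '"%s"=hex(7):' % value_name
    for tok in tokens:
        if len(cur) + 3 > 76:
            lines.append(cur + '\\')
            cur = '  '
        cur += tok + ','
    lines.append(cur.rstrip(','))
    return 'Windows Registry Editor Version 5.00\n\n[%s]\n%s\n' % (key, '\n'.join(lines))


if __name__ == '__main__':
    for label, reg in (('default', DEFAULT_REG), ('modified', MODIFIED_REG)):
        sched = timeouts(decode_multi_sz(extract_hex(reg)))
        print('%-8s %-20s worst case %3d s' % (label, sched, worst_case_wait(sched)))
    print(render_reg(['4', '8', '8', '16', '32']))
```

The default export decodes to attempts of 1, 2, 2, 4 and 8 seconds (17 s before giving up on one server); the modified one to 4, 8, 8, 16 and 32 seconds (68 s). Import the rendered file with reg.exe or regedit, and keep Louis's warning in mind: test the MS Store and other DnsCache consumers after the change.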

Re: Anyone has experience with Windows clients DNS timeout

Eliezer Croitoru-3
In reply to this post by Amos Jeffries
Hey Amos,

For an INTERCEPT setup we still need to resolve before squid is touching the packets.
There are registry keys for this purpose; however we first need to identify this issue.
The basic way to verify this is using "set debug" on nslookup and using a fully "cold" DNS recursor.

I was thinking about writing some PowerShell script that will do that but for now it's not really important.
More important than that is a good sysadmin.

Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon




-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Amos Jeffries
Sent: Wednesday, December 30, 2020 6:15 AM
To: [hidden email]
Subject: Re: [squid-users] Anyone has experience with Windows clients DNS timeout

On 30/12/20 9:02 am, NgTech LTD wrote:

> I have seen this issue on Windows clients over the past.
> Windows nslookup shows that the query has timed out after 2 seconds.
> On Linux and xBSD I have researched this issue and have seen that:
> the DNS server is doing a recursive lookup and it takes from 7 to 10++
> seconds sometimes.
> When I pre-warm the DNS cache and the results are cached it takes
> lower than 500 ms for a response to be on the client side and then
> everything works fine.
>
> I understand that Windows DNS client times out..
> When using a forward proxy with squid or any other it works as expected
> since the DNS resolution is done on the proxy server.
> However for this issue I believe that this timeout should be increased
> instead of moving to DNS over HTTPS.


The DNS timeout in Squid is 30sec for exactly this type of reason. 2
seconds is far too short to *guarantee* a recursive resolver is able to
perform all the work and many round-trip lookups that are needed.

Amos

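Eliezer's verification method (nslookup with "set debug" against a fully cold recursor, raising "set timeout") and Amos's 30 s Squid figure both come down to one question: how long does the client keep listening before it declares the lookup dead? The added Python example below, not code from the thread and not the PowerShell script Eliezer mentions, makes that schedule explicit. It sends raw UDP DNS queries in RFC 1035 wire format, one per entry of a retry schedule, and accepts a late reply to any earlier attempt, which is the "client waited long enough" case Eliezer describes. Resolver address, hostname, the single 2 s attempt standing in for nslookup, and the single 30 s attempt standing in for Squid are assumptions for the comparison; the two Windows schedules are the ones from the .reg exports.

```python
"""Raw UDP DNS probe with an explicit per-attempt timeout schedule.

Added example, not from the squid-users thread. Reproduces what the Windows
resolver and nslookup do (send, wait N seconds, resend) so a cold recursive
lookup can be timed against a chosen schedule. Only A records are decoded.
"""
import secrets
import socket
import struct
import time

WINDOWS_DEFAULT = [1, 2, 2, 4, 8]     # from the default .reg export in the thread
WINDOWS_MODIFIED = [4, 8, 8, 16, 32]  # from the modified export
NSLOOKUP_2S = [2]                     # assumption: the observed 2 s timeout, no retry
SQUID_DEFAULT = [30]                  # assumption: Squid's 30 s dns_timeout as one attempt


def build_query(name, txid, qtype=1):
    """Recursive (RD=1) IN query for `name`; qtype 1 = A."""
    header = struct.pack('!HHHHHH', txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip('.').split('.')
    qname = b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'
    return header + qname + struct.pack('!HH', qtype, 1)


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack('!H', data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode('ascii'))
        off += length
    return '.'.join(labels), (end if end is not None else off)


def parse_response(data, txid):
    """rcode, TC flag and answer RRs as (name, type, ttl, value); rejects a wrong txid."""
    rid, flags, qd, an, _, _ = struct.unpack('!HHHHHH', data[:12])
    if rid != txid:
        raise ValueError('transaction id mismatch')
    result = {'rcode': flags & 0xF, 'truncated': bool(flags & 0x0200), 'answers': []}
    off = 12
    for _ in range(qd):                                # skip the echoed question
        _, off = _read_name(data, off)
        off += 4
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack('!HHIH', data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        value = socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        result['answers'].append((name, rtype, ttl, value))
    return result


def probe(name, server, schedule, port=53):
    """One query per entry of `schedule`; returns (attempt, seconds, parsed) or None.
    A reply to an earlier attempt's id is still accepted."""
    started, sent = time.monotonic(), {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for attempt, timeout in enumerate(schedule, start=1):
            txid = secrets.randbits(16)                # unpredictable id per attempt
            sent[txid] = attempt
            sock.sendto(build_query(name, txid), (server, port))
            deadline = time.monotonic() + timeout
            while True:
                remaining = deadline - time.monotonic()
                if remaining <= 0:
                    break
                sock.settimeout(remaining)
                try:
                    data, _ = sock.recvfrom(4096)
                except socket.timeout:
                    break
                rid = struct.unpack('!H', data[:2])[0]
                if rid in sent:
                    return sent[rid], time.monotonic() - started, parse_response(data, rid)
    return None


if __name__ == '__main__':
    import sys
    server = sys.argv[1] if len(sys.argv) > 1 else '127.0.0.1'   # assumed local resolver
    name = sys.argv[2] if len(sys.argv) > 2 else 'www.example.com'
    for label, sched in (('cold/2s', NSLOOKUP_2S), ('retry', WINDOWS_DEFAULT), ('warm', NSLOOKUP_2S)):
        print(label, probe(name, server, sched))
```

Run it with the address of a recursor you have just restarted (or a name you know is not cached) and a name with a deep delegation chain: the first line typically returns None because the 2 s attempt expires while the recursor is still walking the delegation, the second line shows which later attempt of the Windows schedule finally collects the answer and after how many seconds, and the third line succeeds within the same 2 s because the answer is now cached. That is the same first-fails-then-works pattern the thread describes, with the timing attached.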