When `drill` works but `nc` doesn't

Marko Turk markoml at markoturk.info
Sat Sep 17 19:32:11 UTC 2016


Hi,

On Sat, Sep 17, 2016 at 03:41:56PM +0200, Niklaas Baudet von Gersdorff wrote:
> I encountered a strange behaviour when trying to establish
> a connection to my jails. When DNS is involved, I get a 2-second
> delay. At the same time, there is no DNS resolving issue when
> testing with `drill`.
> 
> As it turns out, the problem is related to a specific IP address.
> However, I don't know why exactly and I don't know how to further
> debug this. Maybe someone has an idea. In the following you can
> read what I have done.
> 
> In one of my jails I have unbound running:
> 
>   $ sudo jexec unbound1 sockstat -46l | grep ':53'
> 
>   unbound  unbound    2474  3  udp4   *:53                  *:*
>   unbound  unbound    2474  4  tcp4   *:53                  *:*
>   unbound  unbound    2474  5  udp6   *:53                  *:*
>   unbound  unbound    2474  6  tcp6   *:53                  *:*
> 
> This jail has some IP addresses assigned:
> 
>   $ sudo jexec unbound1 sockstat -46l | grep ':53'
> 
>   lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>     options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>     inet 10.3.3.1 netmask 0xffff0000 
>     inet 10.77.3.1 netmask 0xffff0000 
>     inet6 fd16:dcc0:f4cc:3::3:1 prefixlen 64 
>     inet6 fd16:dcc0:f4cc:77::3:1 prefixlen 64 
>     nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
> 
> On my jails' host and in the other jails I have the following
> /etc/resolv.conf:
> 
>   options timeout:1 attempts:1
>   nameserver 10.77.3.1
>   nameserver fd16:dcc0:f4cc:77::3:1
> 
> I realised that connecting from one jail to another one always
> has a 2-second delay when DNS is involved:
> 
>   $ sudo jexec www1 time nc -z mysql2.box-hlm-03.klaas 3306
> 
>   Connection to mysql2.box-hlm-03.klaas 3306 port [tcp/mysql] succeeded!
>           2.02 real         0.00 user         0.00 sys
> 
> while the same attempt without DNS is instant:
> 
>   $ sudo jexec www1 time nc -z 10.3.5.3 3306
> 
>   Connection to 10.3.5.3 3306 port [tcp/mysql] succeeded!
>           0.00 real         0.00 user         0.00 sys
> 
> So, I thought that this must be a DNS issue. And I checked
> whether my unbound jail works fine:
> 
>   $ sudo jexec www1 drill mysql2.box-hlm-03.klaas @10.77.3.1
> 
>   ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 21945
>   ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4 
>   ;; QUESTION SECTION:
>   ;; mysql2.box-hlm-03.klaas.	IN	A
> 
>   ;; ANSWER SECTION:
>   mysql2.box-hlm-03.klaas.	3339	IN	A	10.3.5.3
> 
>   ;; AUTHORITY SECTION:
>   klaas.	2583	IN	NS	nsd1.box-hlm-01.klaas.
>   klaas.	2583	IN	NS	nsd1.box-hlm-03.klaas.
> 
>   ;; ADDITIONAL SECTION:
>   nsd1.box-hlm-01.klaas.	2583	IN	A	10.1.3.2
>   nsd1.box-hlm-03.klaas.	2583	IN	A	10.3.3.2
>   nsd1.box-hlm-01.klaas.	2583	IN	AAAA	fd16:dcc0:f4cc:1::3:2
>   nsd1.box-hlm-03.klaas.	2583	IN	AAAA	fd16:dcc0:f4cc:3::3:2
> 
>   ;; Query time: 0 msec
>   ;; SERVER: 10.77.3.1
>   ;; WHEN: Sat Sep 17 15:09:33 2016
>   ;; MSG SIZE  rcvd: 194
> 
> As you can see, there is no issue with unbound and I get an
> answer using the same IP (10.77.3.1) instantly. When I kept on
> wondering, I thought about investigating this a bit more. I ran
> the following two commands:
> 
>   $ sudo jexec www1 truss -D -o /tmp/truss-hostname nc -z mysql2.box-hlm-03.klaas 3306
> 
>   $ sudo jexec www1 truss -D -o /tmp/truss-IP nc -z 10.3.5.3 3306
> [cut]

Can you also post truss output when doing drill and tcpdump when doing
netcat with hostname?

-Marko
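As an added illustration (not part of the thread), a small model of the resolver(5) retry schedule that `nc`'s getaddrinfo() path follows but `drill ... @10.77.3.1` bypasses: it parses the resolv.conf quoted above and computes how long a hostname lookup waits when some nameserver never answers a given query type. The `silent` set of non-answering (nameserver, qtype) pairs and the `parallel` flag are assumptions of the model, not observations from the thread.

```python
from dataclasses import dataclass, field

@dataclass
class ResolvConf:
    nameservers: list = field(default_factory=list)
    timeout: int = 5   # resolver(5) defaults when no options line is given
    attempts: int = 2

def parse_resolv_conf(text):
    """Parse `nameserver` lines and `options timeout:N attempts:M`."""
    conf = ResolvConf()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(("#", ";")):
            continue
        if fields[0] == "nameserver" and len(fields) > 1:
            conf.nameservers.append(fields[1])
        elif fields[0] == "options":
            for opt in fields[1:]:
                key, _, val = opt.partition(":")
                if key == "timeout" and val.isdigit():
                    conf.timeout = int(val)
                elif key == "attempts" and val.isdigit():
                    conf.attempts = int(val)
    return conf

def query_delay(conf, qtype, silent):
    """Seconds one query of `qtype` waits: each attempt walks the
    nameservers in order, waiting `timeout` on each silent one.
    Returns None when no server answers within the whole schedule."""
    waited = 0
    for _ in range(conf.attempts):
        for ns in conf.nameservers:
            if (ns, qtype) in silent:
                waited += conf.timeout
            else:
                return waited
    return None

def lookup_delay(conf, silent, qtypes=("A", "AAAA"), parallel=False):
    """Wall time of a getaddrinfo-style lookup issuing `qtypes`.
    Whether a libc sends A and AAAA back-to-back or concurrently
    varies, so `parallel` is an assumption chosen by the caller."""
    delays = [query_delay(conf, q, silent) for q in qtypes]
    if any(d is None for d in delays):
        return None
    return max(delays) if parallel else sum(delays)

# Constructed copy of the resolv.conf quoted in the thread.
THREAD_RESOLV_CONF = """options timeout:1 attempts:1
nameserver 10.77.3.1
nameserver fd16:dcc0:f4cc:77::3:1
"""
```

Feeding `THREAD_RESOLV_CONF` to `parse_resolv_conf` and trying different `silent` sets shows how many seconds each unanswered query type costs under `timeout:1 attempts:1` before the resolver moves on to the next nameserver.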