When `drill` works but `nc` doesn't
Marko Turk
markoml at markoturk.info
Sat Sep 17 19:32:11 UTC 2016
Hi,
On Sat, Sep 17, 2016 at 03:41:56PM +0200, Niklaas Baudet von Gersdorff wrote:
> I encountered a strange behaviour when trying to establish
> a connection to my jails. When DNS is involved, I get a 2-second
> delay. At the same time, there is no DNS resolving issue when
> testing with `drill`.
>
> As it turns out, the problem is related to a specific IP address.
> However, I don't know why exactly and I don't know how to further
> debug this. Maybe someone has an idea. In the following you can
> read what I have done.
>
> In one of my jails I have unbound running:
>
> $ sudo jexec unbound1 sockstat -46l | grep ':53'
>
> unbound unbound 2474 3 udp4 *:53 *:*
> unbound unbound 2474 4 tcp4 *:53 *:*
> unbound unbound 2474 5 udp6 *:53 *:*
> unbound unbound 2474 6 tcp6 *:53 *:*
>
> This jail has some IP addresses assigned:
>
> $ sudo jexec unbound1 sockstat -46l | grep ':53'
>
> lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
> options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
> inet 10.3.3.1 netmask 0xffff0000
> inet 10.77.3.1 netmask 0xffff0000
> inet6 fd16:dcc0:f4cc:3::3:1 prefixlen 64
> inet6 fd16:dcc0:f4cc:77::3:1 prefixlen 64
> nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>
> On my jails' host and in the other jails I have the following
> /etc/resolv.conf:
>
> options timeout:1 attempts:1
> nameserver 10.77.3.1
> nameserver fd16:dcc0:f4cc:77::3:1
>
> I realised that connecting from one jail to another one always
> has a 2 seconds delay when DNS is involved
>
> $ sudo jexec www1 time nc -z mysql2.box-hlm-03.klaas 3306
>
> Connection to mysql2.box-hlm-03.klaas 3306 port [tcp/mysql] succeeded!
> 2.02 real 0.00 user 0.00 sys
>
> while the same attempt without DNS is instant:
>
> $ sudo jexec www1 time nc -z 10.3.5.3 3306
>
> Connection to 10.3.5.3 3306 port [tcp/mysql] succeeded!
> 0.00 real 0.00 user 0.00 sys
>
> So, I thought that this must be a DNS issue. And I checked
> whether my unbound jail works fine:
>
> $ sudo jexec www1 drill mysql2.box-hlm-03.klaas @10.77.3.1
>
> ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 21945
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
> ;; QUESTION SECTION:
> ;; mysql2.box-hlm-03.klaas. IN A
>
> ;; ANSWER SECTION:
> mysql2.box-hlm-03.klaas. 3339 IN A 10.3.5.3
>
> ;; AUTHORITY SECTION:
> klaas. 2583 IN NS nsd1.box-hlm-01.klaas.
> klaas. 2583 IN NS nsd1.box-hlm-03.klaas.
>
> ;; ADDITIONAL SECTION:
> nsd1.box-hlm-01.klaas. 2583 IN A 10.1.3.2
> nsd1.box-hlm-03.klaas. 2583 IN A 10.3.3.2
> nsd1.box-hlm-01.klaas. 2583 IN AAAA fd16:dcc0:f4cc:1::3:2
> nsd1.box-hlm-03.klaas. 2583 IN AAAA fd16:dcc0:f4cc:3::3:2
>
> ;; Query time: 0 msec
> ;; SERVER: 10.77.3.1
> ;; WHEN: Sat Sep 17 15:09:33 2016
> ;; MSG SIZE rcvd: 194
>
> As you can see, there is no issue with unbound and I get an
> answer using the same IP (10.77.3.1) instantly. When I kept on
> wondering, I thought about investigating this a bit more. I ran
> the following two commands
>
> $ sudo jexec www1 truss -D -o /tmp/truss-hostname nc -z mysql2.box-hlm-03.klaas 3306
>
> $ sudo jexec www1 truss -D -o /tmp/truss-IP nc -z 10.3.5.3 3306
> [cut]
Can you also post truss output when doing drill and tcpdump when doing
netcat with hostname?
-Marko
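Added example (not part of this thread, and not Marko's or Niklaas's code): a small Python script that times separately the two legs that differ between the commands quoted above. It sends a direct UDP query to each nameserver listed in /etc/resolv.conf for both A and AAAA (which is what `drill name @server` does), and it times getaddrinfo() per address family (the libc resolver path that `nc` goes through). It also computes the bound timeout x attempts x nameservers from the options line, which for the quoted resolv.conf comes to 2 s for a single query; whether `nc` actually runs into that bound is what the requested truss and tcpdump output would settle, the script only makes the two paths measurable side by side. The sample resolv.conf and the hostname are copied from the quoted message; the function names, the fallback to the sample when /etc/resolv.conf is unreadable, and the libc default values noted in comments are assumptions of this example.

```python
# Added diagnostic (not from the thread): time each leg the libc resolver
# would take, so a "drill works, nc doesn't" gap can be narrowed before
# reading truss/tcpdump output. Assumptions: nameservers answer on UDP/53
# (as unbound does in the post) and getaddrinfo() honours /etc/resolv.conf.
import random
import socket
import struct
import sys
import time

# Constructed sample, copied from the resolv.conf quoted in the thread.
SAMPLE_RESOLV_CONF = """\
options timeout:1 attempts:1
nameserver 10.77.3.1
nameserver fd16:dcc0:f4cc:77::3:1
"""

QTYPES = {"A": 1, "AAAA": 28}
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_resolv_conf(text):
    """Return (nameservers, options) from resolv.conf text; options are ints."""
    nameservers, options = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            nameservers.append(parts[1])
        elif parts[0] == "options":
            for opt in parts[1:]:
                key, _, val = opt.partition(":")
                options[key] = int(val) if val.isdigit() else True
    return nameservers, options


def worst_case_wait(nameservers, options):
    """Seconds the resolver can spend on ONE query before giving up:
    every attempt walks the whole nameserver list, waiting `timeout` each."""
    timeout = options.get("timeout", 5)    # libc default RES_TIMEOUT (assumed)
    attempts = options.get("attempts", 2)  # libc default RES_DFLRETRY (assumed)
    return timeout * attempts * len(nameservers)


def build_query(name, qtype, qid):
    """Encode a minimal DNS query: RD set, one IN question, no EDNS."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPES[qtype], 1)


def parse_response(data, expected_id):
    """Return (rcode name, answer count) read from a DNS response header."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("response id does not match query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    return RCODES.get(flags & 0x000F, str(flags & 0x000F)), an


def time_query(server, name, qtype, timeout):
    """Send one UDP query straight to `server`, as `drill name @server` does."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    qid = random.randrange(65536)
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    start = time.monotonic()
    try:
        sock.sendto(build_query(name, qtype, qid), (server, 53))
        data, _ = sock.recvfrom(512)
        rcode, answers = parse_response(data, qid)
        return rcode, answers, time.monotonic() - start
    except socket.timeout:
        return "TIMEOUT", 0, time.monotonic() - start
    finally:
        sock.close()


def time_getaddrinfo(name, family):
    """Time the libc resolver path nc uses, one address family at a time."""
    start = time.monotonic()
    try:
        n = len(socket.getaddrinfo(name, None, family, socket.SOCK_STREAM))
        return "OK", n, time.monotonic() - start
    except socket.gaierror as e:
        return "ERR %s" % e.errno, 0, time.monotonic() - start


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "mysql2.box-hlm-03.klaas"
    try:
        with open("/etc/resolv.conf") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_RESOLV_CONF
    servers, opts = parse_resolv_conf(text)
    print("resolver bound per query: %d s" % worst_case_wait(servers, opts))
    for server in servers:
        for qtype in QTYPES:
            print(server, qtype, time_query(server, name, qtype, opts.get("timeout", 5)))
    for label, fam in (("AF_INET", socket.AF_INET), ("AF_INET6", socket.AF_INET6)):
        print("getaddrinfo", label, time_getaddrinfo(name, fam))
```

Run it inside the jail that shows the delay (for example `sudo jexec www1 python3 resolver-legs.py mysql2.box-hlm-03.klaas`); a TIMEOUT on one nameserver or one query type, or a getaddrinfo() time that matches the computed bound while every direct query is instant, tells you which leg to look at in the truss and tcpdump output.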