[SOLVED] - IPv6, DNS and Conntrack (Slow Queries)

[cpwp]

Hi All,

Not really sure where this belongs but thought I'd document some findings with regard to how the DNS resolver behaves (apparently since glibc-2.9).
This isn't a problem with the resolver per se, but a workaround for the behaviour of conntrack in certain routers.

Symptoms
I found that connecting to an IPv6 SSH server took 4-5 seconds from my Gentoo machine. All the forward and reverse (v6 and v4) DNS records for both client and server were correct but the DNS queries were still taking way too long before the SSH session was established.
Other services using IPv6 (HTTP/SMTP/etc) were also hanging at the point of initial DNS resolution.

The problem only occurred when using DNS resolvers outside of my own network. Using a BIND server on my network, the problem disappeared.

Explanation
When making a forward DNS lookup, the Linux resolver will send two queries, one requesting an A record (IPv4) and one requesting an AAAA record (IPv6). Both of these requests are sent using the same UDP source port. It turns out that this can confuse the conntrack mechanism in certain routers. (Mine is a Mikrotik RB1200 running RouterOS 5.17) This causes only one of the relevant replies to arrive back, thus the resolver will retry its second query after a few seconds, causing the delay.

Workaround
AFAIK, this isn't documented in Gentoo's man page for resolv.conf, but adding the following line to /etc/resolv.conf will cause the resolver to close and reopen the UDP socket in between sending the two DNS queries - therefore using two different source ports.

[truc]

Wow, thank you for the work around, this was certainly challenging to find it!

This is good to know!
_________________
The End of the Internet!

[texas1emt]

This is still a problem in Mikrotik devices even with firmware 6.28.

Thanks for this post, though! I helped me narrow down the source of my problem.
_________________
M. Hayden - San Antonio, TX