Re: Some services on my edge box slow to reply
From: clvrmnky (clvrmnky-uunet_at_coldmail.com.invalid)
Date: 09/23/04
- Next message: George Pontis: "Honeyd on firewall machine ?"
- Previous message: Dave: "Re: Beta testers needed - C to Java byte-code compiler/IDE"
- In reply to: clvrmnky: "Some services on my edge box slow to reply"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Thu, 23 Sep 2004 11:53:19 -0400
On 21/09/2004 1:16 PM, clvrmnky wrote:
> OpenBSD 3.1, i386
>
> Somehow between last night and this morning, nodes on the inside of my
> firewall/router (referred to as "martini" from now on) are very slow
> accessing some services.
>
> I noticed the problem when I tried to ssh to martini this morning, and
> the login took a very long time (on the order of 30secs.) I use
> RSA-based authentication. I recalled that there was a FAQ item about
> this very problem, and determined that the "UseDNS no" solved /this/
> particular problem. I have an entry in my /etc/hosts for the single
> external node I often connect with ssh from (again, with RSA auth) just
> to shut SSH up. I've never had a problem with ssh from internal nodes
> in this manner.
>
Posting a reply to myself for USENET posterity.
The problem turned out to be a misconfigured resolver on my part.
Specifically, my local named was not set up to be the primary DNS on my
LAN, and reverse lookups were non-existent. There was a problem between
keyboard and chair.
It looks like some services needed to do a forward or reverse lookup on
themselves, which started to fail (and had never failed before!). Hence, the
breakage.
While it is not clear exactly why it would suddenly break, the solution
was to simply set up named as a primary NS for my domain for both forward
and reverse lookups, forwarding out (and caching results) only when
absolutely necessary. Perhaps my ISP got tired of all the negative hits
it was getting for things like "localserver.mydomain.org" or
"10.0.0.254". Serves me right.
Furthermore, it is advisable that I upgrade to BIND9 (i.e., from ports)
and a dhcpd that supports DDNS (i.e., ISC DHCP) so my DHCP supplied
addresses on my LAN also resolve properly. While this is the correct
thing to do, I've found it is not immediately necessary now that the
range of addresses that DHCP gives out fails properly, locally and in a
timely manner. The problem was really all about some services not being
able to do reverse lookups on the local host.
Once I upgrade the new router hardware to OBSD 3.5, I'll build up a
BIND9/DHCP/DDNS system from scratch. Unless things break again, I'm
going to minimize further changes to the old system.
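The failure mode described in this thread (a service that does a forward lookup, a reverse lookup, and then confirms the PTR name resolves back, hanging until the resolver times out) can be checked before it bites. The script below is an added example, not code from the poster or from OpenBSD: it runs that forward/reverse/forward round trip for a host, times each step, and reports missing PTR records, mismatched PTR-to-A mappings and slow answers. By default it uses the system resolver via the `socket` module; the `make_table_resolvers` helper and the `example.lan` names and 10.0.0.x addresses are constructed here so the check can be demonstrated offline, with one host that has no PTR and one whose PTR does not resolve back, the two misconfigurations a LAN with no local reverse zone typically shows.

```python
"""Diagnose forward/reverse DNS for a host the way name-checking services see it.

sshd with "UseDNS yes" (and tcp_wrappers-style checks) reverse-resolve an
address and then verify that the returned name resolves forward to the same
address.  A missing or unreachable reverse zone makes that step stall until
the resolver gives up, which is the multi-second login delay in the thread.
"""
import socket
import time
from typing import Callable, Dict, List, Optional, Tuple

ForwardFn = Callable[[str], List[str]]
ReverseFn = Callable[[str], Optional[str]]


def system_forward(name: str) -> List[str]:
    """A records for name via the system resolver (empty list on failure)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def system_reverse(ip: str) -> Optional[str]:
    """PTR name for ip via the system resolver (None if there is none)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def make_table_resolvers(forward_table: Dict[str, List[str]],
                         reverse_table: Dict[str, str],
                         delay: float = 0.0) -> Tuple[ForwardFn, ReverseFn]:
    """Constructed resolvers backed by dicts, for offline demonstration.

    delay simulates a resolver that answers (or fails) slowly, e.g. one
    forwarding every reverse query to an upstream that never answers for RFC1918 space.
    """
    def forward(name: str) -> List[str]:
        time.sleep(delay)
        return list(forward_table.get(name, []))

    def reverse(ip: str) -> Optional[str]:
        time.sleep(delay)
        return reverse_table.get(ip)

    return forward, reverse


def check_host(name: str,
               forward: ForwardFn = system_forward,
               reverse: ReverseFn = system_reverse,
               slow_seconds: float = 2.0) -> List[str]:
    """Return a list of findings; an empty list means forward and reverse agree quickly."""
    findings: List[str] = []

    start = time.monotonic()
    ips = forward(name)
    took = time.monotonic() - start
    if not ips:
        findings.append(f"forward lookup of {name} failed")
    if took > slow_seconds:
        findings.append(f"slow forward lookup of {name}: {took:.2f}s")

    for ip in ips:
        start = time.monotonic()
        ptr = reverse(ip)
        took = time.monotonic() - start
        if took > slow_seconds:
            findings.append(f"slow reverse lookup of {ip}: {took:.2f}s")
        if ptr is None:
            findings.append(f"no PTR for {ip}")
            continue
        # Forward-confirmed reverse: the PTR name must map back to the same address.
        if ip not in forward(ptr):
            findings.append(f"PTR {ptr} for {ip} does not resolve back to {ip}")
    return findings


# Constructed LAN data: martini is correct, desk has no PTR, printer's PTR is stale.
LAN_FORWARD = {
    "martini.example.lan": ["10.0.0.254"],
    "desk.example.lan": ["10.0.0.10"],
    "printer.example.lan": ["10.0.0.20"],
    "ghost.example.lan": ["10.0.0.21"],
}
LAN_REVERSE = {
    "10.0.0.254": "martini.example.lan",
    "10.0.0.20": "ghost.example.lan",
}

if __name__ == "__main__":
    fwd, rev = make_table_resolvers(LAN_FORWARD, LAN_REVERSE)
    for host in LAN_FORWARD:
        print(host, check_host(host, fwd, rev) or "ok")
```

Run it with no arguments to see the constructed cases; to audit a real box, call `check_host("your.host.name")` with the default system resolvers and treat any "slow" or "no PTR" finding for the router's own name and addresses as the condition that stalled ssh here.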