From owner-freebsd-questions@freebsd.org Sat Sep 17 19:32:11 2016
Date: Sat, 17 Sep 2016 21:23:42 +0200
From: Marko Turk <markoml@markoturk.info>
To: freebsd-questions@freebsd.org
Subject: Re: When `drill` works but `nc` doesn't
Message-ID: <20160917192342.GA2305@vps.markoturk.info>
In-Reply-To: <20160917134155.GA77669@box-hlm-03.niklaas.eu>

Hi,

On Sat, Sep 17, 2016 at 03:41:56PM +0200, Niklaas Baudet von Gersdorff wrote:
> I encountered a strange behaviour when trying to establish
> a connection to my jails. When DNS is involved, I get a 2 second
> delay. At the same time, there is no DNS resolving issue when
> testing with `drill`.
>
> As it turns out, the problem is related to a specific IP address.
> However, I don't know why exactly and I don't know how to further
> debug this. Maybe someone has an idea. In the following you can
> read what I have done.
>
> In one of my jails I have unbound running:
>
> $ sudo jexec unbound1 sockstat -46l | grep ':53'
>
> unbound  unbound  2474  3  udp4  *:53  *:*
> unbound  unbound  2474  4  tcp4  *:53  *:*
> unbound  unbound  2474  5  udp6  *:53  *:*
> unbound  unbound  2474  6  tcp6  *:53  *:*
>
> This jail has some IP addresses assigned:
>
> $ sudo jexec unbound1 sockstat -46l | grep ':53'
>
> lo1: flags=8049 metric 0 mtu 16384
>         options=600003
>         inet 10.3.3.1 netmask 0xffff0000
>         inet 10.77.3.1 netmask 0xffff0000
>         inet6 fd16:dcc0:f4cc:3::3:1 prefixlen 64
>         inet6 fd16:dcc0:f4cc:77::3:1 prefixlen 64
>         nd6 options=21
>
> On my jails' host and in the other jails I have the following
> /etc/resolv.conf:
>
> options timeout:1 attempts:1
> nameserver 10.77.3.1
> nameserver fd16:dcc0:f4cc:77::3:1
>
> I realised that connecting from one jail to another one always
> has a 2 second delay when DNS is involved:
>
> $ sudo jexec www1 time nc -z mysql2.box-hlm-03.klaas 3306
>
> Connection to mysql2.box-hlm-03.klaas 3306 port [tcp/mysql] succeeded!
>         2.02 real         0.00 user         0.00 sys
>
> while the same attempt without DNS is instant:
>
> $ sudo jexec www1 time nc -z 10.3.5.3 3306
>
> Connection to 10.3.5.3 3306 port [tcp/mysql] succeeded!
>         0.00 real         0.00 user         0.00 sys
>
> So, I thought that this must be a DNS issue. And I checked
> whether my unbound jail works fine:
>
> $ sudo jexec www1 drill mysql2.box-hlm-03.klaas @10.77.3.1
>
> ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 21945
> ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
> ;; QUESTION SECTION:
> ;; mysql2.box-hlm-03.klaas.     IN      A
>
> ;; ANSWER SECTION:
> mysql2.box-hlm-03.klaas.        3339    IN      A       10.3.5.3
>
> ;; AUTHORITY SECTION:
> klaas.  2583    IN      NS      nsd1.box-hlm-01.klaas.
> klaas.  2583    IN      NS      nsd1.box-hlm-03.klaas.
>
> ;; ADDITIONAL SECTION:
> nsd1.box-hlm-01.klaas.  2583    IN      A       10.1.3.2
> nsd1.box-hlm-03.klaas.  2583    IN      A       10.3.3.2
> nsd1.box-hlm-01.klaas.  2583    IN      AAAA    fd16:dcc0:f4cc:1::3:2
> nsd1.box-hlm-03.klaas.  2583    IN      AAAA    fd16:dcc0:f4cc:3::3:2
>
> ;; Query time: 0 msec
> ;; SERVER: 10.77.3.1
> ;; WHEN: Sat Sep 17 15:09:33 2016
> ;; MSG SIZE  rcvd: 194
>
> As you can see, there is no issue with unbound and I get an
> answer using the same IP (10.77.3.1) instantly. When I kept on
> wondering, I thought about investigating this a bit more. I ran
> the following two commands:
>
> $ sudo jexec www1 truss -D -o /tmp/truss-hostname nc -z mysql2.box-hlm-03.klaas 3306
>
> $ sudo jexec www1 truss -D -o /tmp/truss-IP nc -z 10.3.5.3 3306
> [cut]

Can you also post the truss output when doing drill and tcpdump when doing
netcat with a hostname?

-Marko
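The `truss -D` logs captured above are where the 2 seconds should show up, since every line carries the time elapsed since the previous syscall. As an added example that is not part of this thread, the following Python parser picks out the syscalls whose delta exceeds a threshold so the wait is attributed to a specific call (typically a poll/select on a resolver socket) rather than read off the total. It assumes each timed `truss -D` line starts with the delta in seconds followed by the syscall; the sample lines are constructed for illustration, not the poster's /tmp/truss-hostname output.

```python
import re

# Constructed sample of a `truss -D` log: a delta in seconds, then the
# syscall. Made up to mimic a resolver that waits out a 1-second timeout
# twice (resolv.conf says timeout:1 attempts:1); not real captured output.
SAMPLE_TRUSS = """\
0.000051234 open("/etc/resolv.conf",O_RDONLY,0) = 3 (0x3)
0.000012345 socket(PF_INET6,SOCK_DGRAM,0) = 4 (0x4)
0.000009876 sendto(4,"...",41,0,NULL,0) = 41 (0x29)
1.001873210 poll({ 4/POLLIN },1,1000) = 0 (0x0)
0.000021000 socket(PF_INET,SOCK_DGRAM,0) = 5 (0x5)
0.000008000 sendto(5,"...",41,0,NULL,0) = 41 (0x29)
1.000944321 poll({ 5/POLLIN },1,1000) = 0 (0x0)
0.000030000 connect(6,{ AF_INET 10.3.5.3:3306 },16) = 0 (0x0)
"""

# Assumed line shape: "<delta> <syscall>(<args>) = <ret>"; lines without a
# leading delta (signal/exit notices) are skipped rather than parsed.
LINE_RE = re.compile(r"^\s*(\d+\.\d+)\s+(\S+?)\((.*)$")


def parse_truss(text):
    """Return a list of (delta_seconds, syscall_name, raw_line) tuples."""
    parsed = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            parsed.append((float(m.group(1)), m.group(2), line.strip()))
    return parsed


def slow_calls(text, threshold=0.5):
    """Syscalls that waited longer than `threshold` seconds before returning."""
    return [entry for entry in parse_truss(text) if entry[0] > threshold]


def total_time(text):
    """Sum of all deltas, i.e. roughly the wall-clock time truss observed."""
    return sum(delta for delta, _, _ in parse_truss(text))


def report(text, threshold=0.5):
    """Human-readable summary: which calls ate the time and how much of it."""
    slow = slow_calls(text, threshold)
    lines = ["%.3fs  %s" % (delta, raw) for delta, _, raw in slow]
    lines.append("slow calls: %.3fs of %.3fs total" %
                 (sum(d for d, _, _ in slow), total_time(text)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_TRUSS))
```

Run it against the real /tmp/truss-hostname and /tmp/truss-IP files and compare which call differs; the fd and the sockaddr in the preceding connect/sendto line tell you which nameserver the wait was spent on.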