Date:      Sat, 17 Sep 2016 21:23:42 +0200
From:      Marko Turk <markoml@markoturk.info>
To:        freebsd-questions@freebsd.org
Subject:   Re: When `drill` works but `nc` doesn't
Message-ID:  <20160917192342.GA2305@vps.markoturk.info>
In-Reply-To: <20160917134155.GA77669@box-hlm-03.niklaas.eu>
References:  <20160917134155.GA77669@box-hlm-03.niklaas.eu>

Hi,

On Sat, Sep 17, 2016 at 03:41:56PM +0200, Niklaas Baudet von Gersdorff wrote:
> I encountered a strange behaviour when trying to establish
> a connection to my jails. When DNS is involved, I get a 2 seconds
> delay. At the same time, there is no DNS resolving issue when
> testing with `drill`.
>
> As it turns out the problem is related to a specific IP address.
> However, I don't know why exactly and I don't know how to further
> debug this. Maybe someone has an idea. In the following you can
> read what I have done.
>
> In one of my jails I have unbound running:
>
>   $ sudo jexec unbound1 sockstat -46l | grep ':53'
>
>   unbound  unbound    2474  3  udp4   *:53                  *:*
>   unbound  unbound    2474  4  tcp4   *:53                  *:*
>   unbound  unbound    2474  5  udp6   *:53                  *:*
>   unbound  unbound    2474  6  tcp6   *:53                  *:*
>
> This jail has some IP addresses assigned:
>
>   $ sudo jexec unbound1 sockstat -46l | grep ':53'
>
>   lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
>     options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
>     inet 10.3.3.1 netmask 0xffff0000
>     inet 10.77.3.1 netmask 0xffff0000
>     inet6 fd16:dcc0:f4cc:3::3:1 prefixlen 64
>     inet6 fd16:dcc0:f4cc:77::3:1 prefixlen 64
>     nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
>
> On my jails' host and in the other jails I have the following
> /etc/resolv.conf:
>
>   options timeout:1 attempts:1
>   nameserver 10.77.3.1
>   nameserver fd16:dcc0:f4cc:77::3:1
>
> I realised that connecting from one jail to another one always
> has a 2 seconds delay when DNS is involved
>
>   $ sudo jexec www1 time nc -z mysql2.box-hlm-03.klaas 3306
>
>   Connection to mysql2.box-hlm-03.klaas 3306 port [tcp/mysql] succeeded!
>           2.02 real         0.00 user         0.00 sys
>
> while the same attempt without DNS is instant:
>
>   $ sudo jexec www1 time nc -z 10.3.5.3 3306
>
>   Connection to 10.3.5.3 3306 port [tcp/mysql] succeeded!
>           0.00 real         0.00 user         0.00 sys
>
> So, I thought that this must be a DNS issue. And I checked
> whether my unbound jail works fine:
>
>   $ sudo jexec www1 drill mysql2.box-hlm-03.klaas @10.77.3.1
>
>   ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 21945
>   ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
>   ;; QUESTION SECTION:
>   ;; mysql2.box-hlm-03.klaas.	IN	A
>
>   ;; ANSWER SECTION:
>   mysql2.box-hlm-03.klaas.	3339	IN	A	10.3.5.3
>
>   ;; AUTHORITY SECTION:
>   klaas.	2583	IN	NS	nsd1.box-hlm-01.klaas.
>   klaas.	2583	IN	NS	nsd1.box-hlm-03.klaas.
>
>   ;; ADDITIONAL SECTION:
>   nsd1.box-hlm-01.klaas.	2583	IN	A	10.1.3.2
>   nsd1.box-hlm-03.klaas.	2583	IN	A	10.3.3.2
>   nsd1.box-hlm-01.klaas.	2583	IN	AAAA	fd16:dcc0:f4cc:1::3:2
>   nsd1.box-hlm-03.klaas.	2583	IN	AAAA	fd16:dcc0:f4cc:3::3:2
>
>   ;; Query time: 0 msec
>   ;; SERVER: 10.77.3.1
>   ;; WHEN: Sat Sep 17 15:09:33 2016
>   ;; MSG SIZE  rcvd: 194
>
> As you can see, there is no issue with unbound and I get an
> answer using the same IP (10.77.3.1) instantly. When I kept on
> wondering, I thought about investigating this a bit more. I ran
> the following two commands
>
> 	$ sudo jexec www1 truss -D -o /tmp/truss-hostname nc -z mysql2.box-hlm-03.klaas 3306
>
> 	$ sudo jexec www1 truss -D -o /tmp/truss-IP nc -z 10.3.5.3 3306
> [cut]

Can you also post truss output when doing drill and tcpdump when doing
netcat with hostname?

-Marko
