Now i think i remember this from an earlier V8 thread. As far as i know, this is because the DNS (named) is started at boot time with a working default configuration, before the interface comes up. Only after the interface has brought up, the named is reconfigured to ask the ISPs nameserver. As a result, there's a short period before you are connected to the internet, during which the machine tries to connect to all the root servers.
While i see that this is a little bit annoying in the reporting charts, i don't think that we'll change this behavior, as this could have severe consequences to anything trying to resolve names on the LAN side of your network.
Anyone of you guys interested in testing my idea of configuring google DNS instead? [;)]
Now i think i remember this from an earlier V8 thread. As far as i know, this is because the DNS (named) is started at boot time with a working default configuration, before the interface comes up. Only after the interface has brought up, the named is reconfigured to ask the ISPs nameserver. As a result, there's a short period before you are connected to the internet, during which the machine tries to connect to all the root servers.
While i see that this is a little bit annoying in the reporting charts, i don't think that we'll change this behavior, as this could have severe consequences to anything trying to resolve names on the LAN side of your network.
Anyone of you guys interested in testing my idea of configuring google DNS instead? [;)]
Now that I am fully awake, I remembered what is going on. The way bind (DNS) is setup for astaro, the forwarders are queried first for all requests. If the forwarders don't answer, the root servers are queried. This is also the default behavior of bind. If however you want to change this you can add forward only in forwarders section of named.conf-default and it will only query your forwarder and not the root servers.
[]
forward only;
};
I would leave it as default since its a failover feature but if you know what you are doing, you can change to forward only and you will get unknown host messages much quicker making your dns faster for unknown hosts etc.
Hi kai, I initially added the google DNS until I was able to run the grc test from home.
The fastest, was local ISP and not far behind was one of the DNS provided by my current ISP.
I have added the fastest DNS as first choice by name and the my ISP's fastest DNS as second choice. I still have use the ISP's forwarders disabled.
The differences are extremely small. 1 or 2 msec for the fastest response and about 3 msec for the average.
I have restarted the ASG and there doesn't appear to be any increase in the dropped DNS (53) packets since this morning's restart. I will re-do the restart test because I forgot to enable the PF rule blocking internal access to external DNS.
By the look of the log files, the packet filter took considerable time to update the display.
I enabled the PF rule that blocks internal going to external DNS and I restarted the ASG another load of dropped packets to root DNS in t he packet filter log.
