I have a small home network of two Debian stable machines and two Windoze portables (boo hiss, but my work and spouse's require that). I'm hitting something that's puzzling me, which is that DNS lookups from the firewall machine are slow, whether directly or from the Windoze machines behind it, while DNS lookups from the Debian server in the DMZ on my network are much faster. However, it gets to the ADSL router through the firewall machine. Firewalling is done by Shorewall 1.2 (i.e. the Debian stable 'Woody' distro, like everything else on the two machines), with the DMZ masqueraded whereas the Windoze machines on the local network are DNAT.
Here are some timings, e.g.:

FIREWALL:

time host leeds.ac.uk 213.120.62.98
leeds.ac.uk A record currently not present at inh2dns02.imsnet2.btopenworld.com

real    0m27.379s
user    0m0.010s
sys     0m0.000s

firewall:/etc/shorewall# time host leeds.ac.uk 213.120.62.98
leeds.ac.uk A record currently not present at inh2dns02.imsnet2.btopenworld.com

real    0m1.040s
user    0m0.000s
sys     0m0.010s

firewall:/etc/shorewall# time host www.leeds.ac.uk 213.120.62.98
www.leeds.ac.uk A 129.11.21.9

real    0m2.394s
user    0m0.000s
sys     0m0.000s

DMZ machine:

time host leeds.ac.uk 213.120.62.98
leeds.ac.uk A record currently not present at inh2dns02.imsnet2.btopenworld.com

real    0m0.107s
user    0m0.020s
sys     0m0.000s

www:/etc# time host www.leeds.ac.uk 213.120.62.98
www.leeds.ac.uk A 129.11.21.9

real    0m0.129s
user    0m0.010s
sys     0m0.020s

The Windoze machines (W2k and XPProf) are slowish, in line with the firewall timings, with the XP machine tolerating it and the 2k machine timing out repeatedly.

I'm baffled: the firewall machine has two ethernet ports on the motherboard (eth1 & eth2: via-rhine) and a PCI card (eth0: RTL8139). Shorewall maps those:

eth0 -- to the ADSL router
eth1 -- to the local network via a Belkin 8 port 100/1k switch
eth2 -- to the DMZ

The firewall is the faster of the two machines (1002 MHz Centaur VIA Nehemiah stepping 03 with 491456k RAM running a 2.4.19 kernel, cf. 273MHz AMD-K6tm w/ MME stepping 00 and 131072k RAM running 2.4.18).

Something is presumably intervening in the DNS lookups from and via the firewall by the local network that isn't intervening for the lookups the server passes through the firewall by masquerading. The shorewall rules allow domain (port 53) access to the net from the firewall, the dmz and the local network, and there are no iptables complaints matching the slow lookups in /var/log/messages, so I don't think I've simply misconfigured my iptables rules to disallow lookups!
I'm sure likely culprits are obvious to those who know more about iptables and masquerading/DNAT than I do. Hugely appreciate suggestions and advice as this is really slowing things down to a crawl. TIA, Chris
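An added diagnostic script, not part of Chris's post or of Shorewall, that a practitioner would run on the firewall and on the DMZ host side by side to separate resolver latency from the NAT path. It reads the nameservers from a resolv.conf-style file, times one query per resolver with a hard timeout, and classifies each as OK, SLOW or TIMEOUT against a threshold in milliseconds. It uses `dig` (from the dnsutils package) rather than `host`, because the `host` output above also prints the server's name, which is learned through a separate reverse lookup of the server's address, and that extra round trip would otherwise be folded into the `real` time. The resolver addresses, hostname, query command and 500 ms threshold are assumptions; GNU `date` (for `%N`) is assumed, as on Debian.

```shell
#!/bin/sh
# Added example: per-resolver DNS latency probe. Run the same invocation on
# the firewall and on the DMZ machine and compare the per-server numbers.
# Assumes GNU date (%N nanoseconds) and a dig binary; both are assumptions.

# Print the nameserver addresses listed in a resolv.conf-style file ($1).
resolvers_from() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Time one query. $1 = query command (word-split, e.g. "dig +time=2 +tries=1 +short"),
# $2 = server address, $3 = name to look up. Prints elapsed milliseconds on stdout;
# the exit status is the query command's own, so a timeout shows up as non-zero.
time_query() {
    start=$(date +%s%N)
    $1 @"$2" "$3" >/dev/null 2>&1
    rc=$?
    end=$(date +%s%N)
    echo $(( (end - start) / 1000000 ))
    return $rc
}

# Classify a measurement: $1 = elapsed ms, $2 = query exit status, $3 = threshold ms.
classify() {
    if [ "$2" -ne 0 ]; then
        echo TIMEOUT
    elif [ "$1" -gt "$3" ]; then
        echo SLOW
    else
        echo OK
    fi
}

# Probe every resolver in $1 for name $2. Optional $3 = query command,
# optional $4 = SLOW threshold in ms (assumed 500 ms by default).
probe_all() {
    conf=$1
    name=$2
    query=${3:-"dig +time=2 +tries=1 +short"}
    limit=${4:-500}
    for ns in $(resolvers_from "$conf"); do
        ms=$(time_query "$query" "$ns" "$name")
        status=$?
        printf '%-16s %6s ms  %s\n' "$ns" "$ms" "$(classify "$ms" "$status" "$limit")"
    done
}

# Usage: sh dnsprobe.sh /etc/resolv.conf www.leeds.ac.uk
if [ $# -ge 2 ]; then
    probe_all "$1" "$2"
fi
```

If the same resolver answers quickly from the DMZ host but slowly from the firewall, the resolver itself is not the problem and the difference lies in how each host's packets leave (masquerade versus the firewall's own socket); if both hosts see the same slow server, it is the resolver. `dig +time=2 +tries=1` bounds each probe at about two seconds, so a 27-second `host` result shows up here as TIMEOUT rather than blocking the run.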