Jason Haar wrote:
Theo Van Dinter wrote:
On Wed, Dec 13, 2006 at 03:35:30PM -0600, Mike French wrote:
Do these normally timeout or do they need to be removed from a rule? I'm
thinking they are timed out because nothing was found?
The problem is likely related to your name servers.  There should always
be a response, even if it's "not found".

Well - unless it's a timeout :-) I certainly see (i.e. tcpdump) DNS
responses routinely taking those sorts of amounts of time. Don't forget
- UDP is lossy, so there's opportunity for retransmit delays, etc.

Here in NZ we are about as far away from other countries' DNS as you can
get - I had to ramp up all DNS-related SA timeouts to get an acceptable
level of SA hitrates. Of course it does mean SA takes >10sec to process
a good fraction of our email :-(

I've just checked: 9% of our NZ-based SA calls take > 10 sec - and it
will be all DNS related. Conversely 0.3% of our US-based SA calls take
10secs...

It's just the way it is. New Zealand is working on a tectonic-plate
strategy to drag the country closer to California to improve home
broadband performance :-)


Make sure you are running a local caching name server. Even with a real name server on the same subnet, I have heard of massive delays in DNS lookups as a result. This in turn causes a massive slowdown in the processing of mail.
  • Re: DNSRBL Richard Frovarp
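The distinction discussed in this thread, a "not found" answer versus no answer at all, can be measured directly. This is an added example, not code from any poster or from SpamAssassin; the zone `dnsbl.example`, the test address `192.0.2.99` and the resolver at `127.0.0.1` are placeholder assumptions.

```python
import os, socket, struct, time

def dnsbl_qname(ip, zone):
    # DNSBL convention: reverse the IPv4 octets, then append the list's zone.
    return ".".join(reversed(ip.split("."))) + "." + zone

def build_query(qname, txid):
    # 12-byte header (RD set, one question) + QNAME + QTYPE=A + QCLASS=IN.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def classify(response, txid):
    # Verdict from the reply header alone; any of these means the server answered.
    if len(response) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    if rid != txid or not flags & 0x8000:   # wrong ID, or not a response (QR=0)
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 3:                           # NXDOMAIN: "not found" is an answer
        return "not-listed"
    if rcode == 0:
        return "listed" if ancount else "not-listed"
    return "server-error"                    # SERVFAIL, REFUSED, ...

def timed_lookup(ip, zone, server, timeout=3.0, retries=2, port=53):
    # Returns (verdict, seconds). "timeout" means no datagram came back at all.
    txid = int.from_bytes(os.urandom(2), "big")
    query = build_query(dnsbl_qname(ip, zone), txid)
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries + 1):
            sock.sendto(query, (server, port))   # UDP is lossy: retransmit on silence
            try:
                data, _addr = sock.recvfrom(512)
            except socket.timeout:
                continue
            return classify(data, txid), time.monotonic() - start
    return "timeout", time.monotonic() - start

if __name__ == "__main__":
    # Assumed values: resolver address and zone are placeholders, not from the thread.
    print(timed_lookup("192.0.2.99", "dnsbl.example", "127.0.0.1"))
```

Running it against the local caching resolver and against the upstream one shows whether slow scans come from retransmits (a `timeout` verdict or elapsed time near a multiple of the timeout) or from slow but real answers.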
