cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Windows DNS client - delay with reverse lookup

loyder
Copper Contributor

‎Apr 15 2018 01:25 PM

‎Apr 15 2018 01:25 PM

Windows DNS client - delay with reverse lookup

Hello

 

I have windows 2012 server, which is in MS cluster. In TCP/IP protocol 3 dns servers are configured (this server works as dns client)

And there is problem with reverse lookup requests - there is additional delay about 4 seconds.

Some facts: 

1. DNS servers works fine. There is no delay in response (captured packets on network with Wireshark, response comes within mseconds. Exactly these DNS servers are also used on other windows machines and there is no problem with them.

2. nslookup works fine. There is no delay and  correct response is returned.

(but nslookup bypass dns client and queries DNS server directly)

3. ping -a <ip-address> gives delay for about 4 seconds.

4. I do not see any NetBIOS or WINS requests from this computer in Wireshark.

5. If I add corresponding entries into hosts file - then ping -a <ip-address> works without delay.

6. Normal dns queries via dns client (ping <hostname>) works fine, there is no any additional delay.

 

I cannot blame DNS servers - they seems to work fine without any problem. 

The problem seems to be in the local dns client, but I am out of ideas what else can I check.

 

Below captured traffic in Wireshark, and results of "nslookup -debug <ip-address>" command.

If you have any idea where problem could be - you are more than welcome :-).

 

2018-04-14_23-06-51_hided.pngdns_reverse_lookup_response.png

 

C:\Users\admin\Documents>nslookup -debug 10.198.126.28
------------
Got answer:
HEADER:
opcode = QUERY, id = 1, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
199.199.199.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 199.199.199.10.in-addr.arpa
name = lbaxxxxx.xxx.xx
ttl = 86400 (1 day)

------------
Server: lbaxxxxx.xxx.xx
Address: 10.199.199.199

------------
Got answer:
HEADER:
opcode = QUERY, id = 2, rcode = NOERROR
header flags: response, auth. answer, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
28.126.198.10.in-addr.arpa, type = PTR, class = IN
ANSWERS:
-> 28.126.198.10.in-addr.arpa
name = SVMXXXX.xxx.xx
ttl = 86400 (1 day)

------------
Name: SVMXXXX.xxx.xx
Address: 10.198.126.28

Labels:
5,322 Views
0 Likes
1 Reply
Reply
1 Reply
petevern

‎Mar 01 2019 04:35 AM

‎Mar 01 2019 04:35 AM

Re: Windows DNS client - delay with reverse lookup

Hi,

I was wondering did you receive any feedback or find the reason why reverse DNS is slow. I see the exact same behavior at a customer, did also a Wireshark trace and see the DNS reverse request, immediate answer from DNS server and seconds nothing until de reply starts of the ping.

I've seen also this behavior:
- reverse lookup in the same subnet = slow -> in this case I see ARP request just before the reply of the ping but delay between DNS reply and ARP
- reverse lookup in another subnet = fast -> in this case no ARP request because it is sent to the default gateway and that is already in his local ARP table. see immediately after the DNS response ICMP packets
- have it both on Windows 2012 R2 and Windows 2016, not on Windows 2008 R2
- don't have it on non-domain joined servers (so in workgroup) or at least cannot simulate it

For simulation I just use ping -a x.x.x.x
If you have more info let me know?

Thx,
Pete
0 Likes
Reply