[lug] ipchains -L hangs
D. Stimits
stimits at idcomm.com
Wed Dec 13 02:51:02 MST 2000
Deva Samartha wrote:
>
> >My ppp0 input chain listed 86 rules in about 6 seconds. They displayed
> >in chunks, with pauses between chunks. I believe it is possible the
> >pauses were caused by attempting name lookup of a numeric ip that took a
> >brief moment. Possibly it is slowed when doing that?
>
> I checked it and - see there - every line in ipchains -L does a bunch of
> DNS requests to the USwest DNS server which does not make much sense at
> all! I am not very familiar with the tcpdump format below but it looks as
> if it tries to do a reverse address lookup for the 192.168.9.0?
>
> 20:31:46.510946 me.mydom.com.1049 > ns2.dnvr.uswest.net.domain: 36691+ PTR?
> 0.9.168.192.in-addr.arpa. (42)
> 20:31:46.532356 ns2.dnvr.uswest.net.domain > me.mydom.com.1049: 36691
> NXDomain* 0/1/0 (124)
>
> Same happens when going from the firewall (where the chain resides) with
> browser to httpd in DMZ with local IP - it hangs too with varying times
> doing DNS lookups on local IPs.
>
> I tried putting names and network addresses in /etc/networks and rebooted
> - no change of behavior.
>
> /etc/nsswitch has:
>
> networks: files dns
>
> Any suggestions of what to do in order to talk the programs into dropping
> their DNS weirdness?
>
As long as it is looking up names, it will slow down. If a name lookup
requires extra time for a timeout, then it'll take a LOT longer. The
option "-n" tells it to use only numeric output. If you use that, all
IPs will be dotted-decimal format, and it'll run fast (no name lookups
required).
D. Stimits, stimits at idcomm.com
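An added example, not part of the thread or of ipchains: a small Python script that scans tcpdump output like the lines quoted above for PTR queries about RFC 1918 addresses sent to an outside resolver, which is the side effect of a non-"-n" listing that a firewall admin would want to notice. The sample lines are constructed after the two quoted in the message.

```python
import ipaddress
import re

# Constructed sample tcpdump output, modelled on the two lines quoted in the
# thread plus two extra queries (one public PTR, one A record) for contrast.
SAMPLE_TCPDUMP = """\
20:31:46.510946 me.mydom.com.1049 > ns2.dnvr.uswest.net.domain: 36691+ PTR? 0.9.168.192.in-addr.arpa. (42)
20:31:46.532356 ns2.dnvr.uswest.net.domain > me.mydom.com.1049: 36691 NXDomain* 0/1/0 (124)
20:31:47.101233 me.mydom.com.1050 > ns2.dnvr.uswest.net.domain: 36692+ PTR? 4.4.8.8.in-addr.arpa. (40)
20:31:47.200412 me.mydom.com.1051 > ns2.dnvr.uswest.net.domain: 36693+ A? www.example.com. (33)
"""

# Matches the one-line tcpdump DNS query format seen in the thread:
#   <time> <src>.<port> > <dst>.<port>: <id>+ PTR? <octets>.in-addr.arpa. (<len>)
PTR_QUERY_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+\d+\+\s+PTR\?\s+"
    r"(?P<labels>(?:\d{1,3}\.){4})in-addr\.arpa\."
)


def ptr_name_to_ip(labels):
    """Turn the reversed in-addr.arpa octets ('0.9.168.192.') back into an IPv4 address."""
    octets = labels.rstrip(".").split(".")
    return ipaddress.IPv4Address(".".join(reversed(octets)))


def strip_port(endpoint):
    """tcpdump prints 'host.port' (port may be a service name such as 'domain'); drop the port."""
    return endpoint.rsplit(".", 1)[0]


def find_private_ptr_leaks(tcpdump_text):
    """Return (timestamp, ip, resolver) for every PTR query about an RFC 1918 address."""
    leaks = []
    for line in tcpdump_text.splitlines():
        m = PTR_QUERY_RE.match(line)
        if not m:
            continue  # responses, A queries and unrelated traffic are skipped
        ip = ptr_name_to_ip(m.group("labels"))
        if ip.is_private:
            leaks.append((m.group("ts"), str(ip), strip_port(m.group("dst"))))
    return leaks


if __name__ == "__main__":
    for ts, ip, resolver in find_private_ptr_leaks(SAMPLE_TCPDUMP):
        print(f"{ts}: reverse lookup of private address {ip} sent to {resolver}")
```

Feed it real `tcpdump -n port 53` output to confirm the lookups stop once the listing is run with `-n`.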