That's When I Reach For My Resolver

So, the primary nameserver is down, but luckily /etc/resolv.conf has been equipped with a secondary nameserver entry - great! And nslookup works like a charm too, heh! But all the other useful tools wait for ages until they get a response from the backup server - why is that?

$ time ping eve
eve is alive

real    0m30.045s
user    0m0.007s
sys     0m0.018s

Unlike e.g. nslookup, normal applications have to use the resolver(4) to get their name requests answered. Now, we could cheat and put our backup server before the faulty one, but let's see if we can tackle this from a different angle. resolv.conf(4) was most helpful, of course:
options
   Allows certain internal resolver variables to be modified.

timeout:n / retrans:n
   Sets the amount of time the resolver will wait for a response from a remote 
   name server before retrying the query by means of a different name server.
   Measured in seconds, the default is RES_TIMEOUT. See 

attempts:n / retry:n
   Sets the number of times the resolver will send a query to its name 
   servers before giving up and returning an error to the calling application.
   The default is RES_DFLRETRY. See .

In our resolv.h (Solaris 10) we have:
$ egrep 'RES_TIMEOUT|RES_MAXRETRANS|RES_DFLRETRY' /usr/include/resolv.h
#define RES_TIMEOUT         5      /* min. seconds between retries */
#define RES_MAXRETRANS     30      /* only for resolv.conf/RES_OPTIONS */
#define RES_DFLRETRY        2      /* Default #/tries. */

So, let's tweak those options:
$ grep options /etc/resolv.conf 
options timeout:1 retry:1

$ time ping eve
eve is alive

real    0m7.794s
user    0m0.007s
sys     0m0.018s
Whooha, not bad.
Note: in Linux the retry: parameter is called attempts:

Let's tweak the retry: parameter a bit more:
$ grep options /etc/resolv.conf 
options timeout:1 retry:0

$ time ping eve
eve is alive

real    0m2.100s
user    0m0.007s
sys     0m0.018s
Even better. Of course, one has to realize that with zero retries the resolver will jump to the next nameserver on the first failure - so, if our backup server is a bit sleepy we won't get a reply at all. If you enable nscd, subsequent requests to the same name will be answered instantly:
$ sudo svcadm enable svc:/system/name-service-cache
$ time ping eve
eve is alive

real    0m3.218s
user    0m0.007s
sys     0m0.018s

$ time ping eve
eve is alive

real    0m0.198s
user    0m0.007s
sys     0m0.017s
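
The option handling described above, as an added example that is not part of the original post: a small parser that reports the effective timeout and retry count for a resolv.conf, using the defaults from the resolv.h excerpt. The function names, the sample file and the clamping of timeout to RES_MAXRETRANS are assumptions of this example.

```python
# Added example; defaults copied from the Solaris 10 resolv.h excerpt above.
RES_TIMEOUT, RES_MAXRETRANS, RES_DFLRETRY = 5, 30, 2

# resolv.conf(4) documents two spellings for each option.
ALIASES = {"timeout": "timeout", "retrans": "timeout",
           "attempts": "attempts", "retry": "attempts"}

# Constructed sample input (documentation addresses, not real servers).
SAMPLE = """\
; constructed sample
nameserver 192.0.2.1
nameserver 192.0.2.2
options timeout:1 retry:0
"""


def effective_settings(text):
    """Return nameservers plus effective timeout/attempts for resolv.conf text."""
    cfg = {"nameservers": [], "timeout": RES_TIMEOUT,
           "attempts": RES_DFLRETRY, "ignored": []}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0][0] in "#;":
            continue  # blank line or comment
        if fields[0] == "nameserver" and len(fields) > 1:
            cfg["nameservers"].append(fields[1])
        elif fields[0] == "options":
            for opt in fields[1:]:
                name, _, value = opt.partition(":")
                key = ALIASES.get(name)
                if key is None:
                    continue  # an option this example does not model
                if not (value.isascii() and value.isdigit()):
                    cfg["ignored"].append(opt)  # malformed value, default kept
                    continue
                number = int(value)
                if key == "timeout":  # assumption: clamped to RES_MAXRETRANS
                    number = min(number, RES_MAXRETRANS)
                cfg[key] = number  # a later option overrides an earlier one
    return cfg


def review(cfg):
    """Flag settings that leave no margin when a server is down or slow."""
    notes = []
    if len(cfg["nameservers"]) < 2:
        notes.append("no backup nameserver")
    if cfg["attempts"] == 0:
        notes.append("zero retries: a slow backup server means no answer")
    return notes
```

Calling review(effective_settings(open("/etc/resolv.conf").read())) checks the live file.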