[Blink] DNS error
dan at ag-projects.com
Tue Dec 11 17:06:24 CET 2012
On 11 Dec 2012, at 0:09, Bryan Miller wrote:
> It seems that there may be a bug in the OS X app firewall. This is occurring on Mac minis, and their default config is to have the firewall enabled and signed apps allowed connections.
> You can reproduce this error by using dig or nslookup and running repeatedly in quick succession, at least it can be done on multiple machines.
> It will randomly timeout on a query. Looking at a tcpdump, you can see a response packet that isn't received by nslookup or dig. After the timeout, dig or nslookup sends another query and gets a response.
> So, the problem is that when you first start up blink, it sends out multiple DNS queries to attempt auto configuration of the sip account:
This is not a problem, but the modus operandi in SIP. It also happens every time you attempt a call, not only at startup. Whenever Blink has to start a SIP dialog, it will do the NAPTR/SRV/A record lookup to determine where to send the request, unless you override this by manually providing an outbound proxy in the settings for the accounts.
> There is a 50/50 chance of one of these queries running into the timeout related bug.
I honestly cannot see how Blink can work at all in an environment where you have such a high chance of DNS timeouts.
> For the machines that do experience the timeout, Blink then decides to start using 126.96.36.199 and 188.8.131.52 as the DNS servers.
Actually this only happens when you start Blink, as the DNS probing and deciding what nameservers to use only happens when Blink starts or when the IP address of the machine changes or when the machine resumes from sleep.
This seems to indicate that you can get a DNS timeout with the first DNS queries that happen while Blink is starting up. I'd like to see a full notifications log from when Blink starts until it goes into the problem (chooses to use the Google nameservers), to get a better idea what's happening there.
> This problem does not exist when I turn off the OS X Firewall in system preferences.
Maybe you should report this to Apple, as there is no setting in the firewall indicating that an application can only make a limited number of connections or DNS requests. An application is either allowed or not.
> A temporary fix is adding the NAPTR and SRV entries to our DNS. This reduces the DNS queries down to three lookups.
This is not a temporary fix, but how things should be. For SIP to work optimally, you need to have NAPTR and SRV records in your domain. While Blink works without them, this is because we try to work even for domains that are not well set up, but a proper setup includes those records.
> The other fix would be to configure all clients to use a primary proxy with the IP address. However, going to each machine and putting this in manually is rather tedious for the amount of workstations we have, so the DNS entries are easier.
1. Disable the firewall if it is not a requirement to have it on.
2. Add NAPTR/SRV records to DNS to minimize the number of lookups.
3. Configure an outbound proxy to avoid DNS lookups altogether.
In addition, report this to Apple, because it seems to be a problem with their firewall. At least they should indicate how many queries per second an application is allowed if they have such a limit.
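The NAPTR/SRV/A lookup chain discussed in this thread, as an added example that is not Blink's code or AG Projects' implementation: a small Python model of RFC 3263-style SIP target resolution run against a constructed in-memory zone, with the number of DNS queries counted. The zone contents (example.com, the 192.0.2.x addresses, the two SRV hosts), the order in which SRV names are tried when no NAPTR record exists, and the UDP transport assumed for an outbound proxy are assumptions made for the example. It shows what options 2 and 3 in the reply above buy you: NAPTR/SRV records make the chain short and deterministic, every extra SRV host costs one A lookup, the fallback path for a domain with only an A record issues more queries (each one a chance to hit the timeout), and an outbound proxy given as an IP literal needs no DNS at all.

```python
# Added example (not Blink's code): RFC 3263-style SIP target resolution
# run against a constructed in-memory zone, counting the DNS queries needed.
import shlex
from collections import defaultdict

# Constructed zone fragments in BIND-like syntax; example.com and the
# 192.0.2.x addresses are documentation placeholders, not real hosts.
ZONE_WITH_NAPTR = """
example.com.            IN NAPTR 10 50 "s" "SIP+D2U" "" _sip._udp.example.com.
_sip._udp.example.com.  IN SRV   10 100 5060 sip1.example.com.
_sip._udp.example.com.  IN SRV   20 100 5060 sip2.example.com.
sip1.example.com.       IN A     192.0.2.10
sip2.example.com.       IN A     192.0.2.11
"""

# Same domain with only an A record: the "not well set up" case.
ZONE_WITHOUT_NAPTR = """
example.com.            IN A     192.0.2.20
"""

# NAPTR service field -> SIP transport (RFC 3263 section 4.1).
SERVICES = {"SIP+D2U": "udp", "SIP+D2T": "tcp", "SIPS+D2T": "tls"}
# SRV names tried when no NAPTR record exists; the order is an assumption
# (a plain sip: URI trying UDP first, then TCP, then TLS).
SRV_FALLBACK = (("_sip._udp.", "udp"), ("_sip._tcp.", "tcp"), ("_sips._tcp.", "tls"))


def _norm(name):
    return name.rstrip(".").lower()


class Zone:
    """Tiny authoritative zone with a query log, standing in for a resolver."""

    def __init__(self, text):
        self.records = defaultdict(list)
        for line in text.splitlines():
            line = line.strip()
            if not line or line.startswith(";"):
                continue
            name, _cls, rtype, *fields = shlex.split(line)  # "" becomes ''
            self.records[(_norm(name), rtype)].append(fields)
        self.queries = []

    def query(self, name, rtype):
        self.queries.append((_norm(name), rtype))
        return self.records.get((_norm(name), rtype), [])


def resolve_srv(zone, name, transport):
    """SRV -> A; lower priority first, higher weight first within a priority."""
    rows = sorted(zone.query(name, "SRV"), key=lambda f: (int(f[0]), -int(f[1])))
    return [(transport, _norm(host), int(port), ip)
            for _prio, _weight, port, host in rows
            for (ip,) in zone.query(host, "A")]


def resolve_sip(zone, domain, outbound_proxy=None):
    """Ordered (transport, host, port, ip) targets for a SIP domain.

    An outbound proxy given as an IP literal short-circuits DNS entirely
    (option 3 in the thread); the transport here is assumed to be UDP.
    """
    if outbound_proxy:
        host, _, port = outbound_proxy.partition(":")
        return [("udp", host, int(port or 5060), host)]

    targets = []
    naptr = zone.query(domain, "NAPTR")
    if naptr:
        # Keep terminal "s" records with a supported service, sorted by order/preference.
        chosen = sorted((int(o), int(p), svc.upper(), repl)
                        for o, p, flags, svc, _regexp, repl in naptr
                        if flags.lower() == "s" and svc.upper() in SERVICES)
        for _o, _p, svc, srv_name in chosen:
            targets += resolve_srv(zone, srv_name, SERVICES[svc])
        return targets

    # No NAPTR: probe an SRV name per transport, each one a separate query.
    for prefix, transport in SRV_FALLBACK:
        targets += resolve_srv(zone, prefix + domain, transport)
    if targets:
        return targets

    # Last resort: the A record of the domain itself on the default port.
    return [("udp", _norm(domain), 5060, ip) for (ip,) in zone.query(domain, "A")]


def query_count(zone_text, domain, outbound_proxy=None):
    """Resolve and report how many DNS queries the chain needed."""
    zone = Zone(zone_text)
    targets = resolve_sip(zone, domain, outbound_proxy)
    return targets, len(zone.queries)


if __name__ == "__main__":
    for label, text in (("with NAPTR/SRV", ZONE_WITH_NAPTR), ("A only", ZONE_WITHOUT_NAPTR)):
        targets, n = query_count(text, "example.com")
        print(f"{label}: {n} queries -> {targets}")
    print("outbound proxy:", query_count(ZONE_WITHOUT_NAPTR, "example.com", "192.0.2.5:5060"))
```

Run it and compare the query counts: the NAPTR/SRV zone resolves in NAPTR, SRV and one A lookup per SRV host, the A-only zone spends a NAPTR query plus one empty SRV query per transport before it reaches the A record, and the outbound proxy path issues nothing. Against a firewall that drops roughly every other UDP answer, each extra query in the chain is another place for the failure to land.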