Proposed patch for DNS and name resolution related problems in appliance branch

Tim Potter tpot at
Sun Jun 30 19:03:02 GMT 2002

I've put together some patches to solve some issues related to DNS and
name resolution within Samba.  They will probably go in to the
appliance branch, but I am keen for them to also be applied to HEAD.

The problem is that Samba is reliant on a working DNS server and
misconfigurations of DNS servers can affect the stability and usability
of Samba services.  smbd and winbindd both try and contact a DNS server
to resolve names, especially if the name is not in WINS and the default
name resolve order is used.  Broken DNS servers can cause the client
resolver to run through the full set of timeout/retries which can take up
to two minutes to return failure.  Samba then compounds this problem by
not remembering that the last lookup failed and keeps on trying.

I have coded up two solutions to this problem.  They are based on the
idea that a Samba server should be relatively independent of services it
cannot control.  If there is a DNS server problem, Samba should behave
gracefully and return an error to any Samba clients within a reasonable
period of time.

I know Jeremy initially wasn't keen on the resolve/retry stuff going in
to HEAD but maybe in the context of optimising name resolution he will
change his mind.  (-:


1. Shorten the timeout and retry values used by the DNS resolver library

Many client resolver libraries contain a global struct in which live
retry and timeout fields that can be changed by application programs.
In Linux this structure can be stored in resolv.h.  I propose two new
parameters (sorry):

	dns resolve retrans	The retransmission time interval
	dns resolve retry	Number of retries

The retransmission time interval is given in seconds and is doubled
between each retry.  The default values for these under Linux are five
seconds between retries and four retries.  If these default values are
changed to three retries, 40 seconds is taken off the time taken to
return a name lookup failure.

2. Cache negative DNS lookup responses

For failed DNS queries we store this failed result in a tdb with a
timestamp.  All subsequent lookups for that name within a certain time
period return false until the negative lookup entry times out.

Windows has a local internal name cache for positive lookups which can
be queried or modified using the nbtstat command.  Since we now have a
negative caching system in place we can also do positive caching.  This
has more of an effect on systems where winbindd and multiple smbds are
running at once.  The default cache timeout under win2k is 10 minutes
but this can be changed using the registry.
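
A sketch of the negative cache described in point 2, added here as an illustration and not taken from the patch or from Samba: a fixed in-memory table stands in for the tdb, and the function names, table size, sample names and caller-supplied clock are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <time.h>
#define NEG_SLOTS 64      /* constructed size; a tdb would replace this table */
#define NEG_NAME_MAX 256
static struct neg_entry {
    char name[NEG_NAME_MAX];
    time_t failed_at;     /* time of the failed lookup; 0 = slot unused */
} neg_cache[NEG_SLOTS];

/* DNS names compare case-insensitively, so hash the lower-cased name. */
static struct neg_entry *neg_slot(const char *name) {
    unsigned h = 5381;
    for (; *name; name++)
        h = h * 33 + (unsigned)tolower((unsigned char)*name);
    return &neg_cache[h % NEG_SLOTS];
}

/* Record a failed lookup; over-long names are skipped, never truncated. */
void neg_cache_add(const char *name, time_t now) {
    struct neg_entry *e = neg_slot(name);
    if (strlen(name) >= NEG_NAME_MAX)
        return;
    strcpy(e->name, name);
    e->failed_at = now;
}

/* True while name failed less than ttl seconds ago: fail fast, skip DNS. */
bool neg_cache_hit(const char *name, time_t now, time_t ttl) {
    struct neg_entry *e = neg_slot(name);
    if (e->failed_at == 0 || strcasecmp(e->name, name) != 0)
        return false;
    if (now < e->failed_at || now - e->failed_at >= ttl) {
        e->failed_at = 0; /* expired or clock stepped back: ask DNS again */
        return false;
    }
    return true;
}

int main(void) {
    time_t t = time(NULL);
    neg_cache_add("broken.example", t);   /* constructed name */
    bool fresh = neg_cache_hit("BROKEN.example", t + 30, 60);
    bool stale = neg_cache_hit("broken.example", t + 60, 60);
    printf("within ttl: %d, after ttl: %d\n", fresh, stale);
    return 0;
}
```

Two names that hash to the same slot overwrite each other, which only costs one extra DNS query; a successful lookup should also clear the entry for that name.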
