
In our environment (lots of CentOS 7 VMs), we routinely encounter the oft-discussed issue where name service lookups result in a 5 second delay as a request times out, even on "successful" requests. As others have tried, we've disabled IPv6 (not used in our internal environment), and it didn't completely resolve the issue. Searching through the forums, we found the suggestion to add "options single-request" to /etc/resolv.conf; this does seem to fix the problem, but manual edits to resolv.conf are routinely overwritten by NetworkManager.

I've searched around, but I can't seem to find a place in nmtui or nmcli to specify this so that NetworkManager knows to include the option when it rewrites the file.

Am I missing something obvious? Is there a way to set this somewhere else? Is there another, preferable fix for the issue?

  • The solution is to find and fix the broken firewall which is causing the problem. – Michael Hampton Apr 06 '18 at 15:56
  • Got a link / example? – Thomas J. Girsch Apr 07 '18 at 14:26
  • That depends on the specific broken firewall, and you didn't mention what is in your environment. If you have a really old Juniper firewall, you might [read this](https://serverfault.com/a/411178/126632). It might have been sort of acceptable to use temporary workarounds for issues like this in 2012, but in 2018 it's inexcusable for firewalls to still be doing this. – Michael Hampton Apr 07 '18 at 15:51
  • I'm sympathetic to (and agree with) the notion that the right thing to do is to fix the problem at its source. However, I only have access to and control of the Linux VMs with which I'm working. The switches, firewalls, gateways and domain controllers are outside my control, and I don't even know the particulars. All I can do is nag the network infrastructure group. Hence the need to find workarounds that ARE within my control. – Thomas J. Girsch Apr 09 '18 at 12:02

5 Answers


I know the real solution is to fix the AD server that handles DNS requests (my network admin is begging for an answer as to how), but in the meantime, I've found a workaround.

In /etc/sysconfig/network, add the following line:

RES_OPTIONS="single-request"


The following answer works on Manjaro and also works for containers that are running on the host (unlike my previous answer). It is an adapted version of the answer from @carestad (Thank you!):

Place the following file in /etc/NetworkManager/dispatcher.d/999-resolv-options and set the file permissions to 700 via chmod:

#!/bin/bash

# NetworkManager calls dispatcher scripts as: script INTERFACE ACTION
IFACE="$1"
ACTION="$2"

# Actions on which NetworkManager rewrites resolv.conf
declare -A expectedActions=( [dhcp4-change]=1 [dhcp6-change]=1 [up]=1 )

# Don't bother doing anything if the action isn't one of "dhcp4-change", "dhcp6-change" or "up"
# (the ${ACTION:-none} default avoids a "bad array subscript" error when no action is passed)
if [[ -z "${expectedActions[${ACTION:-none}]}" ]]; then
  exit
fi

case "$IFACE" in
  eth*|wlan*|en*|wlp2s*)
    # Append the option only if it is not already present
    grep -q "options single-request" /etc/resolv.conf &> /dev/null || echo "options single-request" >> /etc/resolv.conf
    ;;
esac

Previous answer:

It is possible to set the environment variable RES_OPTIONS=single-request globally in /etc/environment.

Note: The environment variable will be only effective on the host. Processes in containers are required to set this environment variable, too. The better solution is still to set the options in /etc/resolv.conf as the container runtime will usually inherit the /etc/resolv.conf from the host: https://docs.docker.com/config/containers/container-networking/#dns-services

PSanetra

You should be able to add

dns=none
rc-manager=unmanaged

to the [main] section of your /etc/NetworkManager/NetworkManager.conf file. This should stop it from overwriting your resolver configuration. You can check out the options in the NetworkManager.conf man page on your system.

Thomas N

You could add a script to your /etc/NetworkManager/dispatcher.d/ folder though.

I have /etc/NetworkManager/dispatcher.d/999-resolv-options (make sure it's owned by root, not setuid and chmod'ed to 700, according to the documentation):

#!/bin/bash

# NetworkManager calls dispatcher scripts as: script INTERFACE ACTION
IFACE="$1"
ACTION="$2"

# Don't bother doing anything if action isn't "up"
if [ "$ACTION" != "up" ]; then
  exit
fi

case "$IFACE" in
  eth*|wlan*|en*)
    # Append each option only if it is not already present
    grep -q "options timeout 1" /run/NetworkManager/resolv.conf &> /dev/null || echo "options timeout 1" >> /run/NetworkManager/resolv.conf
    grep -q "options single-request" /run/NetworkManager/resolv.conf &> /dev/null || echo "options single-request" >> /run/NetworkManager/resolv.conf
    ;;
esac

If your network interface names start with something other than eth*, en* or wlan*, then the case statement needs to be modified.

This will check if options timeout 1 and options single-request exist, and if not, append them.

Note: the script appends to /run/NetworkManager/resolv.conf and not /etc/resolv.conf. On my Ubuntu 18.10 setup /etc/resolv.conf was symlinked to that file.

More info about the dispatcher.d abilities is in the NetworkManager docs.

carestad
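The two dispatcher scripts above (PSanetra's and carestad's) both append a line with `grep || echo`. As an added example that is not from either answer, the helper below generalizes that pattern: it follows the symlink that /etc/resolv.conf may point at (e.g. /run/NetworkManager/resolv.conf), matches the option as a whole word so `single-request` is not confused with `single-request-reopen`, and is idempotent across repeated NetworkManager events. The `RESOLV_CONF` variable and the function names are assumptions made for this example.

```shell
#!/bin/bash
# Added example, not code from any answer on this page. Install under
# /etc/NetworkManager/dispatcher.d/ (root-owned, mode 700) or source it
# from a test. RESOLV_CONF is an assumed override hook for testing.
: "${RESOLV_CONF:=/etc/resolv.conf}"

# Regex for an "options" line that already carries OPTION as a whole word.
_opt_regex() {
    printf '^options([[:space:]]+[^[:space:]]+)*[[:space:]]+%s([[:space:]]|$)' "$1"
}

# ensure_resolv_option FILE OPTION
#   Follows symlinks, appends "options OPTION" unless already set.
#   Returns 0 if the file was changed, 1 if the option was already there.
ensure_resolv_option() {
    local target; target=$(readlink -f "$1")
    if grep -Eq "$(_opt_regex "$2")" "$target" 2>/dev/null; then
        return 1
    fi
    printf 'options %s\n' "$2" >> "$target"
    return 0
}

# count_resolv_option FILE OPTION: number of lines setting OPTION (0 or 1 when idempotent)
count_resolv_option() {
    grep -Ec "$(_opt_regex "$2")" "$(readlink -f "$1")"
}

# dispatcher_main IFACE ACTION: NetworkManager's calling convention.
# Act only on the events that rewrite resolv.conf, and only for real NICs.
dispatcher_main() {
    local iface="$1" action="${2:-}"
    case "$action" in
        up|dhcp4-change|dhcp6-change) ;;
        *) return 0 ;;
    esac
    case "$iface" in
        eth*|en*|wl*) ;;
        *) return 0 ;;
    esac
    ensure_resolv_option "$RESOLV_CONF" single-request || true
}

# Run as a dispatcher only when installed under a 999-* file name, so that
# sourcing this file from a test does not touch the live resolver config.
case "${0##*/}" in
    999-*) dispatcher_main "$@" ;;
esac
```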

If you prefer the NetworkManager service, then using nmtui/nmcli is better (the following commands were tested on CentOS 7).

Change the setting (for those who are suffering from the 5s DNS delay problem):

nmcli con modify YourConnName ipv4.dns-options "single-request-reopen timeout:2"

You can find YourConnName by executing: nmcli con show

Apply the setting:

nmcli con down YourConnName ; nmcli con up YourConnName

P.S. To change the setting back to the default, which is empty:

nmcli c m YourConnName ipv4.dns-options ''

Hosi Golden