I recently experienced some delays during DNS host resolution on OS X 10.8. To test it I started a simple script which tries to repeatedly resolve the same hostname 20 times:
#!/bin/sh
for i in `seq 20`; do
time -p dig www.google.com @8.8.8.8 | grep "^;; Query time:"
done
Most requests take about the same time as the latency to the name server:
;; Query time: 49 msec
real 0.05
However, as soon as I enable the firewall in Mountain Lion (all incoming requests are allowed, stealth mode is not enabled), some of the dig
requests take exactly 5 seconds plus the latency to the name server:
;; Query time: 25 msec
real 5.03
Most requests are still fast, but around every 10th to 15th request has a delay of exactly 5 seconds even though dig still reports a short query time. It makes no difference if I use dig or host for testing, or if I use a local DNS server or a public one like in the example above. When the firewall is turned off the delay never happens.
Does the firewall of OS X enforce some kind of rate limiting for requests, or is there anything else I'm missing?
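Added example (not part of the original question): a small Python script that automates the measurement described above. It times each dig invocation with a monotonic clock, parses the "Query time" line that dig prints, and flags runs where the wall-clock time exceeds dig's own on-the-wire measurement by more than a threshold. That gap is the interesting number, because dig only times the socket round trip; a stall that happens before the query is sent (for example while the host firewall is deciding about the socket) shows up only in the wall-clock figure. The hostname, server, 20-run count and the 4000 ms threshold are assumptions chosen to match the question; `parse_query_time`, `classify` and `summarize` are pure functions so they can be checked against constructed dig output without network access.

```python
#!/usr/bin/env python3
"""Added example: compare wall-clock time per dig run against the query
time dig reports, to count firewall-induced stalls (assumed ~5 s here)."""
import re
import subprocess
import sys
import time

# dig prints e.g. ";; Query time: 49 msec" in its footer.
QUERY_TIME_RE = re.compile(r"^;; Query time: (\d+) msec", re.MULTILINE)

# Assumed threshold: the question reports stalls of about 5000 ms, so anything
# 4000 ms beyond the wire time is treated as a stall rather than jitter.
STALL_THRESHOLD_MS = 4000


def parse_query_time(dig_output: str):
    """Return the query time in ms reported by dig, or None if absent."""
    match = QUERY_TIME_RE.search(dig_output)
    return int(match.group(1)) if match else None


def classify(wall_ms: float, query_ms: int, threshold_ms: int = STALL_THRESHOLD_MS) -> str:
    """'stall' when the process took much longer than the wire round trip."""
    return "stall" if wall_ms - query_ms >= threshold_ms else "ok"


def summarize(samples, threshold_ms: int = STALL_THRESHOLD_MS) -> dict:
    """samples: iterable of (wall_ms, query_ms) pairs.

    Returns the run count, the number of stalls and the mean extra delay
    (wall minus wire time) over the stalled runs.
    """
    samples = list(samples)
    extra = [w - q for w, q in samples if classify(w, q, threshold_ms) == "stall"]
    return {
        "total": len(samples),
        "stalls": len(extra),
        "mean_extra_ms": (sum(extra) / len(extra)) if extra else 0.0,
    }


def run_dig(name: str, server: str, timeout: float = 30.0):
    """Run one dig query and return (wall_ms, query_ms or None)."""
    start = time.monotonic()
    proc = subprocess.run(
        ["dig", name, "@" + server],
        capture_output=True, text=True, timeout=timeout,
    )
    wall_ms = (time.monotonic() - start) * 1000.0
    return wall_ms, parse_query_time(proc.stdout)


def measure(name: str = "www.google.com", server: str = "8.8.8.8", runs: int = 20) -> dict:
    """Repeat the query `runs` times, print each result, return the summary."""
    samples = []
    for _ in range(runs):
        wall_ms, query_ms = run_dig(name, server)
        if query_ms is None:  # lookup failed or dig output unexpected; skip it
            print("no Query time line in dig output", file=sys.stderr)
            continue
        samples.append((wall_ms, query_ms))
        print(f"wall {wall_ms:8.1f} ms   query {query_ms:4d} ms   {classify(wall_ms, query_ms)}")
    return summarize(samples)


if __name__ == "__main__":
    result = measure()
    print(f"{result['stalls']} of {result['total']} runs stalled, "
          f"mean extra delay {result['mean_extra_ms']:.0f} ms")
```

Run it once with the firewall off and once with it on; with the behaviour described in the question, the "stalls" count should be zero in the first run and a handful out of 20 in the second, with the mean extra delay sitting close to 5000 ms regardless of the resolver's own latency.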
Best Answer
You are right. I diagnosed the same rate limiting at the firewall level on Mac OS X 10.7.4 (Lion).
Moreover, if you look at
You will notice that the round trip time to get a reply from 8.8.8.8 is much lower than the 40 msec displayed by the server. On a long test run I had:
and an average round trip time of 26 msec:
(386302 - 360564 = 26 msec)
To understand this protection mechanism (against basic DoS), look at:
The full documentation of this complex command is in the pfctl(8) Mountain Lion reference manual.
Beware: this is a powerful but highly dangerous command. You may easily break your network access (Where is my backup?).