Thursday, August 26, 2021

DNS Performance Troubleshooting

When you are troubleshooting internet performance, there are different parts of the connection that should be verified:

 

·        DNS Performance

·        Client Side Performance

·        Server Side Performance

·        Application Performance

·        Network Congestion

 

In this section we are going to investigate DNS Performance.

 

·        When you try to connect online, any request that uses a domain name first passes through the DNS resolution process to get the mapped IP address

·        To investigate DNS performance using Wireshark, a couple of steps are needed

o   You need to get a capture from the testing machine by running Wireshark on it, or run a SPAN to a sniffing machine to get a wider capture

o   Create a profile in Wireshark, e.g. DNS Profile, by navigating to Edit > Configuration Profiles > '+'

·        This profile can be loaded whenever you want to analyze DNS because it will contain DNS-related columns


o   Right-click on any column and select Column Preferences

 

 

o   From Appearance > Columns, start adding DNS-related columns, mainly:

·   DNS Delta Time (dns.time) - this is the time between the DNS request and its response

·   Domain Name (dns.qry.name) - this is the domain name extracted from DNS requests

·   Resolved IP (dns.a) - this is the response IP



o   Now you need an indication of whether the problem is due to slow DNS resolution. For that, sort the packets by the DNS Delta Time column

 


o   A quick look will indicate that:

·   We have DNS responses which are taking more than 1 second, which is extremely slow

·   All these responses are sourced from the IP 10.170.7.99 (which has to be the DNS server because it is the source of the responses)

·   The source and destination are in the same LAN (10.170.0.0/16 subnet)

·   Yes!! We have a problem with DNS resolution

o   Let's find out how many responses are slow compared to all responses

·   To find all DNS responses for internet addresses which take longer than 1 second, use the filter dns.time > 1 and not dns.qry.name contains landomain.com

·   Export the packets using File > Export Specified Packets.

·   Open the new file and go to Analysis > Endpoints > Sort by Packets. The number of slow responses from 10.170.7.99 is 124



·        Repeat the same process to get the number of all responses from 10.170.7.99 (20620 packets)

 


o   We can see that it's not an extreme number of packets (124 / 20620), but we still have some slowness which needs to be investigated

 

·        There are many reasons for DNS responses to be slow:

o   If the client and server are not on the same LAN, check for congestion

o   Problem with the DNS server, such as high load

o   Problem with the internet if the DNS server points to an external forwarder

o   Problem with the external forwarder (you can try another one)
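
The slow-response count from the steps above can also be scripted. This is an added example, not part of the original post: it assumes the DNS responses were exported as tab-separated text with tshark -r capture.pcap -Y "dns.flags.response == 1" -T fields -e ip.src -e dns.time -e dns.qry.name (capture.pcap is a placeholder name), and the sample rows and function names are constructed for illustration.

```python
from collections import defaultdict

SLOW_SECONDS = 1.0            # same threshold as the filter dns.time > 1
LAN_DOMAIN = "landomain.com"  # internal zone excluded by the post's filter

# Constructed sample rows (tab-separated: ip.src, dns.time, dns.qry.name)
SAMPLE = "\n".join([
    "10.170.7.99\t0.021\twww.example.com",
    "10.170.7.99\t1.482\tcdn.example.net",
    "10.170.7.99\t2.010\tfiles.landomain.com",  # slow, but internal name
    "10.170.7.99\t\twww.example.org",           # no dns.time: request not in capture
    "10.170.7.99\t0.035\tapi.example.com",
    "10.170.8.1\t1.200\twww.example.com",
])


def summarize(text, threshold=SLOW_SECONDS, lan_domain=LAN_DOMAIN):
    """Return {server_ip: {"total": n, "slow": m, "worst": (seconds, name)}}."""
    stats = defaultdict(lambda: {"total": 0, "slow": 0, "worst": (0.0, "")})
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 3 or not fields[1]:
            continue  # skip rows without a request/response delta
        server, name = fields[0], fields[2].lower()
        try:
            delta = float(fields[1])
        except ValueError:
            continue  # malformed delta value
        entry = stats[server]
        entry["total"] += 1
        # mirror "dns.time > 1 and not dns.qry.name contains landomain.com"
        if delta > threshold and lan_domain not in name:
            entry["slow"] += 1
            entry["worst"] = max(entry["worst"], (delta, name))
    return dict(stats)


def report(stats):
    lines = []
    for server, s in sorted(stats.items(), key=lambda kv: -kv[1]["slow"]):
        pct = 100.0 * s["slow"] / s["total"]
        lines.append(f"{server}: {s['slow']}/{s['total']} slow ({pct:.2f}%), "
                     f"worst {s['worst'][0]:.3f}s {s['worst'][1]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```

The per-server ratio is the scripted equivalent of the 124 / 20620 comparison, and the "worst" entry shows which query name to look at first.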

 





