An extreme web performance bug with my new gallery2 setup is new evidence that bind9 views are a good idea.

What happened was that the public web server was partially misconfigured: it sent out URLs for CSS and similar tidbits containing a host name that only made sense on our home (internal) network. Being a true-blooded internal host, that name of course resolves to an RFC1918 internal address. And because I am a lazy sysadmin, the same name is also resolvable on our external DNS server.

See the problem? We mistakenly ask faraway web browsers to fetch from a name that does resolve, but only to an internal address – one that will definitely not reach my machine from the outside. How badly this blows up depends on the client network. Where no 192.168.* network is nearby, the connection attempt fails quickly (no route, or an ICMP unreachable), and the visitor gets a quick little error and a barren, unstyled page. Where there is such a network nearby, and it is firewalled strangely, the packets go somewhere and are silently dropped, so each CSS fetch attempt may take a whole TCP connection timeout to get rejected. Since browsers hold off rendering until stylesheets have arrived, the whole page waits on that timeout. Repeat once per web page, and you get … minutes or more of wait time.

The cure? Twofold: fix the web application's outgoing URLs, and separate the internal and external DNS tables with bind9 views, so that even if an internal host name gets out, resolvers on the outside get NXDOMAIN and the browser fails immediately instead of waiting on a connection to an unreachable address. The second fix has a bonus: the external name server no longer hands out the internal network's host names and RFC1918 address layout to anyone who asks for them.
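What a minimal split-horizon setup looks like in BIND 9, as an added example that is not from the original post or from the bind9 project itself. The zone name `example.org`, the file paths and the address ranges are assumptions; substitute your own. The point is that the internal view serves a zone file that contains the RFC1918 hosts, while the external view serves a trimmed copy in which those names simply do not exist:

```conf
// Added example: BIND 9 split-horizon ("views") configuration.
// Not from the original post; zone name, paths and networks are assumptions.

// Clients that count as "inside": the home network and the server itself.
acl "internal-nets" {
    127.0.0.0/8;
    192.168.0.0/16;
    10.0.0.0/8;
    172.16.0.0/12;
};

// Views are tried in order; the first whose match-clients fits wins,
// so the internal view must come before the catch-all external one.
view "internal" {
    match-clients { internal-nets; };
    recursion yes;                       // the LAN may use this box as its resolver
    allow-recursion { internal-nets; };

    // Full zone: includes hosts that live on RFC1918 addresses.
    zone "example.org" {
        type master;
        file "/etc/bind/zones/example.org.internal";
    };
};

view "external" {
    match-clients { any; };              // everything that did not match above
    recursion no;                        // never recurse for the world: no open resolver

    // Trimmed zone: only names with public addresses. Internal names are
    // absent, so outside clients get NXDOMAIN instead of an unreachable 192.168.x.x.
    zone "example.org" {
        type master;
        file "/etc/bind/zones/example.org.external";
    };
};
```

Two practical caveats. First, once any `view` is declared, BIND refuses zones outside of views, so the stock localhost and root-hints zones (on Debian, `named.conf.default-zones`) have to be included in each view too. Second, the protection only holds if you actually keep the internal names out of the external zone file: `named-checkconf` catches syntax errors, not a leaked host. After `rndc reload`, check both sides: `dig +norecurse internalhost.example.org @ns.example.org` from an outside address should report `status: NXDOMAIN`, while the same query from the 192.168 network should return the internal address.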