Slow to Resolve One Address
I'm completely confused on this one. This is happening with every computer behind the Netgate. I was told it started a few days ago, but they just thought the site was down.
I flushed DNS on the client and performed an nslookup for 10 - 12 sites that I knew they would have never visited and all resolved without issue. But, when I try and do that with gis.dauphincounty.org it fails with:

Server: pfsense.home.arpa
Address: 172.18.0.1

DNS request timed out.
timeout was 2 seconds
*** pfsense.home.arpa can't find gis.dauphincounty.org: Server failed

DNS Lookup from inside of the Netgate resolves to the correct IP address, but seems to take forever compared to a regular DNS lookup like Google
Result Record type
198.185.140.22 A
Timings
Name server Query time
127.0.0.1 10276 msec
71.242.0.12 28 msec

Restarting the DNS Resolver service didn't help. Rebooting the firewall didn't help either.
Current DNS servers are Verizon, so I switched them to 8.8.8.8 and 9.9.9.9. That resulted in these timings:
Name server Query time
127.0.0.1 No response
8.8.8.8 41 msec
@Spyderturbo007 said in Slow to Resolve One Address:
Name server Query time
127.0.0.1 10276 msec
71.242.0.12 28 msec

So pfsense could get an answer from that 71.242.0.12, but for clients asking unbound on pfsense that would never be used. Out of the box unbound is a resolver - meaning it directly talks to the roots and then works down to the actual authoritative ns for a domain.
You can do a dig +trace on pfsense to see where it's getting hung up; maybe your network is having a hard time talking to the authoritative ns for that domain.
I am not having any issues with it.. here is dig +trace from my pfsense.
[23.05.1-RELEASE][admin@sg4860.local.lan]/: dig -4 gis.dauphincounty.org +trace +nodnssec

; <<>> DiG 9.18.13 <<>> -4 gis.dauphincounty.org +trace +nodnssec
;; global options: +cmd
. 71187 IN NS g.root-servers.net.
. 71187 IN NS h.root-servers.net.
. 71187 IN NS i.root-servers.net.
. 71187 IN NS j.root-servers.net.
. 71187 IN NS k.root-servers.net.
. 71187 IN NS l.root-servers.net.
. 71187 IN NS m.root-servers.net.
. 71187 IN NS a.root-servers.net.
. 71187 IN NS b.root-servers.net.
. 71187 IN NS c.root-servers.net.
. 71187 IN NS d.root-servers.net.
. 71187 IN NS e.root-servers.net.
. 71187 IN NS f.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b2.org.afilias-nst.org.
;; Received 486 bytes from 192.33.4.12#53(c.root-servers.net) in 11 ms

dauphincounty.org. 3600 IN NS pudding.dauphinc.org.
dauphincounty.org. 3600 IN NS flan.dauphinc.org.
dauphincounty.org. 3600 IN NS custard.dauphinc.org.
couldn't get address for 'flan.dauphinc.org': not found
;; Received 170 bytes from 199.19.53.1#53(c0.org.afilias-nst.info) in 213 ms

gis.dauphincounty.org. 3600 IN A 198.185.140.22
dauphincounty.org. 3600 IN NS custard.dauphinc.org.
;; Received 113 bytes from 198.185.140.20#53(custard.dauphinc.org) in 44 ms

[23.05.1-RELEASE][admin@sg4860.local.lan]/:
You could see there was a bit of a problem with one of their name servers:

couldn't get address for 'flan.dauphinc.org': not found

See how I did a -4 on mine; this forces only IPv4. If you don't put that in, it might try IPv6.. so you could see if IPv6 is where you're having more of an issue.. You can see the time required on each step of the full trace. Once something has been looked up before, the NS for the domain are cached and it doesn't have to do a full resolve..
If you are having issues with a specific domain, one method of a workaround is to set up a domain override in unbound to say, vs trying to resolve dauphinc.org, just forward that to say 8.8.8.8 or 1.1.1.1 or quad9 servers, etc.
You can see from here - their dns isn't very robust let us say..
https://dnsviz.net/d/dauphinc.org/dnssec/
I see a bunch of errors that should be corrected with their setup.
Another dns testing site also shows a bunch of issues with it.
https://mxtoolbox.com/SuperTool.aspx?action=dns%3adauphinc.org&run=toolpage
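
Added example, not part of either post above: a small Python parser for `dig +trace` output that lists each delegation step with the responding server and query time, and flags name servers dig could not resolve. The sample input is abridged from the trace posted in this thread; the function and key names are illustrative assumptions.

```python
import re

# Sample input: abridged from the dig +trace output in this thread (root/org NS lists trimmed).
SAMPLE_TRACE = """\
. 71187 IN NS a.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
org. 172800 IN NS b0.org.afilias-nst.org.
;; Received 486 bytes from 192.33.4.12#53(c.root-servers.net) in 11 ms
dauphincounty.org. 3600 IN NS pudding.dauphinc.org.
dauphincounty.org. 3600 IN NS flan.dauphinc.org.
dauphincounty.org. 3600 IN NS custard.dauphinc.org.
couldn't get address for 'flan.dauphinc.org': not found
;; Received 170 bytes from 199.19.53.1#53(c0.org.afilias-nst.info) in 213 ms
gis.dauphincounty.org. 3600 IN A 198.185.140.22
dauphincounty.org. 3600 IN NS custard.dauphinc.org.
;; Received 113 bytes from 198.185.140.20#53(custard.dauphinc.org) in 44 ms
"""

RECEIVED = re.compile(r"^;; Received \d+ bytes from (\S+)#\d+\((\S+)\) in (\d+) ms")
RECORD = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)")
NO_ADDR = re.compile(r"^couldn't get address for '([^']+)'")

def parse_trace(text):
    """Split dig +trace output into hops; each hop ends at a ';; Received' line."""
    hops, records, unresolved = [], [], []
    for line in text.splitlines():
        if m := RECORD.match(line):
            records.append(m.groups())        # (owner, type, rdata)
        elif m := NO_ADDR.match(line):
            unresolved.append(m.group(1))     # NS name dig could not look up
        elif m := RECEIVED.match(line):
            hops.append({"server": m.group(2), "ip": m.group(1), "ms": int(m.group(3)),
                         "owner": records[0][0] if records else None,
                         "records": records, "unresolved_ns": unresolved})
            records, unresolved = [], []
    return hops

def slowest_hop(hops):
    return max(hops, key=lambda h: h["ms"])

def answers(hops, rtype="A"):
    return [r[2] for h in hops for r in h["records"] if r[1] == rtype]

if __name__ == "__main__":
    hops = parse_trace(SAMPLE_TRACE)
    for h in hops:
        flag = f"  unresolvable NS: {h['unresolved_ns']}" if h["unresolved_ns"] else ""
        print(f"{h['owner']:<24} via {h['server']:<26} {h['ms']:>4} ms{flag}")
    print("slowest:", slowest_hop(hops)["server"], "answers:", answers(hops))
```

Saving the output of `dig -4 <name> +trace +nodnssec` to a file and passing its contents to `parse_trace` gives the same per-step view for a trace captured on the affected firewall.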