Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Issues with DNS caching

    Scheduled Pinned Locked Moved
    DHCP and DNS
    3
    5
    146
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      Prodigy
      last edited by

      I am getting massive latency spikes with the DNS Resolver. It usually occurs right after bootup or after I restart the DNS Resolver service and try to search the web. Switching to the DNS Forwarder fixes my issues. The issues only occur when I am searching the web and the latency will spike 1-3k for 10-20 seconds. If I restart the DNS Resolver service while the issue is occuring my latency will immediately go back to normal. I should also say that I am brand new to pfsense.

      S 1 Reply Last reply Reply Quote 0
      • S
        SteveITS Rebel Alliance @Prodigy
        last edited by

        @Prodigy Are you forwarding using Resolver? If so ensure DNSSEC is disabled.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote đź‘Ť helpful posts!

        P 1 Reply Last reply Reply Quote 0
        • P
          Prodigy @SteveITS
          last edited by Prodigy

          @SteveITS said in Issues with DNS caching:

          @Prodigy Are you forwarding using Resolver? If so ensure DNSSEC is disabled.

          @SteveITS That was the only way I could figure out a way around the issue. If I try to use the unbound service without forwarding checked it usually results in high latency when resolving domain names. I’m assuming this is a result of writing operations on the DNS cache because after a few web searches the issues are somewhat gone.

          S johnpozJ 2 Replies Last reply Reply Quote 0
          • S
            SteveITS Rebel Alliance @Prodigy
            last edited by

            @Prodigy it really shouldn’t be noticeable. Perhaps something is blocking your/some outbound DNS lookups?

            You can run lookups from the Diagnostics menu.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote đź‘Ť helpful posts!

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @Prodigy
              last edited by johnpoz

              @Prodigy if resolving is taking long time.. I would do a dig +trace to see where the slow down is happening.. Yes a full resolve can take a few ms.. But it it should maybe be in the hundreds of ms tops..

              here is an example +trace

              [24.03-RELEASE][admin@sg4860.home.arpa]/root: dig www.netgate.com +trace

; <<>> DiG 9.18.20 <<>> www.netgate.com +trace
;; global options: +cmd
.                       67159   IN      NS      g.root-servers.net.
.                       67159   IN      NS      l.root-servers.net.
.                       67159   IN      NS      c.root-servers.net.
.                       67159   IN      NS      b.root-servers.net.
.                       67159   IN      NS      h.root-servers.net.
.                       67159   IN      NS      f.root-servers.net.
.                       67159   IN      NS      m.root-servers.net.
.                       67159   IN      NS      i.root-servers.net.
.                       67159   IN      NS      a.root-servers.net.
.                       67159   IN      NS      k.root-servers.net.
.                       67159   IN      NS      d.root-servers.net.
.                       67159   IN      NS      e.root-servers.net.
.                       67159   IN      NS      j.root-servers.net.
.                       67159   IN      RRSIG   NS 8 0 518400 20240928170000 20240915160000 20038 . e9UFtVfZ3m82jc/rSzafGSvpiNHeDa89f5LwHY5zsSvXl+3OFAgU2ycR juXiRTrYAZnoZ4BSW+ZZT9XRdbCWd8LeF5k8PGxTqpSGFZ05o1nHXEau nXXPLuGH9J9/23PnQNtTLeY7RMRMYjwFrFFlzU3iOtDWVoNpGOgnX/vM Ts6J77CDlAs3DPQU57InshJDdKyncrGCN/Ai+mBCZ03vAKydm77Qrm1w bqH0R066b6Kdq0XjliXm97NGXl4rxzKLE7ij6xKWcH72o1QCD1xjJmT9 K6xghRrbHWhbx0aMlKQ/IhajwDEQY5nNMMOuApMHfNurfJyLQhGOI6yg mZeoVQ==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    86400   IN      DS      19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
com.                    86400   IN      RRSIG   DS 8 1 86400 20240928170000 20240915160000 20038 . VzcC8YqsDVBbaB5yH5Nr7tbDT6Ds58tgoCf+DTyufirZiXE4LitOAaro /Jk/xB9Py6AV11gph0Hr4QeC1ctiv4mVed8zataERfObEh35kyho8abx WaRI42Dct0PUfpNYHmFV4jnBk5PdUFdD66G53g6nl5SGBOajchBqP1vW dMoMpUTHf19uzgfNXbYmC7mrv3v5yxjorYmGF8T2BJzSLoRfS2hRP33H h3DgtxQFI7AsTDqRAegMz5UMJMyOT926gBMdQxmxL71QbYhq0vsKCadb bC854E9E0832llvmLJgYEsJ1VmUWbogoopM0NxfKqXihFpvdsiMNARDM ygLS+Q==
;; Received 1206 bytes from 192.36.148.17#53(i.root-servers.net) in 122 ms

netgate.com.            172800  IN      NS      ns1.netgate.com.
netgate.com.            172800  IN      NS      ns2.netgate.com.
netgate.com.            172800  IN      NS      ns3.netgate.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q3UDG8CEKKAE7RUKPGCT1DVSSH8LL NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 13 2 86400 20240921002601 20240913231601 59354 com. pSHnE+OIiU8H0lRp5YP2Yvl/ohLSLt6wQxqr6ON6NYv0lLb17kKVsIAS OwXmVwBs5XuFC1Z7X5vt64JsO4bk4A==
2U53SUOKS8OJJV178M90A8BMNI9USDVJ.com. 86400 IN NSEC3 1 1 0 - 2U54JL908MKCE6VDBRTOBQM3A838AA3F NS DS RRSIG
2U53SUOKS8OJJV178M90A8BMNI9USDVJ.com. 86400 IN RRSIG NSEC3 13 2 86400 20240922001625 20240914230625 59354 com. /vLmkD4Ydx0ML1Ztlo9UFDSeK20+E4Uhs5U1hoDvmkZdBMNTXefT1ivc 5S2O4HVcrfMErVTJVYRznxytz0TCaw==
;; Received 587 bytes from 192.26.92.30#53(c.gtld-servers.net) in 39 ms

;; Received 72 bytes from 34.197.184.5#53(ns3.netgate.com) in 30 ms

[24.03-RELEASE][admin@sg4860.home.arpa]/root:

              So you can add that up.. what 122, plus 39 plus 30 is 191 ms from cold start full resolve..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.