DNS Forwarder - Excessive (20x) latency vs external server

johnpoz

You clearly have something wrong - is that 1m I am seeing in your post?

Here is from my linux box to my pfsense box (dns forwarder)

@ubuntu:~$ while [ true ]; do time nslookup google.com | grep real; sleep 1; done

real    0m0.669s
user    0m0.036s
sys    0m0.112s

real    0m0.021s
user    0m0.004s
sys    0m0.012s

real    0m0.021s
user    0m0.012s
sys    0m0.004s

real    0m0.020s
user    0m0.004s
sys    0m0.008s

NetworkNubbin

@johnpoz:

You clearly have something wrong - is that 1m I am seeing in your post?

Here is from my linux box to my pfsense box (dns forwarder)

@ubuntu:~$ while [ true ]; do time nslookup google.com | grep real; sleep 1; done

real    0m0.669s
user    0m0.036s
sys     0m0.112s

real    0m0.021s
user    0m0.004s
sys     0m0.012s

real    0m0.021s
user    0m0.012s
sys     0m0.004s

real    0m0.020s
user    0m0.004s
sys     0m0.008s

Yeah, I definitely have something wrong. I'm trying to figure out what to debug/look at, but I'm lost. In my post, you're seeing 1.05~ seconds to complete the process vs 0.05~ seconds when I'm not using the forwarder. While 1.05 seconds isn't a 'ton', it's extremely noticeable when browsing the web.

As I said earlier, it's clearly not a caching problem, there's something causing the gigantic delay for the FW to process my request.

What should I be looking at?

NetworkNubbin

Just so we're clear, the caching mechanism is working:

dig pfsense.org | grep Query
;; Query time: 39 msec
dig pfsense.org | grep Query
;; Query time: 0 msec
dig eff.org | grep Query
;; Query time: 37 msec
dig eff.org | grep Query
;; Query time: 0 msec

NOYB

How many domains in the search list?

Use Wireshark to see what is really going on with the DNS queries.

NetworkNubbin

@NOYB:

How many domains in the search list?

Use Wireshark to see what is really going on with the DNS queries.

I was only using localhost + 2 domains (8.8.4.4 and 4.2.2.2). When I was watching via tcpdump, it looked like the box queried both DNS servers simultaneously. Is that normal? I was under the assumption it would only use server #3 if no response was heard from server #2 within 'x' time.

Another strange thing, the ridiculous latency is now gone, but I haven't changed anything yet…  Has anyone experienced something like this before?

Unrelated questions:

1. Is there any way I can view what's in the cache?
2. What's the default number of entries for the cache? It doesn't seem to maintain a very large amount... What's the 'supported' way of increasing the size?

Thanks again,

NOYB

Yes, pfSense queries all DNS servers simultaneously and uses the first response.  That is normal for pfSense.  That is my understanding anyway.

Look in the query response in tcp dump.  In there will be the TTL.  That’s how long it should remain available in cache, assuming it’s not purged for some other reason.  Don’t know what size limitation pfSense may have but it’s probably more than you’ll run into.

P.S. Modified my pfSense forwarder to query the DNS servers sequentially.  My primary DNS server responds quickest nearly every time anyway.  So the additional queries don't really add any benefit, except when primary DNS server is down query responses will be slower.  But that is rare.

cmb

@NOYB:

P.S. Modified my pfSense forwarder to query the DNS servers sequentially.  My primary DNS server responds quickest nearly every time anyway.  So the additional queries don't really add any benefit, except when primary DNS server is down query responses will be slower.  But that is rare.

I wouldn't do that in most circumstances, you'll have much more consistent performance with the defaults, and it's not like doubling, tripling or quadrupling your DNS requests has any notable impact on bandwidth or anything else.

cmb

@NetworkNubbin:

Unrelated questions:

1. Is there any way I can view what's in the cache?
2. What's the default number of entries for the cache? It doesn't seem to maintain a very large amount… What's the 'supported' way of increasing the size?

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
and related searches for dnsmasq will find your answers.

NetworkNubbin

@cmb:

@NetworkNubbin:

Unrelated questions:

1. Is there any way I can view what's in the cache?
2. What's the default number of entries for the cache? It doesn't seem to maintain a very large amount… What's the 'supported' way of increasing the size?

http://www.thekelleys.org.uk/dnsmasq/docs/dnsmasq-man.html
and related searches for dnsmasq will find your answers.

Thanks. I've found the answer to #2, however I haven't been able to find a way to view the entries in the cache without either:
a) using debug mode
or
b) killing the process

Is there a way to do it while it is running normally without killing it?

NOYB

@cmb:

@NOYB:

P.S. Modified my pfSense forwarder to query the DNS servers sequentially.  My primary DNS server responds quickest nearly every time anyway.  So the additional queries don't really add any benefit, except when primary DNS server is down query responses will be slower.  But that is rare.

I wouldn't do that in most circumstances, you'll have much more consistent performance with the defaults, and it's not like doubling, tripling or quadrupling your DNS requests has any notable impact on bandwidth or anything else.

Not suggesting that you or anyone else should do this.  Just pointing out that it can be done because the OP asked about pfSense simultaneous DNS queries behavior.

As mentioned previously, since my primary DNS server is the first to respond nearly 100 percent of the time the main benefit of the others is if/when the primary goes down, which is rare.  I’ll stick with sequential queries.  Don’t consider mine to be "most circumstances".

But let’s not hijack this thread.  I’ve posted details for doing this in another thread where it can be discussed on topic.