Apple TV // opendns // dns speed issues
-
so this is what little snitch shows for iTunes traffic….
What do you think I should put in DNS forwarder??
-
so this is what little snitch shows for iTunes traffic….
I am not familiar with "little snitch". What is it supposed to do?
What do you think I should put in DNS forwarder??
You already claimed that something like what I'm inclined to suggest "didn't work". What exactly didn't work? What were you expecting it to do that it didn't do?
-
I am not familiar with "little snitch". What is it supposed to do?
You already claimed that something like what I'm inclined to suggest "didn't work". What exactly didn't work? What were you expecting it to do that it didn't do?
Little snitch is a software firewall for the mac
I added apple.com to the dns forwarder do I need to add the whole domain *.apple.com or what
What I expect is for the movies to take 5-10 min to download like they do when I use comcast dns rather then the 4-6 hours it takes on openDNS
-
I added apple.com to the dns forwarder do I need to add the whole domain *.apple.com or what
Add apple.com as domain override to DNS forwarder. It MIGHT be necessary to disable the enable DNS forwarder to get it to notice the change in configuration. It might be necessary to clear the DNS cache on your client computer and any browser cache of DNS translations to make sure you the client computer gets the new translation.
What I expect is for the movies to take 5-10 min to download like they do when I use comcast dns rather then the 4-6 hours it takes on openDNS
I can see a POSSIBLE cause and effect but there might not be a DEFINITE cause and effect. ("Wrong" DNS might not be ONLY reason your downloads are slower than you would like.)
-
I can see a POSSIBLE cause and effect but there might not be a DEFINITE cause and effect. ("Wrong" DNS might not be ONLY reason your downloads are slower than you would like.)
DNS is the only thing that I have changed to reproduce the issue and to resolve the issue multiple times…But I will introduce those changes to the firewall, flush everything, and try again.
Thanks!!
-
Where are you located on the globe? The only thing I could see that could make a difference in using different dns and grabbing from a cloud based service for downloads. Is where you get sent for your download.
opendns has dns servers located
http://system.opendns.com/table/AMS CHI DFW FRA HKG LON LAX MIA NYC PAO SEA SIN WDC
So depending on which one your using - you might be told to download from a location that is not really close to you globally. While if you use your local ISP dns, you should download from somewhere closer to you based upon where the dns query came from regionally.
From your sniff you would want to put those parent domains in your override if you want them to use your local dns.
apple.com, akamai.net and edgesuite.net
if you look those other 2 are just cnames for the first one
;; QUESTION SECTION:
;a1431.v.phobos.apple.com. IN A;; ANSWER SECTION:
a1431.v.phobos.apple.com. 86400 IN CNAME a1431.v.phobos.apple.com.edgesuite.net.
a1431.v.phobos.apple.com.edgesuite.net. 21600 IN CNAME a1431.w11.akamai.net.
a1431.w11.akamai.net. 20 IN A 184.84.236.88
a1431.w11.akamai.net. 20 IN A 184.84.236.129 -
I have been getting considerably higher download speeds from www.abc.net.au since I changed the DNS forwarder to use my ISP's DNS for domain abc.net.au rather than OpenDNS.
I have discovered youtube.com sometimes translates to different IP addresses when using my ISP's DNS rather than OpenDNS so I may add an override for youtube.com as well.
-
So here is my point about opendns – where are you located in the world? Which one of their many servers would you be using?
As you can see from the attached from the www.abc.net.au example they return many different IPs, depending on where your at in the world
You can check the cache they have yourself for any fqdn here http://www.opendns.com/support/cache/
So yes if your say in chicago, and forwhatever reason your pulling files from the akamai network in HK -- its going to be slower ;)
Was a VPN mentioned? Where is the endpoint of this VPN located? If you the opendns located in that region, etc.??
-
So here is my point about opendns – where are you located in the world?
Australia
Which one of their many servers would you be using?
208.67.220.220 and 208.67.222.222
As you can see from the attached from the www.abc.net.au example they return many different IPs, depending on where your at in the world
Interesting. My ISP's DNS returns 120.0.9.200 and 120.0.29.201 for www.abc.net.au and that is not the same as any of the results from the OpenDNS servers.
Was a VPN mentioned? Where is the endpoint of this VPN located? If you the opendns located in that region, etc.??
There is no active VPN involved.
-
To clarify this:
@johnpoz:From your sniff you would want to put those parent domains in your override if you want them to use your local dns.
apple.com, akamai.net and edgesuite.net
if you look those other 2 are just cnames for the first one
;; QUESTION SECTION:
;a1431.v.phobos.apple.com. IN A;; ANSWER SECTION:
a1431.v.phobos.apple.com. 86400 IN CNAME a1431.v.phobos.apple.com.edgesuite.net.
a1431.v.phobos.apple.com.edgesuite.net. 21600 IN CNAME a1431.w11.akamai.net.
a1431.w11.akamai.net. 20 IN A 184.84.236.88
a1431.w11.akamai.net. 20 IN A 184.84.236.129Is the following statement correct?
If the downstream DNS client does a recursive lookup for IP address of www.apple.com it is sufficient for the pfSense DNS forwarder to have an override for domain apple.com but if the downstream DNS client issues non-recursive lookups for IP address of www.apple.com then the pfSense DNS forwarder should have overrides for all the "intermediate" domain names, in this particular case edgesuite.net and akami.net. -
"Interesting. My ISP's DNS returns 120.0.9.200 and 120.0.29.201 for www.abc.net.au and that is not the same as any of the results from the OpenDNS servers."
Last time I checked AU was quite LARGE ;) And I don't see any opendns in AU anywhere. Closest prob Singapore… So yeah your going to point somewhere else -- I am quite sure that akamai has servers in AU that your ISP prob resolves because its in the AU. But when opendns looks to see where it should go, akamai has their dns setup using geoip to say oh your from Singapore -- you should use these servers.
This is one of the flaws in opendns - they don't have full coverage of the planet, so not ever user is going to be using a dns server in their region. So anything that uses geoip to determine where it should send you is going to be in error.
Websense uses the same sort of thing for which proxy you should use in their cloud service, based upon source of where your dns query came from you get sent to different clusters. For example if I ask my ISP dns I get
;; QUESTION SECTION:
;webdefence.global.blackspider.com. IN TXT;; ANSWER SECTION:
webdefence.global.blackspider.com. 60 IN TXT "Hello 68.87.72.137 (2C), - you go to cluster-n"--
;; ANSWER SECTION:
137.72.87.68.in-addr.arpa. 1294 IN PTR chic-dnssec02.area4.il.chicago.comcast.net.See that query came from my ISP dns 68.87.72.137, if I do a query from my own IP using my own BIND server I get same thing - because I am also in the Chicago area
;; ANSWER SECTION:
webdefence.global.blackspider.com. 60 IN TXT "Hello 24.13.xx.xx (2C), - you go to cluster-n"If I use my VPS out in CA I get told to use a different cluster
;; ANSWER SECTION:
webdefence.global.blackspider.com. 120 IN TXT "Hello 173.245.xx.xx (2W), - you go to cluster-g"You might want to look for different service other than opendns that has dns located in AU, or your going to have all kinds of issues with any sort of cloud service that uses geoip to send you to the closest server for where your request came from.
It would be a never ending battle trying to over ride all the domains that use geoip based results.
edit: question for you, what is the response time when using opendns. I am here in chicago, which they are suppose to have one in the area. And I get 30ms response
ubuntu:~$ ping 208.67.222.220
PING 208.67.222.220 (208.67.222.220) 56(84) bytes of data.
64 bytes from 208.67.222.220: icmp_req=1 ttl=52 time=36.6 ms
64 bytes from 208.67.222.220: icmp_req=2 ttl=52 time=32.2 ms
64 bytes from 208.67.222.220: icmp_req=3 ttl=52 time=33.3 msI am curious what your response time is - if in fact the closest one to you is in Singapore.
Look even here in chicago its like 40ms to get a response from them
; <<>> DiG 9.8.1-P1 <<>> @208.67.222.222 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60922
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0;; QUESTION SECTION:
;www.google.com. IN A;; ANSWER SECTION:
www.google.com. 189 IN A 74.125.225.176
www.google.com. 189 IN A 74.125.225.179
www.google.com. 189 IN A 74.125.225.180
www.google.com. 189 IN A 74.125.225.178
www.google.com. 189 IN A 74.125.225.177;; Query time: 39 msec
;; SERVER: 208.67.222.222#53(208.67.222.222)
;; WHEN: Fri Jan 4 10:03:47 2013
;; MSG SIZE rcvd: 112If I query my isp (comcast) its much lower
; <<>> DiG 9.8.1-P1 <<>> @75.75.75.75 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49553
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0;; QUESTION SECTION:
;www.google.com. IN A;; ANSWER SECTION:
www.google.com. 39 IN A 74.125.225.211
www.google.com. 39 IN A 74.125.225.210
www.google.com. 39 IN A 74.125.225.212
www.google.com. 39 IN A 74.125.225.208
www.google.com. 39 IN A 74.125.225.209;; Query time: 18 msec
;; SERVER: 75.75.75.75#53(75.75.75.75)
;; WHEN: Fri Jan 4 10:05:32 2013
;; MSG SIZE rcvd: 112Like to see the same sort of tests for you.. I did a quick search and did not come up with any alternatives for opendns that have locations in the AU/NZ region of the world. If what your wanting to do is filter via dns for your specific machines in your network. Maybe you want to setup your own filtering so that its local.
