Post 2.3.2 Upgrade - Slow Browsing / DNS Issue - Workaround Found
-
After upgrading to v2.3.2 last night, I noticed very slow browsing performance. Chrome would display "Resolving Host" for several seconds before loading every page. After googling "Resolving Host", I was being led down the road of a Chrome issue, but everything checked out and that didn't make sense anyway, so I started digging further.
Post v2.3.2 upgrade, PFsense and the DNS forwarder are no longer resolving DNS queries even though PFsense does respond on port 53 via telnet. My primary DNS is AD, which has PFsense as the forwarder and my secondary DNS is 8.8.8.8 (google). So, every DNS query was timing out and then failing over to google for resolution.
I tried switching to the Resolver as opposed to the Forwarder, but that didn't work either, so I re-enabled the forwarder and started digging thru the DNS Forwarder options thinking maybe an option got flipped during the upgrade, but everything looked normal. On a hunch, I started playing with the interfaces section of the DNS forwarder. The interfaces section of the DNS forwarder has "All" selected which is the default behavior, but as a shot in the dark, I changed the interface to "LAN"….and... BAM! DNS resolution works and browsing is back to normal. Switched back to "All" and again no DNS resolution.... then back to "LAN" and we have DNS again.
I will apologize if I missed a release note which explains certain changes and notes that this behavior is expected, but if not, the 2.3.2 upgrade appears to have broken something with regards to the DNS Forwarder and most likely the Resolver too since that didn't work when I switched to it.
To all having similar browsing slowness and/or DNS issues, here is the workaround that got things back to normal for me:
- Navigate to Services -> DNS Forwarder
- In the Interfaces section, highlight your LAN interfaces and deselect "All"
- Click Save
- Click Apply Changes
After that, test your DNS resolution; you should be good to go.
Hopefully, a dev will chime in and confirm what's happening here.
-
-
I am not an advanced pfsense user, but as far as I know, DNS Resolver is now implicit and not Forwarder.
Maybe try switching to Resolver so future updates don't mess up your setup.
-
What version did you upgrade from?
You can generally run into trouble if you use something like AD and google as "Primary" and "Secondary" DNS servers (there really is no such thing, as it is completely up to the client which DNS server is used first. Some query them all simultaneously and take the first answer, some query one, time out, then try the next, etc.)
All of the DNS servers used in a particular context should return the same answers to every query from the same source. Your AD will have AD information, google will not.
Problems such as these are best investigated using DNS tools such as dig/drill. Without seeing the actual queries and answers it's tough to tell what you were seeing. I can't see deselecting All interfaces to listen on having any effect. The forwarder was either listening on the interface in question or it wasn't. All binds to all.
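One way to capture the queries and answers the last reply asks for, as an added example that is not from any poster in this thread: a shell script run from a LAN client that sends the same name to every resolver the client might use with `dig` and flags servers that time out or disagree. The function names, the `DIG` override variable, and the addresses and hostname in the usage comment are constructed placeholders.

```sh
#!/bin/sh
# Added example: compare the answers of every DNS server a client may query.
# Usage (constructed values): ./dnscheck.sh dc1.corp.example 192.0.2.10 192.0.2.1 8.8.8.8
#   192.0.2.10 = AD DNS, 192.0.2.1 = pfSense forwarder, 8.8.8.8 = public resolver

DIG=${DIG:-dig}   # overridable so the logic can be exercised without a network

# ask SERVER NAME: print the sorted A records from one server on a single line,
# EMPTY when the server replied without records (e.g. NXDOMAIN), or
# NO_RESPONSE when dig exited non-zero (timeout, refused connection).
ask() {
    out=$($DIG +short +time=2 +tries=1 "@$1" "$2" A 2>/dev/null) || {
        echo NO_RESPONSE
        return 0
    }
    # Drop dig's ";;" diagnostic lines, then normalise ordering and layout.
    out=$(printf '%s\n' "$out" | grep -v '^;' | sort | tr '\n' ' ')
    out=${out% }
    echo "${out:-EMPTY}"
}

# compare NAME SERVER...: query each server once and print one row per server.
# Returns 0 only if every server replied and all replies were identical.
compare() {
    qname=$1
    shift
    first=
    rc=0
    for srv in "$@"; do
        ans=$(ask "$srv" "$qname")
        printf '%-16s %-28s %s\n' "$srv" "$qname" "$ans"
        [ "$ans" = NO_RESPONSE ] && rc=1
        if [ -z "$first" ]; then
            first=$ans
        elif [ "$ans" != "$first" ]; then
            rc=1    # servers disagree: clients will see inconsistent results
        fi
    done
    return $rc
}

# Run only when a name and at least one server are given on the command line.
if [ "$#" -ge 2 ]; then
    compare "$@"
fi
```

A `NO_RESPONSE` row for the firewall address reproduces the timeout described in the first post, and an `EMPTY` row from a public resolver for an internal name shows the mismatch the last reply warns about.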