Latency on lookups with DNSBL

drewsaur · Oct 25, 2017, 1:08 AM

Is it normal for DNS resolution to double in latency on non-cached lookups after enabling pfBlockerNG with a reasonably small list of DNSBL (13,000 including about 11,800 for EasyList)? I am using a SG-2220, so I do understand life cannot be perfect :)

Thanks.

BBcan177 · Oct 25, 2017, 1:53 AM

If you have a multi-segmented network (VLANS), you might need to enable the DNSBL Permit rule option and select all of the interfaces that need to connect to the DNSBL VIP address. Or you can create your own rule to allow that traffic…

First step is to ensure that all LAN devices can:

Ping the DNSBL VIP
Browse to the DNSBL VIP and get the 1x1 pix

Otherwise you will get browser timeouts.

drewsaur · Oct 26, 2017, 4:27 PM

@BBcan177:

If you have a multi-segmented network (VLANS), you might need to enable the DNSBL Permit rule option and select all of the interfaces that need to connect to the DNSBL VIP address. Or you can create your own rule to allow that traffic…

First step is to ensure that all LAN devices can:

Ping the DNSBL VIP

Browse to the DNSBL VIP and get the 1x1 pix

Otherwise you will get browser timeouts.

Thanks - this is occurring in a single-segment network.

BBcan177 · Oct 27, 2017, 4:42 PM

Run some "drill" tests… I don't see any delay ... Maybe an Unbound configuration issue?

drill 101com.com

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 28396
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 101com.com.  IN      A

;; ANSWER SECTION:
101com.com.     60      IN      A       10.10.10.1

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Fri Oct 27 12:40:22 2017
;; MSG SIZE  rcvd: 44

drewsaur · Oct 27, 2017, 11:59 PM

Most things are under 50 millisec. I did have one site like this:

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 50783
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; fileext.com. IN A

;; ANSWER SECTION:
fileext.com. 300 IN A 104.28.21.5
fileext.com. 300 IN A 104.28.20.5

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 1020 msec
;; SERVER: 127.0.0.1
;; WHEN: Fri Oct 27 19:57:22 2017
;; MSG SIZE rcvd: 61

101com.com is:

;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 14527
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; 101com.com. IN A

;; ANSWER SECTION:
101com.com. 3600 IN A 66.77.93.51

;; AUTHORITY SECTION:
101com.com. 172800 IN NS ns3.101m3.com.
101com.com. 172800 IN NS ns4.101m3.com.
101com.com. 172800 IN NS ns1.101m3.com.
101com.com. 172800 IN NS ns2.101m3.com.

;; ADDITIONAL SECTION:

;; Query time: 129 msec
;; SERVER: 127.0.0.1
;; WHEN: Fri Oct 27 19:54:43 2017
;; MSG SIZE rcvd: 122

drewsaur · Oct 28, 2017, 12:04 AM

I did a little poking around, and my DNS Resolver was set so that Network Interfaces and Outgoing Network Interfaces were both set to "All." I changed Network Interfaces to LAN and Localhost, and Outgoing Network Interfaces to "WAN" and things are MUCH better now. Thanks!