IPv6 and DNS Lead to Some Slow Websites
-
Temporarily, I have resolved the issue by changing from DNS Resolver to DNS Forwarder. However, I would rather run the local DNS server myself than use external DNS servers. So I'm still looking into this.
Below are the stats for my WAN connection. NOTE: Even though the MTU says 9000, the largest ping I can get from Windows to the default gateway of my WAN is 1472. I can ping with jumbo frames to the LAN interface and any object within my LAN.
WAN Interface (wan, igb0)
Status: up
DHCP: up
MAC Address: 00:1b:21:3c:42:40 (Intel Corporate)
IPv4 Address: <omitted>
Subnet mask IPv4: 255.255.240.0
Gateway IPv4: 174.67.0.1
IPv6 Link Local: fe80::21b:21ff:fe3c:4240%igb0
IPv6 Address: <omitted>
Subnet mask IPv6: 128
Gateway IPv6: fe80::238:dfff:fe9a:5019
DNS servers: 127.0.0.1, 1.0.0.1, 2606:4700:4700::1001, 1.1.1.1, 2606:4700:4700::1111
MTU: 9000
Media: 1000baseT <full-duplex>
In/out packets: 1638176/805107 (1.89 GiB/94.49 MiB)
In/out packets (pass): 1638176/805107 (1.89 GiB/94.49 MiB)
In/out packets (block): 6670/0 (782 KiB/0 B)
In/out errors: 0/0
Collisions: 0
-
Try refreshing the connection without manually setting anything for the WAN MTU, and please report what the MTU gets set to as reported in Status/Interfaces.
-
It reports my MTU as 1500
-
Try testing your IPv6 connectivity and DNS lookup with the MTU set to default on the WAN. Do you still have the same problems?
-
No Go. I just switched back to DNS Resolver and still some websites are slow. As soon as I switch back to DNS Forwarder, they work fine.
-
What are your settings in DNS Resolver?
-
Any easy way to get that other than a screenshot?
-
ICMP blocked somewhere?
Maybe Prefer IPv4 over IPv6 helps? -
You should leave the WAN MTU at the default. Being able to send a max ping of 1472 shows that 1500 is your actual MTU on the connection. The missing 8 bytes are the ICMP header for the ping packets. Please report what you have set for "IP Do-Not-Fragment compatibility", in system/advanced/firewall&nat?
-
@pippin Under System I did specify for it to prefer IPv4 over IPv6, but sadly that didn't change anything.
-
A screenshot of the first settings page would be perfect.
-
@bfeitell I have the "IP Do-Not-Fragment compatibility" flag not set. Should I enable that feature?
-
I would try it, and see if it has an effect on the function of DNS Resolver. I think that playing with your MTU on the WAN might be the cause, but I'd still like to see your settings for DNS Resolver. If you are using dns over tls with the Quad9 resolvers, that might explain things. I have found the Quad9 resolvers to be very slow in comparison to the cloudflare resolvers.
-
Below are the basic settings I have for DNS Resolver:
-
Check the log file for DNSBL in pfblocker. Depending upon what lists you are using, you might be blocking access to certain name servers you need for DNS Resolver to work correctly. If you temporarily disable pfb_dnsbl, you will need to reload on the update page to clear any blocks. Then test the DNS Resolver again.
-
pfBlockerNG isn't much of the issue. I factory reset my router and did a minimal setup using DNS Resolver and no pfBlockerNG. I still had the same issue. After seeing no change, I restored my original config, bringing pfBlockerNG back.
-
@wre136 I bet on https://redmine.pfsense.org/issues/8934. I have my own DNS on FreeBSD and get many problems with IPv6 DNS and fragments. Disabling scrubbing helps. But then IPv4 DNS has the same problems :-(
Oct 9 17:25:41 host1 kernel: ipfw: 65300 Deny TCP [2001:500:e::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 1217fb81:188@9856)
Oct 9 17:25:57 host1 kernel: ipfw: 65300 Deny TCP [2001:500:f::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 4d6091d8:188@9856)
Oct 9 17:26:45 host1 kernel: ipfw: 65300 Deny TCP [2001:500:e::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 350be3db:188@9856)
Oct 9 17:31:29 host1 kernel: ipfw: 65300 Deny UDP [2001:500:40::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag b576286c:361@9856)
Oct 9 17:51:24 host1 kernel: ipfw: 65300 Deny UDP [2001:470:1a::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 8533c2a5:642@9856)
Oct 9 17:51:26 host1 kernel: ipfw: 65300 Deny UDP [2001:5a0:10::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag e06893c2:650@9856)
Oct 9 17:53:07 host1 kernel: ipfw: 65300 Deny UDP [2001:67c:18c4:2000::11:53] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 55df3089:362@9856)
Oct 9 18:11:05 host1 kernel: ipfw: 65300 Deny UDP [2001:500:48::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 8424932b:361@9856)
Oct 9 18:11:25 host1 kernel: ipfw: 65300 Deny UDP [2001:500:b::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 9da68734:361@9856)
Oct 9 18:14:41 host1 kernel: ipfw: 65300 Deny UDP [2001:500:c::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 69a41126:361@9856)
Oct 9 18:18:05 host1 kernel: ipfw: 65300 Deny UDP [2001:500:40::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag a639e4fd:361@9856)
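The ipfw lines in the post above all show the same shape: the source is a DNS server, the destination is the local resolver, and the packet is a fragment with a non-zero offset. A non-initial fragment carries no TCP/UDP header, so a firewall that does not reassemble (plain ipfw, or pf with scrub disabled) cannot match it against a port-53 rule and it falls through to the deny rule. The script below is an added example, not code from pfSense, FreeBSD or any poster in this thread: it parses ipfw deny lines, flags the non-initial fragments, and counts them per DNS server. The first two sample lines are copied from the post; the third, showing an unfragmented deny with ports, is constructed to illustrate the other log shape. It also includes the arithmetic behind the earlier 1472-byte ping observation (1500 minus the IPv4 and ICMP headers). The log syntax it assumes is the one visible above plus an optional trailing "+" that ipfw uses for "more fragments follow".

```python
"""Parse FreeBSD ipfw deny log lines and pick out dropped fragments.

Added example for the thread above; not code from pfSense, FreeBSD or any poster.
Assumes the ipfw log syntax shown in the post: "<rule> <action> <proto> <src> <dst>
<dir> via <iface>" with an optional " (frag <id>:<len>@<offset>[+])" suffix.
"""
import re
from collections import Counter

# First two lines are copied from the post above; the third is a constructed
# unfragmented deny with ports, to show the non-fragment shape of the log.
SAMPLE_LOG = """\
Oct 9 17:25:41 host1 kernel: ipfw: 65300 Deny TCP [2001:500:e::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag 1217fb81:188@9856)
Oct 9 17:31:29 host1 kernel: ipfw: 65300 Deny UDP [2001:500:40::1] [2axx:xxxx:xxxx:xxxx::53] in via bge0 (frag b576286c:361@9856)
Oct 9 17:31:30 host1 kernel: ipfw: 65300 Deny UDP [2001:500:40::1]:53 [2axx:xxxx:xxxx:xxxx::53]:41000 in via bge0
"""

# IPv6 addresses are bracketed, IPv4 addresses are dotted; a :port may follow either.
IPFW_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>\[[^\]]+\]|\d+(?:\.\d+){3})(?::(?P<sport>\d+))? "
    r"(?P<dst>\[[^\]]+\]|\d+(?:\.\d+){3})(?::(?P<dport>\d+))? "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
    r"(?: \(frag (?P<fragid>[0-9a-f]+):(?P<fraglen>\d+)@(?P<fragoff>\d+)(?P<more>\+)?\))?"
)


def parse_ipfw_line(line):
    """Return a dict describing one ipfw log line, or None if it is not an ipfw entry."""
    m = IPFW_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    rec = {
        "rule": int(d["rule"]),
        "action": d["action"],
        "proto": d["proto"],
        "src": d["src"].strip("[]"),
        "dst": d["dst"].strip("[]"),
        "sport": int(d["sport"]) if d["sport"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
        "dir": d["dir"],
        "iface": d["iface"],
        "fragment": d["fragid"] is not None,
    }
    if rec["fragment"]:
        rec["frag_id"] = d["fragid"]
        rec["frag_len"] = int(d["fraglen"])
        rec["frag_off"] = int(d["fragoff"])
        rec["more_fragments"] = d["more"] == "+"
    return rec


def is_blind_fragment(rec):
    """True for a non-initial fragment: no transport header, so no port can be matched."""
    return rec["fragment"] and rec["frag_off"] > 0


def summarize(log_text):
    """Count dropped non-initial fragments per (source, protocol), plus other drops."""
    frags = Counter()
    unfragmented = 0
    for line in log_text.splitlines():
        rec = parse_ipfw_line(line)
        if rec is None or rec["action"] != "Deny":
            continue
        if is_blind_fragment(rec):
            frags[(rec["src"], rec["proto"])] += 1
        else:
            unfragmented += 1
    return {"fragment_drops": dict(frags), "unfragmented_drops": unfragmented}


def max_ping_payload(mtu, ipv6=False):
    """Largest ICMP echo payload that fits unfragmented at this MTU.

    IPv4: 20-byte IP header + 8-byte ICMP header, so 1500 -> 1472 (the thread's value).
    IPv6: 40-byte IP header + 8-byte ICMPv6 header, so 1500 -> 1452.
    """
    return mtu - (40 if ipv6 else 20) - 8


if __name__ == "__main__":
    for src_proto, n in summarize(SAMPLE_LOG)["fragment_drops"].items():
        print("dropped non-initial fragments from %s (%s): %d" % (src_proto[0], src_proto[1], n))
    print("max unfragmented IPv4 ping payload at MTU 1500:", max_ping_payload(1500))
```

Run it against /var/log/security (or wherever ipfw logs land) and the per-server counts tell you which authoritative servers are answering with replies large enough to fragment; that is the same population of queries that stalls in the Resolver but not in the Forwarder, since the Forwarder only ever talks to the upstream servers listed on the WAN.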