Netgate Discussion Forum

    DNS Resolver Timeouts

DHCP and DNS
    49 Posts 4 Posters 5.3k Views
    • DaddyGoD
      DaddyGo @kevindd992002
      last edited by DaddyGo

      @kevindd992002 said in DNS Resolver Timeouts:

      How do you propose I start with my analysis?

      I don't know how far apart the endpoints are and how many ISPs are in this ...

      but I would also take short- and longer-term measurements (on tunnel network):

      short: iperf3
      https://docs.netgate.com/pfsense/en/latest/packages/iperf.html

      for long-term discipline I use this, free for 5 endpoints:
      https://emcosoftware.com/ping-monitor
      (I set it up and let it run for hours)

      although I still suspect it will be a different issue than the tunnel itself

      DNS:
      this pairing is best in your case
      https://github.com/synackray/dns-load-generator
      https://www.wireshark.org/

      Cats bury it so they can't see it!
      (You know what I mean if you have a cat)

      • K
        kevindd992002 @DaddyGo
        last edited by

        @daddygo said in DNS Resolver Timeouts:

        @kevindd992002 said in DNS Resolver Timeouts:

        How do you propose I start with my analysis?

        I don't know how far apart the endpoints are and how many ISPs are in this ...

        but I would also take short- and longer-term measurements (on tunnel network):

        short: iperf3
        https://docs.netgate.com/pfsense/en/latest/packages/iperf.html

        for long-term discipline I use this, free for 5 endpoints:
        https://emcosoftware.com/ping-monitor
        (I set it up and let it run for hours)

        although I still suspect it will be a different issue than the tunnel itself

        DNS:
        this pairing is best in your case
        https://github.com/synackray/dns-load-generator
        https://www.wireshark.org/

        Yeah, I don't have issues with using iperf3 across the tunnel. Pfsense also has gateway monitoring for the IPsec tunnel (routed VTI) and long term ping monitoring seems stable.

        Using the DNS server across the tunnel is just my last resort. My real goal here is for each site to use their own DNS resolvers. Do you have any ideas why I'm getting a lot of timeouts when DNS resolver is enabled in site B? Can an ISP block DNS requests to external DNS servers if it's a resolver (as opposed to a forwarder)?

        • DaddyGoD
          DaddyGo @kevindd992002
          last edited by

          @kevindd992002 said in DNS Resolver Timeouts:

          Do you have any ideas why I'm getting a lot of timeouts when DNS resolver is enabled in site B?

So, honestly not, because there is little info - here Wireshark can help solve this

          @kevindd992002 "Can an ISP block DNS requests to external DNS servers if it's a resolver (as opposed to a forwarder)?"

          it would be very annoying and unfair (from ISP, but we have already seen a crow on a stick)

          a packet capture also shows this


          • K
            kevindd992002 @DaddyGo
            last edited by

            @daddygo said in DNS Resolver Timeouts:

            @kevindd992002 said in DNS Resolver Timeouts:

            Do you have any ideas why I'm getting a lot of timeouts when DNS resolver is enabled in site B?

So, honestly not, because there is little info - here Wireshark can help solve this

            @kevindd992002 "Can an ISP block DNS requests to external DNS servers if it's a resolver (as opposed to a forwarder)?"

            it would be very annoying and unfair (from ISP, but we have already seen a crow on a stick)

            a packet capture also shows this

What can Wireshark provide that the packet capture (from pfsense's tcpdump) I already provided doesn't? If you check the OP again, you'll see that I have packet captures there.

            • bingo600B
              bingo600
              last edited by

              Might not be related.

But when I had unbound "DNS issues".

              I had "ticked" register DHCP Leases in unbound

              6ef4113e-8b28-469e-94fb-7d377f955ebc-image.png

              That made unbound restart every time a DHCP event happened, and made my system unusable.

              Untick that DHCP Registration if set

              /Bingo

If you find my answer useful - Please give the post a 👍 - "thumbs up"

              pfSense+ 23.05.1 (ZFS)

              QOTOM-Q355G4 Quad Lan.
CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

              • K
                kevindd992002 @bingo600
                last edited by

@bingo600 Yeah, tried that already, didn't make a difference. In Site A where unbound is perfectly working, I have that checked and the DHCP service restart is so fast that it is barely noticeable. These are both home sites and it's not like the leases of my few DHCP clients are always expiring.

                • DaddyGoD
                  DaddyGo @kevindd992002
                  last edited by DaddyGo

                  @kevindd992002 said in DNS Resolver Timeouts:

                  What can Wireshark provide that the packet capture

                  you can see an online and / or real-time scan on the Wireshark screen - when you launch an action

                  do you pass this on site B?
                  (for this installation, for example, the DNS goes through a tunnel)

                  translate this, of course, into your example (GW A site)

                  8550cea3-9edc-45b5-a1ab-886d06259d6f-image.png


                  • K
                    kevindd992002 @DaddyGo
                    last edited by

                    @daddygo said in DNS Resolver Timeouts:

                    @kevindd992002 said in DNS Resolver Timeouts:

                    What can Wireshark provide that the packet capture

                    you can see an online and / or real-time scan on the Wireshark screen - when you launch an action

                    do you pass this on page B?
                    (for this installation, for example, the DNS goes through a tunnel)

                    translate this, of course, into your example (GW A site)

                    8550cea3-9edc-45b5-a1ab-886d06259d6f-image.png

                    Sorry, what? What do you mean by "page B"?

                    Let's forget about the tunnel for now. Like I said, that is my last resort/workaround. Let's treat site B as an independent site without an S2S VPN. My goal here is to simply use unbound on site B as a resolver (not forwarder) without any issues.

                    • DaddyGoD
                      DaddyGo
                      last edited by

                      @kevindd992002 said in DNS Resolver Timeouts:

                      Let's treat site B as an independent site without an S2S VPN

                      Okay then we misunderstand each other...

                      can you draw a quick diagram of what you want to achieve?

                      A site pfSense A
                      B site pfSense B

                      or exactly what


                      • K
                        kevindd992002 @DaddyGo
                        last edited by

                        @daddygo said in DNS Resolver Timeouts:

                        @kevindd992002 said in DNS Resolver Timeouts:

                        Let's treat site B as an independent site without an S2S VPN

                        Okay then we misunderstand each other...

                        can you draw a quick diagram of what you want to achieve?

                        A site pfSense A
                        B site pfSense B

                        or exactly what

                        It looks like it, yes.

                        So I have two sites that are connected through IPsec VPN, yes, but I just gave that information here because it was one of the tests I had (using the DNS resolver on the far end of the tunnel).

                        Site A (main site)

                        • WAN interface has a public static IP
                        • no problems with being a DNS resolver (without forwarding)

                        Site B (remote site)

                        • WAN interface is assigned a private IP since it is behind a CGNAT
                        • when DNS resolver (without forwarding) is set, tons of timeouts are seen in Status -> DNS Resolver and the whole network is affected, browsing is very intermittent
                        • when DNS resolver (with forwarding to 1.1.1.1, or 8.8.8.8, or even to the ISP's own DNS servers) is set, same behavior, lots of timeouts. I must say though, that this was my workaround before like a few months ago and it worked. For some reason, it is also timing out these past few days I tested.
                        • when DNS Forwarder (dnsmasq) is enabled instead, everything is working properly. It's been almost two days without any issues.
                        • as soon as I go back to using DNS resolver (unbound), then the problem is immediately back
                        • DaddyGoD
                          DaddyGo @kevindd992002
                          last edited by

                          @kevindd992002 said in DNS Resolver Timeouts:

                          It looks like it, yes.

                          so I understand, so in terms of your question, it has nothing to do with A - B.

                          in summary:

                          • The pfSense installation which is used in point B, works with a timeout.... DNS, if UNBOUND is used
                          • in addition, it is behind CGNAT

                          Can you do a test with this for both conditions? (Unbound / Forwarder):
                          https://www.grc.com/dns/benchmark.htm

Finally, you can show UNBOUND settings such as:

                          e463f661-e79d-422a-93d3-5f825f5a9798-image.png

                          c4514f17-b90a-43bb-83f2-149d00b60732-image.png

                          64df245a-9b98-4fb0-8e2d-dd8a6340697e-image.png

                          1bfdb252-93ca-4152-b06e-fd6233e07247-image.png


                          • K
                            kevindd992002 @DaddyGo
                            last edited by

                            @daddygo

                            You got it.

                            I have to get back to you after Christmas for that benchmark test (which I'm familiar with as I used it before). I'm physically at site A right now and while troubleshooting another issue with IPsec, I accidentally lost access to site B's pfsense and no one is physically there to undo what I did.

As for the settings, they are exactly the same as the unbound settings I have at site A and here they are:

                            90298bc5-de02-4b35-bb66-e12a45fd31a4-image.png

                            bcbc334c-4ae5-4cdc-b845-e97c5fe83e2f-image.png

                            132beae4-258d-4bc4-b2a5-952718b91719-image.png

                            abeb0b4c-6990-42d0-aa15-1d9a942f566b-image.png

                            02649be3-cd0b-4c10-af44-fd7152bb25c4-image.png

                            6fa84a41-8656-4118-97a2-e79a7c73ebc0-image.png

                            12db32c1-8f3e-4b6f-8be2-0f03637e93e3-image.png

                            abe6b58c-87d4-4d39-b828-281b09deee52-image.png

                            I don't have a DNS server in the DNS settings under General because I don't need one. I'm using unbound as a "resolver" so it queries the root hints directly. In the settings that you've shown, it looks like you're using unbound as a forwarder too, why?

                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              How is this not the same exact problem you had before.. If you have a shit isp, then you have a shit isp..

Your previous thread showed loss on your isp.. If either of these sites is on that isp, or whatever isp they have is losing packets.. Then yes you can have issues, be it dns or anything else.

                              Doesn't matter if you forward or tunnel or whatever.. If your isp sucks it sucks.. Nothing pfsense can do about that.

Previously you had sniffs showing traffic leaving your wan, with no answer.. There is nothing pfsense can do to fix that..

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              • DaddyGoD
                                DaddyGo @kevindd992002
                                last edited by DaddyGo

                                @kevindd992002 said in DNS Resolver Timeouts:

                                it looks like you're using unbound as a forwarder too, why?

                                Forwarding Mode to 1.1.1.1 = general tab

as I try to achieve more privacy and greater security 😉

                                CloudFlare / 853 DoT


                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator @DaddyGo
                                  last edited by

                                  @daddygo said in DNS Resolver Timeouts:

                                  as I try to achieve more privacy and greater security

                                  Well that sure isn't doing anything about that..


                                  • DaddyGoD
                                    DaddyGo @johnpoz
                                    last edited by

                                    @johnpoz said in DNS Resolver Timeouts:

                                    Well that sure isn't doing anything about that..

I say I'm trying 😉

                                    at least I don't interrogate root servers through my own ISP, hihihihi


                                    • K
                                      kevindd992002 @johnpoz
                                      last edited by

                                      @johnpoz said in DNS Resolver Timeouts:

                                      How is this not the same exact problem you had before.. If you have a shit isp, then you have a shit isp..

Your previous thread showed loss on your isp.. If either of these sites is on that isp, or whatever isp they have is losing packets.. Then yes you can have issues, be it dns or anything else.

                                      Doesn't matter if you forward or tunnel or whatever.. If your isp sucks it sucks.. Nothing pfsense can do about that.

Previously you had sniffs showing traffic leaving your wan, with no answer.. There is nothing pfsense can do to fix that..

                                      Right, I just actually continued that old thread to this thread to make it "cleaner". The only new information I have now is that I tried with dnsmasq and it seems to have no timeouts. As to why, I don't know. But I was still having problems with unbound set as forwarder.

                                      If you see my packet captures in the OP of this thread, it still does show traffic leaving the WAN and not getting any replies back. You're still right, I'm still pushing hard for my ISP to fix this shit, but what I don't understand is why dnsmasq seems to be working just fine?

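The observation made twice above, queries leaving the WAN with no reply coming back, can be turned into numbers. This is an added example, not code from the thread or from pfSense: it pairs each outgoing query in tcpdump-style output with its reply (same client port, transaction ID and server address) and reports unanswered and slow queries per upstream, so loss on the root/TLD paths a resolver uses can be told apart from loss toward a forwarder. The capture lines and the role table for the addresses are constructed sample data.

```python
import re
import statistics
from collections import defaultdict

# tcpdump-style DNS lines, a constructed sample (not the thread's capture).
# Queries go to port 53, replies come from port 53; the number after the
# colon is the transaction ID, the +/%/- after it are tcpdump flag markers.
SAMPLE_CAPTURE = """\
12:00:01.000100 IP 100.64.10.5.41234 > 198.41.0.4.53: 51234% [1au] A? example.com. (40)
12:00:01.032000 IP 198.41.0.4.53 > 100.64.10.5.41234: 51234- 0/13/27 (500)
12:00:01.040000 IP 100.64.10.5.41235 > 192.5.6.30.53: 51235% [1au] A? example.com. (40)
12:00:01.050000 IP 100.64.10.5.41236 > 1.1.1.1.53: 51236+ A? netgate.com. (40)
12:00:01.070000 IP 1.1.1.1.53 > 100.64.10.5.41236: 51236 2/0/0 A 203.0.113.10, A 203.0.113.11 (72)
12:00:03.000000 IP 100.64.10.5.41237 > 192.5.6.30.53: 51237% [1au] A? example.com. (40)
12:00:05.000000 IP 100.64.10.5.41238 > 8.8.8.8.53: 51238+ AAAA? netgate.com. (40)
12:00:05.900000 IP 8.8.8.8.53 > 100.64.10.5.41238: 51238 1/0/0 AAAA 2001:db8::10 (68)
"""

# Assumed role of each upstream address in the sample: what a resolver talks
# to directly (root / TLD servers) versus what a forwarder talks to.
UPSTREAM_ROLE = {"198.41.0.4": "root", "192.5.6.30": "tld",
                 "1.1.1.1": "forwarder", "8.8.8.8": "forwarder"}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<txid>\d+)")


def _seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def pair_queries(capture):
    """One record per outgoing query; rtt stays None when no reply with the
    same client port, transaction ID and server address ever comes back."""
    pending, records = {}, []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a DNS line in the format we expect
        f = m.groupdict()
        t = _seconds(f["ts"])
        if f["dport"] == "53":  # query leaving the WAN
            rec = {"server": f["dst"], "sent": t, "rtt": None}
            pending[(f["src"], f["sport"], f["txid"], f["dst"])] = rec
            records.append(rec)
        elif f["sport"] == "53":  # reply coming back
            rec = pending.pop((f["dst"], f["dport"], f["txid"], f["src"]), None)
            if rec is not None:
                rec["rtt"] = t - rec["sent"]
    return records


def summarize(capture, slow_after=0.5):
    """Per upstream: queries sent, never answered, answered slower than
    slow_after seconds, and median RTT of the answered ones."""
    by_server = defaultdict(list)
    for rec in pair_queries(capture):
        by_server[rec["server"]].append(rec["rtt"])
    out = {}
    for server, rtts in by_server.items():
        answered = [r for r in rtts if r is not None]
        out[server] = {
            "role": UPSTREAM_ROLE.get(server, "unknown"),
            "sent": len(rtts),
            "unanswered": len(rtts) - len(answered),
            "slow": sum(1 for r in answered if r > slow_after),
            "median_rtt": round(statistics.median(answered), 3) if answered else None,
        }
    return out
```

In the sample, both queries to the TLD server address go unanswered while the forwarder replies arrive, which is the pattern that points at the path rather than at unbound.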
                                      • DaddyGoD
                                        DaddyGo @kevindd992002
                                        last edited by

                                        @kevindd992002 said in DNS Resolver Timeouts:

                                        I'm still pushing hard for my ISP to fix this shit

Indeed, if you have a shitty ISP, there's nothing you can do, but with the tests I suggested above they are caught quickly


                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator @DaddyGo
                                          last edited by

                                          @daddygo said in DNS Resolver Timeouts:

                                          I say I'm trying

But all you have accomplished is handing your info off to someone else on a silver platter. With explicit trust of what they hand you back.. You're sure not hiding anything from your ISP that.. Since they still know every IP you go to, and simply, if they wanted to, just sniff your SNI for any https traffic to know what specific domain you're going to.. Just like they could with your dns.

So what are you trying to hide from the root servers?

                                          Oh - the other thing you did accomplish is slowing down dns.. Guess you got that going for you ;)


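The point made in the post above about what DoT does and does not hide can be made concrete with an added example (not code from the thread): the hostname of every TLS connection travels in cleartext in the ClientHello's server_name extension, so an observer on the path, whether an ISP or your own IDS, reads it regardless of whether the preceding DNS lookup was encrypted. The ClientHello is built inline as constructed sample input; the parser returns None for anything it cannot walk safely.

```python
import struct
from typing import Optional


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS ClientHello record with one server_name extension
    (sample input for the parser below, not a full TLS implementation)."""
    host = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    ext_data = struct.pack("!H", len(sni_list)) + sni_list
    sni_ext = struct.pack("!HH", 0, len(ext_data)) + ext_data    # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32                           # client_version, random
            + b"\x00"                                            # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"                 # one cipher suite
            + b"\x01\x00"                                        # one compression method (null)
            + struct.pack("!H", len(sni_ext)) + sni_ext)         # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record and return the server_name host, or None if the bytes
    are not a ClientHello or are truncated anywhere along the way."""
    if len(record) < 5 or record[0] != 0x16:                     # ContentType handshake
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                             # HandshakeType client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                                 # skip version and random
    try:
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = body[pos]
        pos += 1 + cm_len
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):                                      # truncated extensions block
            return None
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if etype == 0 and len(data) >= 5:                    # ServerNameList: len(2) type(1) len(2) host
                name_len = struct.unpack("!H", data[3:5])[0]
                name = data[5:5 + name_len]
                if len(name) == name_len:
                    return name.decode("ascii", "replace")
    except (IndexError, struct.error):                           # ran off the end of a short record
        return None
    return None
```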
                                          • K
                                            kevindd992002 @johnpoz
                                            last edited by

                                            @johnpoz said in DNS Resolver Timeouts:

                                            @daddygo said in DNS Resolver Timeouts:

                                            I say I'm trying

But all you have accomplished is handing your info off to someone else on a silver platter. With explicit trust of what they hand you back.. You're sure not hiding anything from your ISP that.. Since they still know every IP you go to, and simply, if they wanted to, just sniff your SNI for any https traffic to know what specific domain you're going to.. Just like they could with your dns.

So what are you trying to hide from the root servers?

                                            Oh - the other thing you did accomplish is slowing down dns.. Guess you got that going for you ;)

                                            @DaddyGo sorry but I'm on @johnpoz on this one. He is completely right. If you're using unbound, then its primary purpose should be a "resolver" like what I've been telling you with my earlier posts. I guess you misunderstood again.
