Unbound problem on satellite connection.
-
I have known for some time that Unbound will not work in resolving mode on my system. Ping reports “Temporary failure in name resolution”. I have suspected all along that the reason for this situation is somehow related to the fact that I am using a satellite link to the internet. Recently I have introduced a 3G mobile service with a different ISP to a spare USB network port on my pfSense box. Now if I assign the new port to the WAN interface, simply replacing the satellite service, Unbound performs completely in resolver mode. To see if I could get a handle on what might be happening here I did a comparative packet capture on the WAN interface for both satellite and 3G services and tried to review the data using Wireshark. This was my first attempt to use Wireshark so I soon became overwhelmed with information. What I did observe though was DNS traffic on the satellite interface to and from root servers on both UDP and TCP. I would be grateful if someone could suggest what possibly might be happening here and what I could do to troubleshoot.
Running a local resolver with all that recursive traffic across the high latency satellite link is probably not the smartest model, but I am still keen to understand what is happening here.
Details:
PfSense 2.4.5-RELEASE-p1 (amd64) on apu2c4.
Settings for DNSSEC or TLS do not seem to change observation. -
@timbergetter said in Unbound problem on satellite connection.:
Running a local resolver with all that recursive traffic across the high latency satellite link is probably not the smartest model,
There you go ding ding ding - you win the cookie ;)
Its almost impossible to run a resolver on such a high latency connection.. Your going to only cause yourself grief trying to do such a thing.
-
@johnpoz
Thank you for the cookie award, but I don’t think I deserve such acclaim :) I have now found that if I have a vpn on the satellite link then Unbound Resolver has no problem. If anything I would guess that the presence of a vpn would increase the latency. So it seems that my ISP or possibly something more broadly within the satellite infrastructure is by policy or inadvertently breaking the DNS traffic. So far Unbound Resolver (no forwarding) and vpn offer the only solution for DNS leak-free resolving. -
With sat - peering is quite often a problem.. If you can find a vpn that you have good connection too, you remove the peering issues.
So even if latency to the vpn might be high, if they have better peering to get to where you need to go from them.. Then yeah that can be a solution.
When you resolve you have no idea where the authoritative NS might be - if your internet connection (whatever it is) has high latency - and bad peering, that adds to latency and drops in connections..
Normally with sat connections they provide you a NS to use - since from there they have good connections and good connection from their clients, and its also caching.
But if you can get a stable connection to somewhere, and even if that is 100ms or even 200ms - as long as from that point you have good connectivity.. Then you can be fine for resolving..
VPNs can often be a solution to bad isp peering issues. It can be a way of "routing" around a problem bottleneck connection. I have vps all over the globe I could use to route traffic through - not from a privacy standpoint. But as a way to troubleshoot where issues might be popping up do to congestion, etc.
Think of the internet as a bunch of interconnected roads.. And you just driving home from work, maybe there is a crash holding up traffic on your normal route - but hey even if it might be a mile or 2 out of your way - taking a different path might get you home quicker, etc.
