Netgate Discussion Forum

    Why is it so slow to give an answer from the dns resolver itself ?

    bingo600 @Bob.Dig

      @bob-dig
      Yupp ... Better safe than .....

      If you find my answer useful - Please give the post a 👍 - "thumbs up"

      pfSense+ 23.05.1 (ZFS)

      QOTOM-Q355G4 Quad Lan.
      CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
      LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

      Cool_Corona @bingo600

        @bingo600 First search gives me long answer times, but subsequent tries to the same domain give me 1 ms since they are getting cached in the DNS resolver.

        bingo600 @Cool_Corona

          @cool_corona
          That would w 99% certainty be the same here.
          Bind9 is caching the answer.

          And my guess is that the wife keeps google.com "cached" 😊

          I use DDGG, but SWMBO wants google.

          What I meant w. the above was just, that it can be feasible to use forwarders.
          If one has a reason for.

          I.e. on the job where pfsense is the main resolver. I was asked (by CORP) to use (forward) to Cisco Umbrella DNS'es. As a security precaution.

          /Bingo

          Cool_Corona @bingo600

            @bingo600 said in Why is it so slow to give an answer from the dns resolver itself ?:

            @cool_corona
            That would w 99% certainty be the same here.
            Bind9 is caching the answer.

            And my guess is that the wife keeps google.com "cached" 😊

            I use DDGG, but SWMBO wants google.

            What I meant w. the above was just, that it can be feasible to use forwarders.
            If one has a reason for.

            I.e. on the job where pfsense is the main resolver. I was asked (by CORP) to use (forward) to Cisco Umbrella DNS'es. As a security precaution.

            /Bingo

            HAHAHAHAHAHAH that's kind a funny....

            p_bear @bingo600

              @bingo600

              From the pfsense itself:

              set domain=aliexpress.com
              dig @9.9.9.9 $domain | grep time
              ;; Query time: 357 msec
              dig @1.1.1.1 $domain | grep time
              ;; Query time: 50 msec
              dig @127.0.0.1 $domain | grep time
              ;; Query time: 657 msec
              
              set domain=twitter.com
              dig @9.9.9.9 $domain | grep time
              ;; Query time: 47 msec
              dig @1.1.1.1 $domain | grep time
              ;; Query time: 34 msec
              dig @127.0.0.1 $domain | grep time
              ;; Query time: 244 msec
              

              If I disable forwarding mode:

              set domain=twitter.com
              dig @9.9.9.9 $domain | grep time
              ;; Query time: 41 msec
              dig @1.1.1.1 $domain | grep time
              ;; Query time: 43 msec
              dig @127.0.0.1 $domain | grep time
              ;; Query time: 302 msec
              
              set domain=aliexpress.com
              dig @9.9.9.9 $domain | grep time
              ;; Query time: 52 msec
              dig @1.1.1.1 $domain | grep time
              ;; Query time: 34 msec
              dig @127.0.0.1 $domain | grep time
              ;; Query time: 112 msec
              

              Btw I was using forwarding mode to stop my ISP from spying on me at dns level (with DOT).

              johnpoz LAYER 8 Global Moderator @p_bear

                @p_bear said in Why is it so slow to give an answer from the dns resolver itself ?:

                Btw I was using forwarding mode to stop my ISP from spying on me at dns level (with DOT).

                You understand with using dot.. The only query from what you gave that would be using DOT would be when you query 127.0.0.1

                Directed queries or queries showing 1.1.1.1 via the dns gui looking wouldn't be using DOT.. So yeah a DOT query and response is going to be much slower than not using DOT quite often. No matter how much the DOT providers want you to think otherwise ;)

                You could validate that yourself with a simple sniff on wan when you do the queries.. But sure queries via that gui showing some other NS aren't using DOT.. Let me setup the forwarding again and test that to be sure... But I doubt what the gui shows is via a DOT query when it shows anything other than localhost..

                I will have to spend a few minutes setting up DOT.. but can tell you for sure pfsense itself does not use dot when talking to nameservers listed in general.. The only way to use dot is via unbound doing the query.. So those queries shown in the gui I find highly highly unlikely that anything other than to localhost could have been done via dot..

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                  p_bear @johnpoz

                  @johnpoz said in Why is it so slow to give an answer from the dns resolver itself ?:

                  You understand with using dot.. The only query from what you gave that would be using DOT would be when you query 127.0.0.1

                  The dns query tool in the Diagnostics menu of course does not use DOT. It's the same when I manually use dig.
                  I'm using DOT for the pfsense DNS resolver.

                    johnpoz LAYER 8 Global Moderator @p_bear

                    Again - that would explain the difference in the query.

                    I ask 1.1.1.1 without dot, it's going to be faster than if I ask via dot.. Which is what would be happening via your 127.0.0.1 query

                    Plus you prob have dnssec still selected don't you? Which is pointless if forwarding.. And just going to cause extra traffic. Which will slow down responses

                      p_bear @johnpoz

                      @johnpoz

                      I've unchecked Use SSL/TLS for outgoing DNS Queries to Forwarding Servers.
                      I still get a difference. :(
                      Capture d’écran 2021-05-10 à 18.16.23.png

                        johnpoz LAYER 8 Global Moderator @p_bear

                        Well I can not duplicate that.. So I again turned on just normal forwarding, no dot. No dnssec

                        You can see when I first query there is response time, then if I query again response is zero -- because it's cached.

                        cantdup.png

                        Asking unbound shouldn't have any significant additional latency.. Sure there could be a few ms, and there is going to be deviation for any specific 1 off query, etc. But maybe when unbound asked whoever there was a delay in that response.

                        I suggest you sniff, and up your logging level.. And do more than just a query of 1 fqdn.. You're going to have to do more testing to show that unbound is adding latency to that extent.. I think you're seeing outliers, or do not have a full picture of what is happening during the query.

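As an added example (not from the thread or from pfSense), here is a POSIX shell script that does what johnpoz's last post asks for and what p_bear's dig runs above did by hand: it queries several resolvers for several names, repeats each query, and reports the first (uncached) answer next to the median of the cached ones so a single slow reply does not dominate. It assumes dig is installed; the resolver list and domain names are placeholders taken from the thread.

```shell
# Added example: compare resolver latency with repeated dig queries.
# Assumes dig is installed. Resolvers and names are placeholders from the thread.

# extract_query_time: print N from dig's ";; Query time: N msec" line (stdin).
extract_query_time() {
    sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p'
}

# median_ms: median of the integers given as arguments (rounded down).
median_ms() {
    printf '%s\n' "$@" | sort -n | awk '
        { v[NR] = $1 }
        END {
            if (NR == 0) exit 1
            if (NR % 2) print v[(NR + 1) / 2]
            else print int((v[NR / 2] + v[NR / 2 + 1]) / 2)
        }'
}

# query_time_ms: one dig query to resolver $1 for name $2, printing only the msec.
query_time_ms() {
    dig "@$1" "$2" +tries=1 +time=5 | extract_query_time
}

# compare: $1 = repetitions, $2 = space-separated resolvers, rest = names.
# The first query shows the uncached cost; the median of the remaining
# repetitions shows what the resolver answers from its cache.
compare() {
    reps=$1; resolvers=$2; shift 2
    for name in "$@"; do
        for r in $resolvers; do
            first=$(query_time_ms "$r" "$name")
            rest=""; i=1
            while [ "$i" -lt "$reps" ]; do
                rest="$rest $(query_time_ms "$r" "$name")"
                i=$((i + 1))
            done
            printf '%-18s %-10s first=%4s ms  median(cached)=%4s ms\n' \
                "$name" "$r" "$first" "$(median_ms $rest)"
        done
    done
}

# Only send live queries when asked to, e.g.: DNS_BENCH=1 sh dnsbench.sh
if [ -n "${DNS_BENCH:-}" ]; then
    compare 5 "9.9.9.9 1.1.1.1 127.0.0.1" aliexpress.com twitter.com
fi
```

Run it from the pfSense shell (or any host with dig) while capturing on WAN, as johnpoz suggests, to see which of the three resolvers each query actually reaches.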
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.