Netgate Discussion Forum

    DNS Forwarder Stable and faster than DNS Resolver!

      mosa

      Hi All,

      I have had issues with unstable internet browsing since I started using DNS Resolver instead of DNS Forwarder.

      Two days ago I decided to use OpenDNS, so I tested for the best DNS for my location with namebench, which shows that OpenDNS is faster by 420% :o

      So I added the DNS IP addresses 208.67.222.222, 208.67.220.220
      in System / General Setup with DNS Server Override unselected.
      Running namebench again gives me the message "OpenDNS is faster by 420%".

      Then I ran the DNS test from https://www.opendns.com/setupguide/ and it gives this message: "You're not using OpenDNS" :P

      Then from Diagnostics / DNS Lookup I tested the hostname yahoo.com and got these results:

      Timings
      Name server        Query time
      127.0.0.1          363 msec
      208.67.222.222       8 msec
      208.67.220.220       8 msec

      Changing the hostname to bb.com, msn.com or cnn.com gives the same results.

      So I noted that the local DNS server is not using OpenDNS and is slow ;D

      I made many changes in Services / DNS Resolver / General Settings and Services / DNS Resolver / Advanced Settings, restarting the service after each single change, but the results were always the same.

      Then I decided to disable the DNS Resolver and use the DNS Forwarder; I ran all the tests again and the results were:

      Diagnostics / DNS Lookup test:

      Hostname: yahoo.com
      Timings
      Name server        Query time
      127.0.0.1            7 msec
      208.67.222.222       7 msec
      208.67.220.220      11 msec

      Hostname: cnn.com
      Timings
      Name server        Query time
      127.0.0.1            8 msec
      208.67.222.222       8 msec
      208.67.220.220       8 msec

      namebench test results:
      192.168.11.1 = Fastest

      OpenDNS test results:
      Success!
      You've successfully configured your device to use our DNS nameservers!

      So by using DNS Forwarder I have faster DNS response, and I'm able to use OpenDNS ;D

      I'm asking the expert people to debug the DNS Resolver to find out why it is slow and why it can't forward to OpenDNS or any DNS :-\

        johnpoz LAYER 8 Global Moderator

        I would suggest you read up on what a resolver does vs forwarding..

        No shit the resolver does not use OpenDNS no matter what you put in the pfSense settings.. Did you enable its forwarder mode?? Out of the box it "resolves", it does not forward. That means for your query of www.something.com it asks the root servers "hey, who is the authoritative NS for .com?", then the NS for .com "who is the authoritative NS for something.com?", then the NS for something.com "what is the A record for www.something.com?"

        Out of the box it is also doing queries and validating DNSSEC, etc.

        If you're worried that your query comes back X ms faster, then yes, I suggest you use the forwarder (dnsmasq) and not the resolver feature (unbound).

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

          mosa

          @johnpoz:

          I would suggest you read up on what a resolver does vs forwarding..

          No shit the resolver does not use OpenDNS no matter what you put in the pfSense settings.. Did you enable its forwarder mode?? Out of the box it "resolves", it does not forward. That means for your query of www.something.com it asks the root servers "hey, who is the authoritative NS for .com?", then the NS for .com "who is the authoritative NS for something.com?", then the NS for something.com "what is the A record for www.something.com?"

          Out of the box it is also doing queries and validating DNSSEC, etc.

          If you're worried that your query comes back X ms faster, then yes, I suggest you use the forwarder (dnsmasq) and not the resolver feature (unbound).

          I think you don't get it.

          I'm not comparing what DNS Forwarder vs DNS Resolver does!

          What I am saying is that the DNS Resolver doesn't forward to the public DNS, whether you enable the forwarder mode or whatever you do; that means there is a bug in the DNS Resolver.

          Another bug is that the DNS Resolver slows browsing by 420% compared to normal; that's why I used DNS Lookup, because in my opinion it's the best internal tool to test the response speed of the DNS Resolver or DNS Forwarder.

          So, there are two bugs in the DNS Resolver:

          1- Forwarder mode doesn't work
          2- Browsing is slow

          I advise anyone who cares about speed to try the DNS Forwarder instead of the DNS Resolver and make your own test to see the difference; even without using a public DNS it's much faster.

          This test was made on pfSense version 2.3.2-DEVELOPMENT and version 2.3.1_5; both have the same issue.

            kejianshi

            OK - not trying to argue here or pick a fight. Just want to see if you are comparing apples to apples…

            Or at least fruit to fruit, fairly.

            The first time you try to hit a site, I expect the forwarder to be faster - a lot faster.

            If you are a cyborg or robot that can feel the difference between 100 and 200 ms you might even notice it.

            After the first hit on a website though, assuming you have DNS set up for caching like I do, I expect the resolver to be just as fast or faster than the forwarder.

            Example: checking yahoo.com

            1st lookup    127.0.0.1    203 msec
            2nd lookup    127.0.0.1      0 msec

            So, unless you have something set up wrong or broken, you shouldn't have any noticeable "lag" from using the resolver instead of the forwarder.
            Matter of fact, the only reason I can think of for using OpenDNS is to do some sort of DNS-based web filtering (like for porn or violence or whatever).

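The resolver walk johnpoz describes above (root, then the .com servers, then the servers for something.com) and kejianshi's first-lookup/second-lookup timings are two sides of the same mechanism, so one added example covers both. It is not code from pfSense, unbound or either poster: a toy iterative resolver in Python over a constructed, in-memory delegation tree (made-up server names, RFC 5737 addresses) so that it runs offline. The first lookup costs one round trip per referral, the second is served from cache at zero round trips, and after the A record's TTL expires the re-resolve still needs only one round trip because the delegations were cached with their own, longer TTL (the point johnpoz makes further down about cached NS in the tree and about prefetch keeping the cache warm).

```python
"""Toy iterative resolver with a TTL-honouring cache.

Added example for this thread; not pfSense or unbound code.  The delegation
tree below is constructed and the "network" is an in-memory dict, so nothing
is sent on the wire.
"""
import time

# Constructed authoritative data.  Each server maps an owner name to
# (type, data, ttl).  NS = referral to the server for that child zone,
# A = final answer.  Names are fully qualified (trailing dot).
AUTHORITATIVE = {
    "root": {
        "com.": ("NS", "a.gtld-servers.net.", 172800),
    },
    "a.gtld-servers.net.": {
        "example.com.": ("NS", "ns1.example.com.", 172800),
    },
    "ns1.example.com.": {
        "www.example.com.": ("A", "192.0.2.10", 300),
        "mail.example.com.": ("A", "192.0.2.25", 300),
    },
}

MAX_REFERRALS = 16  # real resolvers also bound the referral chain


def _in_zone(qname, owner):
    """True if qname equals owner or lies below it in the tree."""
    return qname == owner or qname.endswith("." + owner)


def _closest_match(records, qname):
    """Return (owner, rr) for the longest owner name enclosing qname, or None."""
    best = None
    for owner, rr in records.items():
        if _in_zone(qname, owner) and (best is None or len(owner) > len(best[0])):
            best = (owner, rr)
    return best


class FakeClock:
    """Clock the caller can advance, so TTL expiry is reproducible."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class IterativeResolver:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.answers = {}      # qname -> (address, expires_at)
        self.delegations = {}  # zone  -> (server, expires_at)
        self.queries = 0       # round trips sent to authoritative servers

    def _start_server(self, qname, now):
        """Deepest unexpired cached delegation covering qname, else root."""
        server, depth = "root", -1
        for zone, (srv, exp) in self.delegations.items():
            if exp > now and _in_zone(qname, zone) and len(zone) > depth:
                server, depth = srv, len(zone)
        return server

    def resolve(self, qname):
        """Return (address, round_trips); round_trips is 0 on a cache hit."""
        now = self.clock()
        hit = self.answers.get(qname)
        if hit and hit[1] > now:
            return hit[0], 0

        server = self._start_server(qname, now)
        for hop in range(1, MAX_REFERRALS + 1):
            self.queries += 1
            match = _closest_match(AUTHORITATIVE[server], qname)
            if match is None:
                raise LookupError(f"{server} has no data or referral for {qname}")
            owner, (rtype, data, ttl) = match
            if rtype == "A" and owner == qname:
                self.answers[qname] = (data, now + ttl)
                return data, hop
            if rtype == "NS":
                # Cache the delegation and follow the referral downwards.
                self.delegations[owner] = (data, now + ttl)
                server = data
                continue
            raise LookupError(f"unexpected {rtype} record for {qname} at {server}")
        raise LookupError(f"referral chain for {qname} exceeded {MAX_REFERRALS}")


if __name__ == "__main__":
    clock = FakeClock()
    r = IterativeResolver(clock=clock)
    print(r.resolve("www.example.com."))   # ('192.0.2.10', 3)  full walk from root
    print(r.resolve("www.example.com."))   # ('192.0.2.10', 0)  answer from cache
    print(r.resolve("mail.example.com."))  # ('192.0.2.25', 1)  delegation cached
    clock.t += 301                          # A record TTL (300 s) has expired
    print(r.resolve("www.example.com."))   # ('192.0.2.10', 1)  delegations still cached
```

The numbers in kejianshi's post (203 ms, then 0 ms) correspond to the 3 round trips and the 0 round trips here; a forwarder would replace the 3 with a single round trip to the upstream cache, which is the whole of the first-lookup difference being argued about.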
              johnpoz LAYER 8 Global Moderator

              Did you disable DNSSEC in the resolver, since OpenDNS does not support DNSSEC? What I can tell you is YES, if told to forward, it forwards.

              So I set up OpenDNS in General Setup. I then turned off DNSSEC and enabled forwarder mode, and there you go, bing bang zoom, using OpenDNS.

              You can see for sure it's forwarding to OpenDNS when you sniff on the WAN and actually see the query go out and your answer come back..

              As to the speed kejianshi mentions - again, see the 3rd pic, hard to beat freaking 0 ms.. This is going to be the same for a cached entry no matter if you use dnsmasq or unbound.

              Did you flush your browser, did you flush your local machine's cache after changing to OpenDNS?

              If you want some advice: if you're worried about those couple of ms to resolve something that you don't already have cached and really don't give 2 shits about DNSSEC.. use dnsmasq, since it will forward to all the DNS servers you have listed and use the fastest response..

              [Screenshots attached: testopendns.jpg, doingquery.jpg, zerospped.jpg]

                kejianshi

                I agree - OpenDNS definitely works with forwarder just fine.
                I still have it configured in one place for keeping the kids off porn.
                Works great as long as the kids are sort of on the slow side….

                  johnpoz LAYER 8 Global Moderator

                  slow side ;) heheheeh Oh that is funny.. So I guess it's a special needs school? hehehehe

                    kejianshi

                    Nope - smart kids. Special needs ex-wife…

                    You know the type.

                      mosa

                      By disabling DNSSEC and enabling DNS Query Forwarding I got OpenDNS forwarding working successfully :)

                      So I was wrong :-X

                      And I'm happy because I really want to use DNS Resolver without thinking there is a bug in it or that it is slow.

                      Thank you johnpoz for finding my mistake.

                      And I don't care anymore about the first ms, since it becomes 0 after caching.

                      Thank you guys, your comments were very helpful :)

                        johnpoz LAYER 8 Global Moderator

                        If you're just going to forward and not use DNSSEC, you're not actually using the resolver.. What feature of unbound are you using if you just forward and don't use DNSSEC? I would suggest you just continue to use dnsmasq, which allows you to query your NS in parallel and use the fastest response.

                        If you want to leverage DNSSEC, you just need to forward to NS that support it, is all. OpenDNS in their infinite wisdom has yet to support it.. Their idea is to use DNSCrypt, which really only validates that you're getting the answer from them.. Doesn't mean the info you get from them is correct..

                          kpa

                          Unbound in resolver mode doesn't really come into its own until you have a sufficiently large number of clients on your network; for home/small business networks you're better off using Unbound in forwarding mode or dnsmasq.

                            johnpoz LAYER 8 Global Moderator

                            While I agree that if you have a large enough client base, the issue of a couple extra ms for the initial query being resolved vs just forwarded and pulled from an existing cache goes away.

                            I would disagree that there are no advantages in resolving vs forwarding even for a small user base. I like to know that the info I got is from the authoritative server for the domain in question vs just getting something from some cache that could be invalid. I will live with the couple extra ms needed to do this; once you're up and running and your cache gets populated you never even notice it. And you can always turn on the prefetch option in Advanced to help keep your cache current and eliminate the few extra ms needed to resolve vs forward.

                            Depending on what you're looking up, it's quite possible that even a cache as large as OpenDNS's does not have your item cached and has to either resolve it or forward it to a resolver, etc.

                            To be honest, unless you have a really crappy internet connection, or your ISP is doing something that prevents resolving, you're not going to even notice the few extra ms needed to actually resolve vs forward no matter how small your user base is. Using resolver mode is really the only way to be sure you're getting DNSSEC support. While there are ISP NS that do support it, there are also many that do not, etc.

                              mosa

                              I have 14 pfSense servers with different types of hardware and pfSense versions, with different ISPs and different locations, and the clients for each are between 100 - 300.

                              Since I used the DNS Resolver our clients complain about internet issues and sometimes slow browsing.

                              When I change to DNS Forwarder and use a public DNS, these issues are just gone; even the internet is more stable and everyone is happy now.

                              I still prefer to use DNS Resolver for security reasons, especially for the office, but only after finding out why these problems appear with DNS Resolver.

                                kejianshi

                                There are a ton of settings and advanced settings that can affect how well DNS Resolver will work for you.

                                I have prefetch enabled.

                                Harden DNSSEC.

                                If you have frequently changing wireless clients, Register DHCP leases in the DNS Resolver might cause slowness?

                                  johnpoz LAYER 8 Global Moderator

                                  Yeah, registration of DHCP clients does cause a restart. This may be clearing the cache? Would have to check that, but sure, if it's restarting, DNS would be offline during that period, which sure could cause some complaints.

                                  You would need to investigate some of the problem sites they are reporting, or whether unbound is just offline. Do you see it restarting a lot in the logs?

                                  Also, where are these sites, since you need to talk to the authoritative servers. If the DNS for the site blows or is on the other side of the planet from you and has a really short TTL, that could be an issue.

                                    mosa

                                    I don't use Register DHCP leases in the DNS Resolver!

                                    It's not right to choose the best settings for a single client and then use them for a large number of clients, because it's not the same; especially since the issues do not appear immediately, usually I find out about the issues the next day after complaints.

                                    For the clients I use Captive Portal with Local User Manager and Per-user bandwidth restriction enabled.

                                    For the offices, without Captive Portal, the problem is the same for both.

                                    As I mentioned before, this issue started since I used the DNS Resolver, but with Forwarder these issues don't exist anymore.

                                    There is something in the resolver settings, or related to them, that makes it unstable.

                                      mosa

                                      I will enable the DNS Resolver on one of the servers and clear all the logs to start a fresh investigation and monitor the resolver to see what is going on.

                                      Any advice for advanced monitoring?

                                      I really appreciate the help and the time you've spent with me :)

                                        johnpoz LAYER 8 Global Moderator

                                        Other than Register DNS, are you sure you're not using it? It's quite possible that setting is on out of the box. Did you purposely uncheck it?

                                        The resolver is very stable.. If you're having problems with it then you need to investigate the cause. Maybe the sites these users are trying to go to have broken DNSSEC? Maybe the domain(s) nameservers are on the other side of the planet or just really suck and have a short TTL, etc.

                                        Once an entry is cached it is no different than the forwarder. So if you're having problems with DNS lookups you need to investigate why..

                                          mosa

                                          The Register DHCP leases option was already unchecked and is the same now!

                                          I've noted something else: before disabling the resolver and enabling the forwarder, the options DNSSEC and DNS Query Forwarding were unchecked.

                                          Now DNSSEC is checked and everything is fine so far, and I'm still using OpenDNS but behind the resolver, so DNS Query Forwarding is not checked and DNS Server Override is not checked.
                                          Also I tested with namebench; it says Primary Server 192.168.11.1 is Fastest.

                                          By now I'm getting the same results as the DNS Forwarder without forwarding.

                                            johnpoz LAYER 8 Global Moderator

                                            "By now I'm getting the same results as the DNS Forwarder without forwarding"

                                            As we have gone over, dude, once something is cached you're not going to notice any difference; anything you look up from cache, be it dnsmasq (forwarder) or unbound (resolver), should all be LAN speeds, i.e. sub 1 ms..

                                            If you wanted to truly benchmark overall performance of the forwarder vs resolver you would have to log, at the client level, the speed of resolving everything they query for, and you would have to let it run for a while to let your cache populate.

                                            Once your cache is populated, users should not notice any sort of difference between using forwarder or resolver. Unless they tend to go to lots of sites that have shitty DNS on the other side of the planet that takes you a while to resolve. And then the TTL is like 5 minutes or something, so you constantly have to resolve it vs serving it up from cache.

                                            If you have a significant user base that builds up a decent cache of common sites you're never going to see any difference. Maybe the 1 guy that hits a site after the TTL expired might see a few ms extra delay in getting his answer… But who really gives a shit if a site takes less than a second to resolve. Now if it's having a hard time resolving and that stuff is timing out then ok.. But normally you're only talking a few ms between pulling it from some caching server that is 30+ ms away anyway vs actually just resolving it. Unless of course the NS for the domain you're looking for is in China and you're in Texas ;)..

                                            I really wouldn't expect to get much actual useful info out of namebench - it's more designed to see who has the better cache and who is closer when you're pointing directly to, say, OpenDNS or Google DNS or your ISP's DNS, etc.

                                            edit: OpenDNS does not support DNSSEC.. I can double check, but everything I have read says they do not support it. Much of the info I have found is dated.. It's simple enough to validate.. Let me check and I will report back. So if stuff is working you're probably just pulling from cache.. or not forwarding.

                                            edit2: sure doesn't look like they support DNSSEC to me.. So as you see, if I just use my local resolver it comes back with the DNSSEC info that I asked for and has the ad flag set.. When I send that query to OpenDNS, no info back, and notice no ad flag..

                                            So notice the time for doing a full resolve with full DNSSEC, 182 ms, vs asking OpenDNS, 119 ms - you're really worried about a 63 ms difference?? That is 0.063 of a second.. Come on... And the next person that asks for that would get 0 ms.. Same as if it had come from OpenDNS.. And keep in mind that even after that TTL expires, if any of the NS in the tree to get there are now cached, you don't have to resolve those again, etc.

                                            You should probably just stick to forwarding to your OpenDNS.. Don't take it the wrong way, but someone using OpenDNS and namebench probably doesn't have enough experience with DNS to understand why those extra few ms don't matter in the big picture.. If I recall, namebench was a Google project - most likely the real goal was to point out how Google DNS is "faster" than your ISP's DNS so use it ;)

                                            So the user's browser is going to cache, the OS is going to cache - which are just asking another cache, your local NS.. Which you're just forwarding to yet another cache ;)

                                            [Screenshots attached: fullresolve.png, opendnsquery.png]

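johnpoz's edit2 above decides whether an answer was DNSSEC-validated by looking for the ad flag in dig's output. The added Python example below, which is not part of pfSense, unbound or the screenshots, does the same check on raw wire-format headers: it parses the 12-byte DNS header, renders the flags the way dig prints them, and classifies the response as validated (NOERROR with AD set), unvalidated (what a non-validating upstream such as a plain forwarder returns), or SERVFAIL (how a validating resolver reports a broken chain). The three response headers are constructed so the script runs offline. One caveat a practitioner should keep in mind: the AD bit is only as trustworthy as the path to the resolver that set it, since anything on that path can set or clear it, so it is evidence only when you run the validator yourself (unbound in resolver mode) or reach a trusted one over an authenticated channel.

```python
"""Decode the flags in a DNS response header and report whether the
resolver claims to have validated the answer with DNSSEC (the AD bit).

Added example for this thread; not pfSense, unbound or dig code.  Only the
12-byte header (RFC 1035 section 4.1.1; AD/CD bits from RFC 4035) is parsed,
and the sample headers below are constructed.
"""
import struct

_HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def parse_header(msg: bytes) -> dict:
    """Split the 16-bit flags word into the named fields dig prints."""
    if len(msg) < _HEADER.size:
        raise ValueError("message shorter than a DNS header")
    msg_id, flags, qd, an, ns, ar = _HEADER.unpack_from(msg)
    return {
        "id": msg_id,
        "qr": bool(flags & 0x8000),        # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & 0x0400),        # authoritative answer
        "tc": bool(flags & 0x0200),        # truncated
        "rd": bool(flags & 0x0100),        # recursion desired
        "ra": bool(flags & 0x0080),        # recursion available
        "ad": bool(flags & 0x0020),        # authentic data (DNSSEC validated)
        "cd": bool(flags & 0x0010),        # checking disabled
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def flags_string(hdr: dict) -> str:
    """Render the set flags in dig's order, e.g. 'qr rd ra ad'."""
    return " ".join(f for f in ("qr", "aa", "tc", "rd", "ra", "ad", "cd") if hdr[f])


def classify(msg: bytes) -> str:
    """What a client can conclude about DNSSEC from the header alone.

    'validated'      - NOERROR with AD set (and CD clear): the resolver
                       says it checked the chain of trust.
    'unvalidated'    - NOERROR without AD: data may be fine, nobody checked.
    'servfail'       - a validating resolver hides a broken chain as SERVFAIL.
    'not-a-response' - QR bit clear.
    """
    hdr = parse_header(msg)
    if not hdr["qr"]:
        return "not-a-response"
    if hdr["rcode"] == 2:
        return "servfail"
    if hdr["rcode"] == 0 and hdr["ad"] and not hdr["cd"]:
        return "validated"
    return "unvalidated"


def build_response_header(flags: int, ancount: int = 1) -> bytes:
    """Constructed response header: fixed ID, one question, `ancount` answers."""
    return _HEADER.pack(0x1234, flags, 1, ancount, 0, 0)


# Constructed sample headers (header only, no question/answer sections).
RESP_VALIDATED = build_response_header(0x8000 | 0x0100 | 0x0080 | 0x0020)  # qr rd ra ad
RESP_FORWARDED = build_response_header(0x8000 | 0x0100 | 0x0080)           # qr rd ra
RESP_BOGUS = build_response_header(0x8000 | 0x0100 | 0x0080 | 0x0002, 0)   # SERVFAIL

if __name__ == "__main__":
    samples = (("validating resolver", RESP_VALIDATED),
               ("non-validating forward", RESP_FORWARDED),
               ("broken chain", RESP_BOGUS))
    for name, msg in samples:
        hdr = parse_header(msg)
        print(f"{name:24} flags: {flags_string(hdr):12} "
              f"rcode={RCODES.get(hdr['rcode'], hdr['rcode']):9} -> {classify(msg)}")
```

Run against a real capture, the same `parse_header` can be pointed at the UDP payload of the packets johnpoz sniffed on the WAN: the query towards OpenDNS will carry rd, and the reply will come back qr rd ra with no ad, which is exactly what his second screenshot shows.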
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.