OpenVPN (PIA) and DNS performance



  • So, to start things off, I'm pretty happy with the performance and latency of traffic over my PIA tunnels… except for DNS.  Right now, I'm forwarding queries using unbound to 8.8.8.8 and 8.8.4.4.  I have unbound set to forward these queries over two PIA tunnels, which are coincidentally also what I use in a gateway group for the majority of my internet traffic.  I also have these set as the system resolvers and have specified the gateways for those as one of my PIA tunnels.

    For the most part, things work just fine (with an exception I'll note later), but I struggle to get average query times (using several benchmark tools) under the 350ms range. That's enough to noticeably slow down browsing.  Obviously, things get worse when I turn off forwarding in favor of full recursion.

    One problem I think I'm running into is that in my experience, a lot of public resolvers seem to reject queries from the PIA IP addresses.  I'm currently using the Google public servers because at least they accept queries and seem reliable (and they support DNSSEC, another thing I'm loath to give up).

    Lastly (and I'm not sure just where this problem lies) I've had consistent trouble resolving at least one address recently.  That one is www.nhc.noaa.gov.  For some reason, it just fails to resolve from a browser, and I've tried multiple browsers and operating systems.  Sometimes it works, sometimes it doesn't.  For example, I just used dig to look up www.nhc.noaa.gov on my Mac and the pfSense resolver timed out, so the query failed over to my secondary DNS server running bind9 with full recursion and DNSSEC validation.  The query took nearly 5 seconds.  However, when I use Diagnostics / DNS Lookup from the pfSense GUI, it resolves just fine.  Apparently Unbound is doing something funky there, perhaps not related at all to PIA/OpenVPN.  It's just odd.

    I know I could speed things up by simply letting my DNS use the WAN gateway instead of PIA tunnels. But I'm trying to avoid that if possible.

    I suppose I'm just wondering if some of you have managed to improve your DNS performance while effectively hiding your IP address with OpenVPN tunnels, and anything I could look at to speed things up.



  • Curious why you are not pointing unbound to the PIA DNS servers.

    If privacy is your concern those are the servers you should be using.

    I have nearly all my traffic going through a single PIA tunnel and have never had DNS performance issues.



  • @mhertzfeld:

    Curious why you are not pointing unbound to the PIA DNS servers.

    If privacy is your concern those are the servers you should be using.

    I have nearly all my traffic going through a single PIA tunnel and have never had DNS performance issues.

    They don't appear to support DNSSEC.  I've got a pair of bind9 servers up and running with full recursion + DNSSEC authentication now, and everything is good.  Average query times are sub-200ms now for uncached entries. They're talking to the root servers via PIA, so I'm ok with that. Never could get unbound to behave right, even leaving the tunnels out of the equation.  There were multiple addresses it would not resolve for me, forwarding or recursion didn't matter.  Not sure what's up with that.
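As an added example (not code from this thread, from pfSense or from PIA), here is a small script for the two measurements the posts above do by hand: the first post's per-resolver query times and timeouts, and the last post's question of whether a given forwarder validates DNSSEC. It reads saved `dig` output, groups it by the server queried, and reports the average query time, the number of timeouts, and whether the resolver set the AD (Authenticated Data) flag on every answer, which is how you confirm validation rather than taking a provider's word for it. The sample output embedded in it is constructed: the timings are invented, and the resolver addresses other than Google's (192.0.2.53 from the documentation range, 192.168.1.1) are placeholders, not PIA's servers.

```python
"""Summarise resolver latency, timeouts and DNSSEC validation from saved dig output."""
import re
import sys
from collections import defaultdict
from statistics import mean

# Constructed sample (invented timings, placeholder resolvers): three answered
# queries and one that timed out.  Only the dig trailer lines matter.
SAMPLE = """\
; <<>> DiG 9.10.6 <<>> @8.8.8.8 www.nhc.noaa.gov
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; Query time: 412 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)

; <<>> DiG 9.10.6 <<>> @8.8.8.8 www.nhc.noaa.gov
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1235
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; Query time: 288 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)

; <<>> DiG 9.10.6 <<>> @192.0.2.53 www.nhc.noaa.gov
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1236
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; Query time: 95 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)

; <<>> DiG 9.10.6 <<>> @192.168.1.1 www.nhc.noaa.gov
;; connection timed out; no servers could be reached
"""

BANNER_RE = re.compile(r"^; <<>> DiG ")          # one banner per dig invocation
SERVER_ARG_RE = re.compile(r"@(\S+)")             # the @server argument echoed in the banner
QTIME_RE = re.compile(r"^;; Query time: (\d+) msec")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")
TIMEOUT_RE = re.compile(r"^;; connection timed out")


def split_records(text):
    """Yield the lines of each dig invocation; a record starts at a DiG banner."""
    record = []
    for line in text.splitlines():
        if BANNER_RE.match(line) and record:
            yield record
            record = []
        record.append(line)
    if record:
        yield record


def parse_record(lines):
    """Extract server, query time (None on timeout) and whether the AD flag was set."""
    m = SERVER_ARG_RE.search(lines[0])
    rec = {"server": m.group(1) if m else "default", "msec": None,
           "ad": False, "timed_out": False}
    for line in lines:
        if TIMEOUT_RE.match(line):
            rec["timed_out"] = True
            continue
        m = QTIME_RE.match(line)
        if m:
            rec["msec"] = int(m.group(1))
            continue
        m = FLAGS_RE.match(line)
        if m:
            rec["ad"] = "ad" in m.group(1).split()
    return rec


def summarise(text):
    """Per-server: query count, timeouts, average msec, and AD set on every answer."""
    by_server = defaultdict(list)
    for rec in map(parse_record, split_records(text)):
        by_server[rec["server"]].append(rec)
    summary = {}
    for server, recs in by_server.items():
        answered = [r for r in recs if not r["timed_out"] and r["msec"] is not None]
        summary[server] = {
            "queries": len(recs),
            "timeouts": sum(1 for r in recs if r["timed_out"]),
            "avg_msec": mean(r["msec"] for r in answered) if answered else None,
            "validated": bool(answered) and all(r["ad"] for r in answered),
        }
    return summary


def main():
    # Use piped dig output when there is one, otherwise the constructed sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for server, s in summarise(text).items():
        avg = "n/a" if s["avg_msec"] is None else "%.0f ms" % s["avg_msec"]
        print("%-16s queries=%d timeouts=%d avg=%s dnssec_validated=%s"
              % (server, s["queries"], s["timeouts"], avg, s["validated"]))


if __name__ == "__main__":
    main()
```

Feed it real measurements with something like `for i in 1 2 3 4 5; do dig @8.8.8.8 www.nhc.noaa.gov; done | python3 digstats.py`, once per resolver you want to compare, including the pfSense resolver itself and the same query sent out the WAN gateway instead of the tunnel. Two caveats on the AD column: the flag is only set when the name queried lives in a signed zone, so a missing AD against an unsigned name proves nothing about the resolver; and the bit is only as trustworthy as the path between you and that resolver, which is one reason to keep the resolver traffic inside the tunnel or to run your own validator as in the bind9 setup above.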

