Automatically fill Unbound DNS cache with top hits list?
-
So it takes you 300ms to query for forum.pfsense.org from their NS??
Where are you in the world? What is your internet connection? If your latency is that bad, that is going to affect all downloads not just dns queries.. So I again do not see how trimming .3 of a second is going to make a freaking difference in your performance..
Let's see your httpwatch traces, etc.
Not sure who that question is directed at. Probably the OPer. But just shy of 300 ms is what it takes to get the IP address using DNS resolver. This can be seen in that httpWatch screen capture. It's not simply just a query to the authoritative NS. Has to walk the chain. So it adds up. 3 tenths of a second is humanly perceptible. Though not by much.
For me going to the pfSense home page the total DNS time was about 400 ms for about 4 lookups. Two of which were to Google services. But by then most of the page is probably already rendered.
The OPer hasn't really given much detail about the situation other than it's slow. But snappier if DNS is pre-cached. But nothing about the service, its latency, bandwidth etc. Some httpWatch traces could potentially reveal some relevant info.
-
"It's not simply just a query to the authoritative NS. Has to walk the chain."
It only has to walk the whole chain if none of the chain is cached.. But part of the chain should already be cached.. Many NS have much longer TTLs than just the records, etc. Once you ask the roots for the NS of the tlds.. those have a ttl of

;; QUESTION SECTION:
;org. IN NS

;; ANSWER SECTION:
org. 86400 IN NS a0.org.afilias-nst.info.
org. 86400 IN NS b2.org.afilias-nst.org.
org. 86400 IN NS b0.org.afilias-nst.org.
org. 86400 IN NS c0.org.afilias-nst.info.
org. 86400 IN NS a2.org.afilias-nst.info.
org. 86400 IN NS d0.org.afilias-nst.org.

So you sure do not have to walk the chain to get those unless the ttl has expired.
Now a problem that you might have with pfsense.org is they have their NS with a very low 300 second TTL which doesn't make a lot of sense unless they were about to change their NS..
Looks like someone forgot to update the ttl on those records.. since I show the actual ns1 and ns2 having ttl of 3600
;; AUTHORITY SECTION:
netgate.com. 3600 IN NS ns1.netgate.com.
netgate.com. 3600 IN NS ns2.netgate.com.

So normally when there is a low ttl on a record, you would only have to query the authoritative NS directly when it expires, not walk the whole chain again.
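The point made above, that an expired 300 s zone NS record only costs one extra query while the root and TLD delegations stay cached, can be shown with a small resolver-cache model. This is an added example, not code from the thread or from Unbound; the zone names, TTLs and the simulated clock are constructed to mirror the dig output quoted in the post.

```python
from dataclasses import dataclass

# Constructed delegation chain: root -> TLD -> authoritative zone.
# TTLs are assumptions modelled on the quoted dig output: 86400 s for the
# TLD NS set, 300 s for the zone's own NS set.
ZONE_CHAIN = [".", "org.", "pfsense.org."]
ASSUMED_TTL = {".": 86400, "org.": 86400, "pfsense.org.": 300}


@dataclass
class CacheEntry:
    ttl: int          # TTL as received with the record
    fetched_at: int   # resolver clock (seconds) when it was cached

    def expired(self, now: int) -> bool:
        return now >= self.fetched_at + self.ttl


def in_zone(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (label-aware suffix match)."""
    return zone == "." or name == zone or name.endswith("." + zone)


class ResolverCache:
    def __init__(self):
        self.ns = {}  # zone -> CacheEntry for its NS set

    def resolve(self, name: str, now: int) -> list:
        """Return the zones whose NS set had to be re-fetched for `name`.

        The walk starts below the deepest delegation that is still cached
        and unexpired; everything above it is answered from cache."""
        chain = [z for z in ZONE_CHAIN if in_zone(name, z)]
        start = 0
        for i, zone in enumerate(chain):
            entry = self.ns.get(zone)
            if entry is None or entry.expired(now):
                break
            start = i + 1
        refetched = chain[start:]
        for zone in refetched:
            self.ns[zone] = CacheEntry(ASSUMED_TTL[zone], now)
        return refetched
```

Running `resolve("forum.pfsense.org.", t)` at t=0, 100, 600 and 90000 gives a full walk, a pure cache hit, a single query for the expired 300 s zone NS, and a full walk again once the TLD entry has aged out.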
-
Suggest you Wireshark DNS of an actual http://pfSense.org/ browsing session after the TTL has expired.
The attached Wireshark screen capture is of browsing to http://pfSense.org/ (in a new browser session with the site's cache and cookies cleared; not that that should matter) after having been there several times already within the past hour and the DNS TTL had expired.
Up the chain it goes to:
Name: a0.org.afilias-nst.info
Address: 199.19.56.1
