Latency on lookups with DNSBL



  • Is it normal for DNS resolution to double in latency on non-cached lookups after enabling pfBlockerNG with a reasonably small list of DNSBL (13,000 including about 11,800 for EasyList)? I am using a SG-2220, so I do understand life cannot be perfect :)

    Thanks.


  • Moderator

    If you have a multi-segmented network (VLANS), you might need to enable the DNSBL Permit rule option and select all of the interfaces that need to connect to the DNSBL VIP address. Or you can create your own rule to allow that traffic…

    First step is to ensure that all LAN devices can:

    1. Ping the DNSBL VIP
    2. Browse to the DNSBL VIP and get the 1x1 pix

    Otherwise you will get browser timeouts.



  • @BBcan177:

    If you have a multi-segmented network (VLANS), you might need to enable the DNSBL Permit rule option and select all of the interfaces that need to connect to the DNSBL VIP address. Or you can create your own rule to allow that traffic…

    First step is to ensure that all LAN devices can:

    1. Ping the DNSBL VIP
    2. Browse to the DNSBL VIP and get the 1x1 pix

    Otherwise you will get browser timeouts.

    Thanks - this is occurring in a single-segment network.


  • Moderator

    Run some "drill" tests… I don't see any delay ... Maybe an Unbound configuration issue?

    drill 101com.com
    
    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 28396
    ;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; 101com.com.  IN      A
    
    ;; ANSWER SECTION:
    101com.com.     60      IN      A       10.10.10.1
    
    ;; AUTHORITY SECTION:
    
    ;; ADDITIONAL SECTION:
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.0.1
    ;; WHEN: Fri Oct 27 12:40:22 2017
    ;; MSG SIZE  rcvd: 44
    


  • Most things are under 50 millisec. I did have one site like this:

    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 50783
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; fileext.com. IN A

    ;; ANSWER SECTION:
    fileext.com. 300 IN A 104.28.21.5
    fileext.com. 300 IN A 104.28.20.5

    ;; AUTHORITY SECTION:

    ;; ADDITIONAL SECTION:

    ;; Query time: 1020 msec
    ;; SERVER: 127.0.0.1
    ;; WHEN: Fri Oct 27 19:57:22 2017
    ;; MSG SIZE  rcvd: 61

    101com.com is:

    ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 14527
    ;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
    ;; QUESTION SECTION:
    ;; 101com.com. IN A

    ;; ANSWER SECTION:
    101com.com. 3600 IN A 66.77.93.51

    ;; AUTHORITY SECTION:
    101com.com. 172800 IN NS ns3.101m3.com.
    101com.com. 172800 IN NS ns4.101m3.com.
    101com.com. 172800 IN NS ns1.101m3.com.
    101com.com. 172800 IN NS ns2.101m3.com.

    ;; ADDITIONAL SECTION:

    ;; Query time: 129 msec
    ;; SERVER: 127.0.0.1
    ;; WHEN: Fri Oct 27 19:54:43 2017
    ;; MSG SIZE  rcvd: 122

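    To make the comparison in the two posts above repeatable rather than eyeballed, here is an added example (not code from the thread or from pfBlockerNG) that parses concatenated drill output, pulls out the query time, flags and answer records for each lookup, and sorts the lookups slowest first. It also marks a lookup as "sinkholed" when the answer is the DNSBL VIP: in the moderator's output the `aa` flag and the 10.10.10.1 answer show that Unbound served the name from local-data and never went upstream, which is why that query took 0 msec and is not a fair latency sample. The VIP address, the 200 ms threshold and the sample output (reconstructed from the results posted above) are assumptions of this example.

```python
"""Parse drill-style resolver output; flag slow or DNSBL-sinkholed lookups.
Added example, not from the thread. SAMPLE is constructed from posted results."""
import re
from dataclasses import dataclass

DNSBL_VIP = "10.10.10.1"  # assumption: VIP seen in the moderator's drill output
SLOW_MS = 200             # assumption: slower than this is worth investigating

SAMPLE = """\
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 28396
;; flags: qr aa rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; 101com.com.  IN      A
;; ANSWER SECTION:
101com.com.     60      IN      A       10.10.10.1
;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 50783
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; fileext.com. IN A
;; ANSWER SECTION:
fileext.com. 300 IN A 104.28.21.5
fileext.com. 300 IN A 104.28.20.5
;; Query time: 1020 msec
;; SERVER: 127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 14527
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 0
;; QUESTION SECTION:
;; 101com.com. IN A
;; ANSWER SECTION:
101com.com. 3600 IN A 66.77.93.51
;; AUTHORITY SECTION:
101com.com. 172800 IN NS ns3.101m3.com.
;; Query time: 129 msec
;; SERVER: 127.0.0.1
"""

HEADER_RE = re.compile(r"opcode: (\w+), rcode: (\w+), id: (\d+)")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")
QTIME_RE = re.compile(r";; Query time: (\d+) msec")
SERVER_RE = re.compile(r";; SERVER: (\S+)")


@dataclass
class DrillResult:
    name: str
    rcode: str
    flags: list
    answers: list      # (owner, ttl, rtype, rdata) from the ANSWER section
    query_ms: int
    server: str


def parse_record(block: str) -> DrillResult:
    """Parse one response, from ';; ->>HEADER<<-' to the ';; SERVER:' line."""
    header = HEADER_RE.search(block)
    if header is None:
        raise ValueError("no drill header in block")
    flags, qtime, server = (rx.search(block) for rx in (FLAGS_RE, QTIME_RE, SERVER_RE))
    section, qname, answers = None, "", []
    for raw in block.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";;") and line.endswith("SECTION:"):
            section = line[3:].split()[0]   # QUESTION / ANSWER / AUTHORITY ...
            continue
        if line.startswith(";;"):
            if section == "QUESTION":       # ';; fileext.com. IN A'
                qname = line[2:].split()[0]
            continue
        parts = line.split()
        if section == "ANSWER" and len(parts) >= 5:
            answers.append((parts[0], int(parts[1]), parts[3], parts[4]))
    return DrillResult(name=qname, rcode=header.group(2),
                       flags=flags.group(1).split() if flags else [],
                       answers=answers,
                       query_ms=int(qtime.group(1)) if qtime else -1,
                       server=server.group(1) if server else "")


def parse_drill(text: str) -> list:
    """Split concatenated drill output into one DrillResult per query."""
    blocks = re.split(r"(?=;; ->>HEADER<<-)", text)
    return [parse_record(b) for b in blocks if b.lstrip().startswith(";; ->>HEADER<<-")]


def classify(rec: DrillResult, dnsbl_vip: str = DNSBL_VIP, slow_ms: int = SLOW_MS) -> str:
    """'sinkholed': the A answer is the DNSBL VIP, i.e. served from Unbound
    local-data (the 'aa' flag is the second hint) and never sent upstream, so
    it says nothing about resolver latency. 'slow': above the threshold."""
    a_records = {rdata for _, _, rtype, rdata in rec.answers if rtype == "A"}
    if dnsbl_vip in a_records:
        return "sinkholed"
    return "slow" if rec.query_ms > slow_ms else "ok"


def summarize(text: str, dnsbl_vip: str = DNSBL_VIP, slow_ms: int = SLOW_MS) -> list:
    """Return (name, query_ms, verdict) per query, slowest first."""
    rows = [(r.name, r.query_ms, classify(r, dnsbl_vip, slow_ms)) for r in parse_drill(text)]
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, ms, verdict in summarize(SAMPLE):
        print(f"{name:16s} {ms:6d} ms  {verdict}")
```

    On the firewall itself the same thing can be fed live output, for example `for d in $(cat domains.txt); do drill "$d" @127.0.0.1; done | python3 drill_latency.py` with a `sys.stdin.read()` in place of `SAMPLE`; querying 127.0.0.1 directly isolates Unbound from any client-side caching, and a name that comes back "sinkholed" should be left out when averaging non-cached latency.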


  • I did a little poking around, and my DNS Resolver was set so that Network Interfaces and Outgoing Network Interfaces were both set to "All." I changed Network Interfaces to LAN and Localhost, and Outgoing Network Interfaces to "WAN" and things are MUCH better now. Thanks!

