DNS Resolver Unbound with DNS Query Forwarding enabled vs disabled mode. SLOW
Rango last edited by
Guys. So i've read a lot of posts here of resolver vs dns forwarder. Help me understand one thing with my testings. I'm a newbie so if i'm asking something obvious to you please school me.
Why is dns resolver SO slow 1 sec but in real time it takes 10 seconds to display NEW full page that heasn't been visted before but when i enable DNS Query Forwarding pfsense is fastest then.
DISABLED(UNCHECKED) DNS Query Forwarding pffire 192.168.1.1 is 1000 ms 10 seconds to display full page with rest of the content
VS DNS Query Forwarding enabled (CHECKED) which is now displays my pfsense being fastest. Why is unchecked forwarding SO slow. Isn't that preffered way of dns resolution. It simply does not work for
me in any configuration i tried. I'm newbie so help me understand what i'm not understanting here, why unless checked it's so freaking slow??? There will be plenty of newly visited sites.
I don't wanna wait 10 seconds for each. It's a turtle. Also notice queries improve by half from 60ms to 30ms not that it's much difference but 1000ms or 3500ms vs 35m-60ms is huge difference
especially with other html content that needs to be pulled down as well. Also look at the max 200ms vs 3500ms …that's huge. Version of pfsense is 2.4.2-RELEASE-p1 (amd64)
Is this something to do with the way pfsense settings are setup or is this caused by ISP Comcast/Xfinity in my case?
With dns query forwarding those dns A records are still being cached on in pfsense dns resolver server 192.168.1.1 correct?
And check this out. The fastest server now slows down, not that it matters as my pfsense is fastest now but it says it shares cache with pfsense box, good but why is it slow?
Rango last edited by
After few more test, few more reads here at forum and few more settings changes i have figured it out myself. Much better now. I will backup the config, just in case i decide to play with settings later and screw this up lol. This is using DNS Resolver.
Now that DNS and dhcp are working correctly and my asus router is now access point only mode, i will move onto firewall and packages. I spent 2 days getting DNS working correctly. I will eventually be moving onto OpenVPN encryption and have AES-NI chip. If i'm still not understanding something here please comment.
I'm still unsure why there is so much hijacking and incorrect notes. It could be false positive but i simply am wondering. Anyone cares to comment?
Gertjan last edited by
Simple advice : dump the program and your problem is solved.
One simple line in it's output says it all :
When it asks to "18.104.22.168" : "what is the A for google.com" it comes back with
google.com appears incorrect 22.214.171.124
And a go for www.google.com comes back with the hijacked message.
But wait … it won't take you very long (using Google !) to find out that "126.96.36.199" IS a valid IP for google.com ...
So, what now ? You call Google, the ones who run 188.8.131.52 to tell them that their master DNS has been tampered with ? (please, record the call and drop in on youtube, I guarantee high scores).
Somehow, this program isn't able to obtain all DNS A records ... (the author didin't read and programmed all this : https://www.google.fr/search?q=How+to+find+all+IP+og+Google&ie=utf-8&oe=utf-8&client=firefox-b&gfe_rd=cr&dcr=0&ei=D6ifWoTmGO-stgfu45igCg)
"Why is dns resolver SO slow 1 sec but in real time it takes 10 seconds to display NEW full page"
I am with Gertjan on this - and yes I would love to see this recorded call to google about how their dns has been hijacked… Could do that with double feature on twitter as well ;)
Vs using some nonsense tool about how fast X NS is over another... Why don't you actually troubleshoot why you might be having a problem with lookups.. Unless your on a really bad internet connection, or trying to look up something where their NS are on the other side of the planet walking the tree from roots should be really quick... Your talking ms to do a full lookup..
Keep in mind only walk down from roots when nothing has been cached already. unbound prob already knows NS for .com, so doesn't need to ask for that, just go straight to those to ask for your domain.com authoritative ns, and then direct to one of those..
A simple dig www.domain.tld +trace should give you all the NS in line from roots to the authoritative servers for the domain. So lets see that to where your having a problem and can figure out where you might be having a problem that is dns related - if anything.
example... here is dig to www.google.com
> dig www.google.com +trace ; <<>> DiG 9.11.2-P1 <<>> www.google.com +trace ;; global options: +cmd . 443955 IN NS a.root-servers.net. . 443955 IN NS b.root-servers.net. . 443955 IN NS c.root-servers.net. . 443955 IN NS d.root-servers.net. . 443955 IN NS e.root-servers.net. . 443955 IN NS f.root-servers.net. . 443955 IN NS g.root-servers.net. . 443955 IN NS h.root-servers.net. . 443955 IN NS i.root-servers.net. . 443955 IN NS j.root-servers.net. . 443955 IN NS k.root-servers.net. . 443955 IN NS l.root-servers.net. . 443955 IN NS m.root-servers.net. . 443955 IN RRSIG NS 8 0 518400 20180319050000 20180306040000 41824 . HuoM9EWTlBFbaz2GuhxaRgQRx1NZRWKhM89mNNX Se37uI8sQBLzrZE0N zd3SnwEackULR1f59ssTvtzywZ2T7hhe5YEzL+kfvNkjQ6EbncP4q0GR dU0EZVLQ7ezrRTcrKAeFoXcr6G7uYwnaYahyX2k/Ot9DsnppISBAlUG/ rwHA7JB oth99fqo/oL8DgrBeUuLZfkpUWtA7C90poe2EFMzs6YpI18rT lqK6VQNXllvR7IKN0K3wxqIAsGlQARNa30UF2HcGvwsWWVnJxUCENERA Ct8DpKxi9QdFClTElLrbckdg2u62EQ9w xl4A8rqFGpIsIHr/vyiEJOKc joYQAw== ;; Received 525 bytes from 192.168.9.253#53(192.168.9.253) in 1 ms com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS d.gtld-servers.net. com. 172800 IN NS e.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766 com. 86400 IN RRSIG DS 8 1 86400 20180320050000 20180307040000 41824 . BC9sBSajZiG1QS6EkJSZC1MPLa6U9BZ3z1MR9s9B KZTYG9nQXqI02zhv qT7eWeGBAsCeItUCPAryRH+pQdY5EF36+S5gxQ/1HAdabUvWdQqQ+NMb qP8BTR2jwW4u5i7WGKuj12ZxFqqflhyCuPOcnwhWXC8hJYd+ldvTocAO FL3rAm1K g7CJEPX9eHZKSMRr6Q2jle8UA0ts1lHvAqHf9vanqgbEWQdP BbSaWSD3A29uf3PdUhYDTn8pr1LMx71Yn04r6f2oWp1z5PDLkHUBPION N0NcCopbGUZzHe1fg6NG/fcrGvY2K+Uui L5x3exVc36VXY0WArGxUqie CDLlGQ== ;; Received 1174 bytes from 184.108.40.206#53(l.root-servers.net) in 157 ms google.com. 172800 IN NS ns2.google.com. google.com. 172800 IN NS ns1.google.com. google.com. 172800 IN NS ns3.google.com. google.com. 172800 IN NS ns4.google.com. CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20180313044649 20180306043649 46967 com. b3d5klRFU7USTNky2OFJH+1NPIVVl +//DDW5OXMCTDpd615PkeUF3OQB KSB7rjbogsVC2lJWEORhZ6ydlafrLqxJNB0RnT+Zo+MmJ3w2TP9W3kq3 jWkbwdKZJdLFuKrdVCxK5fGyM271Rww7LoIK9mvBIcXe4zKTRhUuSy eK 1Nc= S848U70KJDCTE8UH1N07QH2EK7LNOUC6.com. 86400 IN NSEC3 1 1 0 - S84CEFMDU6ABFSN4V0L2VLLOASCD5IV2 NS DS RRSIG S848U70KJDCTE8UH1N07QH2EK7LNOUC6.com. 86400 IN RRSIG NSEC3 8 2 86400 20180311054852 20180304043852 46967 com. h2bSqFsoUSjE2X1NlyEHyGvC66vL0 pvI0WSB09V3xxNtswpcQ/N6rnsH CUxxdLgGBuuMM+L8v79v8CSUxqVxhJRHX0feR0mPdeWE3FU0rOSRhr1D Bfb5rFiG2TQ2P3mIybzn6kFblRHlM/1tSkl09KD42584/j0HkRlZPd fF QEU= ;; Received 776 bytes from 220.127.116.11#53(i.gtld-servers.net) in 108 ms www.google.com. 300 IN A 18.104.22.168 ;; Received 48 bytes from 22.214.171.124#53(ns2.google.com) in 24 ms
Gertjan last edited by
.. added to that : the whole boatload is DNSSEC certified, if the domain adopted DNSSEC.