DNS Resolver Unbound with DNS Query Forwarding enabled vs disabled mode. SLOW

  • Guys, so I've read a lot of posts here on resolver vs. DNS forwarder. Help me understand one thing from my testing. I'm a newbie, so if I'm asking something obvious to you, please school me.

    Why is the DNS resolver SO slow (1 sec, but in real time it takes 10 seconds to display a NEW full page that hasn't been visited before), yet when I enable DNS Query Forwarding, pfSense is the fastest?

    DISABLED (UNCHECKED) DNS Query Forwarding: pffire is 1000 ms, 10 seconds to display the full page with the rest of the content.

    VS DNS Query Forwarding enabled (CHECKED), which now shows my pfSense being the fastest. Why is unchecked forwarding SO slow? Isn't that the preferred way of DNS resolution? It simply does not work for me in any configuration I tried. I'm a newbie, so help me understand what I'm not understanding here: why, unless checked, is it so freaking slow??? There will be plenty of newly visited sites. I don't wanna wait 10 seconds for each. It's a turtle. Also notice queries improve by half, from 60ms to 30ms; not that it's much difference, but 1000ms or 3500ms vs 35ms-60ms is a huge difference, especially with other HTML content that needs to be pulled down as well. Also look at the max: 200ms vs 3500ms… that's huge. Version of pfSense is 2.4.2-RELEASE-p1 (amd64).

    Is this something to do with the way the pfSense settings are set up, or is this caused by the ISP (Comcast/Xfinity in my case)?

    With DNS query forwarding, those DNS A records are still being cached in the pfSense DNS resolver, correct?

    And check this out. The fastest server now slows down; not that it matters, as my pfSense is the fastest now, but it says it shares cache with the pfSense box. Good, but why is it slow?

  • After a few more tests, a few more reads here at the forum and a few more settings changes, I have figured it out myself. Much better now. I will back up the config, just in case I decide to play with settings later and screw this up, lol. This is using DNS Resolver.

    Now that DNS and DHCP are working correctly and my Asus router is now in access point only mode, I will move on to firewall and packages. I spent 2 days getting DNS working correctly. I will eventually be moving on to OpenVPN encryption and have an AES-NI chip. If I'm still not understanding something here, please comment.

    I'm still unsure why there are so many "hijacking" and "incorrect" notes. It could be a false positive, but I am simply wondering. Anyone care to comment?

  • Simple advice: dump the program and your problem is solved.

    One simple line in its output says it all:
    When it asks "": "what is the A for google.com", it comes back with
    google.com appears incorrect
    And a go for www.google.com comes back with the hijacked message.

    But wait… it won't take you very long (using Google!) to find out that "" IS a valid IP for google.com...

    So, what now? You call Google, the ones who run , to tell them that their master DNS has been tampered with? (Please record the call and drop it on YouTube; I guarantee high scores.)

    Somehow, this program isn't able to obtain all DNS A records... (the author didn't read, and programmed, all this: https://www.google.fr/search?q=How+to+find+all+IP+og+Google&ie=utf-8&oe=utf-8&client=firefox-b&gfe_rd=cr&dcr=0&ei=D6ifWoTmGO-stgfu45igCg)

  • Rebel Alliance Global Moderator

    "Why is dns resolver SO slow 1 sec but in real time it takes 10 seconds to display NEW full page"

    I am with Gertjan on this, and yes, I would love to see this recorded call to Google about how their DNS has been hijacked… Could do that as a double feature on Twitter as well ;)

    Vs. using some nonsense tool about how fast X NS is over another... Why don't you actually troubleshoot why you might be having a problem with lookups? Unless you're on a really bad internet connection, or trying to look up something where their NS are on the other side of the planet, walking the tree from the roots should be really quick... You're talking ms to do a full lookup.

    Keep in mind it only walks down from the roots when nothing has been cached already. Unbound probably already knows the NS for .com, so it doesn't need to ask for that; it just goes straight to those to ask for your domain.com authoritative NS, and then directly to one of those.

    A simple dig www.domain.tld +trace should give you all the NS in line from the roots to the authoritative servers for the domain. So let's see that for where you're having a problem, and we can figure out where you might be having a problem that is DNS related, if anything.

    Example... here is a dig to www.google.com:

    > dig www.google.com +trace
    ; <<>> DiG 9.11.2-P1 <<>> www.google.com +trace
    ;; global options: +cmd
    .                       443955  IN      NS      a.root-servers.net.
    .                       443955  IN      NS      b.root-servers.net.
    .                       443955  IN      NS      c.root-servers.net.
    .                       443955  IN      NS      d.root-servers.net.
    .                       443955  IN      NS      e.root-servers.net.
    .                       443955  IN      NS      f.root-servers.net.
    .                       443955  IN      NS      g.root-servers.net.
    .                       443955  IN      NS      h.root-servers.net.
    .                       443955  IN      NS      i.root-servers.net.
    .                       443955  IN      NS      j.root-servers.net.
    .                       443955  IN      NS      k.root-servers.net.
    .                       443955  IN      NS      l.root-servers.net.
    .                       443955  IN      NS      m.root-servers.net.
    .                       443955  IN      RRSIG   NS 8 0 518400 20180319050000 20180306040000 41824 . HuoM9EWTlBFbaz2GuhxaRgQRx1NZRWKhM89mNNXSe37uI8sQBLzrZE0N zd3SnwEackULR1f59ssTvtzywZ2T7hhe5YEzL+kfvNkjQ6EbncP4q0GR dU0EZVLQ7ezrRTcrKAeFoXcr6G7uYwnaYahyX2k/Ot9DsnppISBAlUG/ rwHA7JBoth99fqo/oL8DgrBeUuLZfkpUWtA7C90poe2EFMzs6YpI18rT lqK6VQNXllvR7IKN0K3wxqIAsGlQARNa30UF2HcGvwsWWVnJxUCENERA Ct8DpKxi9QdFClTElLrbckdg2u62EQ9wxl4A8rqFGpIsIHr/vyiEJOKc joYQAw==
    ;; Received 525 bytes from in 1 ms
    com.                    172800  IN      NS      a.gtld-servers.net.
    com.                    172800  IN      NS      b.gtld-servers.net.
    com.                    172800  IN      NS      c.gtld-servers.net.
    com.                    172800  IN      NS      d.gtld-servers.net.
    com.                    172800  IN      NS      e.gtld-servers.net.
    com.                    172800  IN      NS      f.gtld-servers.net.
    com.                    172800  IN      NS      g.gtld-servers.net.
    com.                    172800  IN      NS      h.gtld-servers.net.
    com.                    172800  IN      NS      i.gtld-servers.net.
    com.                    172800  IN      NS      j.gtld-servers.net.
    com.                    172800  IN      NS      k.gtld-servers.net.
    com.                    172800  IN      NS      l.gtld-servers.net.
    com.                    172800  IN      NS      m.gtld-servers.net.
    com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
    com.                    86400   IN      RRSIG   DS 8 1 86400 20180320050000 20180307040000 41824 . BC9sBSajZiG1QS6EkJSZC1MPLa6U9BZ3z1MR9s9BKZTYG9nQXqI02zhv qT7eWeGBAsCeItUCPAryRH+pQdY5EF36+S5gxQ/1HAdabUvWdQqQ+NMb qP8BTR2jwW4u5i7WGKuj12ZxFqqflhyCuPOcnwhWXC8hJYd+ldvTocAO FL3rAm1Kg7CJEPX9eHZKSMRr6Q2jle8UA0ts1lHvAqHf9vanqgbEWQdP BbSaWSD3A29uf3PdUhYDTn8pr1LMx71Yn04r6f2oWp1z5PDLkHUBPION N0NcCopbGUZzHe1fg6NG/fcrGvY2K+UuiL5x3exVc36VXY0WArGxUqie CDLlGQ==
    ;; Received 1174 bytes from in 157 ms
    google.com.             172800  IN      NS      ns2.google.com.
    google.com.             172800  IN      NS      ns1.google.com.
    google.com.             172800  IN      NS      ns3.google.com.
    google.com.             172800  IN      NS      ns4.google.com.
    CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20180313044649 20180306043649 46967 com. b3d5klRFU7USTNky2OFJH+1NPIVVl+//DDW5OXMCTDpd615PkeUF3OQB KSB7rjbogsVC2lJWEORhZ6ydlafrLqxJNB0RnT+Zo+MmJ3w2TP9W3kq3 jWkbwdKZJdLFuKrdVCxK5fGyM271Rww7LoIK9mvBIcXe4zKTRhUuSyeK 1Nc=
    S848U70KJDCTE8UH1N07QH2EK7LNOUC6.com. 86400 IN RRSIG NSEC3 8 2 86400 20180311054852 20180304043852 46967 com. h2bSqFsoUSjE2X1NlyEHyGvC66vL0pvI0WSB09V3xxNtswpcQ/N6rnsH CUxxdLgGBuuMM+L8v79v8CSUxqVxhJRHX0feR0mPdeWE3FU0rOSRhr1D Bfb5rFiG2TQ2P3mIybzn6kFblRHlM/1tSkl09KD42584/j0HkRlZPdfF QEU=
    ;; Received 776 bytes from in 108 ms
    www.google.com.         300     IN      A
    ;; Received 48 bytes from in 24 ms
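As an added illustration of the point above (it is not part of the thread and not Unbound or pfSense code), the script below models a caching iterative resolver next to a forwarder. The zone data, server names and addresses are constructed for the example; the per-hop round-trip times are assumptions that roughly follow the hop timings in the dig +trace output (root 157 ms, .com 108 ms, the zone's own NS 24 ms). It shows why a cold resolver pays one round trip per uncached delegation, why the second lookup under the same zone costs a single round trip, why another .com name skips the root entirely, and why forwarding only looks faster when the upstream's cache happens to be warm.

```python
"""Offline model of a caching iterative resolver (what Unbound does with
forwarding disabled) versus a forwarder that hands every cache miss to one
upstream recursive resolver. Zone data, server names and round-trip times are
constructed for this example; they are not captured DNS traffic."""

from dataclasses import dataclass, field

# Constructed delegation tree: . -> com. -> {example.com., other.com.}
# rtt_ms values are assumed, loosely following a cold `dig +trace`.
ZONES = {
    ".": {"server": "a.root-servers.net.", "rtt_ms": 157,
          "delegates": {"com.", "net."}, "answers": {}},
    "com.": {"server": "a.gtld-servers.net.", "rtt_ms": 108,
             "delegates": {"example.com.", "other.com."}, "answers": {}},
    "example.com.": {"server": "ns1.example.com.", "rtt_ms": 24,
                     "delegates": set(),
                     "answers": {"www.example.com.": "192.0.2.10",
                                 "mail.example.com.": "192.0.2.25"}},
    "other.com.": {"server": "ns1.other.com.", "rtt_ms": 80,
                   "delegates": set(),
                   "answers": {"www.other.com.": "198.51.100.7"}},
}


def in_zone(qname: str, zone: str) -> bool:
    """True if qname lies inside zone (label-boundary aware; root holds all)."""
    return zone == "." or qname == zone or qname.endswith("." + zone)


@dataclass
class Resolver:
    """Iterative resolver with a delegation cache (zone -> nameserver) and an
    answer cache. Root hints are primed, as in a real resolver, so even a
    cold cache knows where to start."""
    name: str
    ns_cache: dict = field(default_factory=lambda: {".": ZONES["."]["server"]})
    answer_cache: dict = field(default_factory=dict)

    def lookup(self, qname: str):
        """Resolve qname. Returns (address, elapsed_ms, queries_sent).
        The walk starts at the deepest zone whose nameserver is already
        cached, so only uncached delegations cost a round trip."""
        if qname in self.answer_cache:
            return self.answer_cache[qname], 0, 0
        elapsed, queries = 0, 0
        zone = max((z for z in self.ns_cache if in_zone(qname, z)), key=len)
        while True:
            auth = ZONES[zone]            # the server we ask for this zone
            elapsed += auth["rtt_ms"]
            queries += 1
            if qname in auth["answers"]:  # authoritative answer: done
                addr = auth["answers"][qname]
                self.answer_cache[qname] = addr
                return addr, elapsed, queries
            child = next((c for c in auth["delegates"] if in_zone(qname, c)), None)
            if child is None:
                raise LookupError(f"{zone} holds neither data nor a delegation for {qname}")
            self.ns_cache[child] = ZONES[child]["server"]  # remember the referral
            zone = child


@dataclass
class Forwarder:
    """Forwarding mode: every cache miss becomes one query to a single upstream
    recursive resolver (e.g. the ISP's). Latency is the hop to the upstream
    plus whatever work the upstream still has to do."""
    upstream: Resolver
    upstream_rtt_ms: int
    answer_cache: dict = field(default_factory=dict)

    def lookup(self, qname: str):
        """Returns (address, elapsed_ms, queries_sent_by_this_box)."""
        if qname in self.answer_cache:
            return self.answer_cache[qname], 0, 0
        addr, upstream_ms, _ = self.upstream.lookup(qname)
        self.answer_cache[qname] = addr
        return addr, self.upstream_rtt_ms + upstream_ms, 1


def demo() -> dict:
    """Cold recursion vs forwarding, step by step. Returns label -> result."""
    local = Resolver("unbound-on-pfsense")
    isp_warm = Resolver("isp-resolver")
    isp_warm.lookup("www.example.com.")   # other customers already warmed it
    isp_cold = Resolver("isp-resolver-cold")
    r = {}
    r["recursive_cold"] = local.lookup("www.example.com.")        # . -> com. -> example.com.
    r["recursive_same_zone"] = local.lookup("mail.example.com.")  # example.com. NS cached
    r["recursive_other_com"] = local.lookup("www.other.com.")     # com. NS cached, root skipped
    r["recursive_repeat"] = local.lookup("www.example.com.")      # answer cache hit
    r["forward_warm_upstream"] = Forwarder(isp_warm, 20).lookup("www.example.com.")
    r["forward_cold_upstream"] = Forwarder(isp_cold, 20).lookup("www.other.com.")
    return r


if __name__ == "__main__":
    for label, (addr, ms, queries) in demo().items():
        print(f"{label:24s} {addr:14s} {ms:4d} ms  {queries} round trip(s)")
```

Run it and compare the rows: the cold recursive lookup is the sum of three hops, the forwarder with a warm upstream is one hop, and the forwarder with a cold upstream is strictly worse than recursing yourself, because the same walk still happens, just one hop further away. Real Unbound also caches the intermediate NS records with their TTLs, so the "recursive_other_com" row is the common case once the box has been running for a while.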

  • ... added to that: the whole boatload is DNSSEC certified, if the domain adopted DNSSEC.