Why DNS Resolver appears to be 3x slower than DNS Forwarder?

  • I was previously using DNS Forwarder with Cloudflare upstream servers and namebench reported an average resolve time of ~40ms.

    In my attempt to cache DNS entries locally, I switched to DNS Resolver and surprise, now the benchmark reports an average resolve time of about ~120ms.

    Another reason why I wanted to use DNS Resolver was to use pfBlockerNG.

    My (home) router is far under-utilised, with CPU load <5% and memory <10% (8GB), so I really doubt router load has any effect.

  • Netgate Administrator

    Have you tried it in forwarding mode? Disabling DNSSec? Does that reduce resolve time?


  • The resolver will have to talk to the root servers if what you're asking for isn't already in cache and walk its way down the tree to the authoritative DNS. A forwarder will send the request to another upstream forwarder/resolver, usually a bigger one e.g. Google, and that one likely has what you're asking for already cached. The net result is that the forwarder appears faster due to how they operate.

  • @KOM I imagined this, but at the same time I observed that the benchmark result seems to remain stable, even if I run it multiple times in a row. I was expecting the resolver performance to improve over time as its cache grew.

    I tried to look for some stats regarding the DNS cache but I was not able to find any hit rate in the UI.

    Is there something I can do to improve its perceived speed? Somehow I do have the impression that with ~10 clients on the network it should be possible to improve the client resolution speed by using the resolver instead of the forwarder.

    I am also curious which values others receive on the benchmarks.
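The hit-rate figure asked for above is not in the pfSense UI, but the Resolver is Unbound, and `unbound-control stats_noreset` reports `total.num.cachehits`, `total.num.cachemiss` and `total.recursion.time.avg`. The script below is an added example (not from this thread or from Netgate) that turns that output into a hit-rate percentage and the average time spent on cache misses; the stats text is a constructed sample so it runs offline, and the config path in the comment is an assumption.

```shell
#!/bin/sh
# Added example: derive cache hit rate from Unbound's stats output.
# On the pfSense shell the live data would come from something like
#   unbound-control -c /var/unbound/unbound.conf stats_noreset
# (the config path is an assumption). Constructed sample output follows.
SAMPLE_STATS='thread0.num.queries=1200
thread0.num.cachehits=900
thread0.num.cachemiss=300
total.num.queries=1200
total.num.cachehits=900
total.num.cachemiss=300
total.recursion.time.avg=0.118422
msg.cache.count=412
rrset.cache.count=980'

# hit_rate STATS_TEXT -> percentage of queries answered from cache (one decimal)
hit_rate() {
  printf '%s\n' "$1" | awk -F= '
    $1 == "total.num.cachehits" { hits = $2 }
    $1 == "total.num.cachemiss" { miss = $2 }
    END {
      total = hits + miss
      if (total == 0) { print "0.0"; exit }   # no queries yet: avoid divide by zero
      printf "%.1f\n", 100 * hits / total
    }'
}

# avg_recursion_ms STATS_TEXT -> mean time in ms Unbound spent walking the tree
# for cache misses; this is the cost the forwarder setup offloads to the upstream.
avg_recursion_ms() {
  printf '%s\n' "$1" | awk -F= '
    $1 == "total.recursion.time.avg" { printf "%.1f\n", $2 * 1000 }'
}

# Stand-alone run: pipe real stats in, or fall back to the constructed sample.
if [ -t 0 ]; then stats="$SAMPLE_STATS"; else stats="$(cat)"; fi
echo "cache hit rate: $(hit_rate "$stats")%"
echo "avg recursion on misses: $(avg_recursion_ms "$stats") ms"
```

A benchmark that queries mostly distinct names will register almost entirely as misses, so a low hit rate here alongside a high recursion average explains a stable ~120ms result without the cache ever helping the benchmark.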

  • Honestly, unless there is a problem I don't waste my time tweaking for that extra 1 ms. Netgate uses resolver by default because it just works out of the box without the need to specify upstream servers. If you're concerned with speed, use the forwarder with your ISP's local DNS.

    As for testing, DNS Bench by Steve Gibson is one such tool.
