I don't know when this started - very recently and I also very recently upgraded to 2.4.4-RELEASE-p1.
I noticed it while looking at web browser page load times and seeing the 'waiting' or the 'dns' portion consuming 1-2 seconds before a connection was even made to the site.
At random times there is a lag in DNS lookup - maybe 1200-2000ms. Sometimes if I run 'time dig example.com', time will report 2000ms, but the dig says the actual query was shorter. That is why I am calling it a lag. I'm don't know a whole lot about unbound so I am not sure how to troubleshoot.
Today I switched unbound from resolver to forwarder mode and the problem appears to have gone away. I forward to a server I control which runs BIND so I know that server is fine (rather than an ISP provided server). Now all my DNS is under 80ms.
I am curious/wanting to troubleshoot whaty is causing these delay in resolver mode, but I am not sure how to go about that.
In resolver mode, your firewall must be able to reach the root DNS servers and other authoritative servers all over the Internet in order to resolve names. In forwarding mode, it only needs to reach its next upstream resolver. It's possible your ISP blocks or rate limits DNS traffic such that it interferes with resolver mode, we have seen that a few times before in the past.
@jimp Any troubleshooting suggestions to determine if this is the case? I don't recall this happening before...I suppose Comcast could have started it recently, but I've been running pfsense for 2 1/2 years as a resolver without this lag. I will try some tcpdump on the router to see if I can identify whether there are networks delays in the queries to the root servers or name servers. But if it is unbound related (particularly the newer version in the recent pfsense update) I'm not sure what to look at next.
You'd have to look at what DNS requests are leaving your WAN and when/how the replies come back.
There was an issue where in some cases it would only use a single thread for queries but I haven't heard of it causing that specific behavior. See https://redmine.pfsense.org/issues/9059#note-6 for a workaround.
In the Resolver, increase the log verbosity to "2" and check the resolver.log for clues...