DNS Resolver with DNS forwarding x2 slower than DNS Forwarder

  • pfsense 2.4.5-RELEASE-p1 (amd64)

    So I had the pfSense DNS Resolver configured with forwarding enabled to upstream DNS servers but had been noticing slow page loads. So I switched over to the DNS Forwarder with significant improvements.

    I used namebench to test against the top 2000 sites (Alexa):
    Resolver 50% of queries under 110ms
    Forwarder 50% of queries under 30ms
    Overall average fell ~130ms

    While I understand the Unbound resolver would be slower even with forwarding enabled, the performance gap here is more significant than I would expect. It could be something specific to my resolver config, which I've included at the bottom.

    DNS Resolver with Forwarding

    DNS Forwarder

    DNS Resolver Config
    Listen Port: 53
    Enable SSL/TLS Service: False
    Network Interfaces: All
    Outgoing Network Interfaces: All
    System Domain Local Zone Type: Transparent
    DNSSEC: True
    Python Module: False
    DNS Query Forwarding: True (no SSL/TLS)
    DHCP Registration: True
    Static DHCP: True

    Advanced config
    Hide Identity: True
    Hide Version: True
    Query Name Minimization: True
    Strict Query Name Minimization: False
    Prefetch Support: True
    Prefetch DNS Key Support: True
    Harden DNSSEC Data: True
    Serve Expired: False
    Message Cache Size: 50MB
    Outgoing TCP Buffers: 10
    Incoming TCP Buffers: 10
    EDNS Buffer Size: 4096

  • Hi,

    When forwarding, using either the Resolver (Unbound) or dnsmasq (the other DNS forwarder), you could (should, for timing issues?) deactivate DNSSEC,
    as DNSSEC makes no sense when forwarding.

    When you are forwarding, you might as well stop using unbound - the Resolver, and go for dnsmasq (the Forwarder).
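As an added example, not from the thread, this script reproduces the namebench-style numbers quoted in the first post (median, i.e. "50% of queries under", and mean latency) from plain dig runs against a resolver, and also counts how many answers carry the AD flag, so you can see whether DNSSEC validation is actually happening on a forwarded path before deciding to turn it off. The dig outputs embedded as samples are constructed, and the server address and domain list are placeholders.

```python
"""Benchmark a resolver with dig and summarise latency the way namebench does."""
import re
import shutil
import statistics
import subprocess
from typing import Iterable

QUERY_TIME_RE = re.compile(r";; Query time: (\d+) msec")
FLAGS_RE = re.compile(r";; flags: ([a-z ]+);")

# Constructed dig outputs (only the header lines the parser needs).
SAMPLE_OUTPUTS = [
    ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1\n;; Query time: 110 msec\n",
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 1\n;; Query time: 30 msec\n",
    ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1\n;; Query time: 70 msec\n",
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 1\n;; Query time: 30 msec\n",
]

def parse_dig(output: str) -> dict:
    """Extract the query time (ms) and whether the AD flag was set from one dig run."""
    t = QUERY_TIME_RE.search(output)
    f = FLAGS_RE.search(output)
    flags = set(f.group(1).split()) if f else set()
    return {"ms": int(t.group(1)) if t else None, "ad": "ad" in flags}

def summarize(outputs: Iterable[str]) -> dict:
    """namebench-style summary: median ("50% of queries under"), mean, and the
    fraction of answers the resolver marked as DNSSEC-validated (AD flag)."""
    parsed = [parse_dig(o) for o in outputs]
    times = [p["ms"] for p in parsed if p["ms"] is not None]
    if not times:
        raise ValueError("no query times found in dig output")
    return {
        "queries": len(times),
        "median_ms": statistics.median(times),
        "mean_ms": round(statistics.fmean(times), 1),
        "ad_fraction": round(sum(p["ad"] for p in parsed) / len(parsed), 2),
    }

def run_dig(server: str, name: str, timeout: int = 5) -> str:
    """Run a single A query against `server` and return dig's raw output."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig not found; install bind-utils / dnsutils")
    cmd = ["dig", f"@{server}", name, "A", "+tries=1", f"+time={timeout}"]
    return subprocess.run(cmd, capture_output=True, text=True, timeout=timeout + 1).stdout

def bench(server: str, names: Iterable[str]) -> dict:
    """Query each name once against `server` and summarise the results."""
    return summarize(run_dig(server, n) for n in names)

if __name__ == "__main__":
    import sys  # usage: python bench.py 192.0.2.1 example.com example.net ...
    print(bench(sys.argv[1], sys.argv[2:]))  # server and names are placeholders
```

Run it once against the Resolver and once against the Forwarder with the same name list; an ad_fraction of 0 on the forwarded path means the DNSSEC cost is being paid without any validated answers coming back.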

  • Following. We are looking for solutions as well. We are having issues with DNS in https://www.yarno.dk

  • @dkyarnogarn said in DNS Resolver with DNS forwarding x2 slower than DNS Forwarder:

    We are having issues with DNS in https://www.yar....

    Like no SOA. That's bad.
    DNS forwarding, Resolving, whatever, if your DNS zone is bad things become messy.
    edit: correction:
    There it is:
    dig yar??.dk SOA +short
    logan.ns.cloudflare.com. dns.cloudflare.com. 2034779557 10000 2400 604800 3600

    No DNSSEC either? I thought that in the north things were done seriously these days ;)