Netgate Discussion Forum

    Outbound has slow response time

    DHCP and DNS
    2 Posts 2 Posters 502 Views
    cjbujold

      I have configured Outbound to use the forwarding mode and assigned 6 forwarding DNS servers.

      When users try to connect to a web page, the users have to do a refresh of their submitted web page before the browser connects.

      It looks as if pfSense finds the address, but requires a second request before it can provide it.

      When I do a DNS lookup in pfSense, I constantly see that the 127.0.0.1 is always the slowest of the DNS to respond. At times it can be over 1 second over the slowest DNS server.

      The DHCP server is configured to point clients to the pfSense server (192.168.144.1).

      Any suggestion on how I can fix this issue would be appreciated.


      JeGr LAYER 8 Moderator @cjbujold

        @cjbujold That isn't much information to deal with.

        • are you running the forwarder or resolver?
        • if it's the resolver, do you actually resolve or have the option for forwarding active? are you forwarding to a secure service (DoT)?
        • why do you have that many DNS servers configured?
        • what is the setting in System/General about DNS servers and fallback strategy?
        • how is the forwarder/resolver configured?
        • are multiple WANs in play?
        • how about host/domain overrides and what is your configured domain in System/General?
        • does your DHCP server advertise a domain and domain search list?

        DNS resolution may be slow for some domains or all, that depends on a lot of things. If the resolver is in use and it is slow for some domains but not for others - that's the internet. The DNS resolver is completely resolving the way to the upstream DNS server of that domain, e.g. blah.example.com would mean it needs to head over to the ROOTs for .com, then to a .com nameserver for example.com and then ask the nameserver for example.com whoTF is blah.example.com. That's the complete tree and how resolving is done. That can result in the first query being slow, but the subsequent calls are cached and therefore very fast. The other point is if a DNS forwarder is down or (geo)blocking or censoring, you completely ignore that as unbound will resolve the domain via the ROOTs, the domain etc. and ask the authoritative nameserver of the domain itself for the IP. Not a big forwarder that can be altered.

        If you do forwarding, all calls are forwarded to those name servers you've listed in the screenshot. That may be a bit faster but you send all DNS traffic that way. If they are down - you are down (have no resolution). Multiple servers may help but often DNS calls aren't working in parallel (or not very well) so if the first or both first and second forwarders are down or VERY slow, you'll often be stranded.

        The localhost entry may also be slow if MultiWAN is in play and you have problems switching between the uplinks or is flapping etc. etc.

        So as said, there can be many things afoot that can play into slow resolution. Even Windows itself can play a stupid part in it. If you have multiple domains in your Windows search path, Windows tries those first, adding them to every DNS call. So you ask for "blah.example.com" and have a search path of "my.local.home", and Windows stupidly asks your DNS for "blah.example.com.my.local.home"! - getting nothing but creating a question for the upstream DNS, then it even asks for "blah.example.com.local.home" (parent domain) before asking about the correct one. All those useless questions add up and make DNS resolution slow. So one can add a few lines to unbound's configuration and add/change it from transparent mode to static so it won't relay those useless questions to upstream DNS servers but immediately reply with "nope!" and not waste much time.

        So perhaps that can already shed some light into internals until you can add a few more info tidbits :)

        Cheers

        Don't forget to upvote 👍 those who kindly offered their time and brainpower to help you!

        If you're interested, I'm available to discuss details of German-speaking paid support (for companies) if needed.

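The following is an added example (not code from the thread or from pfSense/unbound) that models the search-suffix queries JeGr describes and shows, per unbound's local-zone types, which of them still reach the upstream forwarders. The devolution order (suffix, then parent of the suffix, then the bare name) is an assumption taken from the reply's description.

```python
from typing import Optional

# Added example, not from the forum thread. The Windows devolution order below
# is an assumption mirroring the reply above; the local-zone behaviour follows
# unbound's documented 'transparent' and 'static' types.


def windows_query_sequence(name: str, search_suffix: str) -> list[str]:
    """Names a client with a DNS suffix search list tries, in order:
    name.<suffix>, then name.<parent of suffix> while at least two labels
    remain (my.local.home -> local.home, then stop), then the bare name."""
    queries = []
    labels = search_suffix.split(".")
    while len(labels) >= 2:
        queries.append(f"{name}.{'.'.join(labels)}")
        labels = labels[1:]
    queries.append(name)
    return queries


def matching_zone(qname: str, local_zones: dict[str, str]) -> Optional[str]:
    """Most specific (longest) configured local-zone containing qname."""
    hits = [z for z in local_zones if qname == z or qname.endswith("." + z)]
    return max(hits, key=len) if hits else None


def resolve_plan(queries, local_zones, local_data=frozenset()):
    """(query, action) per query: 'local' = answered from local-data,
    'nxdomain' = static zone without data, answered at once without asking
    upstream, 'upstream' = transparent zone or no zone, so it is forwarded."""
    plan = []
    for q in queries:
        zone = matching_zone(q, local_zones)
        if q in local_data:
            plan.append((q, "local"))
        elif zone is not None and local_zones[zone] == "static":
            plan.append((q, "nxdomain"))
        else:
            plan.append((q, "upstream"))
    return plan


def upstream_queries(queries, local_zones, local_data=frozenset()):
    """Only the queries that would actually hit the forwarders."""
    return [q for q, act in resolve_plan(queries, local_zones, local_data)
            if act == "upstream"]


if __name__ == "__main__":
    qs = windows_query_sequence("blah.example.com", "my.local.home")
    for cfg in ({"my.local.home": "transparent"}, {"my.local.home": "static"},
                {"my.local.home": "static", "local.home": "static"}):
        print(cfg, "->", upstream_queries(qs, cfg))
```

Note that a static zone for the search suffix alone does not catch the devolved parent-domain query; that name lands outside the zone, so the parent has to be declared as well.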
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.