Apple TV // opendns // dns speed issues



  • So really long weird post/question
    I have an Apple TV and want to use opendns however when I do every apple/Netflix/amazon download slow to a crawl because of where their dns is located. When I use my local Comcast dns everything is great.
    So what I want to do is used dns override I believe to say anything from  apple/Netflix/amazon to go through 75.75.75.75 and everything else to go through opendns. This issue is I don't know what addresses those companies use. I tired adding apple.com and it didn't seem to work. Anyone else using  apple/Netflix/amazon and pf?

    Thanks.



  • @Macbentosh:

    So really long weird post/question
    I have an Apple TV and want to use opendns however when I do every apple/Netflix/amazon download slow to a crawl because of where their dns is located.

    It is hard to understand the cause and effect here. DNS is only involved in downloads (if at all) to lookup the IP address of hostnames.

    @Macbentosh:

    When I use my local Comcast dns everything is great.

    Does OpenDNS return different IP addresses than Comcast for Apple/Netfix/amazon?

    Maybe OpenDNS is noticeably slower than Comcast in responding to DNS requests, but that would only affect the promptness of the start of the download.



  • this should say more http://00f.net/2012/02/22/akamai-vs-public-dns-servers/

    Long story short I want to make anything that goes to apple/netflix/amazon's CDN go to comcast dns and everything else to go to opendns



  • If you are using pfSense DNS forwarder go to Services -> DNS Forwarder, scroll down to the Domain Overrides section and add appropriate entries so Apple/Netflix/amazon DNS requess go to your ISP DNS.



  • yes tried that but what are they… lol



  • does anyone have a setup like this?



  • @Macbentosh:

    yes tried that but what are they… lol

    If you don't know what domains you want to redirect to your ISP DNS then you can't have tried my suggestion.

    And you haven't confirmed you are using pfSense DNS forwarder and your client systems are using pfSense as the DNS. If this is not the case the rest of this reply is irrelevant.

    Since you have already referenced akami.net I presume you think akami.net is provide at least some proportion of your downloads so I suggest you enter a domain override for akami.net to your ISP DNS, Then (might not be necessary) disable and enable DNS forwarder.



  • Thanks for the interesting question.

    I use OpenDNS as my public DNS and pfSense DNS forwarder as DNS for my downstream systems. I download about a dozen MP3 file a week from www.abc.net.au. abc.net.au uses akami.net. I added a domain override to redirect DNS requests for akami.net to my ISP's DNS. A quick check with dig suggested I was getting the same DNS results as before so I added an override to redirect DNS requests for abc.net.au to my ISP's DNS. Then a download of a small MP3 file from abc.net.au ran at over 400kBps whereas before they would typically run at between 30kBps and 60kBps.

    I'll do some more experimenting tonight (when I normally download from ww.abc.net.au) to see if I have consistently faster downloads from abc.net.au.

    I'm guessing your issue is that you have some sort of application downloading from one or more of apple/netflix/amazon so you are unsure of the relevant DNS name getting translated. Is that correct? If you are using a browser for downloads it should be fairly straight forward to figure out a suitable name to use for the domain override.



  • @wallabybob:

    @Macbentosh:

    yes tried that but what are they… lol

    If you don't know what domains you want to redirect to your ISP DNS then you can't have tried my suggestion.

    And you haven't confirmed you are using pfSense DNS forwarder and your client systems are using pfSense as the DNS. If this is not the case the rest of this reply is irrelevant.

    Since you have already referenced akami.net I presume you think akami.net is provide at least some proportion of your downloads so I suggest you enter a domain override for akami.net to your ISP DNS, Then (might not be necessary) disable and enable DNS forwarder.

    I have only setup apple.com and tested I will try one for akami.net

    @wallabybob:

    Thanks for the interesting question.

    I'm guessing your issue is that you have some sort of application downloading from one or more of apple/netflix/amazon so you are unsure of the relevant DNS name getting translated. Is that correct? If you are using a browser for downloads it should be fairly straight forward to figure out a suitable name to use for the domain override.

    I am using my apple tv to rent movies and using my roku to stream from amazon/netflix



  • @Macbentosh:

    I am using my apple tv to rent movies and using my roku to stream from amazon/netflix

    Some things you could try. I suspect these are in order of increasing complexity.
    1. Configure the apple TV and roku with static IP address and static DNS = ISP DNS
    2. Configure the apple TV and roku to obtain IP address by DHCP but specify ISP DNS as the DNS (to override DNS provided by DHCP)
    3. Find MAC addresses of your appleTV and roku. On pfSense configure a DHCP pool on appropriate interface, use the MAC Address Control mechanism to select the apple TV and roku into the pool (specify first 5 or all 6 octets of the MAC address in the Allow field) and specify the ISP DNS as DNS for the pool. (I haven't used DHCP Pools so I don't know if this will work.)
    4. Google to see if you can find hostnames used by your boxes, then add appropriate host overrides to pfSense DNS forwarder.
    5.On pfSense use a packet capture with filter to look at DNS requests from one of the boxes of interest to see what host names it looks up to download a show. Add appropriate host overrides to pfSense DNS forwarder. Repeat for other box.



  • so this is what little snitch shows for iTunes traffic….

    What do you think I should put in DNS forwarder??



  • @Macbentosh:

    so this is what little snitch shows for iTunes traffic….

    I am not familiar with "little snitch". What is it supposed to do?

    @Macbentosh:

    What do you think I should put in DNS forwarder??

    You already claimed that something like what I'm inclined to suggest "didn't work". What exactly didn't work? What were you expecting it to do that it didn't do?



  • @wallabybob:

    I am not familiar with "little snitch". What is it supposed to do?

    You already claimed that something like what I'm inclined to suggest "didn't work". What exactly didn't work? What were you expecting it to do that it didn't do?

    Little snitch is a software firewall for the mac

    I added apple.com to the dns forwarder do I need to add the whole domain *.apple.com or what

    What I expect is for the movies to take 5-10 min to download like they do when I use comcast dns rather then the 4-6 hours it takes on openDNS



  • @Macbentosh:

    I added apple.com to the dns forwarder do I need to add the whole domain *.apple.com or what

    Add apple.com as domain override to DNS forwarder. It MIGHT be necessary to disable the enable DNS forwarder to get it to notice the change in configuration. It might be necessary to clear the DNS cache on your client computer and any browser cache of DNS translations to make sure you the client computer gets the new translation.

    @Macbentosh:

    What I expect is for the movies to take 5-10 min to download like they do when I use comcast dns rather then the 4-6 hours it takes on openDNS

    I can see a POSSIBLE cause and effect but there might not be a DEFINITE cause and effect. ("Wrong" DNS might not be ONLY reason your downloads are slower than you would like.)



  • @wallabybob:

    I can see a POSSIBLE cause and effect but there might not be a DEFINITE cause and effect. ("Wrong" DNS might not be ONLY reason your downloads are slower than you would like.)

    DNS is the only thing that I have changed to reproduce the issue and to resolve the issue multiple times…But I will introduce those changes to the firewall, flush everything, and try again.

    Thanks!!


  • Rebel Alliance Global Moderator

    Where are you located on the globe?  The only thing I could see that could make a difference in using different dns and grabbing from a cloud based service for downloads.  Is where you get sent for your download.

    opendns has dns servers located
    http://system.opendns.com/table/

    AMS CHI DFW FRA HKG LON LAX MIA NYC PAO SEA SIN WDC

    So depending on which one your using - you might be told to download from a location that is not really close to you globally.  While if you use your local ISP dns, you should download from somewhere closer to you based upon where the dns query came from regionally.

    From your sniff you would want to put those parent domains in your override if you want them to use your local dns.

    apple.com, akamai.net and edgesuite.net

    if you look those other 2 are just cnames for the first one

    ;; QUESTION SECTION:
    ;a1431.v.phobos.apple.com.      IN      A

    ;; ANSWER SECTION:
    a1431.v.phobos.apple.com. 86400 IN      CNAME  a1431.v.phobos.apple.com.edgesuite.net.
    a1431.v.phobos.apple.com.edgesuite.net. 21600 IN CNAME a1431.w11.akamai.net.
    a1431.w11.akamai.net.  20      IN      A      184.84.236.88
    a1431.w11.akamai.net.  20      IN      A      184.84.236.129



  • I have been getting considerably higher download speeds from www.abc.net.au since I changed the DNS forwarder to use my ISP's DNS for domain abc.net.au rather than OpenDNS.

    I have discovered youtube.com sometimes translates to different IP addresses when using my ISP's DNS rather than OpenDNS so I may add an override for youtube.com as well.


  • Rebel Alliance Global Moderator

    So here is my point about opendns – where are you located in the world?  Which one of their many servers would you be using?

    As you can see from the attached from the www.abc.net.au example they return many different IPs, depending on where your at in the world

    You can check the cache they have yourself for any fqdn here http://www.opendns.com/support/cache/

    So yes if your say in chicago, and forwhatever reason your pulling files from the akamai network in HK -- its going to be slower ;)

    Was a VPN mentioned?  Where is the endpoint of this VPN located?  If you the opendns located in that region, etc.??




  • @johnpoz:

    So here is my point about opendns – where are you located in the world?

    Australia

    @johnpoz:

    Which one of their many servers would you be using?

    208.67.220.220 and 208.67.222.222

    @johnpoz:

    As you can see from the attached from the www.abc.net.au example they return many different IPs, depending on where your at in the world

    Interesting. My ISP's DNS returns 120.0.9.200 and 120.0.29.201 for www.abc.net.au and that is not the same as any of the results from the OpenDNS servers.

    @johnpoz:

    Was a VPN mentioned?  Where is the endpoint of this VPN located?  If you the opendns located in that region, etc.??

    There is no active VPN involved.



  • To clarify this:
    @johnpoz:

    From your sniff you would want to put those parent domains in your override if you want them to use your local dns.

    apple.com, akamai.net and edgesuite.net

    if you look those other 2 are just cnames for the first one

    ;; QUESTION SECTION:
    ;a1431.v.phobos.apple.com.      IN      A

    ;; ANSWER SECTION:
    a1431.v.phobos.apple.com. 86400 IN      CNAME  a1431.v.phobos.apple.com.edgesuite.net.
    a1431.v.phobos.apple.com.edgesuite.net. 21600 IN CNAME a1431.w11.akamai.net.
    a1431.w11.akamai.net.  20      IN      A      184.84.236.88
    a1431.w11.akamai.net.  20      IN      A      184.84.236.129

    Is the following statement correct?
    If the downstream DNS client does a recursive lookup for IP address of www.apple.com it is sufficient for the pfSense DNS forwarder to have an override for domain apple.com but if the downstream DNS client issues non-recursive lookups for IP address of www.apple.com then the pfSense DNS forwarder should have overrides for all the "intermediate" domain names, in this particular case edgesuite.net and akami.net.


  • Rebel Alliance Global Moderator

    "Interesting. My ISP's DNS returns 120.0.9.200 and 120.0.29.201 for www.abc.net.au and that is not the same as any of the results from the OpenDNS servers."

    Last time I checked AU was quite LARGE ;)  And I don't see any opendns in AU anywhere.  Closest prob Singapore…  So yeah your going to point somewhere else -- I am quite sure that akamai has servers in AU that your ISP prob resolves because its in the AU.  But when opendns looks to see where it should go, akamai has their dns setup using geoip to say oh your from Singapore -- you should use these servers.

    This is one of the flaws in opendns - they don't have full coverage of the planet, so not ever user is going to be using a dns server in their region.  So anything that uses geoip to determine where it should send you is going to be in error.

    Websense uses the same sort of thing for which proxy you should use in their cloud service, based upon source of where your dns query came from you get sent to different clusters.  For example if I ask my ISP dns I get

    ;; QUESTION SECTION:
    ;webdefence.global.blackspider.com. IN  TXT

    ;; ANSWER SECTION:
    webdefence.global.blackspider.com. 60 IN TXT    "Hello 68.87.72.137 (2C),  - you go to cluster-n"

    --
    ;; ANSWER SECTION:
    137.72.87.68.in-addr.arpa. 1294 IN      PTR     chic-dnssec02.area4.il.chicago.comcast.net.

    See that query came from my ISP dns 68.87.72.137, if I do a query from my own IP using my own BIND server I get same thing - because I am also in the Chicago area

    ;; ANSWER SECTION:
    webdefence.global.blackspider.com. 60 IN TXT    "Hello 24.13.xx.xx (2C),  - you go to cluster-n"

    If I use my VPS out in CA I get told to use a different cluster

    ;; ANSWER SECTION:
    webdefence.global.blackspider.com. 120 IN TXT   "Hello 173.245.xx.xx (2W),  - you go to cluster-g"

    You might want to look for different service other than opendns that has dns located in AU, or your going to have all kinds of issues with any sort of cloud service that uses geoip to send you to the closest server for where your request came from.

    It would be a never ending battle trying to over ride all the domains that use geoip based results.

    edit:  question for you, what is the response time when using opendns.  I am here in chicago, which they are suppose to have one in the area.  And I get 30ms response

    ubuntu:~$ ping 208.67.222.220
    PING 208.67.222.220 (208.67.222.220) 56(84) bytes of data.
    64 bytes from 208.67.222.220: icmp_req=1 ttl=52 time=36.6 ms
    64 bytes from 208.67.222.220: icmp_req=2 ttl=52 time=32.2 ms
    64 bytes from 208.67.222.220: icmp_req=3 ttl=52 time=33.3 ms

    I am curious what your response time is - if in fact the closest one to you is in Singapore.

    Look even here in chicago its like 40ms to get a response from them

    ; <<>> DiG 9.8.1-P1 <<>> @208.67.222.222 www.google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60922
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.google.com.                        IN      A

    ;; ANSWER SECTION:
    www.google.com.        189    IN      A      74.125.225.176
    www.google.com.        189    IN      A      74.125.225.179
    www.google.com.        189    IN      A      74.125.225.180
    www.google.com.        189    IN      A      74.125.225.178
    www.google.com.        189    IN      A      74.125.225.177

    ;; Query time: 39 msec
    ;; SERVER: 208.67.222.222#53(208.67.222.222)
    ;; WHEN: Fri Jan  4 10:03:47 2013
    ;; MSG SIZE  rcvd: 112

    If I query my isp (comcast) its much lower

    ; <<>> DiG 9.8.1-P1 <<>> @75.75.75.75 www.google.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49553
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.google.com.                        IN      A

    ;; ANSWER SECTION:
    www.google.com.        39      IN      A      74.125.225.211
    www.google.com.        39      IN      A      74.125.225.210
    www.google.com.        39      IN      A      74.125.225.212
    www.google.com.        39      IN      A      74.125.225.208
    www.google.com.        39      IN      A      74.125.225.209

    ;; Query time: 18 msec
    ;; SERVER: 75.75.75.75#53(75.75.75.75)
    ;; WHEN: Fri Jan  4 10:05:32 2013
    ;; MSG SIZE  rcvd: 112

    Like to see the same sort of tests for you..  I did a quick search and did not come up with any alternatives for opendns that have locations in the AU/NZ region of the world.  If what your wanting to do is filter via dns for your specific machines in your network.  Maybe you want to setup your own filtering so that its local.


Locked