Slow DNS lookup on Windows DNS behind pfSense



  • Hello,

    I am trying to implement a pfSense firewall in our office environment. There is a strange issue I am facing after putting the firewall in place. Here are some details about the setup.

    GENERAL SETUP:

    WAN
      |
    Pfsense
      |
    Lan

    The pfSense firewall is only doing firewall functionality. I have allowed all TCP and UDP traffic outbound from the LAN, and the DNS forwarder on pfSense is disabled. DHCP and DNS are being handled by a Microsoft Server 2008 R2 machine (IP 192.168.0.8). The DNS forwarders used on this Windows server are 4.4.2.1 and 8.8.8.8. DHCP is set to use 192.168.0.8 as the DNS server.

    When setting the DNS server statically on my laptop to 4.4.2.1, so that I take the internal Windows DNS server out of the equation, DNS lookups return quickly and without problems. If I use 192.168.0.8 as the DNS server, then it takes between 2500 ms and 4400 ms to do DNS lookups.

    Also, the previous setup was the same except that I was using a SonicWall router instead of a pfSense, and I didn't have the DNS lookup slowness that I am having now with the pfSense. I have since plugged the SonicWall back in and we are working well again.

    I'm fairly new to using Windows DNS servers and wasn't sure if I was missing something here. If anyone has any suggestions, I would most appreciate it.
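The comparison the poster describes (the same lookup timed against the internal server 192.168.0.8 and directly against the forwarder 4.4.2.1) can be reproduced with the following added example; it is not code from the thread or from pfSense. It builds one raw UDP A query, times the reply and checks that the answer really belongs to the query that was sent; the hostname `example.com` and the 192.0.2.1 address used in the self-test are assumptions.

```python
import socket
import struct
import time

def build_query(name, txid=0x1234):
    # Header: id, flags (RD set), QDCOUNT=1; then QNAME as length-prefixed labels, QTYPE=A, QCLASS=IN.
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(msg, off):
    # Advance past a name; a compression pointer (top two bits set) is 2 bytes and ends the name.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_response(msg, txid=0x1234):
    # Return (rcode, list of A-record IPs) from a raw response; reject anything not answering our id.
    rid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rid != txid or not (flags & 0x8000):
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS of the echoed question
    ips = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype == 1 and rdlen == 4:           # A record
            ips.append(socket.inet_ntoa(rdata))
    return flags & 0xF, ips

def time_lookup(server, name, timeout=5.0):
    # One UDP query to server:53; returns (milliseconds, rcode, ips), or None if nothing comes back.
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return None
        elapsed_ms = (time.perf_counter() - start) * 1000
    rcode, ips = parse_response(data)
    return elapsed_ms, rcode, ips
```

Calling `time_lookup("192.168.0.8", "example.com")` and `time_lookup("4.4.2.1", "example.com")` side by side from the same client reproduces the poster's test; a delay of seconds only on the internal server, with a fast direct answer from the forwarder, places the problem on the Windows box or its path to the forwarders rather than on the forwarders themselves.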



  • What DNS server is your pfSense looking at?

    Should be your internal 2008 R2, I reckon?


  • Rebel Alliance Global Moderator

    Sounds like an issue with your 2k8r2 box to me. If you say you query 4.4.2.1 from your laptop and it works fine, but your 2k8 box pointing to 4.4.2.1 is slow, does that have anything to do with pfSense? pfSense couldn't care if the packets come from your laptop or the server; they are just packets to some IP outside its network on a port, be it TCP or UDP, that is allowed.

    You've got a problem with your 2k8 box, or a network connectivity issue between your 2k8 box and pfSense, would be my take.



  • Sorry it took so long to respond. The next round in trying to get this implemented, I tried it from my laptop again. This time the DNS queries from there were also slow. To fix this issue, I took a backup of the config, did a factory reset on the pfSense machine and then imported back in only the aliases, firewall rules and NAT rules. This time, everything went as planned and expected. Realistically, I still don't know what the issue was, but it is obvious that somewhere there was a configuration issue…

    Still though, thank you very much for your help. :) I have it in place and it took the company's internet speed up from the 65 Mb/s up/down to the 98 Mb/s up/down that they should have been getting. Beyond that, it has been as stable as I expected it to be.