Netgate Discussion Forum

    Unbound DNS Performance

      vsilgalis

      Unbound seems to be having relatively awful performance.  First hit I expect to be bad but I see second and third hits sometimes take upwards of a second if not longer, sometimes in the realm of >5 seconds.

      I just upgraded to 2.2.1, but I also had the issue with 2.2.

      screenshots:
      http://imgur.com/a/QwjVW

      I can definitely feel the performance hit when browsing.

      Any ideas?

      Thanks

        Melphiz

        Edit: https://forum.pfsense.org/index.php?topic=89114.0

          kejianshi

          My immediate thought is that you probably have something not set up well if unbound is giving you issues.  Maybe you have unbound set up but also have other DNS server IPs listed elsewhere?

            johnpoz LAYER 8 Global Moderator

            "First hit I expect to be bad but I see second and third hits sometimes take upwards of a second if not longer"

            How are you testing this, just that one screenshot?  Let's look up something unique, and then look it up again inside the TTL of that RR..

            So I have a domain I recently set up to play with dnssec, I had to set up 2 authoritative servers because my registrar, and even the registrar I used for the dnssec free dns did not support it, etc. So I have 2 NS set up on vps, one in LV, NV and the other in Luxembourg.  You would be surprised at the lack of dnssec support dns services, at least free or reasonably priced ones, etc.  So I set up my own.  Anyway

            As you see from the first query, with dnssec yes it takes a bit longer - 391 ms in this example.  But you notice the 2nd hit that you're talking about is 1 ms..  You can see that 7200 TTL, and then second hit was 6 seconds later, and you can see the timestamps of my query in the post.  Sorry for the censorship, but no reason to promote that domain or the IPs of my vps, etc.  More than happy to send you uncensored example in a PM if you want, etc.

            You can validate dnssec domains are setup correctly here http://dnssec-debugger.verisignlabs.com

            edit:

            And sometime later, still within the TTL of all records involved, etc.

            ;; Query time: 1 msec
            ;; SERVER: 192.168.1.253#53(192.168.1.253)
            ;; WHEN: Wed Mar 18 06:13:25 Central Daylight Time 2015
            ;; MSG SIZE  rcvd: 179

            And I have all the TTLs really low at 2 hours, if I need to move this to somewhere else for testing.  I picked the .xyz domain because it was cheap first year $5 and has dnssec support.

            edit2:  Oh to show that doing query against unbound and not the forwarder

            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 4096
            ;; QUESTION SECTION:
            ;version.bind.                  CH      TXT

            ;; ANSWER SECTION:
            version.bind.          0      CH      TXT    "unbound 1.5.3"

            ;; Query time: 0 msec
            ;; SERVER: 192.168.1.253#53(192.168.1.253)
            ;; WHEN: Wed Mar 18 06:21:13 Central Daylight Time 2015

            Also added your cnn example.. They have a short ttl on the cnn, so that portion only cached for 5 minutes..  But anyway, you notice that 2nd hit was pretty much instant. btw does not have anything set up for dnssec..


            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1
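
Added example, not part of any post in this thread: a small script for the test described above (look a name up twice inside its TTL, compare the dig query times, and confirm with version.bind which software answers), which also flags the two answers coming from different resolver IPs. The function names, the 10 msec FAST_MS threshold and the default 6 second gap are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): judge resolver caching from two dig outputs.

# Print the "Query time" value in msec from dig output on stdin.
query_time() { awk '/^;; Query time:/ { print $4; exit }'; }

# Print the TTL of the first record in the ANSWER SECTION.
answer_ttl() {
    awk '/^;; ANSWER SECTION:/ { a = 1; next }
         a && NF == 0 { exit }
         a && $1 !~ /^;/ { print $2; exit }'
}

# Print the resolver address from the ";; SERVER:" line.
server_of() { awk '/^;; SERVER:/ { sub(/#.*/, "", $3); print $3; exit }'; }

# Assumed threshold: a repeat answer at or under this many msec counts as cached.
FAST_MS=${FAST_MS:-10}

# classify FIRST_OUTPUT SECOND_OUTPUT GAP_SECONDS -> one-word verdict
classify() {
    ttl=$(printf '%s\n' "$1" | answer_ttl)
    t2=$(printf '%s\n' "$2" | query_time)
    s1=$(printf '%s\n' "$1" | server_of)
    s2=$(printf '%s\n' "$2" | server_of)
    if [ -z "$ttl" ] || [ -z "$t2" ]; then echo "no-answer"
    elif [ "$s1" != "$s2" ]; then echo "different-resolver"
    elif [ "$3" -ge "$ttl" ]; then echo "ttl-expired"
    elif [ "$t2" -le "$FAST_MS" ]; then echo "cache-hit"
    else echo "slow-inside-ttl"
    fi
}

# Live use: cache_check NAME RESOLVER_IP [GAP_SECONDS]
cache_check() {
    gap=${3:-6}
    dig "@$2" version.bind CH TXT +short   # which software answers on that IP
    first=$(dig "@$2" "$1" A)
    sleep "$gap"
    second=$(dig "@$2" "$1" A)
    classify "$first" "$second" "$gap"
}

# Runs only when given arguments, e.g.: sh cachecheck.sh example.com 192.168.1.253
if [ "$#" -ge 2 ]; then cache_check "$@"; fi
```

A "slow-inside-ttl" or "different-resolver" verdict on a repeat lookup is the case worth chasing: the client may be reaching a DNS server other than the local unbound instance.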

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.