High Unbound (DNS) Latencies
-
I have been having weird slowdowns on my network for a long time now. The strange thing is that only Safari had visible slowdowns; other browsers like Chrome and Firefox didn't. Today I discovered that Safari has a technique called DNS Prefetching. Unbound has this setting turned off by default, which caused the slowdowns in Safari.
After turning it on I still wasn't convinced about the snappiness. So I started benchmarking with namebench (https://code.google.com/p/namebench/) and came to some shocking discoveries. First discovery was that the alternative "dns.watch" DNS servers I was using were extremely slow. So I ditched them for Google's DNS servers. After changing the settings and applying I restarted unbound and flushed the DNS on my Mac.
Then I started a benchmark with the following servers: 10.0.0.1 (pfSense with Google DNS), 8.8.8.8 (Google DNS), 208.67.222.123 (OpenDNS). For the benchmark I selected "The Top 2000 Websites (Alexa)" as source. In that benchmark pfSense came out with an average ping of 290.79ms and a max ping of 6435.9ms.
Here is the full benchmark report: http://dvrs.eu/benchmark.html
pfSense shows no Errors or Collisions and everything in the DNS Resolver settings is default except for the two Prefetching checkboxes, which I have turned on.
The system is running on an Intel(R) Core(TM) i3-2120T CPU @ 2.60GHz with 8GB of RAM.
I am expecting the DNS Resolver (Unbound) to have somewhat similar performance as Google's own DNS servers. Maybe a few milliseconds higher, but not as big a difference as this… Does anyone know what's going on?
-
I've noticed that too and had been meaning to find time to do some debugging to understand what was going on in Safari exactly. Subscribed :)
-
@irj972:
I've noticed that too and had been meaning to find time to do some debugging to understand what was going on in Safari exactly. Subscribed :)
Good to hear someone else has noticed the same. Please note that the benchmarks I ran in "namebench" were not run from within Safari. I am not sure if it uses Safari's connection in the background, but I am sure that the latencies are way too high for some reason.
-
"I am expecting the DNS Resolver (Unbound) to have somewhat similar performance as Google's own DNS servers."
How exactly would that happen?? Google has servers all over the planet that share their cache.. They have 100's of thousands of users most likely… So things are always being looked up and TTLs refreshed.. So it's pretty much guaranteed that ANYTHING you go to resolve is cached already.. So your response time is going to be the nearest Google DNS server..
Now if you let your resolver cache it and then run your test, you're going to BLOW away Google DNS.. Since unbound should be less than 1ms from you.. But if you have not cached what you're looking for, then your resolver has to walk the tree to get to the authoritative server for that domain and query it directly.. How is that going to be faster than asking Google DNS and it giving you what was in its cache already..
"10.0.0.1 (pfSense with Google DNS)"
How is that?? I thought you said you were using unbound.. Do you have it in forward mode?? Why not just use dnsmasq and the forwarder if you're going to do that?? Do you have unbound in resolver mode (default) or did you enable forwarder mode?? Are you doing DNSSEC?
My guess is you don't really understand what the difference between a resolver and a forwarder is.. Even if by some chance a domain is not cached by Google DNS, and it had to walk the tree for it to get to the authoritative server.. Their connection and bandwidth is going to blow yours away.. So more than likely they would do it faster than your local resolver would..
If you want SPEEDY DNS then just use the forwarder and forward to something that has a large cache.. If you actually want to do DNSSEC and know for sure you talked to the horse's mouth for something you did a query on, then sure, use the resolver.. But it's not going to be FASTER by any means...
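The point made above (a resolver is slow on the first lookup because it walks the tree, then fast once the answer is cached) is easy to measure yourself instead of relying on namebench's averages. The script below is an added example, not code from the thread or from pfSense: it runs `dig +noall +stats` against a resolver, queries each name twice, and reports cold (first lookup) and warm (repeat lookup) averages separately. The embedded `CONSTRUCTED_RUN` dig outputs are made-up sample data so the parsing and summary logic can be exercised offline; the live `measure()` path needs `dig` on the machine.

```python
"""Separate cold-cache from warm-cache DNS lookup times using dig.

Added example for the thread above, not part of the forum post or of pfSense.
Sample dig outputs below are constructed, not real measurements.
"""
import re
import subprocess
from typing import Dict, List, Tuple

# dig prints ';; Query time: 290 msec' in its statistics section.
QUERY_TIME_RE = re.compile(r"^;; Query time: (\d+) msec", re.MULTILINE)


def parse_query_time(dig_output: str) -> int:
    """Return the round-trip time in ms from dig's stats block."""
    match = QUERY_TIME_RE.search(dig_output)
    if match is None:
        raise ValueError("no ';; Query time:' line in dig output")
    return int(match.group(1))


def dig_command(name: str, server: str) -> List[str]:
    """dig invocation that prints only the stats block, one attempt, 5 s timeout."""
    return ["dig", "+noall", "+stats", "+time=5", "+tries=1", f"@{server}", name, "A"]


def split_cold_warm(samples: List[Tuple[str, int]]) -> Tuple[List[int], List[int]]:
    """First lookup of a name is 'cold' (resolver may walk the tree); repeats are 'warm'."""
    seen, cold, warm = set(), [], []
    for name, ms in samples:
        if name in seen:
            warm.append(ms)
        else:
            cold.append(ms)
            seen.add(name)
    return cold, warm


def summarize(samples: List[Tuple[str, int]]) -> Dict[str, float]:
    """Average and max per bucket, the two numbers namebench reports, split by cache state."""
    cold, warm = split_cold_warm(samples)

    def avg(xs: List[int]) -> float:
        return round(sum(xs) / len(xs), 2) if xs else 0.0

    return {
        "cold_n": len(cold), "cold_avg": avg(cold), "cold_max": max(cold, default=0),
        "warm_n": len(warm), "warm_avg": avg(warm), "warm_max": max(warm, default=0),
    }


def analyse_run(run: List[Tuple[str, str]]) -> Dict[str, float]:
    """run = [(queried name, raw dig output), ...] in the order the queries were issued."""
    return summarize([(name, parse_query_time(out)) for name, out in run])


def measure(names: List[str], server: str, rounds: int = 2) -> Dict[str, float]:
    """Live measurement: query every name `rounds` times against `server` (needs dig)."""
    run = []
    for _ in range(rounds):
        for name in names:
            proc = subprocess.run(dig_command(name, server), capture_output=True,
                                  text=True, check=False)
            run.append((name, proc.stdout))
    return analyse_run(run)


# Constructed sample: three names looked up twice against a local resolver.
# The first pass is slow (tree walk), the second is served from cache.
CONSTRUCTED_RUN = [
    ("example.com", ";; Query time: 290 msec\n;; SERVER: 10.0.0.1#53(10.0.0.1)\n"),
    ("example.net", ";; Query time: 640 msec\n;; SERVER: 10.0.0.1#53(10.0.0.1)\n"),
    ("example.org", ";; Query time: 120 msec\n;; SERVER: 10.0.0.1#53(10.0.0.1)\n"),
    ("example.com", ";; Query time: 1 msec\n;; SERVER: 10.0.0.1#53(10.0.0.1)\n"),
    ("example.net", ";; Query time: 0 msec\n;; SERVER: 10.0.0.1#53(10.0.0.1)\n"),
    ("example.org", ";; Query time: 2 msec\n;; SERVER: 10.0.0.1#53(10.0.0.1)\n"),
]

if __name__ == "__main__":
    print("constructed sample:", analyse_run(CONSTRUCTED_RUN))
    # Live run, e.g.: python3 digstats.py  (edit the names/server as needed)
    # print(measure(["example.com", "example.net"], "10.0.0.1"))
```

If the cold average against your pfSense box is in the hundreds of milliseconds but the warm average is near zero, the resolver itself is fine and the cost is the tree walk (plus DNSSEC validation, if enabled) on uncached names; a forwarder to a big upstream cache flattens the cold numbers at the price of trusting that upstream.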
-
"I am expecting the DNS Resolver (Unbound) to have somewhat similar performance as Google's own DNS servers."
How exactly would that happen?? Google has servers all over the planet that share their cache.. They have 100's of thousands of users most likely… So things are always being looked up and TTLs refreshed.. So it's pretty much guaranteed that ANYTHING you go to resolve is cached already.. So your response time is going to be the nearest Google DNS server..
Now if you let your resolver cache it and then run your test, you're going to BLOW away Google DNS.. Since unbound should be less than 1ms from you.. But if you have not cached what you're looking for, then your resolver has to walk the tree to get to the authoritative server for that domain and query it directly.. How is that going to be faster than asking Google DNS and it giving you what was in its cache already..
My understanding was that Unbound was the same as Dnsmasq but with added features like "Prefetch Support" and stuff like that. But thanks to your explanation I now understand that Unbound is way more than Dnsmasq.
"10.0.0.1 (pfSense with Google DNS)"
How is that?? I thought you said you were using unbound..
I am. In General I have configured the Google DNS servers, which I was expecting Unbound to use and forward to my network after adding its own features.
Do you have it in forward mode?? Why not just use dnsmasq and the forwarder if you're going to do that?? Do you have unbound in resolver mode (default) or did you enable forwarder mode?? Are you doing DNSSEC?
I did not have Forward Mode enabled. Just the default settings except for "Prefetch Support", which I set to enabled.
My guess is you don't really understand what the difference between a resolver and a forwarder is.. Even if by some chance a domain is not cached by Google DNS, and it had to walk the tree for it to get to the authoritative server.. Their connection and bandwidth is going to blow yours away.. So more than likely they would do it faster than your local resolver would..
I didn't exactly know the difference indeed, but thanks to your explanation I now do.
If you want SPEEDY DNS then just use the forwarder and forward to something that has a large cache.. If you actually want to do DNSSEC and know for sure you talked to the horse's mouth for something you did a query on, then sure, use the resolver.. But it's not going to be FASTER by any means…
I have now disabled Unbound (Resolver) and enabled Dnsmasq (Forwarder), and it's working perfectly: the latency is 10.23ms average with a max of 141.9ms. I also tried it with Unbound in Forwarder mode, just to see the latency difference. Unbound in Forwarder mode had more than double the latency of Dnsmasq: 24.95ms average with a max of 622.5ms.
I will keep Dnsmasq as my DNS Forwarder. Thanks for your help!
-
Was unbound still set to do DNSSEC? dnsmasq doesn't do anything with DNSSEC.. So that can explain some slowness as well.
Also the forwarder out of the box in default config will query ALL the DNS servers you have set up in System at the same time and take the first one to answer, unless you enabled sequential mode.
The prefetch mode in unbound will look up stuff it has cached before the TTL expires on its own, so it will more likely keep the stuff you go to in the cache.. But even when you turn on forwarder mode it only asks the 1st server you have set up.. It doesn't forward to all of them and use the fastest response.
That you feel there is really a big difference between 10 and 24ms is cute ;) If this is your concern, that queries take 10 ms vs 24 ms.. Then sure, use the forwarder and forward to something with a LARGE cache that is close to you.
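The three knobs discussed in this thread (prefetch, DNSSEC validation, forwarder mode) map to plain `unbound.conf` directives. The fragment below is an added illustration, not a file from the thread or the configuration pfSense generates (pfSense writes its own unbound.conf from the GUI checkboxes); the trust-anchor path and the second Google address are assumptions, and the cache sizes are only shown for reference.

```conf
server:
    # "Prefetch Support": re-resolve popular entries shortly before their TTL
    # runs out, so hot names stay answerable from cache.
    prefetch: yes
    # Same idea for the DNSKEY/DS records that DNSSEC validation needs.
    prefetch-key: yes

    # DNSSEC validation on: answers are checked against the root trust anchor.
    # This costs extra round trips on a cold cache. To run without validation,
    # drop auto-trust-anchor-file and use  module-config: "iterator"  instead.
    auto-trust-anchor-file: "/var/unbound/root.key"   # path is an assumption
    module-config: "validator iterator"

    # Cache sizing (defaults are adequate on an i3 with 8 GB; shown for reference).
    msg-cache-size: 64m
    rrset-cache-size: 128m

# Forwarder mode: hand every query to an upstream cache instead of walking the
# tree from the root. Unbound chooses among the listed addresses from its own
# RTT measurements; it does not fan one query out to all of them in parallel
# the way dnsmasq does by default.
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4    # Google's second public address (assumed, not from the thread)
```

With validation left on and forwarding enabled, unbound still validates what the upstream returns, so you keep the DNSSEC assurance johnpoz describes while paying the cold-cache cost only for names the upstream has not seen either.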
-
Maybe I'm not seeing the same thing then; my issue is bigger than a few milliseconds here or there. With Safari I see 1 in 20 page loads completely fail: the loading bar stalls very soon and then nothing happens until you refresh the page or go to another site. It's reproducible with random surfing but never happens with Chrome or Firefox. I was hoping installing El Capitan would fix it TBH.
-
So are you using unbound in forwarder mode too, or as a real resolver? Do you have prefetch enabled? What is your internet connection? Maybe your ISP sucks and/or blocks your own DNS queries?
Why don't you just sniff the DNS traffic when using Safari and see if it's really related to DNS…
-
Time has been the issue.
I use forwarding mode as I have a multi WAN configuration with a VPN connection too.
Using Verizon FIOS. Packet sniffing shows a DNS result is returned but Safari hangs and fails to initiate any content downloads.
-
Suggestion: Stop using shitty browsers.
-
Safari == New IE!?