OPNsense Forum

English Forums => 25.7, 25.10 Series => Topic started by: HolgerKuehn on January 18, 2026, 03:22:30 PM

Title: DNS requests delayed for 5000 ms if DNS server is reached over IPv6 address
Post by: HolgerKuehn on January 18, 2026, 03:22:30 PM
Hi folks,

I've been seeing delays for websites loading for some time now and finally found the reason for it. Watching the dev tools in network some resources are taking a long time to load. Doing some further digging I noticed the following.

When I do a DNS test under Interfaces, Diagnostics and DNS Lookup for a public domain some queries take between 5000 and 5050 ms.

I could narrow it down to

1. using IPv4 address of DNS server all requests are between 18ms to 45ms as expected, repeating them mostly down to 0-1ms (due to cache I assume)

2. using link local address of DNS server does not work at all, message "Error: error sending query: Could not send or receive, because of network error" is shown

3. using the ULA or GUA works, but query times are either between 0ms to 50ms or have a clear offset of 5000ms, it varies for all types A, AAAA, MX or TXT repeating it

This is one example:

| Type | Answer | Server | Query time |
|------|--------|--------|------------|
| A | google.de. 143 IN A 142.251.39.227 | fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c | 0 msec |
| AAAA | google.de. 111 IN AAAA 2a00:1450:4005:804::2003 | fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c | 5 msec |
| MX | google.de. 300 IN MX 0 smtp.google.com. | fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c | 5024 msec |
| TXT | google.de. 106 IN TXT "v=spf1 -all" | fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c | 5031 msec |

The 5000 ms offset jumps from type to type if I repeat the test. Using IPv4 "always" shows the expected times.

I've found this thread, but find it not applicable to my setting: https://www.reddit.com/r/OPNsenseFirewall/comments/14i1lyr/dns_often_takes_5_seconds/

I see this effect in my home network using SimpleDNS and at my workplace using Active Directory.
Testing the DNS server from different hosts (using PowerShell Resolve-DNSName) never takes 5 seconds, so I would assume it's some OPNsense-related stuff.


As for my settings on OPNsense:

* dnsmasq is sending the DHCP-options and RA (stateless)
* no local DNS service (unbound and dnsmasq are off)
* system DNS is set to IPv4, ULA and link-local address of the DNS server on the LAN

Version is OPNsense 25.7.11_1-amd64 as well as OPNsense 25.1.12-amd64.


Any hints on what I can check to avoid those 5000ms offsets?

Cheers
Holger Kühn
Title: Re: DNS requests delayed for 5000 ms if DNS server is reached over IPv6 address
Post by: Maurice on January 18, 2026, 05:15:11 PM
Since it seems you're not using OPNsense for DNS at all, this is more likely an issue with your DNS servers. While OPNsense advertises the DNS server addresses (using DHCP / RAs), DNS requests are sent from the clients to the DNS servers, not to OPNsense.

Cheers
Maurice