OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: jwendl on August 23, 2017, 06:58:42 am

Title: DNS Resolver Slowness
Post by: jwendl on August 23, 2017, 06:58:42 am
Hello All - finally upgraded to 17.7 and used a complete fresh re-install from the mirror. By default the DNS Resolver is enabled and the DNS Forwarder is disabled.

www.google.com for instance on the DNS Lookup screen when DNS Resolver is enabled shows:
Code:
Server         Query time
127.0.0.1      5276 msec
75.75.75.75    16 msec
75.75.76.76    45 msec

Code:
Server         Query time
127.0.0.1      No response
75.75.75.75    18 msec
75.75.76.76    52 msec

Most of the time it's > 5k ms for the 127.0.0.1 lookup. Sometimes it shows no response and has all sorts of issues with internet.

Switching the DNS Resolver off and turning on DNS Forwarder (including using the ISP's DNS servers) works way better.

Code:
Server         Query time
127.0.0.1      14 msec
75.75.75.75    18 msec
75.75.76.76    49 msec

No additional settings were changed. Plus internet becomes more stable from the LAN ports with the lookup response times lower.
Title: Re: DNS Resolver Slowness
Post by: jwe on August 28, 2017, 03:28:55 pm
Resolver is always (or in most cases) slower than just redirecting.

Resolver is asking all the nameservers from the root ones down to the authoritative ones for a record.
This is slow.

If you need this to be done faster (resulting in faster DNS resolution), you could stick with the DNS server of your provider or the Google ones.

These public nameservers are heavily used and are caching the responses for some time, so they can answer without going all the way for name resolution for every query.

You can still use Unbound without using its resolving features by enabling the forwarding mode and setting the correct DNS servers in the system settings.
Title: Re: DNS Resolver Slowness
Post by: pylox on August 29, 2017, 09:48:17 am
Hi jwe,

I think your answer is not true in general. I'd like to use the resolver too and I have the same issues as the OP (when I use the Unbound resolver, not forwarding, on my OPNsense box).

So I created a separate FreeBSD VM on my LAN with Unbound. When I use this one for DNS resolving on my LAN the answers are very quick and at 100% level (10-20 ms, no timeouts). The root zone is not the bottleneck.

But what is the difference in configuration?
On my OPNsense box I have blocked IPv6 and the Unbound has a configuration with IPV6=YES. The Unbound on the separate VM does not... only IPv4. I'm not sure this is the only difference.

Regards pylox
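
Editor's added example, not part of any post above and not the configuration OPNsense generates: a stock unbound.conf fragment showing the two settings the thread discusses, the forwarding mode jwe describes and the IPv6 setting pylox suspects. The forwarder addresses are the two servers from the OP's lookup output; the listen address and the idea that disabling IPv6 helps are assumptions here, since pylox only raises it as a possible difference.

```conf
# Added example in stock unbound.conf syntax (not from any poster's system).
server:
    # Assumption: Unbound answers local queries on 127.0.0.1,
    # the address that was slow in the OP's DNS Lookup output.
    interface: 127.0.0.1

    # do-ip6 controls whether Unbound answers or issues queries over IPv6.
    # pylox's box blocks IPv6 at the firewall while Unbound has it enabled;
    # setting it to "no" keeps upstream queries on IPv4 only, matching the
    # FreeBSD VM that resolved in 10-20 ms. Whether this is the cause of the
    # slowness is not confirmed in the thread.
    do-ip4: yes
    do-ip6: no

# Forwarding mode as jwe describes: every query is handed to the listed
# servers instead of being resolved from the root zone downwards.
# Remove this clause to return to full recursive resolution.
forward-zone:
    name: "."
    forward-addr: 75.75.75.75
    forward-addr: 75.75.76.76
```

The two settings are independent: do-ip6 can be changed while keeping full recursion, which is the case pylox's comparison is about.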