"
Hi folks,
I've been seeing delays for websites loading for some time now and finally found the reason for it. Watching the dev tools in network some resources are taking a long time to load. Doing some further digging I noticed the following.
When I do a DNS test under Interfaces, Diagnostics and DNS Lookup for a public domain some queries take between 5000 and 5050 ms.
I could narrow it down to
1. using IPv4 address of DNS server all requests are between 18ms to 45ms as expected, repeating them mostly down to 0-1ms (due to cache I assume)
2. using link local address of DNS server does not work at all, message "Error: error sending query: Could not send or receive, because of network error" is shown
3. using the ULA or GUA works, but query time are either between 0ms to 50ms or have a clear offset of 5000ms, it varies for all types A, AAAA, MX or TXT repeating it
This is one example:
The 5000 ms offset jumps from type to type if I repeat the test. Using IPv4 "always" show the expected times.
I've found this thread, but find it not applicable to my setting: https://www.reddit.com/r/OPNsenseFirewall/comments/14i1lyr/dns_often_takes_5_seconds/
I see this effect in my home network using SimpleDNS and at my workplace using Active Directory.
Testing the DNS server from different hosts (using powershell Resolve-DNSName) never takes 5 seconds, so I would assume its some OPNsense related stuff.
As for my settings on OPNsense:
* dnsmasaq is sending the DHCP-options and RA (stateless)
* no local DNS service (unbound and dnsmasq are off)
* system DNS is set to IPv4, ULA and link-local address of the DNS server on the LAN
Version is OPNsense 25.7.11_1-amd64 as well as OPNsense 25.1.12-amd64.
Any hints on what I can check to avoid those 5000ms offsets?
Cheers
Holger Kühn
I've been seeing delays for websites loading for some time now and finally found the reason for it. Watching the dev tools in network some resources are taking a long time to load. Doing some further digging I noticed the following.
When I do a DNS test under Interfaces, Diagnostics and DNS Lookup for a public domain some queries take between 5000 and 5050 ms.
I could narrow it down to
1. using IPv4 address of DNS server all requests are between 18ms to 45ms as expected, repeating them mostly down to 0-1ms (due to cache I assume)
2. using link local address of DNS server does not work at all, message "Error: error sending query: Could not send or receive, because of network error" is shown
3. using the ULA or GUA works, but query time are either between 0ms to 50ms or have a clear offset of 5000ms, it varies for all types A, AAAA, MX or TXT repeating it
This is one example:
| Type | Answer | Server | Query time |
| A | google.de. 143 IN A 142.251.39.227 | fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c | 0 msec |
| AAAA | google.de. 111 IN AAAA 2a00:1450:4005:804::2003 | fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c | 5 msec |
| MX | google.de. 300 IN MX 0 smtp.google.com. | fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c | 5024 msec |
| TXT | google.de. 106 IN TXT "v=spf1 -all" | fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c | 5031 msec |
The 5000 ms offset jumps from type to type if I repeat the test. Using IPv4 "always" show the expected times.
I've found this thread, but find it not applicable to my setting: https://www.reddit.com/r/OPNsenseFirewall/comments/14i1lyr/dns_often_takes_5_seconds/
I see this effect in my home network using SimpleDNS and at my workplace using Active Directory.
Testing the DNS server from different hosts (using powershell Resolve-DNSName) never takes 5 seconds, so I would assume its some OPNsense related stuff.
As for my settings on OPNsense:
* dnsmasaq is sending the DHCP-options and RA (stateless)
* no local DNS service (unbound and dnsmasq are off)
* system DNS is set to IPv4, ULA and link-local address of the DNS server on the LAN
Version is OPNsense 25.7.11_1-amd64 as well as OPNsense 25.1.12-amd64.
Any hints on what I can check to avoid those 5000ms offsets?
Cheers
Holger Kühn
