DNS requests delayed for 5000 ms if DNS server is reached over IPv6 address

Started by HolgerKuehn, January 18, 2026, 03:22:30 PM

Hi folks,

I've been seeing delays for websites loading for some time now and finally found the reason for it. Watching the dev tools in network, some resources are taking a long time to load. Doing some further digging, I noticed the following.

When I do a DNS test under Interfaces, Diagnostics and DNS Lookup for a public domain some queries take between 5000 and 5050 ms.

I could narrow it down to

1. using IPv4 address of DNS server all requests are between 18ms to 45ms as expected, repeating them mostly down to 0-1ms (due to cache I assume)

2. using link local address of DNS server does not work at all, message "Error: error sending query: Could not send or receive, because of network error" is shown

3. using the ULA or GUA works, but query times are either between 0ms to 50ms or have a clear offset of 5000ms; it varies for all types A, AAAA, MX or TXT when repeating it

This is one example:

| Type | Answer | Server | Query time |
|------|--------|--------|------------|
| A | google.de. 143 IN A 142.251.39.227 | fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c | 0 msec |
| AAAA | google.de. 111 IN AAAA 2a00:1450:4005:804::2003 | fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c | 5 msec |
| MX | google.de. 300 IN MX 0 smtp.google.com. | fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c | 5024 msec |
| TXT | google.de. 106 IN TXT "v=spf1 -all" | fd11:f0d8:a7bb:135d:127c:61ff:fe2f:542c | 5031 msec |

The 5000 ms offset jumps from type to type if I repeat the test. Using IPv4 "always" shows the expected times.

I've found this thread, but find it not applicable to my setting: https://www.reddit.com/r/OPNsenseFirewall/comments/14i1lyr/dns_often_takes_5_seconds/

I see this effect in my home network using SimpleDNS and at my workplace using Active Directory.
Testing the DNS server from different hosts (using PowerShell Resolve-DNSName) never takes 5 seconds, so I would assume it's some OPNsense related stuff.


As for my settings on OPNsense:

* dnsmasq is sending the DHCP-options and RA (stateless)
* no local DNS service (unbound and dnsmasq are off)
* system DNS is set to IPv4, ULA and link-local address of the DNS server on the LAN

Version is OPNsense 25.7.11_1-amd64 as well as OPNsense 25.1.12-amd64.


Any hints on what I can check to avoid those 5000ms offsets?

Cheers
Holger Kühn
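The per-address comparison described in the post above can be repeated from any host with the following script. It is an added example, not part of the original thread or of OPNsense: it sends each query as a single UDP datagram with no retry, so a lost query or reply is counted as "lost" instead of appearing as a delayed answer. The function names, the 100 ms window and the 6 s timeout are assumptions.

```python
import socket, struct, sys, time

QTYPES = {"A": 1, "AAAA": 28, "MX": 15, "TXT": 16}

def build_query(name, qtype, txid):
    """Encode one recursive DNS question in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in name.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", QTYPES[qtype], 1)  # class IN

def time_query(server, name, qtype, txid, timeout=6.0):
    """Send ONE datagram (no retry); return elapsed ms, or None on loss/error."""
    # getaddrinfo also accepts a zone id, which a link-local server needs,
    # e.g. "fe80::1%em0" (constructed address and interface name).
    family, kind, proto, _, addr = socket.getaddrinfo(
        server, 53, type=socket.SOCK_DGRAM)[0]
    query = build_query(name, qtype, txid)
    with socket.socket(family, kind, proto) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(query, addr)
            reply, _ = sock.recvfrom(4096)
            elapsed = (time.monotonic() - start) * 1000
        except OSError:  # includes socket.timeout
            return None
    return elapsed if reply[:2] == query[:2] else None  # transaction id must match

def classify(ms, offset=5000.0, window=100.0):
    """Bucket a sample; offset and window are assumptions based on the times in the post."""
    if ms is None:
        return "lost"
    return "offset" if offset <= ms < offset + window else "normal"

def summarize(samples):
    """Count buckets per (server, qtype) from (server, qtype, ms) tuples."""
    out = {}
    for server, qtype, ms in samples:
        bucket = out.setdefault((server, qtype), {"normal": 0, "offset": 0, "lost": 0})
        bucket[classify(ms)] += 1
    return out

if __name__ == "__main__":  # usage: script.py google.de <server> [<server> ...]
    name, servers = sys.argv[1], sys.argv[2:]
    runs = [(s, q, time_query(s, name, q, 0x1000 + i))
            for s in servers for q in QTYPES for i in range(20)]
    for key, counts in sorted(summarize(runs).items()):
        print(*key, counts)
```

Pass the IPv4, ULA and GUA addresses of the same DNS server as separate arguments to get one row of counts per address and record type.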

Since it seems you're not using OPNsense for DNS at all, this is more likely an issue with your DNS servers. While OPNsense advertises the DNS server addresses (using DHCP / RAs), DNS requests are sent from the clients to the DNS servers, not to OPNsense.

Cheers
Maurice