pfSense DNS Resolver oddly slow

foureight84

[image attachment: fc6653c2-df8b-4c5a-a471-62c14f0c721b-image.png]



I was testing out a bare-metal install of pfSense 2.6.0 on my Dell Wyse 5070 and I noticed that the DNS Resolver was noticeably slow on certain occasions. So I ran DNS Benchmark and saw that it is indeed slower when it comes to uncached and dotcom requests. It's also reported to be not 100% reliable.

The image above shows 192.168.1.4, which is a Pi-hole Docker container that is using an Unbound Docker container as its upstream DNS (running on an HP ProDesk 600 G4 i5-8500T). 192.168.2.1 is a stock pfSense install running only the DNS Resolver (DNS Forwarder not enabled).

Not sure if there are additional settings to configure in pfSense? It just seems kind of odd that it's slower. I would think that it would be at least on par with, if not faster than, the containerized Pi-hole / Unbound setup.

nabsltd

> Not sure if there are additional settings to configure in pfSense? Just seems kind of odd that it's slower.

The likely reason the DotCom lookup was so much slower is that the errors added very big numbers. This is also indicated by the fairly large standard deviation. My pfSense install on a Celeron J3160 has numbers similar to your non-pfSense setup:
[image attachment: DNSBenchmark.png]
Since my test with the same external server you used is about the same, I'd say our ISP speed and reliability are similar.

If you get the same sort of failures on repeat runs, I'd take a look at the "domains.txt" file and manually run each line against your pfSense box to see which ones are erroring.

foureight84

> The likely reason the DotCom lookup was so much slower was because the errors added very big numbers. This is also indicated by the fairly large standard deviation. My pfSense install on a Celeron J3160 has numbers similar to your non-pfSense:
> [attachment 23986]
> Since my test with the same external server you used is about the same, I'd say our ISP speed and reliability are similar.
>
> If you get the same sort of failures on repeat runs, I'd take a look at the "domains.txt" file and manually run each line against your pfSense box to see which ones are erroring.

I've retested it since and reliability seems to be more consistent at 100%. It looks like there's a long thread on the pfSense forums with people experiencing generally slow DNS with Unbound when only the DNS Resolver is being used. For them it seems like turning off IPv6 reclaims the performance loss. However, I have not been able to see a difference (plus I already had IPv6 turned off). I will test the dotcom domains individually against my Pi-hole/Unbound setup as you've suggested to help narrow down the issue.

foureight84

Hmm, quite interesting. I know this is not a 1:1 comparison, but I swapped to OPNsense and it's currently using Unbound 1.16.1 whereas pfSense is using 1.15.3.

DNS Benchmark now shows that it's on par with the dockerized solution. I haven't looked at the changelog for Unbound to see if there were optimization changes, but it would be either that or differences in implementation / out-of-the-box settings between the two.

[image attachment: 1660443085518.png]

mathiastro

I too have been struggling with DNS resolving on pfSense being super slow the last week. I have disabled the option for "register DHCP clients in DNS when acquiring lease" and run the wizard for pfBlocker again as my feeds would not resolve (don't know if it's related), but I feel now that it's better.

foureight84

> I too have been struggling with DNS resolving on pfSense being super slow the last week. I have disabled the option for "register DHCP clients in DNS when acquiring lease" and run the wizard for pfBlocker again as my feeds would not resolve (don't know if it's related), but I feel now that it's better.

I couldn't figure out what it was. The strange part was that it was a clean install. I've also tried different settings for Unbound and even clean installs, but always the same result.

mathiastro

Mine has become super slow again now; it's like the DNS cache is not working. How should I verify if the cache is OK?
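The two diagnostics raised in this thread (nabsltd's suggestion to run each line of DNS Benchmark's domains.txt against the pfSense box to find the ones that error, and the question above about verifying that the cache works) can be done with one small script. This is an added example, not code from anyone in the thread or from the pfSense/Unbound projects. It assumes `dig` is installed on a LAN workstation, that the resolver is at 192.168.2.1 as in the first post, and that domains.txt is one name per line. Each name is queried twice: the first answer reveals SERVFAIL/NXDOMAIN/timeouts, the second should come back from cache (a few milliseconds, with a TTL that has counted down). The constructed sample outputs at the bottom are not real captures; they only let the parser be exercised offline.

```python
"""Run each line of domains.txt against a resolver twice: the first lookup
flags SERVFAIL/NXDOMAIN/timeouts, the second shows whether the answer was
served from cache (low query time, TTL counting down).

Usage: python3 dns_check.py 192.168.2.1 domains.txt
"""
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DigResult:
    status: Optional[str]    # NOERROR, SERVFAIL, NXDOMAIN, ... or TIMEOUT
    query_ms: Optional[int]  # value of the ";; Query time:" line
    ttl: Optional[int]       # TTL of the first ANSWER SECTION record


def parse_dig_output(text: str) -> DigResult:
    """Extract status, query time and first-answer TTL from dig's text output."""
    status_m = re.search(r"status: ([A-Z]+)", text)
    status = status_m.group(1) if status_m else None
    if "timed out" in text or "no servers could be reached" in text:
        status = "TIMEOUT"
    qt_m = re.search(r"Query time: (\d+) msec", text)
    query_ms = int(qt_m.group(1)) if qt_m else None
    ttl = None
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if in_answer:
            parts = line.split()
            if not parts or line.startswith(";;"):
                break  # end of the answer section
            # resource record layout: name TTL class type rdata
            if len(parts) >= 5 and parts[1].isdigit():
                ttl = int(parts[1])
                break
    return DigResult(status, query_ms, ttl)


def dig(server: str, name: str, timeout_s: int = 5) -> DigResult:
    """Query one A record from `server`, single attempt, and parse the result."""
    cmd = ["dig", f"@{server}", name, "A", f"+time={timeout_s}", "+tries=1"]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_dig_output(proc.stdout)


def looks_cached(first: DigResult, second: DigResult, fast_ms: int = 5) -> bool:
    """Heuristic cache check: a hit answers within a few ms and carries a TTL
    no larger than the first answer's (Unbound counts cached TTLs down).
    Prefetch/serve-expired settings can refresh the record in between, so
    treat a single 'NOT-cached' as a hint, not proof."""
    if None in (first.query_ms, second.query_ms, first.ttl, second.ttl):
        return False
    return second.query_ms <= fast_ms and second.ttl <= first.ttl


def verdict(first: DigResult, second: DigResult) -> str:
    if first.status != "NOERROR":
        return f"error:{first.status}"
    if second.status != "NOERROR":
        return f"error-on-repeat:{second.status}"
    return "cached" if looks_cached(first, second) else "NOT-cached"


def check_domains(server: str, path: str) -> List[Tuple[str, str]]:
    """Run the two-query check for every non-blank, non-comment line of the file."""
    results = []
    with open(path) as fh:
        for raw in fh:
            name = raw.strip()
            if not name or name.startswith("#"):
                continue
            first, second = dig(server, name), dig(server, name)
            v = verdict(first, second)
            results.append((name, v))
            print(f"{name:40s} {first.query_ms!s:>5} ms -> {second.query_ms!s:>5} ms  {v}")
    return results


# Constructed dig outputs (not real captures) so the parser can be exercised offline.
SAMPLE_FIRST = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1111
;; ANSWER SECTION:
example.test.\t\t300\tIN\tA\t192.0.2.10

;; Query time: 42 msec
;; SERVER: 192.168.2.1#53(192.168.2.1)
"""
SAMPLE_SECOND = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; ANSWER SECTION:
example.test.\t\t287\tIN\tA\t192.0.2.10

;; Query time: 0 msec
"""
SAMPLE_SERVFAIL = ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3333\n;; Query time: 3001 msec\n"
SAMPLE_TIMEOUT = ";; communications error to 192.168.2.1#53: timed out\n;; no servers could be reached\n"

if __name__ == "__main__":
    if len(sys.argv) == 3:
        check_domains(sys.argv[1], sys.argv[2])
    else:  # no arguments: show the verdict on the constructed samples
        print(verdict(parse_dig_output(SAMPLE_FIRST), parse_dig_output(SAMPLE_SECOND)))
```

Names that come back `error:SERVFAIL` or `error:TIMEOUT` on repeated runs are the ones inflating DNS Benchmark's dotcom average; a column full of `NOT-cached` with second-query times as high as the first points at the cache rather than at upstream reliability.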

mathiastro

I finally found the culprit for all my network problems: my ISP had started using CGNAT, which my pfSense did not like. This means everything was double-NATed from my LAN to the internet. I noticed that the IP on my WAN interface was not the same as the public IP shown by e.g. whatsmyip.com.

The solution was to call the ISP and ask them to give me a regular public IP instead of this CGNAT crap.
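The WAN-address comparison described above can be turned into a quick check. This is an added example, not mathiastro's own procedure or pfSense code; it assumes you read the WAN interface address from pfSense (Status > Interfaces) and the externally observed address from a "what is my IP" site, and pass both on the command line. A WAN address inside 100.64.0.0/10 (RFC 6598 shared address space) is the signature of carrier-grade NAT; an RFC 1918 address means an upstream router is doing NAT; a public-looking address that still differs from what the internet sees is worth a call to the ISP too. The addresses used in the test are documentation ranges, not real hosts.

```python
"""Classify a pfSense WAN address: direct public IP, CGNAT, or double NAT.

Usage: python3 wan_check.py <wan_interface_ip> <ip_seen_by_external_site>
"""
import ipaddress
import sys

# RFC 6598 shared address space, used by ISPs for carrier-grade NAT
CGNAT = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges: WAN in one of these means an upstream NAT router
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify_wan(wan_ip: str, public_ip: str) -> str:
    """Return 'direct', 'cgnat', 'double-nat' or 'mismatch'."""
    wan = ipaddress.ip_address(wan_ip)
    pub = ipaddress.ip_address(public_ip)
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in PRIVATE):
        return "double-nat"
    if wan != pub:
        # Public-looking WAN address but the internet sees a different one:
        # still some translation or proxying upstream.
        return "mismatch"
    return "direct"


EXPLANATION = {
    "direct": "WAN holds the same public address the internet sees; no upstream NAT.",
    "cgnat": "WAN is in 100.64.0.0/10: the ISP is applying carrier-grade NAT.",
    "double-nat": "WAN is an RFC 1918 address: another router upstream is doing NAT.",
    "mismatch": "WAN looks public but differs from the externally observed address.",
}


def diagnose(wan_ip: str, public_ip: str) -> str:
    """Human-readable one-liner for the classification."""
    kind = classify_wan(wan_ip, public_ip)
    return f"{kind}: {EXPLANATION[kind]}"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: wan_check.py <wan_interface_ip> <ip_seen_by_external_site>")
    print(diagnose(sys.argv[1], sys.argv[2]))
```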