Table of Contents
PFSense - DNS - Troubleshooting - Slow DNS Response
Various things to check.
CONCLUSION: Unbound restarts each time a DHCP lease gets initiated or renewed.
Ideally, Unbound should not restart but simply needs to refresh. Unbound needs to be fixed.
If pfBlockerNG is being used, this could mean upwards of 60 seconds of downtime whilst it reloads any blocklists.
Change Firewall Maximum Table Entries
Navigate to System → Advanced > Firewall & Nat:
- Firewall Maximum Table Entries: 2000000
NOTE: If this figure is too low, it will result in slowness.
The higher this value, the more memory it will use, so be careful setting this too high on systems with low memory.
Monitor the Status
Navigate to Status → Monitoring.
- Click the Settings Icon.
- Left Axis: Quality.
- Right Axis: None.
- Click Update Graphs.
NOTE: This will show the status of a continuous ping to your default gateway over time.
Check if there is any recent slowness being reported:
Check what interfaces are running
Navigate to Diagnostics → Command Prompt.
pciconf -lv | grep -A1 -B3 network
returns:
em0@pci0:1:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00 vendor = 'Intel Corporation' device = '82583V Gigabit Network Connection' class = network subclass = ethernet em1@pci0:2:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00 vendor = 'Intel Corporation' device = '82583V Gigabit Network Connection' class = network subclass = ethernet em2@pci0:3:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00 vendor = 'Intel Corporation' device = '82583V Gigabit Network Connection' class = network subclass = ethernet em3@pci0:4:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00 vendor = 'Intel Corporation' device = '82583V Gigabit Network Connection' class = network subclass = ethernet em4@pci0:5:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00 vendor = 'Intel Corporation' device = '82583V Gigabit Network Connection' class = network subclass = ethernet em5@pci0:6:0:0: class=0x020000 card=0x00008086 chip=0x150c8086 rev=0x00 hdr=0x00 vendor = 'Intel Corporation' device = '82583V Gigabit Network Connection' class = network subclass = ethernet
NOTE: This shows Intel NICs.
Intel usually works well with pfSense.
If on the otherhand this was not Intel, this could be a cause for the slowness.
Check DNS Resolver Caching Figures
Navigate to Diagnostics → Command Prompt.
unbound-control -c /var/unbound/unbound.conf stats_noreset | egrep 'total.num|cache.count'
returns:
total.num.queries=11060 total.num.queries_ip_ratelimited=0 total.num.cachehits=10669 total.num.cachemiss=391 total.num.prefetch=342 total.num.expired=295 total.num.recursivereplies=438 msg.cache.count=2073 rrset.cache.count=4222 infra.cache.count=6734 key.cache.count=174
NOTE: This combines the output of:
- unbound-control -c /var/unbound/unbound.conf stats_noreset | grep total.num
- unbound-control -c /var/unbound/unbound.conf stats_noreset | grep cache.count
Output is:
- num.queries: number of queries received by thread.
- num.cachehits: number of queries that were successfully answered using a cache lookup.
- num.cachemiss: number of queries that needed recursive processing.
- num.prefetch: number of cache prefetches performed.
- This number is included in cachehits, as the original query had the unprefetched answer from cache, and resulted in recursive processing, taking a slot in the requestlist.
- Not part of the recursivereplies (or the histogram thereof) or cachemiss, as a cache response was sent.
- num.zero_ttl: number of replies with ttl zero, because they served an expired cache entry.
- num.recursivereplies: The number of replies sent to queries that needed recursive processing.
- Could be smaller than threadX.num.cachemiss if due to timeouts no replies were sent for some queries.
- msg.cache.count: The number of items (DNS replies) in the message cache.
- rrset.cache.count: The number of RRsets in the rrset cache. This includes rrsets used by the messages in the message cache, but also delegation information.
- infra.cache.count: The number of items in the infra cache.
- These are IP addresses with their timing and protocol support information.
- key.cache.count: The number of items in the key cache.
- These are DNSSEC keys, one item per delegation point, and their validation status.
Check System Logs for the DNS Resolver
Navigate to Status → System Logs → System → DNS Resolver.
Check if the DNS Resolver is restarting when this issue occurs.
NOTE: This shows Unbound restarting!
See: https://forum.netgate.com/topic/115482/frequent-unbound-restarts/67
It seems that Unbound restarts when the WAN DHCP lease gets renewed.
- Compare the DNS and DHCP logs will probably show there is a correlation.
- Every time a Remote Client connection is initiated or stopped, Unbound has to restart.
- The DHCP code is currently sending a HUP signal to the DNS Resolver, which Unbound takes as needing to do a restart.
- Ideally, when a new host enters the DNS local zone because it gets a DHCP release the correct thing to do is reload that zone, not restart the DNS service. Unbound needs to be fixed.
- If pfBlockerNG is being used, this could mean upwards of 60 seconds of downtime whilst it reloads any blocklists.
A temporary workaround is not to use DHCP.
- For every DHCP entry, you could set and maintain, at the bottom of the page, the DHCP Static Mappings for this Interface.
- On the Status → DHCP Leases page you can also choose what lease you want to add as a Static lease.
Other options to try:
- Reduce the number of pfBlockerNG blocks.
- This should speed up the restart of Unbound.