Topic: Performance issue

mloiterman
« on: December 23, 2017, 05:43:07 pm »
I run unbound as a resolver and have a question regarding Query Times from client machines, which seem way higher than they should be.


1.  After visiting www.cnn.com from any computer on my network the dns information gets cached.  Then:

2.  FROM THE PFSENSE BOX (Note Query Time of 0 msec)
===================================================
[2.4.2-RELEASE][root@pfsense.localnetwork]/root: dig cnn.com

; <<>> DiG 9.11.2 <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48189
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cnn.com.         IN   A

;; ANSWER SECTION:
cnn.com.      53   IN   A   151.101.1.67
cnn.com.      53   IN   A   151.101.193.67
cnn.com.      53   IN   A   151.101.129.67
cnn.com.      53   IN   A   151.101.65.67

;; AUTHORITY SECTION:
cnn.com.      3406   IN   NS   ns-1086.awsdns-07.org.
cnn.com.      3406   IN   NS   ns-1630.awsdns-11.co.uk.
cnn.com.      3406   IN   NS   ns-47.awsdns-05.com.
cnn.com.      3406   IN   NS   ns-576.awsdns-08.net.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Dec 23 17:27:50 CST 2017
;; MSG SIZE  rcvd: 236

3.  FROM THE MACHINE THAT VISITED CNN.COM (Note avg ping time to pfsense of 0.398ms)
===================================================
imac:Downloads user$ ping pfsense
PING pfsense.ascendencyhome.net (192.168.1.1): 56 data bytes
64 bytes from 192.168.1.1: icmp_seq=0 ttl=64 time=0.400 ms
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.409 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=64 time=0.325 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=64 time=0.431 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=64 time=0.425 ms
^C
--- pfsense.ascendencyhome.net ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.325/0.398/0.431/0.038 ms

4.  FROM THE MACHINE THAT VISITED CNN.COM (Note avg ping time to cnn.com of 11.433ms)
imac:Downloads user$ ping cnn.com
PING cnn.com (151.101.1.67): 56 data bytes
64 bytes from 151.101.1.67: icmp_seq=0 ttl=58 time=15.382 ms
64 bytes from 151.101.1.67: icmp_seq=1 ttl=58 time=10.672 ms
64 bytes from 151.101.1.67: icmp_seq=2 ttl=58 time=9.763 ms
64 bytes from 151.101.1.67: icmp_seq=3 ttl=58 time=9.916 ms
^C
--- cnn.com ping statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 9.763/11.433/15.382/2.306 ms

5.  FROM THE CLIENT MACHINE THAT VISITED CNN.COM (Note Query time of 33 msec)
===================================================
imac:Downloads user$ dig cnn.com

; <<>> DiG 9.9.7-P3 <<>> cnn.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1928
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;cnn.com.         IN   A

;; ANSWER SECTION:
cnn.com.      0   IN   A   151.101.1.67
cnn.com.      0   IN   A   151.101.193.67
cnn.com.      0   IN   A   151.101.129.67
cnn.com.      0   IN   A   151.101.65.67

;; AUTHORITY SECTION:
cnn.com.      3173   IN   NS   ns-1086.awsdns-07.org.
cnn.com.      3173   IN   NS   ns-1630.awsdns-11.co.uk.
cnn.com.      3173   IN   NS   ns-47.awsdns-05.com.
cnn.com.      3173   IN   NS   ns-576.awsdns-08.net.

;; Query time: 33 msec
;; SERVER: 2601:249::831:21b:21ff:fec5:8258#53(2601:249:0:831:21b:21ff:fec5:8258)
;; WHEN: Sat Dec 23 17:31:42 CST 2017
;; MSG SIZE  rcvd: 236


So my question is this:

If the pfsense dig time to cnn.com is 0 msec (due to cache) and the ping to pfsense is 0.398ms, why would dig from the client computer show 33 msec?  Should it be similar to a ping to the local pfsense server of .398 msec?
« Last Edit: December 23, 2017, 05:47:21 pm by mloiterman »
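
An added example (not part of the original post): a small Python parser that pulls the query time, resolver address and answer-section TTLs out of the two dig transcripts above so the runs can be compared field by field. The embedded transcripts are trimmed copies of the post's output, and `parse_dig` and `compare` are names made up for this example.

```python
import re

# Constructed samples: trimmed copies of the two dig transcripts in the post.
FIREWALL_DIG = """\
;; ANSWER SECTION:
cnn.com.      53   IN   A   151.101.1.67
cnn.com.      53   IN   A   151.101.193.67
;; AUTHORITY SECTION:
cnn.com.      3406   IN   NS   ns-1086.awsdns-07.org.

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
"""
CLIENT_DIG = """\
;; ANSWER SECTION:
cnn.com.      0   IN   A   151.101.1.67
cnn.com.      0   IN   A   151.101.193.67
;; AUTHORITY SECTION:
cnn.com.      3173   IN   NS   ns-1086.awsdns-07.org.

;; Query time: 33 msec
;; SERVER: 2601:249::831:21b:21ff:fec5:8258#53(2601:249:0:831:21b:21ff:fec5:8258)
"""

def parse_dig(text):
    """Extract query time, resolver address and ANSWER-section TTLs from dig output."""
    info = {"query_ms": None, "server": None, "answer_ttls": []}
    section = None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            section = m.group(1)            # ANSWER, AUTHORITY, QUESTION, ...
        elif not line.strip():
            section = None                  # a blank line ends the current section
        elif line.startswith(";; Query time:"):
            info["query_ms"] = int(line.split()[3])
        elif line.startswith(";; SERVER:"):
            info["server"] = line.split()[2].rsplit("#", 1)[0]
        elif section == "ANSWER" and not line.startswith(";"):
            info["answer_ttls"].append(int(line.split()[1]))  # second column is the TTL
    return info

def compare(a, b):
    """Return only the fields that differ between two parsed dig runs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    for field, (fw, cl) in compare(parse_dig(FIREWALL_DIG), parse_dig(CLIENT_DIG)).items():
        print(f"{field}: firewall={fw} client={cl}")
```

On the post's data this reports three differences between the two runs: the query time (0 vs 33 msec), the resolver address that answered (127.0.0.1 vs the IPv6 address), and the answer TTL (53 vs 0).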

mloiterman
« Reply #1 on: December 23, 2017, 06:06:18 pm »
This is an interesting article and may help explain what I'm seeing:

https://www.easydns.com/blog/2011/05/02/dns-speeds-debunked/