Differences

This shows you the differences between two versions of the page.

--- pfsense:dns:troubleshooting:slow_dns_response [2021/01/31 17:02] – peter
+++ pfsense:dns:troubleshooting:slow_dns_response [2021/02/01 09:24] (current) – peter
@@ Line 1: / Line 1: @@
 ====== PFSense - DNS - Troubleshooting - Slow DNS Response ======
+Various things to check.
+<WRAP info>
+**CONCLUSION:**  Unbound restarts each time a DHCP lease gets initiated or renewed.
+Ideally, Unbound should not restart but simply needs to refresh.  Unbound needs to be fixed.
+If pfBlockerNG is being used, this could mean upwards of 60 seconds of downtime whilst it reloads any blocklists.
+</WRAP>
 ----
@@ Line 8: / Line 19: @@
   * Firewall Maximum Table Entries:  2000000
+<WRAP info>
+**NOTE:**  If this figure is too low, it will result in slowness.
+The higher this value, the more memory it will use, so be careful setting this too high on systems with low memory.
+</WRAP>
 ----
@@ Line 21: / Line 39: @@
 ----
+  * Left Axis:  **Quality**.
+  * Right Axis:  **None**.
+  * Click **Update Graphs**.
+<WRAP info>
+**NOTE:**  This will show the status of a continuous ping to your default gateway over time.
+</WRAP>
+{{:pfsense:dns:troubleshooting:pfsense_-_status_-_monitoring_-_settings_-_default_-_settings.png?800|}}
+----
+Check if there is any recent slowness being reported:
+{{:pfsense:dns:troubleshooting:pfsense_-_status_-_monitoring_-_settings_-_default_-_interactive_graph.png?800|}}
+{{:pfsense:dns:troubleshooting:pfsense_-_status_-_monitoring_-_settings_-_default_-_data_summary.png?800|}}
+----
 ===== Check what interfaces are running =====
@@ Line 87: / Line 124: @@
 <code bash>
-total.num.queries=1297
+total.num.queries=11060
 total.num.queries_ip_ratelimited=0
-total.num.cachehits=1026
+total.num.cachehits=10669
-total.num.cachemiss=271
+total.num.cachemiss=391
-total.num.prefetch=96
+total.num.prefetch=342
-total.num.expired=88
+total.num.expired=295
-total.num.recursivereplies=271
+total.num.recursivereplies=438
-msg.cache.count=1552
+msg.cache.count=2073
-rrset.cache.count=3277
+rrset.cache.count=4222
-infra.cache.count=3255
+infra.cache.count=6734
-key.cache.count=132
+key.cache.count=174
 </code>
@@ Line 127: / Line 164: @@
 </WRAP>
+----
+===== Check System Logs for the DNS Resolver =====
+Navigate to **Status -> System Logs -> System -> DNS Resolver**.
+Check if the DNS Resolver is restarting when this issue occurs.
+{{:pfsense:dns:troubleshooting:pfsense_-_status_-_system_logs_-_system_-_dns_resolver_-_restart_of_unbound.png?800|}}
+<WRAP info>
+**NOTE:**  This shows Unbound restarting!
+See:  https://forum.netgate.com/topic/115482/frequent-unbound-restarts/67
+It seems that Unbound restarts when the WAN DHCP lease gets renewed.
+  * Compare the DNS and DHCP logs will probably show there is a correlation.
+  * Every time a Remote Client connection is initiated or stopped, Unbound has to restart.
+    * The DHCP code is currently sending a HUP signal to the DNS Resolver, which Unbound takes as needing to do a restart.
+    * Ideally, when a new host enters the DNS local zone because it gets a DHCP release the correct thing to do is reload that zone, not restart the DNS service.  Unbound needs to be fixed.
+  * If pfBlockerNG is being used, this could mean upwards of 60 seconds of downtime whilst it reloads any blocklists.
+A temporary workaround is not to use DHCP.
+  * For every DHCP entry, you could set and maintain, at the bottom of the page, the **DHCP Static Mappings for this Interface**.
+  * On the **Status -> DHCP Leases** page you can also choose what lease you want to add as a Static lease.
+Other options to try:
+  * Reduce the number of pfBlockerNG blocks.
+  * This should speed up the restart of Unbound.
+</WRAP>
+----
+===== References =====
+https://forum.netgate.com/topic/115482/frequent-unbound-restarts/67