Using pfSense with a L3 core switch

[coxhaus]

View attachment 50959

Here's mine pretty much at 0ms.. Yeah 180sec was a lot..

Can you add another DNS QUAD9 and see what it shows on your box? You can remove it after the test running Microsoft.com. Let's see what response time you get.

 

[ddaenen1]

Ok, I disabled DNSSEC, unchecked it and it had no effect I could tell. It is still slow.
I don't think it is QUAD9 as the cache should pick up and make it faster but it does not.

I ran DNS lookup. Did you notice 127.0.0.1 shows in diagnostic as 180 msec whereas QUAD9 is 18 msec. Why so long on the loopback IP.
View attachment 50956

that looks very different on my end with DNS resolver and forwarding enabled

 

[coxhaus]

that looks very different on my end with DNS resolver and forwarding enabled


View attachment 50968

What processor are you running?

 

[ddaenen1]

What processor are you running?

Intel Xeon E3-1220 v2 with 16GB ECC RAM.

 

[avtella]

Can you add another DNS QUAD9 and see what it shows on your box? You can remove it after the test running Microsoft.com. Let's see what response time you get.

Here it is, Quad 9 IPv4/IPv6, top image in resolver mode and bottom in forwarding mode. Max latency on loopback I saw was 10-13 msec, mostly still at 0 otherwise.

I don't think it's your CPU, you have a more powerful one than me, my unit has a 2.4 Ghz Intel Atom C3758R.

What is the "PowerD" setting at right now? Mine is on "High Adaptive". Also try testing with Snort and other non default-packages temporarily disabled. Additionally, in regards to your encryption comment, what's the crypto setting at? Should be set to "AES-NI & BSD Crypto Device", it is set to "none" by default on custom installs for compatibility sake. QAT only selected if your CPU (Some Xeon D and Atom C3XXX models) has it or have a dedicated QAT card.

Other thing is maybe something to do with any additional rules/ordering that you did? In regards to that aspect, someone would with more experience could chime in.



Unbound - Resolver Mode

Unbound - Forwarding Mode

CPU Power Savings & Crypto settings.

 

[Christos]

that looks very different on my end with DNS resolver and forwarding enabled


View attachment 50968

1ms comes from cache.
For better results, use a random non-existent domain like "sfvafvwr3-454352.com" that cannot come from cache.

 

[coxhaus]

Well, I did not know I needed to turn on ASE-NI. So, I switched back to unbound and here is where I am. Still high on encryption but it does feel better not so laggy but I am not sure it is as fast as forwarding. I wonder if it has something to do with my L3 switch? I am using pfsense's LAN IP for my DNS on my laptop.

PS
I think the cache is building and it is running faster. I may try it this way.

 

[coxhaus]

When I test DNS lookup using Microsoft.com it is not cached.
I am thinking the issue was not turning on AES-NI.
Any way I think unbound caching is working for me. The high encryption rate is because it is not cached.
All three caching systems seem to work for me. I will try unbound for a while.

 

[sfx2000]

I am thinking the issue was not turning on AES-NI.

Likely - as this is an opt-in option...

As mentioned earlier - check powerd settings, as that is also opt-in

Been a while since I've used pfSense - walked away after the whole WG mess and moved on...

When I was using pfSense - unbound was fine for DNS - and playing around with shapers, had good performance overall.

 

[coxhaus]

The more I thought about it, the more I am not sure Unbound is really forwarding to QUAD9. Unbound may just be resolving itself. Has anyone traced Unbound doing forwarding? How did you do it?

Not sure how you can do DNSSEC with forwarding.

I switched back to forwarding to QUAD9.

 

[Christos]

https://dnsleaktest.com/ will help you see what happens.

 

[Clark Griswald]

https://dnscheck.tools/#results

I prefer this site.

 

[coxhaus]

Not sure what DNScheck.tools is checking.
I can run Steve Gibson DNS check and it shows QUAD9 as very low DNS response time. It checks on port 53.

PS
DNScheck.tools is coming up with WoodyNET which is not Spectrum. It is doing unbound I guess. Checking a resolver close to me.

So, I switched to unbound in pfsense with forwarding to QUAD9 and ran the test. The test looks the same, nowhere is there a forward that I can see to QUAD9. I guess it is running independent of what pfsense is doing so it is not forwarding to QUAD9. I have had both forwarding and unbound set in pfsense. DNScheck.tools is coming out the same. I think it is no help with determining what pfsense is doing.

 

[Christos]

WoodyNET is quad9

 

[avtella]

https://support.quad9.net/hc/en-us/articles/4422044032781-Quad9-Network-Providers-WoodyNet-PCH-net-i3D-GSL-Networks-EdgeUno-Equinix-Metal

According to Q9, a DNS leak test might show the following providers that Q9 uses:

• WoodyNet (AKA PCH.net)
• PCH.net
• GSL Networks
• i3D
• EdgeUno
• Equinix Metal (FKA: Packet, Packet.net, or Packethost)

For me it’s always been WoodyNet.

 

[coxhaus]

OK, then there are no hops that I can tell. I thought rrdns is old road runner which was Time Warner which became Spectrum. Here is the test.
And it does not make sense to me that if I have forwarding set to QUAD9 in pfsense then when I run DNScheck.tools I get the exact same response as if I had unbound set in pfsense.

PS
I guess there is a direct exit from Spectrum to QUAD9. Trace route shows the same path for both 9.9.9.9 and 66.185.112.242.

Your DNS resolvers are:
WoodyNet

• 66.185.112.242ptr: res100.dfw.rrdns.pch.netDallas, Texas, US
• 66.185.112.243ptr: res200.dfw.rrdns.pch.netDallas, Texas, US
• 66.185.112.244ptr: res300.dfw.rrdns.pch.netDallas, Texas, US
• 66.185.112.246ptr: res110.dfw.rrdns.pch.netDallas, Texas, US
• 66.185.112.247ptr: res210.dfw.rrdns.pch.netDallas, Texas, US
• 66.185.112.248ptr: res310.dfw.rrdns.pch.netDallas, Texas, US
• 66.185.112.249ptr: res720.dfw.rrdns.pch.netDallas, Texas, US
• 2620:171:e0:f0::2ptr: res100.dfw.rrdns.pch.netDallas, Texas, US
• 2620:171:e0:f0::3ptr: res200.dfw.rrdns.pch.netDallas, Texas, US
• 2620:171:e0:f0::4ptr: res300.dfw.rrdns.pch.netDallas, Texas, US
• 2620:171:e0:f0::6ptr: res110.dfw.rrdns.pch.netDallas, Texas, US
• 2620:171:e0:f0::7ptr: res210.dfw.rrdns.pch.netDallas, Texas, US
• 2620:171:e0:f0::8ptr: res310.dfw.rrdns.pch.netDallas, Texas, US
• 2620:171:e0:f0::9ptr: res720.dfw.rrdns.pch.netDallas, Texas, US

Great! Your DNS responses are authenticated with DNSSEC:

• correct P-256 signature... connected
• invalid P-256 signature... not connected
• expired P-256 signature... not connected
• missing P-256 signature... not connected
• correct P-384 signature... connected
• invalid P-384 signature... not connected
• expired P-384 signature... not connected
• missing P-384 signature... not connected
• correct Ed25519 signature... connected
• invalid Ed25519 signature... not connected
• expired Ed25519 signature... not connected
• missing Ed25519 signature... not connected

 

[Christos]

pch.net is one of the three major sponsors of quad9

Packet Clearing House | PCH

Tagline

www.pch.net

The reason I'm not using quad9 is because Akamai blocks their EDNS Client Subnet (ECS) functionality, so when you are using quad9 you are not sent to the closest Akamai server. Akamai has caching servers inside my ISP and I prefer to using them than using quad9, if I have to choose between them.

 

[sfx2000]

rrdns.pch.net

rrdns - this is round-robin DNS - it's a high availability strategy with redundancy - if a host dies, DNS does the lookup to the next available host...

It's load-balancing at the application layer - and important also for content delivery networks...

Remember, in cloud architecture - servers are cattle, not pets - if the cat or dog gets sick, you take it to the vet, if a cow gets sick, you take it back behind the barn and shoot it...

The History of Pets vs Cattle and How to Use the Analogy Properly

I have been meaning to write this post for a long time, but one thing or another has gotten in the way. It’s important to me to provide an accurate history, ...

cloudscaling.com

 

[coxhaus]

The old Steve Gibson DNS checker shows QUAD9 as one of the fastest DNS servers for me. I am going to stay with QUAD9.

Since DNSchecker.tools is showing the same for pfsense forwarding not using unbound and unbound with forwarding so I think I will keep using forwarding. I don't have the slow encryption to start with.

I have my wireless system running automatically so I dropped my 5 GHz APs down to 2 channels which makes it easier to run on auto, less channel contention in my way of thinking. I notice a little bit slower when scrolling pictures, but you have to push it. This also gives me room for another AP. The neighbors are using 4 channels so it seems to fit to where I can avoid them better. I have to run it for a while to see if I stay with it. My granddaughter games on wire, much lower latency. But I can still tell the differences in DNS and DNS cache using my wireless. My i9 laptop using Windows 11 is fast on my Cisco 150ax wireless APs.

Hopefully using my Cisco wireless APs set to auto for channels, power levels and roaming they keep adjusting dynamically in the background all the time. All the other times I have tried auto in older units they ended up not working well after a while they ended on a few weird channels. These new Cisco units seem better.

 

[coxhaus]

My granddaughter left and went home for a while. I swapped computers to the lower watt Intel i3-6100T. I used my usb stick which had pfsense 2.6 on it. I upgraded to 2.7RC code as it was an upgrade option. I did not want to run the old FreeBSD 12 version.
I took the default for DNS which is DNS resolver. I am getting much lower timings than my last PC. I don't have forwarder set in the DNS resolver and it seems much faster. So, I will try it for a while. I am wondering if it could be the newer 6th generation CPU or maybe it is not doing encryption. 30 msec seems like it is.
The Intel i3-6100T is so quiet and much cooler.
PS
I am running an dual port Intel 1000baseT NIC instead of the broadcom 10 gig dual port NIC. I did not switch them.