slow dns lookups on router itself


LevesqueOnline

Occasional Visitor
Good day, my router is performing extremely slow DNS lookups internally. All of the machines on my network are fine; they go to 8.8.8.8, but anything I try to do in SSH is so slow it times out scripts etc.

I also noticed I can't automatically check for firmware updates either, assuming it's also timing out. The below is an average of 12-13 seconds to resolve.

 
Is your WAN DNS also set to 8.8.8.8? It's unclear if your clients get DNS through the LAN DHCP DNS settings or not. It's important to know what DNS servers the router's dnsmasq resolver is using.

And just to give some clarity on the slowness, please run this to time your command:
Code:
time nslookup google.com
time nslookup google.com 8.8.8.8
 
I would look in the system log file for clues. Especially for wan-start and other services trying to start around the same time. Your pic shows WAN connection issues.

I wonder if you are having an NTP issue. Do you have Stubby installed? We had to solve a boot / DNS issue by adding the entry below in /jffs/configs/dnsmasq.conf.add.

Code:
server=/pool.ntp.org/1.1.1.1

followed by a service restart_dnsmasq
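The server=/pool.ntp.org/1.1.1.1 line tells dnsmasq to send queries for pool.ntp.org and its subdomains to 1.1.1.1 regardless of the default upstreams, so the router can sync time even while its normal resolver path is not working yet. The script below is an added illustration of that matching rule, not code from this thread or from dnsmasq itself; the config text and the default upstream list in it are constructed samples.

```python
"""Which upstream does dnsmasq forward a name to?  Added illustration, not
code from the thread or from dnsmasq.  Assumes only the common forms
`server=/domain/ip` and bare `server=ip` are present."""

from typing import Dict, List, Tuple

# Constructed sample: the thread's dnsmasq.conf.add entry plus a stand-in
# for the upstream list the firmware normally hands to dnsmasq.
CONF_ADD = """
# /jffs/configs/dnsmasq.conf.add (constructed sample)
server=/pool.ntp.org/1.1.1.1
"""
DEFAULT_UPSTREAMS = ["8.8.8.8", "8.8.4.4"]  # constructed; stands in for resolv.dnsmasq


def parse_server_lines(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Split server= directives into per-domain and default upstreams."""
    by_domain: Dict[str, List[str]] = {}
    defaults: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if not line.startswith("server="):
            continue
        value = line[len("server="):]
        if value.startswith("/"):
            # server=/domain/ip : forward domain and all its subdomains to ip
            _, domain, server = value.split("/", 2)
            by_domain.setdefault(domain.lower().rstrip("."), []).append(server)
        else:
            defaults.append(value)                  # server=ip : default upstream
    return by_domain, defaults


def upstream_for(name: str, by_domain: Dict[str, List[str]],
                 defaults: List[str]) -> List[str]:
    """Longest matching domain suffix wins, as dnsmasq does; else the defaults."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):                    # longest suffix first
        suffix = ".".join(labels[i:])
        if suffix in by_domain:
            return by_domain[suffix]
    return defaults


def resolve_plan(name: str) -> List[str]:
    """Upstream servers a query for `name` would be forwarded to."""
    by_domain, defaults = parse_server_lines(CONF_ADD)
    return upstream_for(name, by_domain, defaults or DEFAULT_UPSTREAMS)


if __name__ == "__main__":
    for n in ("0.pool.ntp.org", "pool.ntp.org", "google.com"):
        print(n, "->", resolve_plan(n))
```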
 
Apologies; if I can add more clarity, let me know.

DHCP provides DNS of 1.1.1.1 and 8.8.8.8.

 
I'm not sure what Stubby is, to be honest, sir. The only thing I have done in the shell here is the script we did together for Netflix to route over the WAN interface. The config file you mention above doesn't exist on mine; if with the above info you think I should add it, I can.

My resolv.conf points to 127.0.0.1. Should I just change it to 1.1.1.1 or 8.8.8.8?
 

Leave resolv.conf alone. The 127.0.0.1 is okay.

Change "Connect to DNS Server Automatically" to Yes and bounce the WAN. This will connect you to ISP DNS. If that works, it will point to an issue with your current DNS settings. If it works, change "Connect to DNS Server Automatically" to "No". Enter 1.1.1.1 in the DNS 1 field and leave the DNS 2 field empty. Apply. See if the WAN comes back up. Go to ipleak.net and dnsleak.com. One thing you may see if it works is that redundancy is already built into 1.1.1.1 and DNS requests are load balanced. Look at the system log for clues too.
 
I did attempt going to ISP DNS, which did not fix the slow lookups on the Asus itself (clients all work fine). I will try putting one in and checking the 2 sites you mention after changing to 1 DNS on the WAN interface.

ty
 
FYI - DNSleak shows Cloudflare and Google. I went back and disabled the VPN configuration changes we did for getting Netflix to route through WAN versus the OpenVPN tunnel, and tried again; that works. I'm wondering if it's because we added 192.168.50.1 to route through WAN in that policy? I'm going to remove that and start the VPN again to see if it still works after starting the VPN again for those devices, or maybe I have one of the below config settings misinterpreted.

 
Those settings look good. I have multiple VPN clients running. If I don't specify the router DNS in OpenVPN Client 1 to use WAN, then I have issues. I recommend leaving the entry for the router.

Check DNS Filter?

Most people also set up LAN -> DNSFILTER, Global Filter Mode to "Router" to force all LAN client DNS requests to use the DNS specified in the router.
Code:
iptables -nvL PREROUTING -t nat --line
command will also show you if it is set.

Try setting "Accept DNS Configuration" = Disabled. This will tell the VPN to use the DNS specified on the WAN page and not the DNS specified by the tunnel. I stopped using my provider's DNS when I did the Install Stubby project. With DoT all of the DNS traffic is encrypted. So that checked that box for me.
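As an added example (not from this thread or the firmware), here is a small parser for that iptables output that reports whether port-53 traffic entering the router is DNAT'ed and to where. The sample output is constructed to look like DNSFilter in "Router" mode on a router at 192.168.50.1; it follows one level of user-defined chain, which is enough for the DNSFILTER chain layout shown.

```python
"""Read `iptables -nvL PREROUTING -t nat --line` style output and report
whether LAN DNS (port 53) is being redirected, and to where.  Added example,
not code from the thread or the firmware; SAMPLE is a constructed listing."""

import re
from typing import Dict, List

SAMPLE = """\
Chain PREROUTING (policy ACCEPT 1234 packets, 98765 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     5000  300K DNSFILTER  udp  --  br0    *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
2      200 12000 DNSFILTER  tcp  --  br0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53
3       10   600 VSERVER    all  --  *      *       0.0.0.0/0            203.0.113.10

Chain DNSFILTER (2 references)
num   pkts bytes target     prot opt in     out     source               destination
1     5200  312K DNAT       all  --  *      *       0.0.0.0/0            0.0.0.0/0            to:192.168.50.1
"""


def parse_chains(text: str) -> Dict[str, List[List[str]]]:
    """Map chain name -> list of rule rows (whitespace-split fields)."""
    chains: Dict[str, List[List[str]]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
        elif current and line and line.split()[0].isdigit():   # numbered rule row
            chains[current].append(line.split())
    return chains


def dns_redirect_targets(text: str) -> Dict[str, str]:
    """For each protocol with a dpt:53 rule in PREROUTING, return the DNAT
    address it ends up at (following one level of user-defined chain)."""
    chains = parse_chains(text)
    found: Dict[str, str] = {}
    for row in chains.get("PREROUTING", []):
        target, proto = row[3], row[4]
        if "dpt:53" not in row[10:]:            # match options sit after column 10
            continue
        rows = [row] if target == "DNAT" else chains.get(target, [])
        for r in rows:
            if r[3] == "DNAT":
                m = re.search(r"to:(\S+)", " ".join(r))
                if m:
                    found[proto] = m.group(1)
    return found


if __name__ == "__main__":
    print(dns_redirect_targets(SAMPLE) or "no DNS redirect in PREROUTING")
```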
 
In his case, since LAN DHCP DNS 1 is set to 1.1.1.1, it will force all clients to Cloudflare, bypassing the router.
 
I saw where he set WAN DNS to 1.1.1.1 but not LAN DNS set to 1.1.1.1. It's getting late in my timezone.

But he should also check the DNS settings on the LAN -> DHCP Server page and make sure those are empty and not a source of conflict with DNS on the WAN page.
 
I can confirm the issue would a

FYI - I can recreate the issue now. A few notes on my setup: I live in Canada, and I am not looking to bypass any content filters etc.

  1. Router is set up pretty much default, nothing too fancy.
  2. I have OpenVPN set up and 4 devices associated with it to route through my VPN. Everything else goes over the WAN. For example, my desktop here, if I go to whatismyip.com, shows properly. If I go to 1 of the 4 devices I route through the VPN, it shows wherever I have my VPN routing through.
  3. When I go to Netflix on the devices I route through the VPN, it knows I am going through a proxy and blocks me. I was working with Xen to route Netflix traffic through WAN instead of VPN for those 4 devices, for that traffic only.
Throughout that is when the DNS slowness occurred, and the setting I found was causing this, which was only giving me problems downloading the scripts, is "Redirect internet traffic Strict". When this is set, DNS is crazy slow in SSH on the router only. This also causes the error where internet status shows disconnected above.

Appreciate all of the help; at least I know I can turn off that function to download scripts when required in SSH :)
 
One last clarification: it was DNS STRICT that causes the issue with the router having slow DNS lookups, not Redirect internet traffic as I mentioned above.

thanks again all
 
Test it with a different DNS provider. I'm in southern Colorado in a smaller town, and have tried using 1.1.1.1 a couple of times. I've had many issues with it, and I've never figured out what the problem was. I would get timeouts intermittently for some reason. I'm guessing it's something with routes with Comcast from here.

Strangely enough, if I ping it the ping times are around 10ms, so it's very fast with no packet loss. I switched to a combo of DNS Watch in DE along with a couple of no-log OpenNIC servers in TX for redundancy, and have no issues whatsoever. The pings on them are 2x higher at a minimum, but everything is snappy and works perfectly.

The interesting thing is that it was happening with my RT-AC3200, and it does the same thing with the RT-AX88U that I picked up a couple of months ago. It happened on stock firmware, and merlin.
 
