3+ second query time on pihole vs single digit ms for external DNS

New install so I don't have anything to compare to 4+ versions.

Problem with Beta 5.0:
EDIT: Changed dig output to represent the same domain.

Title explains it all, you can see it on the query time of these two requests.

Clean install + official instructions for setting up DNS over HTTPS although switching to normal 8.8.8.8 doesn't help the problem.

➜  ~ dig reddit.com

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> reddit.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43931
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;reddit.com.                    IN      A

;; ANSWER SECTION:
reddit.com.             200     IN      A       151.101.65.140
reddit.com.             200     IN      A       151.101.193.140
reddit.com.             200     IN      A       151.101.1.140
reddit.com.             200     IN      A       151.101.129.140

;; Query time: 6135 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Wed Apr 22 10:17:29 EDT 2020
;; MSG SIZE  rcvd: 143

➜  ~ dig @8.8.8.8 reddit.com

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> @8.8.8.8 reddit.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50506
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;reddit.com.                    IN      A

;; ANSWER SECTION:
reddit.com.             177     IN      A       151.101.193.140
reddit.com.             177     IN      A       151.101.129.140
reddit.com.             177     IN      A       151.101.1.140
reddit.com.             177     IN      A       151.101.65.140

;; Query time: 4 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Apr 22 10:17:36 EDT 2020
;; MSG SIZE  rcvd: 103

Debug Token:
https://tricorder.pi-hole.net/pcootfr4fv

The two outputs you provided show that the dig through Pi-hole is going to the encrypted upstream DNS? Or to 8.8.8.8? I assume Cloudflare since this is what is configured in the debug log you provided.

We can take the Pi-hole out of the process with this command and see if the delay is in the encrypted DNS service.

time dig reddit.com @127.0.0.1 -p5053

pi@pi-hole-1:~ $ time dig reddit.com @127.0.0.1 -p5053

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> reddit.com @127.0.0.1 -p5053
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29837
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;reddit.com.                    IN      A

;; ANSWER SECTION:
reddit.com.             170     IN      A       151.101.1.140
reddit.com.             170     IN      A       151.101.65.140
reddit.com.             170     IN      A       151.101.129.140
reddit.com.             170     IN      A       151.101.193.140

;; Query time: 6 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Wed Apr 22 15:53:29 BST 2020
;; MSG SIZE  rcvd: 143


real    0m0.073s
user    0m0.024s
sys     0m0.042s

Is the slow response when using Pi-hole DNS pointing to Cloudflare repeatable?

time dig reddit.com
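The hop-by-hop isolation the reply above describes (client to Pi-hole, Pi-hole to the local cloudflared proxy, and a public resolver for comparison), written up as an added example that is not from this thread or the Pi-hole project. It assumes the addresses shown in the thread (Pi-hole at 192.168.1.253, cloudflared at 127.0.0.1:5053, 8.8.8.8 as the public resolver) and, for the offline run, constructed dig excerpts carrying the thread's query times; passing `live reddit.com` as arguments runs real dig queries instead.

```shell
#!/bin/sh
# Hop-by-hop DNS latency triage (added example, not from the thread or Pi-hole).
# Addresses assumed from the thread: Pi-hole 192.168.1.253:53,
# cloudflared DoH proxy 127.0.0.1:5053, public resolver 8.8.8.8:53.

# Print the "Query time" value (msec) from dig output read on stdin.
query_time_ms() {
    awk -F': ' '/^;; Query time:/ { sub(/ msec.*/, "", $2); print $2; exit }'
}

# Live probe of one hop; needs dig and network. Prints msec, or nothing on failure.
dig_hop_ms() {  # $1 = server, $2 = port, $3 = name
    dig +tries=1 +time=5 "@$1" -p "$2" "$3" 2>/dev/null | query_time_ms
}

# Input lines "label ms"; print the first label whose latency exceeds $1 msec.
# An empty ms field (failed probe) counts as 0, so check for blanks separately.
first_slow_hop() {
    awk -v limit="$1" '$2 + 0 > limit + 0 { print $1; exit }'
}

# Constructed dig excerpts mirroring the numbers reported in the thread.
SAMPLE_PIHOLE=';; Query time: 6135 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)'
SAMPLE_PROXY=';; Query time: 6 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)'
SAMPLE_PUBLIC=';; Query time: 4 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)'

# Offline triage over the samples: prints the first hop slower than 1000 ms.
triage_samples() {
    {
        printf 'pihole %s\n'    "$(printf '%s\n' "$SAMPLE_PIHOLE" | query_time_ms)"
        printf 'doh_proxy %s\n' "$(printf '%s\n' "$SAMPLE_PROXY"  | query_time_ms)"
        printf 'public %s\n'    "$(printf '%s\n' "$SAMPLE_PUBLIC" | query_time_ms)"
    } | first_slow_hop 1000
}

# Live triage: query each hop in turn for the name given as $1.
triage_live() {
    {
        printf 'pihole %s\n'    "$(dig_hop_ms 192.168.1.253 53   "$1")"
        printf 'doh_proxy %s\n' "$(dig_hop_ms 127.0.0.1     5053 "$1")"
        printf 'public %s\n'    "$(dig_hop_ms 8.8.8.8       53   "$1")"
    } | first_slow_hop 1000
}

# A slow "pihole" with a fast "doh_proxy" points at Pi-hole itself or the
# client-to-Pi-hole path (e.g. the router), not at the encrypted upstream.
if [ "${1:-}" = live ]; then triage_live "${2:-reddit.com}"; else triage_samples; fi
```

With the thread's numbers the offline run prints `pihole`: the upstream proxy answers in single-digit milliseconds, so the six seconds are spent before the query reaches cloudflared.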

I'm investigating this in parallel with the people on the Ubiquiti discord and I discovered I may have inadvertently created a DNS loop of sorts.

On my Unifi UDM Pro I had set the pihole as DNS in two separate places:

Settings -> Network -> WAN -> DNS Server
and
Settings -> Network -> LAN -> DHCP Name Server

The solution seems to be to set your pi-hole only in the LAN section, and set your WAN DNS directly to 1.1.1.1 (or your choice).

So far so good; waiting to see if this fixes everything as settings propagate, but so far so good:

➜  ~ time dig reddit.com

; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> reddit.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18625
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;reddit.com.                    IN      A

;; ANSWER SECTION:
reddit.com.             131     IN      A       151.101.193.140
reddit.com.             131     IN      A       151.101.65.140
reddit.com.             131     IN      A       151.101.129.140
reddit.com.             131     IN      A       151.101.1.140

;; Query time: 0 msec
;; SERVER: 192.168.1.253#53(192.168.1.253)
;; WHEN: Wed Apr 22 11:09:14 EDT 2020
;; MSG SIZE  rcvd: 103

dig reddit.com  0.02s user 0.02s system 47% cpu 0.066 total

OK. Let us know if the changes don't resolve the problem. We can do some more Pi-hole digging.

Your router will query Pi-hole (as per WAN) and your clients will query Pi-hole (as per DHCP) for DNS.

That doesn't constitute a loop yet.

To close a loop, your Pi-hole would have to be configured to use your router (or one of your clients) as its only upstream DNS server.

With such a closed DNS loop, you'd observe time-outs rather than slow resolution speeds, as a DNS lookup would never be able to finish.

That's what I thought when I set it up! That the pi-hole would always reach out to cloudflare no matter what.

Unfortunately in my attempts to resolve this issue I may have changed other settings and with the delay in settings propagating I may be falsely attributing resolving this to the wrong change.

I'll be sure to keep an eye out and continuously monitor DNS query times for this problem to show its ugly head again.

Hi,

I don't know if I am late here, but I am using my UniFi Dream Machine Pro with a Pi-hole installation.

I set the IP for my Raspberry Pi on both the LAN and WAN settings, as the only DNS server, as I found that if I only defined it in the LAN section, clients would still use the WAN automatic DNS server.

I am getting regular lookup times, see below for reddit.

; <<>> DiG 9.10.6 <<>> reddit.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28864
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;reddit.com.			IN	A

;; ANSWER SECTION:
reddit.com.		16	IN	A	151.101.129.140
reddit.com.		16	IN	A	151.101.1.140
reddit.com.		16	IN	A	151.101.65.140
reddit.com.		16	IN	A	151.101.193.140

;; Query time: 2 msec
;; SERVER: 192.168.1.45#53(192.168.1.45)
;; WHEN: Wed Jul 22 18:41:53 WEST 2020
;; MSG SIZE  rcvd: 103

And for pi-hole.net

; <<>> DiG 9.10.6 <<>> pi-hole.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64868
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;pi-hole.net.			IN	A

;; ANSWER SECTION:
pi-hole.net.		3599	IN	A	192.124.249.118

;; Query time: 50 msec
;; SERVER: 192.168.1.45#53(192.168.1.45)
;; WHEN: Wed Jul 22 18:42:24 WEST 2020
;; MSG SIZE  rcvd: 56