Slow DNS queries

Expected behavior:

DNS server performs queries within an acceptable timeframe.

Pihole running on the hardware and operating system below.

  • Operating system: Debian 12 Bookworm
  • Hardware: Raspberry Pi 4B
  • IP: 192.168.1.105

I have a server Debian on this network running a Samba Active Directory Domain with IP 192.168.1.55. This Samba DNS configuration forwards DNS requests to the internet to the Raspberry Pi.

Clients on my LAN receive DNS servers from the router's DHCP server IP 192.168.1.1: 192.168.1.55 (samba ad-dc) and 192.168.1.105 (pihole).

Actual behavior:

DNS queries take a long time because pages return "no connection," but after several queries, the page loads.
This behavior occurs with any public website.

Replacing pihole's DNS with another public DNS server resolves the issue.

Debug token:

Following token:

https://tricorder.pi-hole.net/6cgkOHDr/
1. Total number of queries:
root@mydns /home/jjsantos
# pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(*) FROM queries \
WHERE timestamp > strftime('%s','now','-7 days');"
7960843
2. Number of queries with long reply times over a second:
root@mydns /home/jjsantos
# pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(*) FROM queries \
WHERE reply_time > 1 AND timestamp > strftime('%s','now','-7 days');"
90
3. Top 10 most frequently requested domains with long reply times:
root@mydns /home/jjsantos
# pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(domain), domain, round(avg(reply_time),2) FROM queries \
WHERE reply_time > 1 AND timestamp > strftime('%s','now','-7 days') \
GROUP BY domain ORDER BY 1 DESC LIMIT 10;"
5|errortracking.deepl.com|16.48
4|p77-sign-va.tiktokcdn.com|5.68
4|github.com|14.9
4|187.44.135.106|25.55
3|webcast.tiktok.com|5.61
3|nrdp.prod.cloud.netflix.com|6.6
3|cdn-0.nflximg.com|8.03
3|bag.itunes.apple.com|14.54
3|10.72.47.132|27.53
2|uiboot.netflix.com|21.06
4. The overall average reply time for the last week?
root@mydns /home/jjsantos
# pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(*), round(avg(reply_time*1000),1) FROM queries \
WHERE timestamp > strftime('%s','now','-7 days');"
7964235|0.6
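
As an added worked example (not from this thread or the Pi-hole project), the same four checks as a Python script against an in-memory SQLite table that mimics the columns the SQL above touches in pihole-FTL.db (timestamp in Unix seconds, reply_time in seconds, domain, plus client; this is an assumed subset of the real schema), filled with constructed rows. It also works out the share of slow answers and a per-client breakdown, which shows when one address (a forwarder in front of Pi-hole) accounts for nearly all traffic. The thread's SQL derives the cutoff with strftime('%s','now','-7 days'); here it is a bound parameter so the result is reproducible. Pass `sqlite3.connect("/etc/pihole/pihole-FTL.db")` to `slow_query_report` to run it on a real log.

```python
import sqlite3
import time

# Assumed subset of the "queries" table in pihole-FTL.db: the columns the
# thread's SQL uses (timestamp = Unix seconds, reply_time = seconds) plus
# client. The real table has more columns, which are omitted here.
SCHEMA = """
CREATE TABLE queries (
    id         INTEGER PRIMARY KEY,
    timestamp  INTEGER NOT NULL,
    domain     TEXT    NOT NULL,
    client     TEXT    NOT NULL,
    reply_time REAL
);
"""


def build_sample_db(now):
    """In-memory database filled with constructed rows (not real log data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = []
    # 100 fast answers (0.5 ms) spread over the last ~100 minutes, all seen
    # from one address: the pattern a forwarder in front of Pi-hole produces
    for i in range(100):
        rows.append((now - i * 60, "fast.example", "192.168.1.55", 0.0005))
    # three slow answers inside the window, two of them for the same name
    rows.append((now - 10, "slow.example", "192.168.1.55", 2.5))
    rows.append((now - 20, "slow.example", "192.168.1.55", 1.5))
    rows.append((now - 30, "other-slow.example", "192.168.1.20", 4.0))
    # one slow answer older than 7 days, which the window must exclude
    rows.append((now - 8 * 86400, "old.example", "192.168.1.20", 9.0))
    conn.executemany(
        "INSERT INTO queries(timestamp, domain, client, reply_time) VALUES (?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def slow_query_report(conn, now, days=7, threshold_s=1.0, top=10):
    """The thread's four queries over one window, returned as a dict."""
    cutoff = now - days * 86400
    total = conn.execute(
        "SELECT count(*) FROM queries WHERE timestamp > ?", (cutoff,)
    ).fetchone()[0]
    slow = conn.execute(
        "SELECT count(*) FROM queries WHERE reply_time > ? AND timestamp > ?",
        (threshold_s, cutoff),
    ).fetchone()[0]
    top_domains = conn.execute(
        "SELECT count(domain), domain, round(avg(reply_time), 2) FROM queries "
        "WHERE reply_time > ? AND timestamp > ? "
        "GROUP BY domain ORDER BY 1 DESC, domain LIMIT ?",
        (threshold_s, cutoff, top),
    ).fetchall()
    avg_ms = conn.execute(
        "SELECT round(avg(reply_time * 1000), 1) FROM queries WHERE timestamp > ?",
        (cutoff,),
    ).fetchone()[0]
    return {
        "total": total,
        "slow": slow,
        # share of answers slower than the threshold (the reply's 90 / 7,960,843)
        "slow_pct": round(100.0 * slow / total, 4) if total else 0.0,
        "top_slow_domains": top_domains,
        "avg_reply_ms": avg_ms,
    }


def client_share(conn, now, days=7):
    """Queries per source address with their percentage of the window's total.

    One address carrying almost everything means Pi-hole sees a forwarder
    (here the samba AD) rather than the real clients, which matters for
    per-client rate limiting.
    """
    cutoff = now - days * 86400
    rows = conn.execute(
        "SELECT client, count(*) FROM queries WHERE timestamp > ? "
        "GROUP BY client ORDER BY 2 DESC",
        (cutoff,),
    ).fetchall()
    total = sum(n for _, n in rows)
    return [(client, n, round(100.0 * n / total, 1)) for client, n in rows]


if __name__ == "__main__":
    now = int(time.time())
    db = build_sample_db(now)
    print(slow_query_report(db, now))
    print(client_share(db, now))
```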

This is not ideal.

Devices will query one or the other of these at their own option.

There are several ways this could go, and neither is great:

  1. samba ad-dc will forward the queries it can't answer upstream, bypassing your pihole (not happening from your description)

or

  2. samba ad-dc will not give the answer to domains it doesn't know, and your queries will time out

From what you describe, #2 is the likely scenario.

Then when you retry, the device may choose the other server available to it (your pi-hole), which returns the answer, and the page loads.


Your SQL results wouldn't support that slow DNS responses would be your issue.
During the last week, your Pi-hole served only 90 out of 7,960,843 total requests in over a second - that's only 0.001%.

Instead, your DNS resolution chain seems to be causing your observations.

A client may send a DNS request to any of those, so a given DNS request may take one of two routes:
a) client → samba AD → Pi-hole → public DNS
b) client → Pi-hole → public DNS

It's obvious that clients using b) won't be able to resolve local names defined by your samba AD.
This may explain your observation as far as locally hosted content is concerned: It would cause failures to access locally hosted websites, until a client would opt to send a consecutive DNS request via a).

For clients using a), you should be aware that your samba AD aggregates traffic for all your network.
At roughly 8 million DNS requests per week, it's highly likely that your samba AD would trigger Pi-hole's rate limit at times, which would result in REFUSED replies for your samba AD, until the rate limit would cool off - and this would affect all clients using a).
This may explain your observation as far as public DNS servers are involved.

Instead of trying to lift Pi-hole's rate limit, you should consider rearranging your DNS resolution chain:
Have your router's DHCP server distribute Pi-hole as sole DNS server, point your Pi-hole to use your samba AD as its sole upstream, and point your samba AD to public upstreams, i.e.
client → Pi-hole → samba AD → public DNS

That way, Pi-hole would filter blocked domains as fast as possible, local hostnames would be provided by your samba AD (and cached by Pi-hole, respecting their TTL), and your AD would retrieve public replies (again to be cached by Pi-hole).
As clients are talking directly to Pi-hole, they are far less likely to trigger a rate limit. In case a single client would misbehave and send excessive amounts of requests, it would still be rate limited, but that would then only affect that one client.

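
The rate-limit effect described in the reply above, as an added example that is neither this thread's nor Pi-hole's code: a per-client fixed-window counter stands in for Pi-hole FTL's limiter, set to what I understand to be FTL's default of 1000 queries per 60 seconds per client (check the rate-limit setting in your own FTL configuration). The same constructed burst of traffic is fed to it twice, once as Pi-hole sees it behind the samba AD (every query arrives from 192.168.1.55) and once with clients talking to Pi-hole directly, and a third run adds one misbehaving client to the direct chain. The tallies show why the aggregated route collects REFUSED replies for everyone while the direct chain confines the limit to the noisy client.

```python
from collections import defaultdict

# Assumed FTL defaults for the per-client rate limit (1000 queries per 60 s);
# verify against the rate-limit setting in your own FTL configuration.
RATE_LIMIT_COUNT = 1000
RATE_LIMIT_INTERVAL_S = 60

FORWARDER_IP = "192.168.1.55"  # the samba AD-DC from the thread


class RateLimiter:
    """Simplified per-client fixed-window limiter (a model, not FTL's code)."""

    def __init__(self, count=RATE_LIMIT_COUNT, interval=RATE_LIMIT_INTERVAL_S):
        self.count = count
        self.interval = interval
        self.windows = {}  # client -> (window_start, queries_in_window)

    def check(self, client, t):
        start, n = self.windows.get(client, (t, 0))
        if t - start >= self.interval:  # window expired: counter resets
            start, n = t, 0
        n += 1
        self.windows[client] = (start, n)
        return "REFUSED" if n > self.count else "OK"


def constructed_burst(n_clients, per_client, duration=60.0, first_octet=100):
    """Constructed traffic as (time, client_ip) pairs: each client sends
    per_client queries evenly spread over `duration` seconds."""
    queries = []
    for c in range(n_clients):
        ip = f"192.168.1.{first_octet + c}"
        queries.extend((i * duration / per_client, ip) for i in range(per_client))
    return queries


def as_seen_behind_forwarder(queries, forwarder_ip=FORWARDER_IP):
    """Route a): every query reaches Pi-hole from the forwarder's address."""
    return [(t, forwarder_ip) for t, _ in queries]


def serve(queries, limiter=None):
    """Run queries through the limiter in time order; tally per source IP."""
    limiter = limiter or RateLimiter()
    tally = defaultdict(lambda: {"OK": 0, "REFUSED": 0})
    for t, src in sorted(queries):
        tally[src][limiter.check(src, t)] += 1
    return dict(tally)


def refused_total(tally):
    return sum(v["REFUSED"] for v in tally.values())


def compare_chains(n_clients=20, per_client=100):
    """Same traffic, two topologies: clients direct vs. behind one forwarder."""
    traffic = constructed_burst(n_clients, per_client)
    direct = serve(traffic)
    behind = serve(as_seen_behind_forwarder(traffic))
    return {
        "direct_refused": refused_total(direct),
        "forwarder_refused": refused_total(behind),
        "forwarder_tally": behind[FORWARDER_IP],
    }


def noisy_client_direct(n_quiet=19, quiet_rate=100, noisy_rate=1500):
    """Direct chain with one misbehaving client: only that client is limited."""
    traffic = constructed_burst(n_quiet, quiet_rate)
    traffic += constructed_burst(1, noisy_rate, first_octet=200)
    tally = serve(traffic)
    noisy_ip = "192.168.1.200"
    return {
        "noisy_refused": tally[noisy_ip]["REFUSED"],
        "others_refused": refused_total({k: v for k, v in tally.items() if k != noisy_ip}),
    }


if __name__ == "__main__":
    print(compare_chains())
    print(noisy_client_direct())
```

With 20 clients sending 100 queries each in one minute, no client comes near the limit directly, but the forwarder presents all 2000 as one source and half of them are refused; every client behind it sees those failures.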

The suggested changes were made.

Current scope...
Router 192.168.1.1 (DHCP server)
Samba AD-DC 192.168.1.55 (DNS upstream of Pi-Hole)
Pi-Hole 192.168.1.105 (only distributed DNS server on the network)

Query results after the changes.

1. Total number of queries:
root@mydns /home/jjsantos
# pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(*) FROM queries \
WHERE timestamp > strftime('%s','now','-3 days');"
2243278
2. Number of queries with long reply times over a second:
root@mydns /home/jjsantos
# pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(*) FROM queries \
WHERE reply_time > 1 AND timestamp > strftime('%s','now','-3 days');"
682
3. Top 10 most frequently requested domains with long reply times:
root@mydns /home/jjsantos
# pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(domain), domain, round(avg(reply_time),2) FROM queries \
WHERE reply_time > 1 AND timestamp > strftime('%s','now','-3 days') \
GROUP BY domain ORDER BY 1 DESC LIMIT 10;"
11|gue1-spclient.spotify.com|5.02
8|spclient.wg.spotify.com|7.78
8|h.jsuol.com.br|11.83
6|newassets.hcaptcha.com|5.05
5|push.prod.netflix.com|3.75
4|vlibras.gov.br|5.08
4|trinitymedia.ai|8.1
4|translate.google.com|10.11
4|teams.live.com|2.19
4|tags.globo.com|6.09
4. The overall average reply time for the last week?
root@mydns /home/jjsantos
# pihole-FTL sqlite3 /etc/pihole/pihole-FTL.db "SELECT count(*), round(avg(reply_time*1000),1) FROM queries \
WHERE timestamp > strftime('%s','now','-3 days');"
2241816|3.0
Nslookup pihole
root@mydns /home/jjsantos
# nslookup google.com.br
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	google.com.br
Address: 142.250.219.195
Name:	google.com.br
Address: 2800:3f0:4001:808::2003
Resolv.conf pihole
root@mydns /home/jjsantos
# cat /etc/resolv.conf
# Generated by resolvconf
nameserver 127.0.0.1
root@mydns /home/jjsantos
DNS query of a pihole lan client
7502/15677MB	0.38 0.42 0.45 1/1475 676475
[154539:154528 0:1391] 10:19:18 Thu Jul 31 [root@jjsantos: +2] /home/jjsantos 
(2:1391)# nslookup tricorder.pi-hole.net
;; communications error to 192.168.1.105#53: timed out
Server:		192.168.1.105
Address:	192.168.1.105#53

Non-authoritative answer:
tricorder.pi-hole.net	canonical name = docker-2-ny1.pi-hole.net.
Name:	docker-2-ny1.pi-hole.net
Address: 164.90.255.4
DNS query of a samba-ad-dc
1435/7940MB	0.13 0.19 0.18 1/366 4064950
[4032260:4031611 0:1997] 10:25:48 Thu Jul 31 [root@jjsdc:/dev/pts/0 +2] /home/jjsantos 
(2:1997)# nslookup google.com.br
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
Name:	google.com.br
Address: 142.250.219.195
Name:	google.com.br
Address: 2800:3f0:4001:808::2003

1439/7940MB	0.12 0.19 0.18 1/366 4064964
[4032260:4031611 0:1997] 10:25:51 Thu Jul 31 [root@jjsdc:/dev/pts/0 +2] /home/jjsantos 
(2:1997)# nslookup tricorder.pi-hole.net
Server:		127.0.0.1
Address:	127.0.0.1#53

Non-authoritative answer:
tricorder.pi-hole.net	canonical name = docker-2-ny1.pi-hole.net.
Name:	docker-2-ny1.pi-hole.net
Address: 164.90.255.4
New following token:
https://tricorder.pi-hole.net/OfQE6p4j/

Solved. After changing the DNS in pihole's resolv.conf file to the samba-ad-dc IP, queries now work normally, with very low response times, using the pihole cache and block list.

root@mydns /home/jjsantos
# cat /etc/resolv.conf
# Generated by resolvconf
#nameserver 127.0.0.1
nameserver 192.168.1.55
New following token:
https://tricorder.pi-hole.net/ObOTlSMJ/

Before changing resolv.conf, it pointed to pihole's localhost, so queries would often time out and return the error below.

DNS_PROBE_FINISHED_BAD_CONFIG
DNS_PROBE_STARTED