SSL-secured JavaScript slow

Expected Behaviour:

HTTPS request should be blocked by firewall rule

Actual Behaviour:

Connection to heise.de is very slow.
I selected one of the blocked pages, which is https://static.chartbeat.com/js/chartbeat_video.js
When I open this in Firefox I get a timeout after 2 to 4 s.
Without SSL, I get the proper Pi-hole script reply from the server.
I understand that this is not possible for SSL due to the certificate check.
I have already read a lot of similar forum entries without finding any solution.
I also already added the ip(6)tables rules to block SSL traffic on port 443 as described here (Why do some sites take forever to load when using Pi-hole? (for versions < v4.0) - Point 2)

To exclude any IPv6 issue, I switched IPv6 off on the client's side (Win 10).
The iptables output:

pi@raspberrypi:~ $ sudo iptables -nvL
Chain INPUT (policy ACCEPT 6725 packets, 4550K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1238 73924 fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:80 reject-with icmp-port-unreachable
  277 14740 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 reject-with tcp-reset
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:443 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5923 packets, 564K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1238 73924 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0

How can I speed up the connection reset for HTTPS?

Thanks a lot in advance
holunder

Debug Token:

s2kaszwavd

Open the dev tools and check the network request's timing tab. Take a screenshot of the timing. Is most of the time spent in DNS?

Thanks for your answer.
Please find a screenshot attached.

One second was caused by some local process blocking the request, and the other second was actually resolving the domain. Check the query log to see if it also says the query took one second.

I flushed the log (pihole -l off).
Then I started logging (pihole -l on).
Then I refreshed the Firefox page with emptied cache.
Finally I switched off logging (pihole -l off).

The logfile:
Jul 18 18:40:46 dnsmasq[29265]: exiting on receipt of SIGTERM
Jul 18 18:40:47 dnsmasq[29513]: started, version 2.76 cachesize 10000
Jul 18 18:40:47 dnsmasq[29513]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
Jul 18 18:40:47 dnsmasq[29513]: warning: ignoring resolv-file flag because no-resolv is set
Jul 18 18:40:47 dnsmasq[29513]: using nameserver 2606:4700:4700::1111#53
Jul 18 18:40:47 dnsmasq[29513]: using nameserver 1.1.1.1#53
Jul 18 18:40:47 dnsmasq[29513]: using nameserver 2001:4860:4860::8888#53
Jul 18 18:40:47 dnsmasq[29513]: using nameserver 8.8.8.8#53
Jul 18 18:40:47 dnsmasq[29513]: read /etc/hosts - 6 addresses
Jul 18 18:40:47 dnsmasq[29513]: read /etc/pihole/local.list - 4 addresses
Jul 18 18:40:47 dnsmasq[29513]: read /etc/pihole/black.list - 24 addresses
Jul 18 18:40:56 dnsmasq[29513]: read /etc/pihole/gravity.list - 263646 addresses
Jul 18 18:40:56 dnsmasq[29513]: exiting on receipt of SIGTERM
Jul 18 18:40:56 dnsmasq[29623]: started, version 2.76 cachesize 10000
Jul 18 18:40:56 dnsmasq[29623]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
Jul 18 18:40:56 dnsmasq[29623]: warning: ignoring resolv-file flag because no-resolv is set
Jul 18 18:40:56 dnsmasq[29623]: using nameserver 2606:4700:4700::1111#53
Jul 18 18:40:56 dnsmasq[29623]: using nameserver 1.1.1.1#53
Jul 18 18:40:56 dnsmasq[29623]: using nameserver 2001:4860:4860::8888#53
Jul 18 18:40:56 dnsmasq[29623]: using nameserver 8.8.8.8#53
Jul 18 18:40:56 dnsmasq[29623]: read /etc/hosts - 6 addresses
Jul 18 18:40:56 dnsmasq[29623]: read /etc/pihole/local.list - 4 addresses
Jul 18 18:40:56 dnsmasq[29623]: read /etc/pihole/black.list - 24 addresses
Jul 18 18:41:05 dnsmasq[29623]: read /etc/pihole/gravity.list - 263646 addresses
Jul 18 18:41:05 dnsmasq[29623]: 1 192.168.21.25/61983 query[A] static.chartbeat.com from 192.168.21.25
Jul 18 18:41:05 dnsmasq[29623]: 1 192.168.21.25/61983 /etc/pihole/black.list static.chartbeat.com is 192.168.21.26
Jul 18 18:41:05 dnsmasq[29623]: 2 192.168.21.25/61983 query[A] static.chartbeat.com from 192.168.21.25
Jul 18 18:41:05 dnsmasq[29623]: 2 192.168.21.25/61983 /etc/pihole/black.list static.chartbeat.com is 192.168.21.26
Jul 18 18:41:05 dnsmasq[29623]: 3 192.168.21.25/61983 query[A] static.chartbeat.com from 192.168.21.25
Jul 18 18:41:05 dnsmasq[29623]: 3 192.168.21.25/61983 /etc/pihole/black.list static.chartbeat.com is 192.168.21.26
Jul 18 18:41:05 dnsmasq[29623]: 4 192.168.21.25/61983 query[A] static.chartbeat.com from 192.168.21.25
Jul 18 18:41:05 dnsmasq[29623]: 4 192.168.21.25/61983 /etc/pihole/black.list static.chartbeat.com is 192.168.21.26
Jul 18 18:41:05 dnsmasq[29623]: 5 192.168.21.25/54463 query[A] static.chartbeat.com from 192.168.21.25
Jul 18 18:41:05 dnsmasq[29623]: 5 192.168.21.25/54463 /etc/pihole/black.list static.chartbeat.com is 192.168.21.26
Jul 18 18:41:05 dnsmasq[29623]: 6 192.168.21.25/52996 query[AAAA] static.chartbeat.com from 192.168.21.25
Jul 18 18:41:05 dnsmasq[29623]: 6 192.168.21.25/52996 /etc/pihole/black.list static.chartbeat.com is fd00::c6a5:7758:9544:4ab1
Jul 18 18:41:08 dnsmasq[29623]: exiting on receipt of SIGTERM
Jul 18 18:41:09 dnsmasq[29747]: started, version 2.76 cachesize 10000
Jul 18 18:41:09 dnsmasq[29747]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth DNSSEC loop-detect inotify
Jul 18 18:41:09 dnsmasq[29747]: warning: ignoring resolv-file flag because no-resolv is set
Jul 18 18:41:09 dnsmasq[29747]: using nameserver 2606:4700:4700::1111#53
Jul 18 18:41:09 dnsmasq[29747]: using nameserver 1.1.1.1#53
Jul 18 18:41:09 dnsmasq[29747]: using nameserver 2001:4860:4860::8888#53
Jul 18 18:41:09 dnsmasq[29747]: using nameserver 8.8.8.8#53
Jul 18 18:41:09 dnsmasq[29747]: read /etc/hosts - 6 addresses
Jul 18 18:41:09 dnsmasq[29747]: read /etc/pihole/local.list - 4 addresses
Jul 18 18:41:09 dnsmasq[29747]: read /etc/pihole/black.list - 24 addresses
Jul 18 18:41:18 dnsmasq[29747]: read /etc/pihole/gravity.list - 263646 addresses

Firefox measures 4000 ms for DNS blocked and again the exact same duration for DNS resolve. Consequently, the overall time needed is 8 s.

I wonder why there is more than one DNS request.

Thanks for your support!

Dnsmasq handled all of the queries within a second, so it is not slow at the resolver. Perhaps you have a network connectivity issue between your device and Pi-hole?
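To check the reply's claim against the log rather than by eye, here is an added example (not from the thread or from Pi-hole) that pairs each dnsmasq query line with its reply by query id and client port, as Pi-hole's log-queries=extra format allows, and reports how long the resolver took. The sample log is constructed in the thread's format; its 4-second AAAA answer is invented to show what a genuinely slow reply would look like.

```python
import re
from datetime import datetime

# Constructed sample in the format of the thread's dnsmasq log (log-queries=extra);
# the 4-second AAAA reply is invented to show what a slow answer would look like.
SAMPLE_LOG = """\
Jul 18 18:41:05 dnsmasq[29623]: 1 192.168.21.25/61983 query[A] static.chartbeat.com from 192.168.21.25
Jul 18 18:41:05 dnsmasq[29623]: 1 192.168.21.25/61983 /etc/pihole/black.list static.chartbeat.com is 192.168.21.26
Jul 18 18:41:05 dnsmasq[29623]: 6 192.168.21.25/52996 query[AAAA] static.chartbeat.com from 192.168.21.25
Jul 18 18:41:09 dnsmasq[29623]: 6 192.168.21.25/52996 /etc/pihole/black.list static.chartbeat.com is fd00::c6a5:7758:9544:4ab1
Jul 18 18:41:09 dnsmasq[29623]: read /etc/pihole/gravity.list - 263646 addresses
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"(?P<id>\d+) (?P<client>\S+) (?P<rest>.*)$"
)
QUERY_RE = re.compile(r"^query\[(?P<qtype>\w+)\] (?P<name>\S+) from \S+$")
# Matches both local answers ("/etc/pihole/black.list X is Y") and "reply X is Y".
REPLY_RE = re.compile(r"^(?P<source>\S+) (?P<name>\S+) is (?P<answer>\S+)$")


def _parse_ts(text):
    # Syslog timestamps carry no year; only differences are used, so 1900 is fine.
    return datetime.strptime(text, "%b %d %H:%M:%S")


def query_latencies(log_text):
    """Pair each query with its first reply (same dnsmasq id and client:port)
    and return one record per answered query, in the order replies appear."""
    pending, results = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # startup and list-loading lines carry no query id
        key = (m["id"], m["client"])
        q = QUERY_RE.match(m["rest"])
        if q:
            pending[key] = {"id": m["id"], "client": m["client"], "qtype": q["qtype"],
                            "name": q["name"], "asked": _parse_ts(m["ts"])}
            continue
        r = REPLY_RE.match(m["rest"])
        if r and key in pending:
            rec = pending.pop(key)
            rec.update(source=r["source"], answer=r["answer"],
                       seconds=(_parse_ts(m["ts"]) - rec["asked"]).total_seconds())
            results.append(rec)
    return results


def slow_queries(log_text, threshold_s=1.0):
    """Queries answered later than threshold_s after they were asked; a name
    served from black.list should never show up here."""
    return [r for r in query_latencies(log_text) if r["seconds"] > threshold_s]
```

Run it over /var/log/pihole.log from a capture like the one above; if every blocked name is answered in the same second it was asked, the delay Firefox reports is not spent in the resolver.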
