IPv6 resolvers

Hi Nanog, Owen,

I was wondering if many people are seeing horrendous latency on the free Hurricane Electric resolvers?

Both the v4 and v6 resolvers have horrendous latency. This could well be coupled to their free nature and popularity.

So far when contacting Hurricane Electric they restart the resolver on their end and all is well again, but now other pfSense users in the US were noticing these latency issues as well, leading me to believe it is a larger issue.

But I was wondering if a more permanent solution for these resolvers exists.

74.82.42.42 2373 msec
2001:470:20::2 2592 msec

The Google DNS server I'm using is doing swimmingly so far, OpenDNS seems ok too.
2001:4860:4860::8844 16 msec

Kind regards,

Seth Mos

Hi!

> But I was wondering if a more permanent solution for these resolvers exists.
>
> 74.82.42.42 2373 msec
> 2001:470:20::2 2592 msec
>
> The Google DNS server I'm using is doing swimmingly so far, OpenDNS seems ok too.
> 2001:4860:4860::8844 16 msec

[root@ipv6proxy ~]# ping 74.82.42.42
PING 74.82.42.42 (74.82.42.42) 56(84) bytes of data.
64 bytes from 74.82.42.42: icmp_seq=1 ttl=61 time=0.664 ms
64 bytes from 74.82.42.42: icmp_seq=2 ttl=61 time=0.640 ms
64 bytes from 74.82.42.42: icmp_seq=3 ttl=61 time=0.551 ms
64 bytes from 74.82.42.42: icmp_seq=4 ttl=61 time=0.614 ms

[root@ipv6proxy ~]# ping6 2001:470:20::2
PING 2001:470:20::2(2001:470:20::2) 56 data bytes
64 bytes from 2001:470:20::2: icmp_seq=1 ttl=61 time=0.488 ms
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=61 time=0.478 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=61 time=0.739 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=61 time=0.515 ms

Looks pretty normal here.

Bye,
Raymond.

> Hi Nanog, Owen,
>
> I was wondering if many people are seeing horrendous latency on the free Hurricane Electric resolvers?
>
> Both the v4 and v6 resolvers have horrendous latency. This could well be coupled to their free nature and popularity.
>
> So far when contacting Hurricane Electric they restart the resolver on their end and all is well again, but now other pfSense users in the US were noticing these latency issues as well, leading me to believe it is a larger issue.

err, are all pfsense people automatically configured to use HE's
servers? that seems sorta rude if so...

Looks fine to me:

(neodymium:15:27)% dig @74.82.42.42 cnn.com. A

; <<>> DiG 9.7.3 <<>> @74.82.42.42 cnn.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53277
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cnn.com. IN A

;; ANSWER SECTION:
cnn.com. 299 IN A 157.166.226.26
cnn.com. 299 IN A 157.166.255.19
cnn.com. 299 IN A 157.166.255.18
cnn.com. 299 IN A 157.166.226.25

;; Query time: 38 msec
;; SERVER: 74.82.42.42#53(74.82.42.42)
;; WHEN: Wed Jan 4 15:27:17 2012
;; MSG SIZE rcvd: 89

(neodymium:15:32)% dig @2001:470:20::2 cnn.com. A

; <<>> DiG 9.7.3 <<>> @2001:470:20::2 cnn.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41382
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cnn.com. IN A

;; ANSWER SECTION:
cnn.com. 295 IN A 157.166.226.25
cnn.com. 295 IN A 157.166.255.18
cnn.com. 295 IN A 157.166.255.19
cnn.com. 295 IN A 157.166.226.26

;; Query time: 20 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Wed Jan 4 15:32:27 2012
;; MSG SIZE rcvd: 89

That being said, keep in mind these are anycasted. I'm using
216.66.22.2 [tserv13.ash1.ipv6.he.net] for IPv4 and 209.51.161.14
[tserv4.nyc4.ipv6.he.net] according to the A record returned by
whoami.akamai.net. I might not be hitting the same server you are.

- Mark

Hi,

Just pointing out to others responding to this thread that I was referring to the *query* response times, I said nothing about ICMP which is perfectly fine.

So please stop responding with ping response times already :)

No, pfSense does not set these per default, they are in wide use because these are part of the Google DNS whitelist for V6 records.

> ;; ANSWER SECTION:
> cnn.com. 299 IN A 157.166.226.26
> cnn.com. 299 IN A 157.166.255.19
> cnn.com. 299 IN A 157.166.255.18
> cnn.com. 299 IN A 157.166.226.25

And a similar mistake I see others respond too as well, this is another domain with just an IPv4 record. That was not really what I was complaining about but I was not specific enough in my email.

When requesting the DNS for the hostname with a Quad A the story is entirely different!

Try www.pfsense.com or www.didi.nl

Those will definitely hit the issue, otherwise one can always use Nanog.org like below.

74.82.42.42 2204 msec
2001:4860:4860::8844 17 msec
2001:470:20::2 2890 msec
       
Best regards,

Seth

Hi!

> So please stop responding with ping response times already :)
>
> No, pfSense does not set these per default, they are in wide use because these are part of the Google DNS whitelist for V6 records.
>
> And a similar mistake I see others respond too as well, this is another domain with just an IPv4 record. That was not really what I was complaining about but I was not specific enough in my email.
>
> When requesting the DNS for the hostname with a Quad A the story is entirely different!
>
> Try www.pfsense.com or www.didi.nl

Tried those three for you and prolocation.net. All fine? This should not be on nanog I guess. Check with their support, or something :)

[root@ipv6proxy ~]# time host www.prolocation.net 2001:470:20::2
Using domain server:
Name: 2001:470:20::2
Address: 2001:470:20::2#53
Aliases:

www.prolocation.net has address 94.228.129.19
www.prolocation.net has IPv6 address 2a00:d00:ff:131:94:228:131:131

real 0m0.011s
user 0m0.001s
sys 0m0.008s
[root@ipv6proxy ~]#

[root@ipv6proxy ~]# time host pfsense.com 2001:470:20::2
Using domain server:
Name: 2001:470:20::2
Address: 2001:470:20::2#53
Aliases:

pfsense.com is an alias for pfsense.org.
pfsense.org has address 69.64.6.21
pfsense.org has IPv6 address 2605:8000:d:1::167
pfsense.org mail is handled by 10 mail.pfsense.org.

real 0m0.011s
user 0m0.001s
sys 0m0.007s

[root@ipv6proxy ~]# time host www.didi.nl 2001:470:20::2
Using domain server:
Name: 2001:470:20::2
Address: 2001:470:20::2#53
Aliases:

www.didi.nl has address 82.94.161.132
www.didi.nl has IPv6 address 2001:888:2087:33::132

real 0m0.523s
user 0m0.001s
sys 0m0.006s

Bye,
Raymond.

Still not seeing additional latency from here:

(neodymium:15:44)% dig @2001:470:20::2 www.didi.nl. AAAA

; <<>> DiG 9.7.3 <<>> @2001:470:20::2 www.didi.nl. AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33979
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.didi.nl. IN AAAA

;; ANSWER SECTION:
www.didi.nl. 3520 IN AAAA 2001:888:2087:33::132

;; Query time: 20 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Wed Jan 4 15:44:06 2012
;; MSG SIZE rcvd: 57

And if that is already cached, let's try something that should require a
fresh lookup:

(neodymium:15:44)% dig @2001:470:20::2 tengigabitethernet.com. AAAA

; <<>> DiG 9.7.3 <<>> @2001:470:20::2 tengigabitethernet.com. AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41662
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;tengigabitethernet.com. IN AAAA

;; ANSWER SECTION:
tengigabitethernet.com. 3600 IN AAAA 2001:48c8:1:104::e

;; Query time: 84 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Wed Jan 4 15:44:41 2012
;; MSG SIZE rcvd: 68

Again, not too bad..

- Mark

> And a similar mistake I see others respond too as well, this is
> another domain with just an IPv4 record. That was not really what I was
> complaining about but I was not specific enough in my email.
>
> When requesting the DNS for the hostname with a Quad A the story is
> entirely different!
>
> Try www.pfsense.com or www.didi.nl
>
> Still not seeing additional latency from here:

Try <random string>.pfsense.org (see below) to avoid caching, since the problem in question does not rely on the name existing. I am able to reproduce it roughly every 3rd random string I try, definitely not every time. I am unable to reproduce it with other domains so far, only pfsense.org and when it does occur I see a 1500-2200ms query time:

nova-dhcp-host111:~ ryan$ dig @ordns.he.net awegawregwaefg.pfsense.org

; <<>> DiG 9.6.0-APPLE-P2 <<>> @ordns.he.net awegawregwaefg.pfsense.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24807
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;awegawregwaefg.pfsense.org. IN A

;; AUTHORITY SECTION:
pfsense.org. 3600 IN SOA dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2012010200 10001 1801 604801 3601

;; Query time: 1695 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Wed Jan 4 18:34:17 2012
;; MSG SIZE rcvd: 117

nova-dhcp-host111:~ ryan$

Once upon a time, Ryan Rawdon <ryan@u13.net> said:

> Try <random string>.pfsense.org (see below) to avoid caching, since the problem in question does not rely on the name existing. I am able to reproduce it roughly every 3rd random string I try, definitely not every time. I am unable to reproduce it with other domains so far, only pfsense.org and when it does occur I see a 1500-2200ms query time:

This appears to be a problem with the authoritative servers for
pfsense.org. They are dns[1-5].registrar-servers.com (which each have
multiple IP addresses). If I try each IP, I get no response from
38.101.213.194 and 2+ second response time from 69.16.244.25. Both of
those IPs are listed for dns1.registrar-servers.com.

does pfsense need real dns hosting maybe?

I hear: http://puck.nether.net/dns ... works.
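
Added example, not code from anyone in this thread: the two checks discussed above (a random label under the zone to get past the resolver cache, then a timed query against each server address in turn) written with the Python standard library. The function names, the 1000 ms "slow" threshold and the 3 s timeout are assumptions; servers are given as IPv4 or IPv6 literals.

```python
import os
import socket
import struct
import time

QTYPE_A, QTYPE_AAAA = 1, 28

def random_name(zone):
    """Prepend a random label so a resolver cannot answer from its cache."""
    return os.urandom(8).hex() + "." + zone.strip(".")

def build_query(name, qtype=QTYPE_AAAA):
    """Return (query_id, packet) for a one-question query with RD set."""
    qid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return qid, header + qname + struct.pack("!HH", qtype, 1)

def probe(server, name, qtype=QTYPE_AAAA, port=53, timeout=3.0):
    """Time one UDP query; returns (elapsed_ms, rcode) or (None, None) on timeout."""
    qid, packet = build_query(name, qtype)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        start = time.monotonic()
        deadline = start + timeout
        sock.sendto(packet, (server, port))
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return None, None
            sock.settimeout(remaining)
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                return None, None
            # Ignore stray datagrams; accept only a reply carrying our query ID.
            if len(data) >= 12 and struct.unpack("!H", data[:2])[0] == qid:
                return (time.monotonic() - start) * 1000.0, data[3] & 0x0F

def classify(elapsed_ms, slow_ms=1000.0):
    """Bucket a timing the way the thread does: ok, slow, or no response."""
    if elapsed_ms is None:
        return "no response"
    return "slow" if elapsed_ms >= slow_ms else "ok"

def survey(servers, zone, **kwargs):
    """Probe each address with its own random name; returns {server: verdict}."""
    return {s: classify(probe(s, random_name(zone), **kwargs)[0]) for s in servers}
```

Run `survey()` once against the recursive resolver and once against every address of the zone's authoritative servers; an NXDOMAIN rcode (3) is the expected answer for a random label, so only the timing matters.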