Hi Nanog, Owen,
I was wondering if many people are seeing horrendous latency on the free Hurricane Electric resolvers?
Both accessing the v4 or v6 resolvers have horrendous latency. This could well be coupled to their free nature and popularity.
So far when contacting Hurricane Electric they restart the resolver on their end and all is well again, but now other pfSense users in the US were noticing these latency issues as well, leading me to believe it is a larger issue.
But I was wondering if a more permanent solution for these resolvers exist.
74.82.42.42 2373 msec
2001:470:20::2 2592 msec
The google DNS server I'm using is doing swimmingly so far, OpenDNS seems ok too.
2001:4860:4860::8844 16 msec
Kind regards,
Seth Mos
Hi!
But I was wondering if a more permanent solution for these resolvers exist.
74.82.42.42 2373 msec
2001:470:20::2 2592 msec
The google DNS server I'm using is doing swimmingly so far, OpenDNS seems ok too.
2001:4860:4860::8844 16 msec
[root@ipv6proxy ~]# ping 74.82.42.42
PING 74.82.42.42 (74.82.42.42) 56(84) bytes of data.
64 bytes from 74.82.42.42: icmp_seq=1 ttl=61 time=0.664 ms
64 bytes from 74.82.42.42: icmp_seq=2 ttl=61 time=0.640 ms
64 bytes from 74.82.42.42: icmp_seq=3 ttl=61 time=0.551 ms
64 bytes from 74.82.42.42: icmp_seq=4 ttl=61 time=0.614 ms
[root@ipv6proxy ~]# ping6 2001:470:20::2
PING 2001:470:20::2(2001:470:20::2) 56 data bytes
64 bytes from 2001:470:20::2: icmp_seq=1 ttl=61 time=0.488 ms
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=61 time=0.478 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=61 time=0.739 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=61 time=0.515 ms
Looks pretty normal here.
Bye, Raymond.
On Wed, Jan 4, 2012 at 3:00 PM, Seth Mos <seth.mos@dds.nl> wrote:
Hi Nanog, Owen,
I was wondering if many people are seeing horrendous latency on the free Hurricane Electric resolvers?
Both accessing the v4 or v6 resolvers have horrendous latency. This could well be coupled to their free nature and popularity.
So far when contacting Hurricane Electric they restart the resolver on their end and all is well again, but now other pfSense users in the US were noticing these latency issues as well, leading me to believe it is a larger issue.
err, are all pfsense people automatically configured to use he's servers? that seems sorta rude if so...
But I was wondering if a more permanent solution for these resolvers exist.
74.82.42.42 2373 msec
2001:470:20::2 2592 msec
The google DNS server I'm using is doing swimmingly so far, OpenDNS seems ok too.
2001:4860:4860::8844 16 msec
Kind regards,
Seth Mos
On Wed, Jan 04, 2012 at 09:00:26PM +0100, Seth Mos wrote:
I was wondering if many people are seeing horrendous latency on the free Hurricane Electric resolvers?
Looks fine to me:
(neodymium:15:27)% dig @74.82.42.42 cnn.com. A
; <<>> DiG 9.7.3 <<>> @74.82.42.42 cnn.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53277
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;cnn.com. IN A
;; ANSWER SECTION:
cnn.com. 299 IN A 157.166.226.26
cnn.com. 299 IN A 157.166.255.19
cnn.com. 299 IN A 157.166.255.18
cnn.com. 299 IN A 157.166.226.25
;; Query time: 38 msec
;; SERVER: 74.82.42.42#53(74.82.42.42)
;; WHEN: Wed Jan 4 15:27:17 2012
;; MSG SIZE rcvd: 89
(neodymium:15:32)% dig @2001:470:20::2 cnn.com. A
; <<>> DiG 9.7.3 <<>> @2001:470:20::2 cnn.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41382
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;cnn.com. IN A
;; ANSWER SECTION:
cnn.com. 295 IN A 157.166.226.25
cnn.com. 295 IN A 157.166.255.18
cnn.com. 295 IN A 157.166.255.19
cnn.com. 295 IN A 157.166.226.26
;; Query time: 20 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Wed Jan 4 15:32:27 2012
;; MSG SIZE rcvd: 89
That being said, keep in mind these are anycasted. I'm using 216.66.22.2 [tserv13.ash1.ipv6.he.net] for IPv4 and 209.51.161.14 [tserv4.nyc4.ipv6.he.net] according to the A record returned by whoami.akamai.net. I might not be hitting the same server you are.
- Mark
-- Mark Kamichoff prox@prolixium.com http://www.prolixium.com/
Hi,
Just pointing out to other responding to this thread that I was referring to the *query* response times, I said nothing about ICMP which is perfectly fine.
So please stop responding with ping response times already :-)
No, pfSense does not set these per default, they are in wide use because these are part of the Google DNS whitelist for V6 records.
On 4 Jan 2012, at 21:33, Mark Kamichoff wrote:
;; ANSWER SECTION:
cnn.com. 299 IN A 157.166.226.26
cnn.com. 299 IN A 157.166.255.19
cnn.com. 299 IN A 157.166.255.18
cnn.com. 299 IN A 157.166.226.25
And a similar mistake I see others respond too as well, this is another domain with just a IPv4 record. That was not really what I was complaining about but I was not specific enough in my email
When requesting the DNS for the hostname with a Quad A the story is entirely different!
Try www.pfsense.com or www.didi.nl
Those will definitely hit the issue, otherwise one can always use Nanog.org like below.
74.82.42.42 2204 msec
2001:4860:4860::8844 17 msec
2001:470:20::2 2890 msec
Best regards,
Seth
;; Query time: 38 msec
;; SERVER: 74.82.42.42#53(74.82.42.42)
;; WHEN: Wed Jan 4 15:27:17 2012
;; MSG SIZE rcvd: 89
(neodymium:15:32)% dig @2001:470:20::2 cnn.com. A
; <<>> DiG 9.7.3 <<>> @2001:470:20::2 cnn.com. A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41382
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;cnn.com. IN A
;; ANSWER SECTION:
cnn.com. 295 IN A 157.166.226.25
cnn.com. 295 IN A 157.166.255.18
cnn.com. 295 IN A 157.166.255.19
cnn.com. 295 IN A 157.166.226.26
;; Query time: 20 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Wed Jan 4 15:32:27 2012
;; MSG SIZE rcvd: 89
That being said, keep in mind these are anycasted. I'm using 216.66.22.2 [tserv13.ash1.ipv6.he.net] for IPv4 and 209.51.161.14 [tserv4.nyc4.ipv6.he.net] according to the A record returned by whoami.akamai.net. I might not be hitting the same server you are.
- Mark
-- Mark Kamichoff prox@prolixium.com http://www.prolixium.com/
Hi!
So please stop responding with ping response times already :-)
No, pfSense does not set these per default, they are in wide use because these are part of the Google DNS whitelist for V6 records.
And a similar mistake I see others respond too as well, this is another domain with just a IPv4 record. That was not really what I was complaining about but I was not specific enough in my email
When requesting the DNS for the hostname with a Quad A the story is entirely different!
Try www.pfsense.com or www.didi.nl
Tried those three for you and prolocation.net. All fine?
This should not be on nanog i guess. Check with their support, or something :-)
[root@ipv6proxy ~]# time host www.prolocation.net 2001:470:20::2
Using domain server:
Name: 2001:470:20::2
Address: 2001:470:20::2#53
Aliases:
www.prolocation.net has address 94.228.129.19
www.prolocation.net has IPv6 address 2a00:d00:ff:131:94:228:131:131
real 0m0.011s
user 0m0.001s
sys 0m0.008s
[root@ipv6proxy ~]#
[root@ipv6proxy ~]# time host pfsense.com 2001:470:20::2
Using domain server:
Name: 2001:470:20::2
Address: 2001:470:20::2#53
Aliases:
pfsense.com is an alias for pfsense.org.
pfsense.org has address 69.64.6.21
pfsense.org has IPv6 address 2605:8000:d:1::167
pfsense.org mail is handled by 10 mail.pfsense.org.
real 0m0.011s
user 0m0.001s
sys 0m0.007s
[root@ipv6proxy ~]# time host www.didi.nl 2001:470:20::2
Using domain server:
Name: 2001:470:20::2
Address: 2001:470:20::2#53
Aliases:
www.didi.nl has address 82.94.161.132
www.didi.nl has IPv6 address 2001:888:2087:33::132
real 0m0.523s
user 0m0.001s
sys 0m0.006s
Bye, Raymond.
On Wed, Jan 04, 2012 at 09:39:39PM +0100, Seth Mos wrote:
And a similar mistake I see others respond too as well, this is another domain with just a IPv4 record. That was not really what I was complaining about but I was not specific enough in my email
When requesting the DNS for the hostname with a Quad A the story is entirely different!
Try www.pfsense.com or www.didi.nl
Still not seeing additional latency from here:
(neodymium:15:44)% dig @2001:470:20::2 www.didi.nl. AAAA
; <<>> DiG 9.7.3 <<>> @2001:470:20::2 www.didi.nl. AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33979
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.didi.nl. IN AAAA
;; ANSWER SECTION:
www.didi.nl. 3520 IN AAAA 2001:888:2087:33::132
;; Query time: 20 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Wed Jan 4 15:44:06 2012
;; MSG SIZE rcvd: 57
And if that is already cached, let's try something that should require a fresh lookup:
(neodymium:15:44)% dig @2001:470:20::2 tengigabitethernet.com. AAAA
; <<>> DiG 9.7.3 <<>> @2001:470:20::2 tengigabitethernet.com. AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41662
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;tengigabitethernet.com. IN AAAA
;; ANSWER SECTION:
tengigabitethernet.com. 3600 IN AAAA 2001:48c8:1:104::e
;; Query time: 84 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Wed Jan 4 15:44:41 2012
;; MSG SIZE rcvd: 68
Again, not too bad..
- Mark
-- Mark Kamichoff prox@prolixium.com http://www.prolixium.com/
On Jan 4, 2012, at 3:46 PM, Mark Kamichoff wrote:
On Wed, Jan 04, 2012 at 09:39:39PM +0100, Seth Mos wrote:
And a similar mistake I see others respond too as well, this is another domain with just a IPv4 record. That was not really what I was complaining about but I was not specific enough in my email
When requesting the DNS for the hostname with a Quad A the story is entirely different!
Try www.pfsense.com or www.didi.nl
Still not seeing additional latency from here:
Try <random string>.pfsense.org (see below) to avoid caching, since the problem in question does not rely on the name existing. I am able to reproduce it roughly every 3rd random string I try, definitely not every time. I am unable to reproduce it with other domains so far, only pfsense.org and when it does occur I see a 1500-2200ms query time:
nova-dhcp-host111:~ ryan$ dig @ordns.he.net awegawregwaefg.pfsense.org
; <<>> DiG 9.6.0-APPLE-P2 <<>> @ordns.he.net awegawregwaefg.pfsense.org
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 24807
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;awegawregwaefg.pfsense.org. IN A
;; AUTHORITY SECTION:
pfsense.org. 3600 IN SOA dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2012010200 10001 1801 604801 3601
;; Query time: 1695 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Wed Jan 4 18:34:17 2012
;; MSG SIZE rcvd: 117
nova-dhcp-host111:~ ryan$
(neodymium:15:44)% dig @2001:470:20::2 www.didi.nl. AAAA
; <<>> DiG 9.7.3 <<>> @2001:470:20::2 www.didi.nl. AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33979
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.didi.nl. IN AAAA
;; ANSWER SECTION:
www.didi.nl. 3520 IN AAAA 2001:888:2087:33::132
;; Query time: 20 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Wed Jan 4 15:44:06 2012
;; MSG SIZE rcvd: 57
And if that is already cached, let's try something that should require a fresh lookup:
(neodymium:15:44)% dig @2001:470:20::2 tengigabitethernet.com. AAAA
; <<>> DiG 9.7.3 <<>> @2001:470:20::2 tengigabitethernet.com. AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41662
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;tengigabitethernet.com. IN AAAA
;; ANSWER SECTION:
tengigabitethernet.com. 3600 IN AAAA 2001:48c8:1:104::e
;; Query time: 84 msec
;; SERVER: 2001:470:20::2#53(2001:470:20::2)
;; WHEN: Wed Jan 4 15:44:41 2012
;; MSG SIZE rcvd: 68
Again, not too bad..
- Mark
-- Mark Kamichoff prox@prolixium.com http://www.prolixium.com/
Once upon a time, Ryan Rawdon <ryan@u13.net> said:
Try <random string>.pfsense.org (see below) to avoid caching, since the problem in question does not rely on the name existing. I am able to reproduce it roughly every 3rd random string I try, definitely not every time. I am unable to reproduce it with other domains so far, only pfsense.org and when it does occur I see a 1500-2200ms query time:
This appears to be a problem with the authoritative servers for pfsense.org. They are dns[1-5].registrar-servers.com (which each have multiple IP addresses). If I try each IP, I get no response from 38.101.213.194 and 2+ second response time from 69.16.244.25. Both of those IPs are listed for dns1.registrar-servers.com.
-- Chris Adams <cmadams@hiwaay.net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
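An added example (not code from any poster in this thread) of the two techniques used above: a random label under the zone so the resolver cannot answer from cache, and timing each authoritative server address separately. The function names, the 1000 ms threshold and the sample timings are assumptions; 192.0.2.53 is a documentation-range placeholder.

```python
import random, socket, string, struct, time

def build_query(name, qtype=1, txid=None, rd=True):
    """Encode a one-question DNS query (qtype 1 = A, 28 = AAAA)."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN

def parse_header(resp):
    """Return (transaction id, rcode) from a DNS response; rcode 3 = NXDOMAIN."""
    txid, flags = struct.unpack("!HH", resp[:4])
    return txid, flags & 0x000F

def random_name(zone):
    """Random label under zone: never cached, so the resolver must ask upstream."""
    label = "".join(random.choice(string.ascii_lowercase) for _ in range(14))
    return f"{label}.{zone}"

def timed_query(server, name, qtype=1, rd=True, timeout=3.0):
    """Send one UDP query; return (milliseconds, rcode) or (None, None) on failure."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    query = build_query(name, qtype, rd=rd)
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(query, (server, 53))
            resp, _ = sock.recvfrom(4096)
            elapsed_ms = (time.monotonic() - start) * 1000
        except OSError:  # includes socket.timeout
            return None, None
    if len(resp) < 12 or parse_header(resp)[0] != parse_header(query)[0]:
        return None, None  # truncated or mismatched reply
    return elapsed_ms, parse_header(resp)[1]

def classify(timings, slow_ms=1000):
    """Map {server: ms or None} to 'no response', 'slow' or 'ok'."""
    return {s: "no response" if ms is None else "slow" if ms >= slow_ms else "ok"
            for s, ms in timings.items()}

if __name__ == "__main__":
    # Constructed timings shaped like the result reported in the message above;
    # 192.0.2.53 is a documentation-range placeholder for a healthy server.
    sample = {"38.101.213.194": None, "69.16.244.25": 2100.0, "192.0.2.53": 35.0}
    print(classify(sample))
    # Live use (needs network):
    #   timed_query("2001:470:20::2", random_name("pfsense.org"), qtype=28)
```

Pass `rd=False` when timing an authoritative server directly, and keep `rd=True` when timing a recursive resolver.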
does pfsense need real dns hosting maybe? I hear: http://puck.nether.net/dns ... works.
On Wed, Jan 4, 2012 at 6:48 PM, Chris Adams <cmadams@hiwaay.net> wrote:
registrar-servers.com.
participants (6): Chris Adams, Christopher Morrow, Mark Kamichoff, Raymond Dijkxhoorn, Ryan Rawdon, Seth Mos