Products Firewalla Gold SE Firewalla Gold Pro Firewalla Gold Plus Firewalla Purple Firewalla Purple SE Firewalla Wi-Fi SD Product Comparison Product Reviews

Poor DNS performance

Follow
Avatar
Tonydecker51301

Hey guys,

My setup is a Firewall Gold with Ruckus Networks switches and access points

I'm testing out an Aruba UX sensor for work and noticed some interesting results on my network.  I received alarms for poor DNS response time, so as an experiment I changed the DNS settings on my management network.  By default, all of the networks have the DNS set to the Firewalla interface IP (or gateway IP for that subnet).   On the management network, I changed the DNS settings to my ISPs DNS servers.  

Results using Firewalla DNS: 74ms average lookup time
Results using ISP DNS: 34ms average lookup time

Is there anything I can do about this?  Is this a known issue?  I do have family protect enabled on some of my networks, so not sure if that is a factor or not.  It seems that Firewalla is acting as a DNS cache or proxy.  Maybe this is how it enforces family protect.  Any information or help would be appreciated!

0

Comments

6 comments

Sort by Date Votes
  • Avatar
    Firewalla

    There is no difference if you set to firewalla DNS or ISP DNS, they all go to firewalla DNS. 

    What's important is what your DNS server set to. (LAN or WAN segment) 

    0
    Comment actions Permalink
  • Avatar
    Tonydecker51301

    Good to know.  I'm doing another test now where I changed the DNS servers to the Open DNS Family Shield IPs.  If I get the same results as with the default gateway set I know the problem is Open DNS.  

    I just found this little tidbit here which makes sense. 

    https://help.firewalla.com/hc/en-us/articles/4570608120979-Firewalla-DNS-Services#h_01FYDNDFPJ91AM9EQ3GMDYVH5D

    "Please note that if a device has another DNS protocol (DoH/Family Protect/Unbound) enabled in the Firewalla app, Firewalla will no longer send that device's DNS requests to the configured DNS server– the other protocols take precedence."

    One thing that's not clear to me is what happens if you have Family Protect disabled for a VLAN.  What DNS server does it use by default?  

    0
    Comment actions Permalink
  • Avatar
    Tonydecker51301

    Okay so also just read about DNS booster which is enabled by default and I assume is required for things like Family Protect.  Interesting that DNS response times aren't much quicker considering caching is involved.

    https://help.firewalla.com/hc/en-us/articles/360035362614-What-is-DNS-Booster

    0
    Comment actions Permalink
  • Avatar
    Tonydecker51301

    Confirmed that OpenDNS is the culprit for slow DNS performance.  Shoot :(

    0
    Comment actions Permalink
  • Avatar
    Tonydecker51301

    Just to follow up on this, after changing Family Protect to Native, I still experience DNS issues when I have the Primary DNS Server under networks set to use that networks gateway.  If I set primary DNS in there to a server of my choice, the problem goes away.  When I do a packet capture of a device, I can tell that it is using whatever DNS Server I put in the network settings on Firewalla.  From what I understand, DNS booster is intercepting the request either way, but then why is the behavior different depending on how I set my DNS under networks? 

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    DNS is always intercepted, regardless of what you point your device at. 

    May I know the DNS issue you are encountering? is it slow? if it is, how slow? how did you test? if it is correctness, can you give me an example.

    Must of the DNS problem we see are with rules based blocks, if you put the device in question into emergency access mode, do you still see the problem?

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post