And, yes, I agree, DNS over TLS might be slower, but really, if you have to wait seconds for a DNS reply... imagine.
Lots of websites have 10-20 hosts in them; if you have to wait 10 sec for a website, well, I'm gone already then.

That's why I also showed the direct tests of my internal authoritative DNS servers (and I can pick any host, it will show the same results).

All I'm saying is, before you go hunting for "possible" problems, make sure the resolving is perfectly set up.
It will fix at least a lot of problems.

I just don't like DNS over HTTPS.

https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/
https://www.samknows.com/blog/dns-over-https-performance

Good articles to read. Enjoy.

Greetz,

Louis

> -----Original message-----
> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of Klaus Westkamp
> Sent: Wednesday 30 December 2020 10:57
> To: squid-users@xxxxxxxxxxxxxxxxxxxxx
> Subject: Re: Anyone has experience with Windows clients DNS timeout
>
> Hi,
>
> I fully agree with Amos. I experience several seconds delay these days
> in resolving names.
>
> Using Google, which has a very fast and heavily caching DNS,
> is not a good example for recreating this effect.
>
> I could imagine that the several DNS encryption methods,
> DNS-over-TLS and -over-HTTPS, that are only supported by some,
> are adding to that delay, as they require more overhead
> and also the client has to find out which method is supported and which not.
>
> Cheers,
>
> Klaus Westkamp
>
>
> On 30/12/2020 09:07, L.P.H. van Belle wrote:
> > Hi Eliezer
> >
> > Sorry, I'm not fully agreeing with Amos here..
> >
> > If your DNS is taking 7-10 sec, I would investigate why the DNS is that slow.
> > Something is off, that simple.
> >
> >
> > A small example of my DNS resolving to internet and my LAN DNS servers.
> >
> > time dig a www.google.nl @8.8.8.8 @internet dns
> > real 0m0.115s
> >
> > real 0m0.031s @lan dns, lookup 1.
> > real 0m0.016s @lan dns, lookup 2. (cached one)
> >
> > So, in my opinion 7-10 seconds timeout is really off.
> > In the last we..
> >
> > Is the LAN DNS set as an authoritative server?
> > Are the PCs correctly registering in the DNS with their primary DNS domain?
> >
> > In resolv.conf make sure the primary DNS domain is first in resolv.conf
> > primary.dnsdomain.tld = output of $(hostname -d)
> >
> > search primary.dnsdomain.tld (optional extra, other.dnsdomain.tld dnsdomain.tld )
> > nameserver 192.168.1.1
> > nameserver 192.168.1.2
> > nameserver 192.168.1.3
> > nameserver 192.168.1.4
> > nameserver 192.168.1.5
> >
> > # these are the options to look into also. ( in this order )
> > options edns0 # allowed 4096 byte packages.
> > options rotate # if you have more than 1 dns server this can help.
> > options timeout:3
> > options no-check-names # don't check for invalid characters such as underscore (_), non-ASCII, or control characters.
> >
> >
> > Check the following.
> > - the DNS server tries to query first to the internet.
> > fix might be, resolving (search line) in /etc/resolv.conf
> >
> > ipv4 / ipv6, try disabling ipv6 on the Windows clients.
> > DNS is non-authoritative where it might be needed to set it to authoritative.
> > DNS server is missing forwarding to the authoritative server.
> > Routing and routing orders
> > Are EDNS (4096bytes) big packages allowed
> > And is the firewall allowing UDP and TCP packages on port 53
> >
> > I run 3 samba-AD DNS servers with Bind9_DLZ
> > My proxy runs a Bind9 caching and forwarding setup.
> > The primary DNS domain is forwarded to the Samba-AD DNS server.
> > These are the authoritative servers.
> >
> > This is on average my slowest query 0.1-0.2 sec ( on the samba dns )
> > I checked the last year in my monitoring.
> > Normal is 0.03-0.01 sec
> >
> > If there are problems in samba these days it's 80% of all cases a resolving setup problem.
> >
> > I hope this gave you some ideas.
> >
> >
> > Greetz,
> >
> > Louis
> >
> >> -----Original message-----
> >> From: squid-users [mailto:squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On behalf of NgTech LTD
> >> Sent: Tuesday 29 December 2020 21:02
> >> To: Squid Users
> >> Subject: Anyone has experience with Windows clients DNS timeout
> >>
> >> I have seen this issue on Windows clients over the past.
> >> Windows nslookup shows that the query has timed out after 2 seconds.
> >> On Linux and xBSD I have researched this issue and have seen that:
> >> the DNS server is doing a recursive lookup and it takes from 7 to 10++
> >> seconds sometimes.
> >> When I pre-warm the DNS cache and the results are cached it takes
> >> lower than 500 ms for a response to be on the client side and then
> >> everything works fine.
> >>
> >> I understand that Windows DNS client times out..
> >> When using forward proxy with squid or any other it works as expected
> >> since the DNS resolution is done on the proxy server.
> >> However for this issue I believe that this timeout should be increased
> >> instead of moving to DNS over HTTPS.
> >>
> >> I would like to hear if anyone has any resolution for this issue on
> >> the Windows clients side.
> >>
> >> Thanks,
> >> Eliezer
> >>
> >> ----
> >> Eliezer Croitoru
> >> Tech Support
> >> Mobile: +972-5-28704261
> >> Email: ngtech1ltd@xxxxxxxxx
> >> _______________________________________________
> >> squid-users mailing list
> >> squid-users@xxxxxxxxxxxxxxxxxxxxx
> >> http://lists.squid-cache.org/listinfo/squid-users
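
Added example, not part of the original thread or written by any of its posters: a small Python check of a resolv.conf against the points in the quoted checklist (primary domain first in the search list, number of nameserver lines, options). The names `parse_resolv_conf`, `lint` and `SAMPLE` are hypothetical and the sample file is constructed; the three-server limit is glibc's MAXNS, and resolv.conf(5) documents comments only when `#` or `;` is in the first column.

```python
MAXNS = 3  # glibc's resolver uses only the first three nameserver lines
# Constructed sample in the layout quoted in the thread (not a real host's file).
SAMPLE = """\
search other.dnsdomain.tld primary.dnsdomain.tld
nameserver 192.168.1.1
nameserver 192.168.1.2
nameserver 192.168.1.3
nameserver 192.168.1.4
nameserver 192.168.1.5
options edns0 # allow 4096 byte packets
options rotate
options timeout:3
"""

def parse_resolv_conf(text):
    """Collect the search list, nameservers, options and trailing-comment lines."""
    cfg = {"search": [], "nameservers": [], "options": {}, "trailing": []}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw[:1] in ("#", ";"):
            continue  # documented comment form: marker in column one
        body, marker, _ = raw.partition("#")
        parts = body.split()
        if not parts:
            continue  # blank line or an indented comment
        if marker:
            cfg["trailing"].append(lineno)
        keyword, args = parts[0], parts[1:]
        if keyword == "search":
            cfg["search"] = args  # the last search line wins
        elif keyword == "nameserver" and args:
            cfg["nameservers"].append(args[0])
        elif keyword == "options":  # several options lines are merged
            for opt in args:
                name, _, value = opt.partition(":")
                cfg["options"][name] = value or True
    return cfg

def lint(text, primary_domain):
    """Return (parsed config, findings) for the checks discussed in the thread."""
    cfg = parse_resolv_conf(text)
    findings = []
    if cfg["search"][:1] != [primary_domain]:
        findings.append("search: %s is not first" % primary_domain)
    for ns in cfg["nameservers"][MAXNS:]:
        findings.append("nameserver %s is past the first %d, unused" % (ns, MAXNS))
    for lineno in cfg["trailing"]:
        findings.append("line %d: trailing comment, keep comments in column one" % lineno)
    return cfg, findings

print("\n".join(lint(SAMPLE, "primary.dnsdomain.tld")[1]))
```

On a real host, pass the contents of /etc/resolv.conf and the output of `hostname -d` as the two arguments.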