DoT resolvers - Slow results

Joe Abley jabley at
Fri Mar 20 13:57:16 UTC 2020


On Fri, 20 Mar 2020 at 09:45, Talkabout via Unbound-users <unbound-users at> wrote:

> But the problem arises when it comes to resolution times. With my initial
> configuration I have an average resolution time of < 100ms. [...]
> With the TLS way the resolution time increases to > 200ms. When I query
> one of those TLS DNS servers directly via kdig, I get results in approx.
> 30-60ms.
> Is this something that one has to live with when using TLS or do I have a
> configuration problem on my end?

This is very much a meta-answer (I have no suggestions for your unbound
question) but it may be worth remembering that the performance that the
clients of your resolver see generally has far more to do with the cache
hit rate than the time taken to process a cache miss.

A difference of 100ms in resolution time looks like a 100% increase in
processing time and I appreciate why that looks worrying.

However, if a particular upstream server sends responses with a TTL of 3600
seconds and your client traffic needs those responses once a second,
then it's only 1/3600 of your queries that see the extra latency.
This looks far less worrying.

A better test of resolver performance is to find some standard, repeatable
tests that emulate what end-users are doing and run them regularly. Tests
like "load the front page of" or "Load the front page of" still involve a lot of DNS traffic and are more reflective of
what users actually do than "retrieve a particular RRSet from a particular

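The dilution argument above, carried through as an added example (not code from the post or from Unbound): a minimal TTL cache is driven with the post's figures (TTL 3600 s, one query per second, roughly 100 ms per miss for plain upstreams versus 200 ms over DoT), and the hit latency of 1 ms for a locally cached answer is an assumption.

```python
"""Model how extra per-miss latency (e.g. DNS over TLS) is diluted by a
TTL-driven resolver cache.  Added example; the upstream figures come from
the post, the 1 ms cached-answer latency is assumed."""
from dataclasses import dataclass, field


@dataclass
class TtlCache:
    """Positive cache model: one entry per name, valid for ttl seconds."""
    ttl: float
    expiry: dict = field(default_factory=dict)
    hits: int = 0
    misses: int = 0

    def lookup(self, name: str, now: float) -> bool:
        """True on a cache hit; on a miss, refill the entry from upstream."""
        if self.expiry.get(name, -1.0) > now:
            self.hits += 1
            return True
        self.misses += 1
        self.expiry[name] = now + self.ttl
        return False


def simulate(ttl: float, interval: float, duration: float,
             hit_ms: float, miss_ms: float, name: str = "example.invalid") -> dict:
    """Query one name every `interval` s for `duration` s; report the share of
    queries that pay the upstream round trip and the mean client-seen latency."""
    cache = TtlCache(ttl)
    total_ms, t, n = 0.0, 0.0, 0
    while t < duration:
        total_ms += hit_ms if cache.lookup(name, t) else miss_ms
        t += interval
        n += 1
    return {"queries": n, "misses": cache.misses,
            "miss_fraction": cache.misses / n, "mean_ms": total_ms / n}


def miss_fraction_closed_form(ttl: float, interval: float) -> float:
    """Closed form behind the post's 1/3600: at most one miss per TTL window."""
    return min(1.0, interval / ttl)


def dot_penalty_ms(ttl: float = 3600, interval: float = 1.0, day: float = 86400,
                   plain_ms: float = 100.0, dot_ms: float = 200.0) -> float:
    """Mean extra latency per query over a day when misses go from 100 to 200 ms."""
    plain = simulate(ttl, interval, day, 1.0, plain_ms)
    dot = simulate(ttl, interval, day, 1.0, dot_ms)
    return dot["mean_ms"] - plain["mean_ms"]


if __name__ == "__main__":
    print(f"DoT adds {dot_penalty_ms():.3f} ms per query on average")  # ~0.028 ms
```

The 100 ms per-miss difference shrinks to under 0.03 ms per query once the cache absorbs 3599 of every 3600 lookups; for a real deployment the interval and TTL should come from measured query logs rather than the constants above.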
