Slow browsing, DNS issues

Hi,

On my RB3011 I face some issues with every client: browsing is slow. I am using the DNS server that my ISP assigns by PPPoE “using peer dns”. When I open a site, sometimes it’s working quite fast; another time the “small circle” in a Firefox tab is spinning and the website does not appear… It seems like a DNS caching issue on RouterOS. Assigning another DNS server like 8.8.8.8 directly on the Windows machine causes a much faster browsing experience…

This is a really annoying bug. Is there any workaround? Should I assign another DNS server by DHCP?
Any hints what I could do here?

Thanks, regards toby

I assume you have set up the DNS cache on ROS and set your ISP DNS as the server to forward the queries.

What happens if you assign your ISP DNS directly on the Windows machine? If browsing is still slow, then the issue is on your ISP DNS.

If not, and proper firewalling isn’t set, it could be your DNS cache is being used as a DNS spoofing DDoS attack from the internet. Incoming DNS queries on the WAN interface should be filtered out.

A configuration export will be useful to diagnose this.

Additionally, use specific tools for the DNS testing, either nslookup or DNSBench on Windows, or dig on *nix systems, so that other variables (OS/browser cache, etc.) can be ruled out.

ROS is 6.37rc27… Yes DNS cache on ROS is used.

Here are the results:
Final benchmark results, sorted by nameserver performance:
(average cached name retrieval speed, fastest to slowest)

192.168.  0.254 |  Min  |  Avg  |  Max  |Std.Dev|Reliab%|
----------------+-------+-------+-------+-------+-------+
- Cached Name   | 0,000 | 0,000 | 0,000 | 0,000 | 100,0 |
- Uncached Name | 0,051 | 0,113 | 0,487 | 0,104 | 100,0 |
- DotCom Lookup | 0,052 | 0,067 | 0,139 | 0,017 | 100,0 |
---<-------->---+-------+-------+-------+-------+-------+
Non-routable local internet address
Local Network Nameserver


UTC: 2016-09-05, from 10:59:15 to 11:01:40, for 02:24,776



Here is the firewall export, additionally there is a srcnat:

/ip firewall filter
add action=accept chain=input comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=input comment=\
    "Accept all connections from local network" in-interface=PPPoE-Inexio
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid
add action=drop chain=input comment=\
    "Drop all packets which are not destined to routes IP address" \
    dst-address-type=!local
add action=drop chain=input comment=\
    "Drop all packets which does not have unicast source IP address" \
    src-address-type=!unicast
add action=drop chain=input comment="Drop all packets from public internet whi\
    ch should not exist in public network" in-interface=PPPoE-Inexio \
    src-address-list=NotPublic
add action=accept chain=forward comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Drop new connections from internet which are not dst-natted" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    PPPoE-Inexio
add action=drop chain=forward comment="Drop all packets from public internet w\
    hich should not exist in public network" in-interface=PPPoE-Inexio \
    src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to \
    internet which should not exist in public network" dst-address-list=\
    NotPublic in-interface=ether2_homenet src-address-list=!local-addresses
add action=drop chain=forward comment="Drop all packets in local network which\
    \_does not have local network address" in-interface=ether2_homenet \
    src-address-list="!Subnet Ellert Heimnetz"

It’s just sporadic and just some sites. I read about a lot of problems like that in the forum but I have no idea what to do. I could use the Google DNS in the DHCP DNS settings, then I would override my ROS DNS cache, correct? But I don’t wanna do that because I like the idea of cached DNS…

add action=accept chain=input in-interface=PPPoE-Inexio comment="Accept all connections from local network" 
   
add action=drop chain=input in-interface=PPPoE-Inexio src-address-list=NotPublic comment="Drop all packets from public internet which should not exist in public network"

I can’t make sense of your firewall rules… I’d start with an absolutely essential set of filter rules, test, and then proceed from there:

/ip firewall filter
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept connection-state=established,related comment="accept established,related"
add chain=input action=drop in-interface=YOUR_WAN_INTERFACE comment="drop all from WAN"
add chain=forward action=accept connection-state=established,related comment="accept established,related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=YOUR_WAN_INTERFACE

The rules were taken from here:
http://wiki.mikrotik.com/wiki/Tips_and_Tricks_for_Beginners_and_Experienced_Users_of_RouterOS#Firewall

You are right, they make no sense to me either if I have a closer look. Now I did it the way you said; it is more comprehensible to me:

chain=input action=accept connection-state=established,related log=no log-prefix="" 
chain=input action=drop in-interface=PPPoE-Inexio log=no log-prefix="" 
chain=forward action=accept connection-state=established,related log=no log-prefix="" 
chain=forward action=drop connection-state=invalid log=no log-prefix="" 
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=PPPoE-Inexio log=no log-prefix=""

Now I found one major issue in my network setup: I had missed changing the MSS of TCP connections in my PPPoE tunnel. This caused sudden failures to open some websites… For now it works. Let’s see if the DNS works also…

One thing I don’t understand is the last rule. How does it fit with my srcnat?

chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=PPPoE-Inexio log=no log-prefix=""

That rule could be read as:

Drop all packets arriving at the WAN interface and traversing the router towards the LAN, unless there’s an explicit dst-nat rule matching it, i.e. a port forwarding from the router to an inside host.

This is an elegant and efficient way that allows for a single ip > firewall > filter rule to cope with all ip > firewall > nat dst-nat rules; once you add a dst-nat rule, traffic will be able to pass the firewall, without the need for a specific allow rule on ip > firewall > filter for each.

Keep in mind that with this approach, you’re automatically “piercing” the firewall when you add dst-nat rules; so if you want to filter access to these inner dst-natted services, you’ll need either a specific filter rule for each, or set a condition (e.g. src-address, src-address-list) on the dst-nat rule (which from a management point of view isn’t the best practice tho).
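An added example, not from the thread and not MikroTik code: a small first-match evaluator for `/ip firewall filter` exports that shows why the original input chain answered DNS queries arriving on the WAN interface, and how the `connection-nat-state=!dstnat` rule lets dst-natted connections through unless a source-restricted rule is added. The flow dictionaries and the address list name `trusted-remote` are assumptions, and only the accept, drop and reject actions are modelled.

```python
import re
import shlex

# First three input-chain rules of the export posted in the thread.
ORIGINAL = r"""
/ip firewall filter
add action=accept chain=input comment=\
    "Accept established and related packets" connection-state=\
    established,related
add action=accept chain=input comment=\
    "Accept all connections from local network" in-interface=PPPoE-Inexio
add action=drop chain=input comment="Drop invalid packets" connection-state=\
    invalid
"""

# The reduced rule set the thread ends with, rewritten in export form.
REVISED = r"""
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop in-interface=PPPoE-Inexio
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new \
    connection-nat-state=!dstnat in-interface=PPPoE-Inexio
"""

# Assumption: "trusted-remote" is a hypothetical address list of allowed sources.
HARDENED = REVISED + (
    "add chain=forward action=drop connection-state=new "
    "connection-nat-state=dstnat in-interface=PPPoE-Inexio "
    "src-address-list=!trusted-remote\n"
)

META = {"action", "chain", "comment", "log", "log-prefix"}  # not packet matchers


def parse_export(text):
    """Turn an '/ip firewall filter' export into an ordered list of rule dicts."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join RouterOS line continuations
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            tokens = shlex.split(line)[1:]  # keeps quoted comments in one token
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules


def matches(rule, flow):
    """True if every matcher of the rule agrees with the flow's attributes."""
    for key, want in rule.items():
        if key in META:
            continue
        negate = want.startswith("!")
        wanted = set(want.lstrip("!").split(","))
        have = flow.get(key, set())
        have = {have} if isinstance(have, str) else set(have)
        if bool(wanted & have) == negate:  # matcher fails
            return False
    return True


def verdict(rules, flow):
    """Return (action, rule index) of the first terminating rule that matches."""
    for index, rule in enumerate(rules):
        action = rule.get("action", "accept")
        if rule.get("chain") == flow["chain"] and matches(rule, flow):
            if action in ("accept", "drop", "reject"):
                return action, index
    return "accept", None  # RouterOS accepts a packet that no rule matched


# Constructed flows, as seen by the filter on the WAN interface.
WAN = "PPPoE-Inexio"
WAN_DNS_QUERY = {"chain": "input", "in-interface": WAN,
                 "connection-state": "new", "protocol": "udp", "dst-port": "53"}
WAN_UNSOLICITED = {"chain": "forward", "in-interface": WAN,
                   "connection-state": "new"}
WAN_PORT_FORWARD = dict(WAN_UNSOLICITED, **{"connection-nat-state": "dstnat"})
WAN_TRUSTED_FORWARD = dict(WAN_PORT_FORWARD,
                           **{"src-address-list": {"trusted-remote"}})

if __name__ == "__main__":
    cases = [("original", ORIGINAL, WAN_DNS_QUERY),
             ("revised", REVISED, WAN_DNS_QUERY),
             ("revised", REVISED, WAN_UNSOLICITED),
             ("revised", REVISED, WAN_PORT_FORWARD),
             ("hardened", HARDENED, WAN_PORT_FORWARD),
             ("hardened", HARDENED, WAN_TRUSTED_FORWARD)]
    for name, export, flow in cases:
        print(name, flow, "->", verdict(parse_export(export), flow))
```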