Faster internet speed browser

To make my network faster, I changed the DNS query cache size to 10,000 and the max concurrent queries to 1,500 (see screenshot).

YouTube in Firefox now takes 3 seconds to open. With an account.

Short TTLs are the reality these days. This reduces DNS caching effectiveness. A cache size of 10.000 for personal file browsing... well, you probably use 2-3% of that max. The same goes for 1500 concurrent queries. Increasing the min. cache TTL can give more benefit (note the article by APNIC): https://blog.apnic.net/2019/11/12/stop-using-ridiculously-low-dns-ttls/

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall
killall -s USR1 dnsmasq
sleep 1
logread -e dnsmasq | tail -20

Thanks. Let me clarify my situation first. I flashed my Turris Omnia router to OpenWrt (I'm running the newest version, 24.10). Because it is not possible to set my ISP router to bridge mode, I am using double NAT (in DMZ mode). IPv6 is not working in DMZ mode, which is why I have disabled IPv6. I hope my explanation is clear. What would be the best option in this situation?

root@Turris:~# ubus call system board
{
        "kernel": "6.6.119",
        "hostname": "Turris.Omnia.Router.",
        "system": "ARMv7 Processor rev 1 (v7l)",
        "model": "Turris Omnia",
        "board_name": "cznic,turris-omnia",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.5",
                "revision": "r29087-d9c5716d1d",
                "target": "mvebu/cortexa9",
                "description": "OpenWrt 24.10.5 r29087-d9c5716d1d",
                "builddate": "1766005702"
        }
}
root@Turris:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc1:87c7:d928::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan0'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option gateway '192.168.2.254'
        list dns '1.1.1.1'

config interface 'wan'
        option device 'eth2'
        option proto 'static'
        option ipaddr '192.168.2.10'
        option netmask '255.255.255.0'
        option gateway '192.168.2.254'
        list dns '1.1.1.1'

config device
        option name 'br-wan'
        option type 'bridge'

config interface 'IOT'
        option proto 'static'
        option device 'phy1-ap0'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'
        option type 'bridge'
        list dns '1.1.1.1'

root@Turris:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list rebind_domain 'selfscan.store.ah.nl'
        list rebind_domain 'msftncsi.com'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '168h'
        option dhcpv4 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        option start '100'
        option limit '150'
        option leasetime '168h'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piofolder '/tmp/odhcpd-piofolder'

config dhcp 'IOT'
        option interface 'IOT'
        option start '100'
        option limit '240'
        option leasetime '168h'
        option force '1'

config host
        option name 'Ring-Gong'
        list mac '18:7F:88:FD:29:9D'
        option ip '192.168.10.232'
        option leasetime 'infinite'

config host
        option name 'Ring-Deurbel'
        list mac '5C:47:5E:BC:C5:2D'
        option ip '192.168.10.141'
        option leasetime 'infinite'

root@Turris:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        option name 'IOT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        list network 'IOT'

config forwarding
        option src 'IOT'
        option dest 'wan'

config rule
        option src 'IOT'
        option name 'Toegang DHCP'
        list proto 'udp'
        option src_port '67-68'
        option target 'ACCEPT'

config rule
        option src 'IOT'
        option name 'Toegang DNS'
        list proto 'udp'
        option target 'ACCEPT'

config rule
        option src 'IOT'
        option dest 'wan'
        option name 'Blokkeer KPN router'
        list dest_ip '192.168.2.254'
        option target 'REJECT'

config rule
        option src 'IOT'
        option dest 'lan'
        option name 'blokkeer IOT naar LAN'
        list proto 'all'
        option target 'REJECT'

config redirect 'adblock_IOT53'
        option name 'Adblock DNS (IOT, 53)'
        option src 'IOT'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option family 'any'

config rule 'adblock_IOT853'
        option name 'Adblock DNS (IOT, 853)'
        option src 'IOT'
        option proto 'tcp udp'
        option dest_port '853'
        option target 'REJECT'
        option dest '*'

config redirect 'adblock_lan53'
        option name 'Adblock DNS (lan, 53)'
        option src 'lan'
        option proto 'tcp udp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'
        option family 'any'

config rule 'adblock_lan853'
        option name 'Adblock DNS (lan, 853)'
        option src 'lan'
        option proto 'tcp udp'
        option dest_port '853'
        option target 'REJECT'
        option dest '*'

root@Turris:~# killall -s USR1 dnsmasq
root@Turris:~# sleep 1
root@Turris:~# logread -e dnsmasq | tail -20

You have neither cachesize '10000' nor dnsforwardmax '1500' in your /etc/config/dhcp. So your browsing speed improvement is of a purely psychological nature 🙂

Yes, I changed it to default.

So, what's the question then?

Change it again to a DNS query cache size of 10,000 and max concurrent queries of 1,500, or not?

You have to evaluate it yourself whether default cache size is too small for you...

... funny thing: Probably your OS does DNS caching too. Even Firefox does its own DNS caching - see about:networking#dns
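One way to do that evaluation from the router's shell, as an added example that is not part of any post in this thread: it summarises the statistics dnsmasq writes to the log after the `killall -s USR1 dnsmasq` step shown earlier. The function names and the sample log lines are constructed for illustration; the "local" count includes answers from hosts and lease data as well as the cache, so treat the percentage as a rough indicator.

```shell
#!/bin/sh
# Added example: summarise the statistics dnsmasq logs on SIGUSR1.
# Reads log lines on stdin (e.g. from `logread -e dnsmasq`) and prints
#   size=N evicted=E inserted=I forwarded=F local=L local_pct=P verdict=V
# Prints "no-stats" and returns 1 if the log holds no statistics lines.
dnsmasq_cache_report() {
    awk '
    # "cache size 150, 12/480 cache insertions re-used unexpired cache entries."
    /cache size [0-9]+, [0-9]+\/[0-9]+ cache insertions/ {
        for (i = 1; i < NF; i++) {
            if ($i == "size") { size = $(i + 1); sub(/,/, "", size) }
            if ($i ~ /^[0-9]+\/[0-9]+$/) { split($i, p, "/"); evicted = p[1]; inserted = p[2] }
        }
        seen = 1
    }
    # "queries forwarded 300, queries answered locally 900"
    /queries forwarded [0-9]+, queries answered locally [0-9]+/ {
        for (i = 1; i < NF; i++) {
            if ($i == "forwarded") { fwd = $(i + 1); sub(/,/, "", fwd) }
            if ($i == "locally")   { loc = $(i + 1) }
        }
    }
    END {
        if (!seen) { print "no-stats"; exit 1 }
        total = fwd + loc
        pct = (total > 0) ? int(loc * 100 / total) : 0
        # Entries pushed out before their TTL expired mean the cache was full.
        verdict = (evicted + 0 > 0) ? "cache-too-small" : "cache-size-ok"
        printf "size=%d evicted=%d inserted=%d forwarded=%d local=%d local_pct=%d verdict=%s\n",
               size, evicted, inserted, fwd, loc, pct, verdict
    }'
}

# Constructed sample of what `logread -e dnsmasq` shows after SIGUSR1.
sample_dnsmasq_log() {
    cat <<'EOF'
Tue Oct 21 20:14:15 2025 daemon.info dnsmasq[2345]: time 1761077655
Tue Oct 21 20:14:15 2025 daemon.info dnsmasq[2345]: cache size 150, 12/480 cache insertions re-used unexpired cache entries.
Tue Oct 21 20:14:15 2025 daemon.info dnsmasq[2345]: queries forwarded 300, queries answered locally 900
EOF
}

sample_dnsmasq_log | dnsmasq_cache_report
```

On the router the input would come from `logread -e dnsmasq | dnsmasq_cache_report`; if several dumps are in the log, the most recent one is reported.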

Are there completely different settings to improve web browsing speed?

DNS is barely a bottleneck for most users. Open Firefox, press F12, and there are performance timings in the Network tab.

What was it earlier, 3.5s? 4s?

What's the problem you're trying to solve?

Earlier it was 4 seconds. There is no problem I want to solve; I just want the most performance possible.

Are you sure you had your caches flushed before testing? One second for DNS requests - that's too much for most users.

Yes, I entered "ipconfig /flushdns" in cmd.

What about browser cache?

IMO, what you do is nonsense. If you have 3 seconds to load the whole YT page, you have a pretty fast Internet connection and PC. You just can't have 1 second spent on DNS requests. Not even close to 1 second.

You should keep a local copy of the internet DNS system, queries will probably drop below 1s.

Do you do this from an SSD or USB drive on the USB3 port of the router, or not?

Open Firefox, press F12, select the Network tab and take a screenshot with the Timings subtab on the right. I want to make sure that you're not making numbers up.
