Internal DNS server bogging down realtime connection page

I've got an internal server running 'unbound', set up to talk to the root servers directly. If I look at realtime connections, it basically stalls and Firefox throws an "A web page is slowing down your browser, what would you like to do?" warning for a while.

On further inspection, OpenWRT is tracking the connections from the internal DNS server out to the internet, and also all the connections from the router to the internal DNS server. With reverse lookups, I have seen the UDP count go over 1500. In order to reduce this number, I could basically 'notrack' the LAN-LAN DNS lookups, but the LuCI firewall only has "don't track" as an action that is set along with 'forward'. What's the best way to keep these connections from being tracked?

OK, I turned off the tracking of the openwrt requests with the (specific to my setup) iptables command
# raw table, before conntrack: skip tracking of UDP replies coming from the internal resolver's port 53
iptables -t raw -A PREROUTING -p udp -s 192.168.0.2 --sport 53 -j CT --notrack
but there was not much difference in the behavior. The CPU is maxed out on an i7-8700 when rendering the page, not sure if this is due to the SVG or the many lines of text. I may look into figuring out some way to suppress DNS look-ups for this display as has been suggested before - most people are probably using an external name server so this is not (as much of) an issue for them.
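For reference, here is an added example script (not code from the thread or from OpenWrt) that generates the raw-table rules needed to keep router-to-resolver DNS out of conntrack in both directions. A single PREROUTING rule only covers the resolver's replies; the router's own queries are locally generated and traverse raw OUTPUT, and conntrack creates an entry on whichever packet it sees first, so both directions have to be exempted. Untracked packets also no longer match `--ctstate ESTABLISHED`, so the script accepts them on INPUT explicitly. The resolver address 192.168.0.2 comes from the thread; the router LAN address 192.168.0.1, the `IPT` preview variable and the function names are assumptions made for this example. The conntrack count helper takes `conntrack -L -p udp` output on stdin and is there so you can compare the number of port-53 entries before and after applying the rules.

```shell
#!/bin/sh
# Added example for this thread, not from the original post or from OpenWrt.
# Generates raw-table rules that exempt router<->internal-resolver DNS from
# conntrack in BOTH directions, plus a helper to count the conntrack entries
# that still represent queries to the resolver's port 53.
# Assumptions (not from the thread): router LAN address 192.168.0.1; IPT defaults
# to "echo iptables" so the rules are previewed without root. Set IPT=iptables
# to actually apply them.

# Print the rules one per line, without the iptables command name.
notrack_rules() {
    resolver="$1"
    router="$2"
    # Resolver replies arriving on the router are seen in raw PREROUTING.
    echo "-t raw -A PREROUTING -p udp -s $resolver --sport 53 -d $router -j CT --notrack"
    # Queries the router itself sends are locally generated: raw OUTPUT, not PREROUTING.
    echo "-t raw -A OUTPUT -p udp -s $router -d $resolver --dport 53 -j CT --notrack"
    # Untracked packets match neither NEW nor ESTABLISHED. Accept them on INPUT
    # explicitly so an input policy built on --ctstate ESTABLISHED does not drop them.
    echo "-A INPUT -p udp -s $resolver --sport 53 -d $router -m conntrack --ctstate UNTRACKED -j ACCEPT"
}

# Run each rule through $IPT (preview by default). On fw3-based OpenWrt the same
# iptables lines can be appended to /etc/firewall.user to survive a firewall reload.
apply_rules() {
    notrack_rules "$1" "$2" | while IFS= read -r rule; do
        # word-splitting of $rule into separate arguments is intended here
        ${IPT:-echo iptables} $rule
    done
}

# Count conntrack entries whose ORIGINAL direction is a query to the resolver's
# port 53 (the reply tuple has dport=<client port>, so it is not double counted).
# Reads `conntrack -L -p udp` output on stdin and prints the count.
count_resolver_dns_entries() {
    grep -c "dst=$1 sport=[0-9]* dport=53 " || true
}

# Preview the rules when the script is run directly.
apply_rules "${RESOLVER:-192.168.0.2}" "${ROUTER_LAN:-192.168.0.1}"
```

Typical use on the router: `conntrack -L -p udp 2>/dev/null | count_resolver_dns_entries 192.168.0.2` before and after `IPT=iptables apply_rules 192.168.0.2 192.168.0.1`; the count should stop growing once both rules are in place. Entries that already existed age out on their own UDP timeout.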

Is this a LuCI page or a page from an external site?

Edit: Using Chrome/Chromium Developer Tools allows one to look at timeline, including render time. I don’t know if Firefox has similar capabilities.

This is a LuCI page causing the slowdown, it's the only page I am looking at. I can see the CPU getting saturated as well. I'll look at the timeline this evening or tomorrow morning and put the results here. I thought there might be an issue with inefficient rendering as I primarily use Firefox on FreeBSD, but the issue happens with Windows and Linux as well. I think that Firefox throws that warning up if something takes more than 10 seconds to run.

One approach might be to filter out UDP port 53 from that page (especially as conntrack may be required for the return packets). Unfortunately I don’t know the LuCI internals and my Lua knowledge is very dusty.

Is this CPU the router's or the client viewing the page?

That's quite normal depending on client DNS lookups and you're using root hints. Perhaps there should be a button added to that page - to turn off reverse lookups.

This is the CPU on the machine where I am running the web browser. I am thinking that an option to either turn off reverse lookups or filter out DNS traffic (to filter out the reverse lookups triggering further reverse lookups) is the ticket, perhaps I will think about this as a project assuming I can get my head around the code...


As a workaround, on Firefox, it's possible to type 'about:config' in the address bar, and modify 'dom.max_script_run_time' from the default 10 seconds. I changed it to 30 and stopped getting the warning from Firefox - of course the CPU is still churning away.

I am not 100% sure, but I think I saw that the web browser is actually requesting the reverse lookups via a separate request, so it might be possible to turn this off in the Javascript served to the web client.

Arguably I rarely use this feature so I'll mark this 'solved'.

