DNS response delay to solve slow kernel response

adam:ONE has a new custom configuration switch available as of 3.4.2 as follows:

ipe-dns-response-delay=[x]

where [x] is measured in milliseconds.

Here’s some background as to how and why this may apply to you.

The traditional sequence of events in a DTTS (Don’t Talk to Strangers) environment works like this:

  1. endpointA makes a DNS query to adam:ONE, for, say example.com
  2. adam:ONE resolves example.com based on assigned policy
  3. adam:ONE sends the kernel an instruction to open an outbound hole for endpointA
  4. adam:ONE offers the DNS answer to endpointA
  5. endpointA makes an IP connection to example.com

In some cases, steps 4 and 5 execute before step 3 has completed.

Adding ipe-dns-response-delay=125, for example, inserts a 125 ms wait at the beginning of step 4 above, which prevents the endpoint from experiencing rejected connection attempts. 125 ms is the common choice because it solves the issue in most cases without introducing a noticeable end-user performance decrease.
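To make the race concrete, here is an added Python simulation of the five-step sequence (example code, not adam:ONE's own): the kernel applies the outbound hole asynchronously, and the endpoint connects the instant it receives the DNS answer, so the kernel's state at that instant decides the outcome. The 50 ms kernel latency and the TEST-NET answer address are constructed assumptions.

```python
import threading
import time


class KernelFirewall:
    """Constructed stand-in for the kernel's outbound policy table.

    The hole is opened asynchronously, which is what lets steps 4 and 5
    run ahead of step 3.
    """

    def __init__(self, apply_latency_ms):
        self.apply_latency_ms = apply_latency_ms
        self._holes = set()
        self._lock = threading.Lock()

    def open_hole_async(self, endpoint, dest_ip):
        # Step 3: adam:ONE instructs the kernel; the rule lands after a delay.
        def worker():
            time.sleep(self.apply_latency_ms / 1000)
            with self._lock:
                self._holes.add((endpoint, dest_ip))
        threading.Thread(target=worker, daemon=True).start()

    def allows(self, endpoint, dest_ip):
        with self._lock:
            return (endpoint, dest_ip) in self._holes


def resolve(name):
    # Step 2: policy-based resolution, stubbed with a constructed TEST-NET answer.
    return {"example.com": "192.0.2.10"}.get(name)


def dtts_sequence(kernel, endpoint, name, response_delay_ms):
    """Run steps 1-5 once; return True if the endpoint's connection is allowed."""
    dest_ip = resolve(name)                     # steps 1-2
    kernel.open_hole_async(endpoint, dest_ip)   # step 3 (asynchronous)
    time.sleep(response_delay_ms / 1000)        # ipe-dns-response-delay, before step 4
    # Step 4: answer delivered. Step 5: endpoint connects immediately, so the
    # kernel's decision at this instant is what the endpoint experiences.
    return kernel.allows(endpoint, dest_ip)


def simulate(kernel_latency_ms, response_delay_ms):
    kernel = KernelFirewall(kernel_latency_ms)
    return dtts_sequence(kernel, "endpointA", "example.com", response_delay_ms)


if __name__ == "__main__":
    for delay in (0, 125):
        ok = simulate(kernel_latency_ms=50, response_delay_ms=delay)
        print(f"ipe-dns-response-delay={delay}: connection {'allowed' if ok else 'rejected'}")
```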

To use this feature on adam:ONE in pfSense, use Services -> adam:ONE -> Custom Options.

Please make sure you’re running 3.4.2 or later.

Thanks for the technical explanation David. It’s nice to know how stuff works in the backend. (or doesn’t work.)