adam:ONE has a new custom configuration switch available as of 3.4.2 as follows:
ipe-dns-response-delay=[x]
where [x] is measured in milliseconds.
Here’s some background as to how and why this may apply to you.
The traditional sequence of events in a DTTS (Don’t Talk to Strangers) environment works like this:
1. endpointA makes a DNS query to adam:ONE, for, say, example.com
2. adam:ONE resolves example.com based on assigned policy
3. adam:ONE sends the kernel an instruction to open an outbound hole for endpointA
4. adam:ONE offers the DNS answer to endpointA
5. endpointA makes an IP connection to example.com
In some cases, steps 4 and 5 execute before step 3 has completed.
By adding ipe-dns-response-delay=125, for example, adam:ONE waits 125ms at the beginning of step 4 above, which prevents the endpoint from experiencing rejected connection attempts. 125ms is commonly used since it solves the issue in most cases without introducing a noticeable end-user performance decrease.
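The race above, as an added illustration that is not adam:ONE code: a deterministic millisecond timeline in which step 3 (the kernel opening the hole) completes asynchronously, so that the ordering of steps 3, 4 and 5 can be compared with and without a response delay. All latencies are constructed, and min_delay_ms is a hypothetical helper for sizing the setting from observed kernel latencies.

```python
"""Timeline model of the DTTS race that ipe-dns-response-delay closes.

Hypothetical simulation, not adam:ONE code. Time is modelled in milliseconds
on a discrete timeline rather than measured, so results are deterministic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Latencies:
    resolve_ms: float         # step 2: policy check + upstream resolution
    kernel_hole_ms: float     # step 3: until the outbound hole is actually live
    client_connect_ms: float  # step 4 -> 5: endpoint turns the answer into a SYN


def timeline(lat: Latencies, response_delay_ms: float = 0.0) -> dict:
    """Moment (ms after the query) at which steps 2-5 complete."""
    t_resolved = lat.resolve_ms
    # Step 3 is asynchronous: the instruction goes out at t_resolved, but the
    # hole only exists once the kernel has processed it.
    t_hole_open = t_resolved + lat.kernel_hole_ms
    # Step 4 is where the switch applies: the answer is held back by the delay.
    t_answer = t_resolved + response_delay_ms
    t_connect = t_answer + lat.client_connect_ms
    return {
        "hole_open": t_hole_open,
        "answer": t_answer,
        "connect": t_connect,
        # The SYN is only accepted if the hole is already open when it arrives.
        "accepted": t_connect >= t_hole_open,
    }


def step_order(tl: dict) -> list:
    """Names of steps 3, 4, 5 in the order they actually complete."""
    events = [(tl["hole_open"], "hole_open"), (tl["answer"], "answer"),
              (tl["connect"], "connect")]
    return [name for _, name in sorted(events)]


def min_delay_ms(kernel_samples_ms, client_connect_ms, slack_ms=0.0):
    """Smallest delay that beats the slowest observed kernel-hole latency."""
    return max(0.0, max(kernel_samples_ms) - client_connect_ms + slack_ms)


if __name__ == "__main__":
    lat = Latencies(resolve_ms=20, kernel_hole_ms=90, client_connect_ms=1)  # constructed
    for delay in (0, 125):
        tl = timeline(lat, delay)
        print(f"delay={delay:3}ms order={step_order(tl)} accepted={tl['accepted']}")
```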
To use this feature on adam:ONE in pfSense, use Services → adam:ONE → Custom Options.
Please make sure you’re running 3.4.2 or later.
NOTE: This feature has been removed in version 4 and later.