[Solved] Network protocol issue?

[jaimarti]

Hi, Not sure what the issue is but I will try to explain it as best I can. I noticed long load times when using Firefox (102.11.0esr (64 bit)) compared to my Windows10 virtual machine using Firefox 113.0.2 (64-bit) that is bridged to the same Ethernet controller. An example is loading www.dnsleaktest.com and doing the standard test takes 120 sec or 2 min. loading the same web page and test from inside Debian with a Windows10 VM in Virtualbox takes 7 sec., so all the hardware is the same. I have noticed slow loading on most web pages. I then booted my computer on a Linux Mint live USB and noticed the same behavior and then spun up Pop! OS in a VM again the same. I then thought OK Browser issue so I launched Konqueror and it comes up with a different issue "The server failed the authenticity check (89ec995b-696d-47a7-b480-4a882b39bed7.test.dnsleaktest.com). The error is: Server's certificate does not match the URL. Do you want to ignore this error?". I have been trying to figure this out for a few hours that is why I was running the DNS leak check. I also ran a few trace routes interesting enough the trace routes on the Debian machine would get lots of time outs and never reach the destination even with 64 hops while the Windows 10 VM would reach the destination in around 15 hops destination was google.com. the results of the DNS Leak test confirmed that I was using the correct DNS. Any guidance is appreciated to include maybe better verbiage to search the archives.

Dual boot with rEFInd SSD to NVME
Processor Dual Intel(R) Xeon(R) CPU E5-2670 @ 2.60GHz
Memory 98899MB (3681MB used)
Machine Type HP z620
Operating System Debian GNU/Linux 11 (bullseye) Cinnamon Desktop
Video Card AMD Radeon RX 580 2048SP (POLARIS10, DRM 3.40.0, 5.10.0-23-amd64, LLVM 11.0.1)
Ethernet controller Realtek Semiconductor Co., Ltd. RTL8125 2.5GbE Controller (rev 05)

[Aki]

Hello,

Welcome to the forum.

What do you mean for "protical" ?

If I understand correctly, you are reporting that firefox-esr is slower then the latest firefox version comparing their performances between firefox-esr running in a Debian VM guest and latest firefox version running in a Windows VM host.

Firefox-esr could be slower in the guest virtual machine due to both best optimisation of the latest release and the overall lower efficiency of a VM guest OS (overhead caused by VM) compared to a VM host OS.

Probably it not a network issue.

[jaimarti]

Thank you for the response

Hello,

Welcome to the forum.

What do you mean for "protical" ?

Sorry I misspelled it I meant protocol.
I guess the reason I think it is an issue with how Debian is communicating or protocol is due to trace routes. as well as the time it takes web pages to load. I did try other web browsers Konqueror and Chrome both are still very slow.

Trace route via Debian bare metal
jaimarti@jaime-hpz620workstation[/highlight][/highlight]:~$

Code: Select all

traceroute www.bing.com

traceroute to www.bing.com (204.79.197.220), 30 hops max, 60 byte packets
1 MCI5a (10.0.40.1) 0.514 ms 0.477 ms 0.451 ms
2 MainRouter.Home (10.0.10.1) 1.826 ms 1.807 ms 1.783 ms
3 .res.spectrum.com () 12.664 ms 12.633 ms 17.079 ms
4 lag-62.krvltxap02h.netops.charter.com (66.68.1.85) 27.768 ms 27.738 ms 27.709 ms
5 lag-45.ausxtxir02r.netops.charter.com (24.175.42.64) 20.531 ms 14.989 ms 20.473 ms
6 lag-22.rcr01hstqtx02.netops.charter.com (24.175.41.48) 26.745 ms 25.417 ms 72.317 ms
7 lag-416.hstqtx0209w-bcr00.netops.charter.com (66.109.9.88) 25.318 ms 24.700 ms lag-16.hstqtx0209w-bcr00.netops.charter.com (66.109.6.108) 24.650 ms
8 lag-800.pr1.hou50.netops.charter.com (66.109.5.244) 24.934 ms 21.581 ms 21.524 ms
9 ae60-0.hou01-96cbe-1a.ntwk.msn.net (104.44.14.43) 25.064 ms 25.000 ms 24.965 ms
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

Windows 10 VM
C:\Users\jaimarti>

Code: Select all

tracert www.bing.com

Tracing route to www.bing.com [204.79.197.220]
over a maximum of 30 hops:

1 <1 ms <1 ms <1 ms MCI5a [10.0.40.1]
2 1 ms <1 ms <1 ms MainRouter.Home [10.0.10.1]
3 16 ms 13 ms 10 ms .res.spectrum.com []
4 23 ms 30 ms 20 ms lag-62.krvltxap02h.netops.charter.com [66.68.1.85]
5 13 ms 11 ms 12 ms lag-45.ausxtxir02r.netops.charter.com [24.175.42.64]
6 22 ms 23 ms 21 ms lag-22.rcr01hstqtx02.netops.charter.com [24.175.41.48]
7 19 ms 23 ms 21 ms lag-16.hstqtx0209w-bcr00.netops.charter.com [66.109.6.108]
8 17 ms 26 ms 19 ms lag-800.pr1.hou50.netops.charter.com [66.109.5.244]
9 19 ms 20 ms 25 ms ae60-0.hou01-96cbe-1a.ntwk.msn.net [104.44.14.43]
10 * * * Request timed out.
11 23 ms 23 ms 24 ms 13.104.141.218
12 * * * Request timed out.
13 * * * Request timed out.
14 * * * Request timed out.
15 23 ms 26 ms 21 ms 204.79.197.220

Trace complete.

If I understand correctly, you are reporting that firefox-esr is slower then the latest firefox version comparing their performances between firefox-esr running in a Debian VM guest and latest firefox version running in a Windows VM host.

Firefox-esr could be slower in the guest virtual machine due to both best optimisation of the latest release and the overall lower efficiency of a VM guest OS (overhead caused by VM) compared to a VM host OS.

Probably it not a network issue.

[jaimarti]

Firefox-esr could be slower in the guest virtual machine due to both best optimisation of the latest release and the overall lower efficiency of a VM guest OS (overhead caused by VM) compared to a VM host OS.

Firefox was faster on the guest virtual machine. I realized that testing on two different Firefox levels was not the optimal way to test so I went ahead and uninstalled the one installed on Debian and installed the same release back on Debian via Flatpak. no change Firefox was very slow. I also went ahead and installed Google chrome and Edge. Chrome was quicker than Firefox and Edge was as slow as Firefox. so I am leaning towards it being a Firefox issue and the traceroute is just another rabbit hole.

[sunrat]

I suspect a driver or firmware issue. Check if driver is loaded, open a terminal and run:

Code: Select all

lspci -knn | grep -i -A 3 net

Check if firmware is installed:

Code: Select all

apt list -i firmware-realtek

Post the output of these commands inside code tags.

[jaimarti]

Thank you for the response. I also added the results of my Iperf3 test to my local proxmox server.

I suspect a driver or firmware issue. Check if driver is loaded, open a terminal and run:

Code: Select all

lspci -knn | grep -i -A 3 net

03:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8125 2.5GbE Controller [10ec:8125] (rev 05)
Subsystem: Realtek Semiconductor Co., Ltd. RTL8125 2.5GbE Controller [10ec:0123]
Kernel driver in use: r8169
Kernel modules: r8169

Check if firmware is installed:

Code: Select all

apt list -i firmware-realtek

Post the output of these commands inside code tags.

firmware-realtek/stable,stable,now 20210315-3 all [installed]

results of Iperf3 test
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 283 MBytes 2.37 Gbits/sec 0 617 KBytes
[ 5] 1.00-2.00 sec 281 MBytes 2.36 Gbits/sec 0 682 KBytes
[ 5] 2.00-3.00 sec 280 MBytes 2.35 Gbits/sec 0 682 KBytes
[ 5] 3.00-4.00 sec 280 MBytes 2.35 Gbits/sec 0 716 KBytes
[ 5] 4.00-5.00 sec 280 MBytes 2.35 Gbits/sec 0 785 KBytes
[ 5] 5.00-6.00 sec 279 MBytes 2.34 Gbits/sec 0 785 KBytes
[ 5] 6.00-7.00 sec 281 MBytes 2.36 Gbits/sec 0 785 KBytes
[ 5] 7.00-8.00 sec 279 MBytes 2.34 Gbits/sec 0 824 KBytes
[ 5] 8.00-9.00 sec 280 MBytes 2.35 Gbits/sec 0 824 KBytes
[ 5] 9.00-10.00 sec 281 MBytes 2.36 Gbits/sec 0 824 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 2.74 GBytes 2.35 Gbits/sec 0 sender
[ 5] 0.00-10.04 sec 2.74 GBytes 2.34 Gbits/sec receiver

[jaimarti]

I went ahead and updated the driver. new output

lspci -knn | grep -i -A 3 net
03:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd. RTL8125 2.5GbE Controller [10ec:8125] (rev 05)
Subsystem: Realtek Semiconductor Co., Ltd. RTL8125 2.5GbE Controller [10ec:0123]
Kernel driver in use: r8125
Kernel modules: r8125

apt list -i firmware-realtek
firmware-realtek/stable,stable,now 20210315-3 all [installed]

results of Iperf3 test
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 2.74 GBytes 2.35 Gbits/sec 0 sender
[ 5] 0.00-10.04 sec 2.74 GBytes 2.34 Gbits/sec receiver

No Change

[kent_dorfman766]

folks too often try to diagnose these kinds of problems at the highest layers of the ISO network layer model, essentially poking at it with a stick instead of being systematic. start at layer 2 and work upward.

on the machine that doesn't work:
does the NIC generate packet errors?
can you reliably ping/traceroute nodes on your local network by IP number?
can you reliably ping/traceroute nodes on your local network by hostname?
expand the above to non-local nodes
what does your routing table look like?
what does your iptables rule list look like?

Is firefox the only client that exhibits the problem? what about torrents or manually pulling content using wget?

only now can you start looking at it at the app/fireforx level...
Have you tried firefox as a different username? using minimalist window manager?
Have you cleared the firefox cache?
Have you verified that the CA certificates are correct?

Another thing that I don't think was mentioned: is the working VM running as a guest on the non-working linux machine? using what type of network passthru? bridging?

Addressing stuff in this order lets you identify where the problem exists and not just guess.

[jaimarti]

Thanks Everyone! It is fixed!!!!! I went through the steps provided by kent_dorfman766 and was able to narrow down the router that was causing the issue. The setting(Forced DNS Redirection) on the DD-WRT router was only effecting Debian and other Debian based distrubution nothing else that I could identify. not sure what the actual issue is I guess I might check over at the DD-WRT form to see if they know.

Commands I used where:

Code: Select all

netstat -ni

Code: Select all

netstat -s

Code: Select all

traceroute

Code: Select all

ping

Pings and traceroutes would take forever to respond and never time out once I went past the offending router, I guess network 101.

[jaimarti]

OK now that I am past the initial excitement of having Debian up and running lighting fast. I updated the firmware on my router and searched for information on the DD-WRT forum for similar issues when it dawned on me that I had fixed the symptom not fix the cause. I am trying to determine what to do next. It does seem to me there is a TCPIP protocol inconsistency. I use the Forced DNS Redirection setting as a security practice along with a specific DNS service to prevent any attempt to bypass that DNS Service. Since this seems to have had no effect on Windows it comes back down to a Debian issue I think.

All that being said I guess the actual issue would be defined better as network speed degraded due to Forced DNS Redirection or something to that effect. Is there a way to open a development ticket to address the issue? I am able to duplicate the issue on my machine every time I toggle the setting on. Or can someone with Debian installed and a DD-WRT router verify they see the same degradation? It is under Setup>Basic Setup>Network Setup then check Forced DNS Redirection.

[Aki]

Hello,
Following the @kent_dorfman766's advice in previous post, I suggest you to follow a more structured troubleshooting approach, documenting the commands (with their output) you use to replicate and analyse the issue. If you wish, you could also see here [1].

In the meanwhile, It could useful to take a look at the general hardware information of your computer (in anonymous form) with the command (the inxi program must be installed):

Code: Select all

inxi -Fxxxz

---
[1] https://www.redhat.com/sysadmin/beginners-guide-network-troubleshooting-linux

[Random_Troll]

I use the Forced DNS Redirection setting as a security practice along with a specific DNS service to prevent any attempt to bypass that DNS Service.

Why not just configure Debian to use your chosen nameserver directly? No need to worry about the router then.

I like to use systemd-resolved with DoT and DNSSEC. It works well. Mostly.

[jaimarti]

Thank you for the reply I will give the attached link a read.

Hello,
Following the @kent_dorfman766's advice in previous post, I suggest you to follow a more structured troubleshooting approach, documenting the commands (with their output) you use to replicate and analyse the issue. If you wish, you could also see here [1].

In the meanwhile, It could useful to take a look at the general hardware information of your computer (in anonymous form) with the command (the inxi program must be installed):

Code: Select all

inxi -Fxxxz

Requested output of inxi -Fxxxz

Code: Select all

jaimarti@jaime-hpz620workstation:~$ inxi -Fxxxz
System:
  Kernel: 5.10.0-23-amd64 x86_64 bits: 64 compiler: gcc v: 10.2.1 
  Desktop: Cinnamon 4.8.6 tk: GTK 3.24.24 dm: LightDM 1.26.0 
  Distro: Debian GNU/Linux 11 (bullseye) 
Machine:
  Type: Desktop System: Hewlett-Packard product: HP Z620 Workstation v: N/A 
  serial: <filter> Chassis: type: 6 serial: <filter> 
  Mobo: Hewlett-Packard model: 158A v: 0.00 serial: <filter> 
  UEFI: Hewlett-Packard v: J61 v03.96 date: 10/29/2019 
Battery:
  Device-1: hidpp_battery_0 model: Logitech MK700 serial: <filter> 
  charge: 70% (should be ignored) rechargeable: yes status: Discharging 
  Device-2: hidpp_battery_1 
  model: Logitech Marathon Mouse/Performance Plus M705 serial: <filter> 
  charge: 55% (should be ignored) rechargeable: yes status: Discharging 
CPU:
  Info: 2x 8-Core model: Intel Xeon E5-2670 0 bits: 64 type: MT MCP SMP 
  arch: Sandy Bridge rev: 7 L2 cache: 40 MiB 
  flags: avx lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx 
  bogomips: 166031 
  Speed: 1197 MHz min/max: 1200/3300 MHz Core speeds (MHz): 1: 1239 2: 1238 
  3: 1197 4: 1197 5: 1197 6: 1197 7: 1197 8: 1197 9: 1210 10: 1335 11: 1236 
  12: 1329 13: 1230 14: 1236 15: 1481 16: 1444 17: 1529 18: 1197 19: 1197 
  20: 1197 21: 1197 22: 1197 23: 1550 24: 1197 25: 1197 26: 1197 27: 1412 
  28: 1946 29: 1585 30: 1251 31: 1197 32: 1197 
Graphics:
  Device-1: AMD Polaris 20 XL [Radeon RX 580 2048SP] driver: amdgpu 
  v: kernel bus ID: 05:00.0 chip ID: 1002:6fdf class ID: 0300 
  Display: x11 server: X.Org 1.20.11 driver: loaded: amdgpu,ati 
  unloaded: fbdev,modesetting,vesa resolution: 1: 1920x1080~60Hz 
  2: 1920x1080~75Hz s-dpi: 96 
  OpenGL: renderer: AMD Radeon RX 580 2048SP (POLARIS10 DRM 3.40.0 
  5.10.0-23-amd64 LLVM 11.0.1) 
  v: 4.6 Mesa 20.3.5 direct render: Yes 
Audio:
  Device-1: Intel C600/X79 series High Definition Audio 
  vendor: Hewlett-Packard driver: snd_hda_intel v: kernel bus ID: 00:1b.0 
  chip ID: 8086:1d20 class ID: 0403 
  Device-2: AMD Ellesmere HDMI Audio [Radeon RX 470/480 / 570/580/590] 
  driver: snd_hda_intel v: kernel bus ID: 05:00.1 chip ID: 1002:aaf0 
  class ID: 0403 
  Device-3: C-Media USB Audio Device type: USB 
  driver: hid-generic,snd-usb-audio,usbhid bus ID: 3-4:2 chip ID: 0d8c:0012 
  class ID: 0300 
  Sound Server: ALSA v: k5.10.0-23-amd64 
Network:
  Device-1: Intel 82579LM Gigabit Network vendor: Hewlett-Packard 
  driver: e1000e v: kernel port: e040 bus ID: 00:19.0 chip ID: 8086:1502 
  class ID: 0200 
  IF: eno1 state: down mac: <filter> 
  Device-2: Intel 82574L Gigabit Network vendor: Hewlett-Packard 
  driver: e1000e v: kernel port: d000 bus ID: 01:00.0 chip ID: 8086:10d3 
  class ID: 0200 
  IF: enp1s0 state: down mac: <filter> 
  Device-3: Realtek RTL8125 2.5GbE driver: r8125 v: 9.011.01-NAPI port: b000 
  bus ID: 03:00.0 chip ID: 10ec:8125 class ID: 0200 
  IF: ens4 state: up speed: 2500 Mbps duplex: full mac: <filter> 
Bluetooth:
  Device-1: ASUSTek Broadcom BCM20702A0 Bluetooth type: USB driver: btusb 
  v: 0.8 bus ID: 2-1.1:3 chip ID: 0b05:17cb class ID: fe01 serial: <filter> 
  Report: ID: hci0 state: up running pscan iscan bt-v: 2.1 lmp-v: 4.0 
  sub-v: 220e hci-v: 4.0 rev: 1000 address: <filter> 
RAID:
  Hardware-1: Intel C600/X79 series SATA RAID Controller driver: ahci v: 3.0 
  port: e020 bus ID: 00:1f.2 chip ID: 8086.2826 rev: 05 
Drives:
  Local Storage: total: 1.02 TiB used: 198.36 GiB (19.0%) 
  ID-1: /dev/nvme0n1 vendor: Western Digital model: WD Green SN350 1TB 
  size: 931.51 GiB speed: 31.6 Gb/s lanes: 4 rotation: SSD serial: <filter> 
  rev: 33006000 scheme: GPT 
  ID-2: /dev/sda vendor: Kingston model: SA400S37120G size: 111.79 GiB 
  speed: 6.0 Gb/s rotation: SSD serial: <filter> rev: 0009 scheme: GPT 
Partition:
  ID-1: / size: 914.38 GiB used: 198.36 GiB (21.7%) fs: ext4 
  dev: /dev/nvme0n1p2 
  ID-2: /boot/efi size: 511 MiB used: 5.8 MiB (1.1%) fs: vfat 
  dev: /dev/nvme0n1p1 
Swap:
  ID-1: swap-1 type: partition size: 977 MiB used: 0 KiB (0.0%) priority: -2 
  dev: /dev/nvme0n1p3 
Sensors:
  System Temperatures: cpu: 43.0 C mobo: N/A gpu: amdgpu temp: 39.0 C 
  Fan Speeds (RPM): N/A gpu: amdgpu fan: 1378 
Info:
  Processes: 468 Uptime: 38m wakeups: 10 Memory: 94.32 GiB 
  used: 4.4 GiB (4.7%) Init: systemd v: 247 runlevel: 5 Compilers: 
  gcc: 10.2.1 alt: 10 Packages: 3729 apt: 3714 flatpak: 15 Shell: Bash 
  v: 5.1.4 running in: gnome-terminal inxi: 3.3.01 

---
[1] https://www.redhat.com/sysadmin/beginners-guide-network-troubleshooting-linux

Moderator EDIT by Aki 2023/05/27 15:47: added code tags.

[jaimarti]

Thank you for the response

I use the Forced DNS Redirection setting as a security practice along with a specific DNS service to prevent any attempt to bypass that DNS Service.

Why not just configure Debian to use your chosen nameserver directly? No need to worry about the router then.

It is part of my home network and I guess I am lazy and maybe paranoid I prefer to just use DHCP and force the DNS redirection so that all DNS request are filtered through a PiHole with DNSSEC enabled. As opposed to setting up each individual piece of equipment separately. I have several IOT devices that I have segmented via the router as well.

I like to use systemd-resolved with DoT and DNSSEC. It works well. Mostly.

I did try and setup the Debian PC separately to see if I would work around the redirection. But it had the same result. I have several Servers that I need access to so I did not want to insolate it onto its own VLAN, but I might give that a shot.

[Aki]

Requested output of inxi -Fxxxz

Code: Select all

jaimarti@jaime-hpz620workstation:~$ inxi -Fxxxz
[...]
Network:
  Device-1: Intel 82579LM Gigabit Network vendor: Hewlett-Packard 
  driver: e1000e v: kernel port: e040 bus ID: 00:19.0 chip ID: 8086:1502 
  class ID: 0200 
  IF: eno1 state: down mac: <filter> 
  Device-2: Intel 82574L Gigabit Network vendor: Hewlett-Packard 
  driver: e1000e v: kernel port: d000 bus ID: 01:00.0 chip ID: 8086:10d3 
  class ID: 0200 
  IF: enp1s0 state: down mac: <filter> 
  Device-3: Realtek RTL8125 2.5GbE driver: r8125 v: 9.011.01-NAPI port: b000 
  bus ID: 03:00.0 chip ID: 10ec:8125 class ID: 0200 
  IF: ens4 state: up speed: 2500 Mbps duplex: full mac: <filter> 
[..]

Therefore, the affected network adapter should be /dev/ens4:

Code: Select all

  Device-3: Realtek RTL8125 2.5GbE driver: r8125 v: 9.011.01-NAPI port: b000 
  bus ID: 03:00.0 chip ID: 10ec:8125 class ID: 0200 
  IF: ens4 state: up speed: 2500 Mbps duplex: full mac: <filter> 

---
[1] https://www.redhat.com/sysadmin/beginners-guide-network-troubleshooting-linux

What is the command (and its output) that makes you suppose a network issue ?

[..] I guess I am lazy and maybe paranoid I prefer to just use DHCP and force the DNS redirection so that all DNS request are filtered through a PiHole with DNSSEC enabled. As opposed to setting up each individual piece of equipment separately. I have several IOT devices that I have segmented via the router as well [..] I did try and setup the Debian PC separately to see if I would work around the redirection. But it had the same result. I have several Servers that I need access to so I did not want to insolate it onto its own VLAN, but I might give that a shot.

This is an important aspect of your configuration. How have you configured it in Debian as client ?

How have you set up the general network configuration in Debian ?

[jaimarti]

Thank you again for the reply

Therefore, the affected network adapter should be /dev/ens4:

It is ens4 but I have tried with the other adapters same issue.

What is the command (and its output) that makes you suppose a network issue ?

It is a not just a command it is just everything slows way down when using the internet. I not sure how to classify it now that I know what its router setting is causing the behavior “Forced DNS Redirection”? The fact that it does not effect any of the Windows devices and a search on the DD-WRT forum for similar issues leads me to believe it is Debian centric.

An example is loading www.dnsleaktest.com and doing the standard test takes 120 sec or 2 min. with Forced DNS Redirection enabled. With Forced DNS Redirection disabled loading the same web page and test now takes 5 sec..

with Forced DNS Redirection enabled ping hangs and after about 2 min I hit ^C to stop after that

Code: Select all

jaimarti@jaime-hpz620workstation:~$ ping www.google.com
PING www.google.com (216.239.38.120) 56(84) bytes of data.
64 bytes from 216.239.38.120 (216.239.38.120): icmp_seq=1 ttl=57 time=27.1 ms
^C64 bytes from 216.239.38.120: icmp_seq=2 ttl=57 time=31.7 ms

--- www.google.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 10034ms
rtt min/avg/max/mdev = 27.146/29.446/31.747/2.300 ms

Forced DNS Redirection disabled pings continuous works fine.

Code: Select all

jaimarti@jaime-hpz620workstation:~$ ping www.google.com
PING www.google.com (216.239.38.120) 56(84) bytes of data.
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=1 ttl=57 time=31.9 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=2 ttl=57 time=50.7 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=3 ttl=57 time=30.5 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=4 ttl=57 time=30.7 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=5 ttl=57 time=29.0 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=6 ttl=57 time=33.7 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=7 ttl=57 time=34.0 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=8 ttl=57 time=27.2 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=9 ttl=57 time=30.0 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=10 ttl=57 time=30.3 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=11 ttl=57 time=41.8 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=12 ttl=57 time=25.7 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=13 ttl=57 time=29.0 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=14 ttl=57 time=30.2 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=15 ttl=57 time=27.5 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=16 ttl=57 time=30.6 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=17 ttl=57 time=28.8 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=18 ttl=57 time=28.9 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=19 ttl=57 time=29.4 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=20 ttl=57 time=26.8 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=21 ttl=57 time=31.4 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=22 ttl=57 time=27.8 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=23 ttl=57 time=28.7 ms
64 bytes from any-in-2678.1e100.net (216.239.38.120): icmp_seq=24 ttl=57 time=27.5 ms
^C
--- www.google.com ping statistics ---
24 packets transmitted, 24 received, 0% packet loss, time 23033ms
rtt min/avg/max/mdev = 25.739/30.925/50.725/5.179 ms

Forced DNS Redirection enabled Traceroute takes about a minite

Code: Select all

jaimarti@jaime-hpz620workstation:~$ traceroute www.google.com
traceroute to www.google.com (216.239.38.120), 30 hops max, 60 byte packets
 1  _gateway (10.0.40.1)  0.252 ms  0.220 ms  0.199 ms
 2  10.0.10.1 (10.0.10.1)  0.568 ms  0.538 ms  0.633 ms
 3   17.669 ms  17.643 ms  22.257 ms
 4  66.68.1.77 (66.68.1.77)  36.188 ms  36.169 ms  36.151 ms
 5  24.175.42.62 (24.175.42.62)  19.835 ms  25.401 ms  25.383 ms
 6  24.175.41.46 (24.175.41.46)  29.856 ms  28.623 ms  28.294 ms
 7  142.250.169.86 (142.250.169.86)  38.542 ms 142.250.169.138 (142.250.169.138)  27.907 ms 142.250.169.242 (142.250.169.242)  27.580 ms
 8  * * *
 9  216.239.38.120 (216.239.38.120)  24.609 ms  30.335 ms  24.513 ms

Forced DNS Redirection disabled Traceroute takes maybe 5 secs.

Code: Select all

traceroute to www.google.com (216.239.38.120), 30 hops max, 60 byte packets
 1  _gateway (10.0.40.1)  0.238 ms  0.207 ms  0.187 ms
 2  10.0.10.1 (10.0.10.1)  0.680 ms  0.659 ms  0.781 ms
 3  14.370 ms  19.976 ms  19.957 ms
 4  lag-62.krvltxap01h.netops.charter.com (66.68.1.77)  39.184 ms  39.167 ms  39.148 ms
 5  lag-45.ausutxla01r.netops.charter.com (24.175.42.62)  23.084 ms  23.283 ms  23.046 ms
 6  lag-22.rcr01dllatx37.netops.charter.com (24.175.41.46)  27.436 ms  26.029 ms  26.162 ms
 7  142.250.170.142 (142.250.170.142)  25.978 ms 142.250.170.122 (142.250.170.122)  25.283 ms 142.250.169.242 (142.250.169.242)  25.260 ms
 8  * * *
 9  any-in-2678.1e100.net (216.239.38.120)  35.261 ms  34.754 ms  34.711 ms

This is an important aspect of your configuration. How have you configured it in Debian as client ?

It was default DHCP Automatic, I have tried setting up with IPv4 address and DNS IPv6 turned off

How have you set up the general network configuration in Debian ?

I have gone back to DHCP automatic. I have tried it set up with static IP, Subnet, gateway and DNS. made no difference

---
Moderator edit (aki) Sun May 28 08:41:47 CEST 2023 - modified code tags to include outputs of commands

[Aki]

Hello,

From previous commands, it seems that the Debian client cannot timely resolve destination hostnames when the "Forced DNS Redirection" option is enabled in your DD-WRT router that acts as your primary DNS server (as your reported). You can see it in both ping and traceroute output: IP addresses are not replaced by hostnames when "Forced DNS Redirection" option is enabled.

In your previous post you reported that the router running DD-WRT (acting as your default DNS server) is configured to force DNS redirection so that all DNS request are filtered through a PiHole (raspberry Pi appliance) with DNSSEC enabled.

When you disable "Forced DNS Redirection" in your router you exclude the PiHole (raspberry Pi appliance) from the loop. Probably you should investigate how the PiHole appliance interacts with the router.

In the meanwhile, you could use the following commands in Debian to generate a log for each of the two cases ("Forced DNS Redirection" ON or OFF). Note that after changing the router configuration, you should restart the Debian server before start running the following commands:

Code: Select all

# start recording of commands and output.
# replace STATUS in the following line with ON or OFF according to "Forced DNS Redirection" in your router
script forced_redirection_STATUS.txt

# check network device configuration and IP address of the active network card
ip link
ip add

# check IP routes 
ip route

# verify ipupdown configuration 
cat /etc/network/interfaces

# verify systemd networking service (the root password will be asked, unless you use sudo)
su -l -c "systemctl status networking.service"

# verify NetworkManager service  (the root password will be asked, unless you use sudo)
su -l -c "systemctl status NetworkManager.service"

# verify system wide resolver configuration
cat /etc/resolv.conf

# verify DHCP lease configuration
find /var/lib/dhcp/*.leases -exec cat {} \;

# measure latency to default DNS router; replace IP.OF.YOUR.NAMESERVER 
# with the IP of your nameserver from /etc/resolv.conf ooutput
ping -c 5   IP.OF.YOUR.NAMESERVER
ping -c 5   www.debian.net

# test your nameserver (the dig command must be installed)
dig www.debian.net www.debian.net www.debian.net www.debian.net www.debian.net
dig +trace www.debian.net www.debian.net www.debian.net www.debian.net www.debian.net

# stop recording the output
exit

You could send the generated logs with a follow-up message (as zipped attachments) and read it with the command:

Code: Select all

less -r forced_redirection_*.txt

Last but not least, it would interesting to know if VPNs come in to play into your network configuration, since you have named them in your previous post.

[jaimarti]

Hello,

From previous commands, it seems that the Debian client cannot timely resolve destination hostnames when the "Forced DNS Redirection" option is enabled in your DD-WRT router that acts as your primary DNS server (as your reported). You can see it in both ping and traceroute output: IP addresses are not replaced by hostnames when "Forced DNS Redirection" option is enabled.

In your previous post you reported that the router running DD-WRT (acting as your default DNS server) is configured to force DNS redirection so that all DNS request are filtered through a PiHole (raspberry Pi appliance) with DNSSEC enabled.

When you disable "Forced DNS Redirection" in your router you exclude the PiHole (raspberry Pi appliance) from the loop. Probably you should investigate how the PiHole appliance interacts with the router.

I will investigate this. I have dns masq enabled.

In the meanwhile, you could use the following commands in Debian to generate a log for each of the two cases ("Forced DNS Redirection" ON or OFF). Note that after changing the router configuration, you should restart the Debian server before start running the following commands:
You could send the generated logs with a follow-up message (as zipped attachments) and read it with the command:

I will pm these to you shortly.

Last but not least, it would interesting to know if VPNs come in to play into your network configuration, since you have named them in your previous post.

I am not using a VPN.

[jaimarti]

Here are the generated Logs.

forced_redirection.tar.gz

(9.28 KiB) Downloaded 3 times

[Random_Troll]

You can try systemd-resolved, just to see if that fixes the problem:

Code: Select all

# systemctl enable --now systemd-resolved
# ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Then check

Code: Select all

resolvectl

Disable systemd-resolved.service, remove the symlink and restart NetworkManager to revert to the previous configuration.