So I have a backup network link (working from home means you need two network links) and it was feeling kind of slow. I had a Linksys BEFSX41 connected to it, which according to the specifications is an ok unit (does VPN, etc.) but in practice it felt really slow (web browsing was not fun). So let’s test this objectively, I thought.
First, obviously, was to check the speed: am I getting what I paid for? A quick visit to www.speedtest.net showed that I was indeed getting the 4 megabits down and 1 megabit up that I pay for (it’s a wireless link, so not super fast, but I don’t have to worry about backhoe fade). So if I’m getting good upload/download speeds, why would it feel slow?
Luckily DNSSEC has been in the news a lot recently and several DNS testing sites have come up in various blogs/conversations/etc. So I headed over to the ICSI Netalyzr, which promises to “Debug your Internet.” It’s a Java-based test and takes a while, but I have to say the results are worth it. It checks connection speed, filtering, DNS speed and filtering, and a few other things. Turns out DNS lookups were horribly slow (on the order of several thousand milliseconds, aka seconds). No wonder web browsing felt slow!
Turns out the BEFSX41 intercepts DNS lookups and proxies them: good for filtering, terrible for performance.
So I tried out a D-Link EBR-2310, which had even worse DNS performance. To add insult to injury, it doesn’t support routing properly. On the BEFSX41 I can specify static routes, i.e. a router on 192.168.1.1 can get to 10.1.2.0/255.255.255.0 through the machine at 192.168.1.2. The EBR-2310 simply doesn’t support any routing. It also does the DNS proxy intercept, worse than the BEFSX41 (about twice as slow, in other words completely unusable).
So off to the store I go for a Netgear RP614v4. I was hoping that because it was a relatively recent device it would have slightly better hardware and firmware. Luckily I was right. It’s a fairly limited device; you can set it up as a DHCP server but you don’t really have many (well, any) options as to what it serves out via DHCP (domain, DNS servers, default gateway, etc.; it does these all with a brain-dead default set). But it does DNS lookups in an average of 70-80ms (as opposed to 1-3 seconds).
On my main subnet Internet access is brokered through a pretty vanilla OpenBSD machine (apart from having IPv6 enabled it’s pretty bog standard) and DNS lookups etc. are much faster. If anything this experience has taught me that if you want performance, go find a small cheap machine, load it up with OpenBSD and be happy. Time to buy a Soekris I suppose. Oh, and if you want DNSSEC these hardware firewalls aren’t going to do the trick: they pretty much only support short DNS replies, meaning that longer DNSSEC replies will be truncated (and thus broken). To test this you can use the OARC reply size test:
dig +short rs.dns-oarc.net txt
I also decided to test my network links for traffic shaping etc.; turns out my primary ISP does and my backup ISP doesn’t. To see if yours does or doesn’t, check out the EFF page covering this.