Why is DNS resolution via UDP slower than TCP on Mac?
My understanding is that DNS queries via UDP (the default) should be faster, but I am seeing the opposite on two Macs I own, and other 3 people I have asked who are also on Mac, see exactly the same thing. It's weird, but queries over UDP are 3-5 times slower than queries over TCP. I cannot reproduce this on my Linux servers for example.
On my Macs I switched to DNS over TLS which is much faster than the default UDP querying for me, but I am still curious.
Can readers with Macs try as well? To test, I run the command `dig @1.1.1.1 somedomain.com` to test with UDP (with Cloudflare's public DNS in this case, and any domain you want), and the same command but with the additional argument`+tcp` to query over TCP. Try each command a few times. Which one is faster for you? UDP or TCP?
Trying to understand if it's a Mac issue. Thanks in advance!
25 comments
[ 3.3 ms ] story [ 57.8 ms ] threadQuerying my local DNS, a pi-hole instance running in Docker on a Synology DSM: TCP is 3 msec, UDP is 0 msec (per the dig output).
So my initial take is that DNS over UDP is faster on the local network and thus you need to start digging into why Cloudflare is behaving as it is, or maybe there's something with all the hops between you and there. Some transparent DNS proxy or something?
TCP is around ~10ms including overhead, 3ms excluding.
TLS is ~100ms including overhead, 5ms excluding.
1.1.1.1:
udp - 5ms
tcp - 15ms / 10ms
tls - 70ms / 4ms
Use a sniffer (e.g. wireshark) to get a better idea for timing, I wouldn't count on dig for that.
[Edit 3] I am seeing the same thing to 1.1.1.1. But I can also reproduce this to a few other places on the internet... Yet I do not see this to a handful of UDP listeners I have throughout the US. It seems to be route specific but not CF specific. Perhaps someone here has a 1thousand eyes account and happens to have TCP and UDP probes around the world? The "nc" tests should be performed against all the open resolvers and many authoritative servers around the world to compare results.
Simple tests can be done with "nc" to take dig out of the picture. netcat should be available in macports and homebrew. If not, nmap also has a version of netcat. I suggesting taking dig out of the picture as it overrides the OS tcp and socket default options.
The same tests could also be done against any daemons listening for UDP on something other than port 53 to rule out mac or other devices on your network intercepting port 53 and trying to do something intelligent with it.