Enabling DNS Protection slows down DNS requests

[trparky]

AdGuard version

7.12

Browser version

Microsoft Edge 109.0.1518.70

OS version

Windows 11 22H2 (22621.1194)

What filters do you have enabled?

AdGuard Base filter, AdGuard Tracking Protection filter, AdGuard Social Media filter

What Stealth Mode options do you have enabled?

No response

Support ticket ID

No response

Issue Details

Enabling DNS Protection slows down DNS requests by a huge amount.

Expected Behavior

No response

Screenshots

No response

Additional Information

No response

[Aydinv13]

@trparky Hi there!

What do you mean by "...slows down DNS requests"? How did you check it? Any steps to reproduce?

[trparky]

Hard coding the same DNS over HTTPS servers into Windows 11's own DNS over HTTPS is significantly faster than using AdGuard's DNS over HTTPS component. I can tell this by how a web page is loaded, loading a web page using built-in Windows functionality loads the page in a fraction of the time that it takes when using AdGuard's functionality.

The only thing that I can think of is that it's doing a lot of simultaneous lookups and the Windows component is fully multi-threaded as versus the one in AdGuard isn't or at least isn't nearly as efficient when processing multiple lookups at the same time.

[Aydinv13]

@trparky

Could you please collect HAR files? Here's what we need you to do:

1. Go to Settings -> General settings -> Advanced settings -> Enable HAR writing - checked -> Save
2. Reproduce your issue
3. Open %programdata%/Adguard directory and archive HAR folder then send the archive to devteam@adguard.com

[trparky]

OK, it'll take some time; I'm rather busy. Give me a day or two to get back to you.

[Morku]

I can totally agree to this. It happens on any device I use. So I wonder why there aren't more reports here.

The DNS protection is incredible slow. This is since DNS protection is introduced and so I am suprised that this is now enabled by default. Sometimes it's waiting for many seconds until I get informations back:

But even if you get "directly a respond", browsing is slowed down about 2x-3x.

Disabling DNS protection makes browsing back responding as expected with a 300MBit down / 100Mbit up connection. So I have disabled DNS protection on all Windows devices.

Enabling HAR writing doesn't log anything. Thats the whole output:

{
  "log": {
    "version": "1.2",
    "creator": {
      "name": "AGProxy",
      "version": "1.0"
    },
    "browser": {
      "name": "",
      "version": ""
    },
    "entries": [
    ]
  }
}

[Aydinv13]

@Morku could you please send debug logs to devteam@adguard.com. Also, is this reproduced with any DNS server?

[Morku]

I have tested once more and tried this time "AdGuard without filtering " DNS-over-HTTPS. After reboot, browsing was quick for a short moment.

Than again, browsing got unbearable slow. Seconds until the page is loaded itself. Seconds until the whole page got loaded. Sometimes some elements (probably other DNS requests) just refuse to load at all (pictures on Reddit e.g.) The page needs to be reloaded to full loaded.

When it was worse, I created a new Logfile, uploaded on Dropbox and send you again.

I can't handle that sluggish browsing for long and disabled DNS filtering again.

I hope other users contribute, too.

[Eugene-Savenko]

I think we have a similar here:

I have a problem with what I think is very slow DNS lookups on the Windows desktop. It affects web pages and also other apps (e.g. my anti-virus program gives network errors because of connection time-outs). I get connection time-outs for many of the web pages I visit in more than one browser, so it’s definitely not a problem with just one app. The problem goes away when I turn off DNS filtering in AdGuard, and is not affected by which DNS service or protocol I select: I get the same problem with AdGuard DNS over QUIC, AdGuard DNS over TLS and also Cloudflare DNS over https.

A broader description and logs are available in the helpdesk system: 715319

[trparky]

So, what's going on with this issue? Are we anywhere closer to a reason why this issue is happening and a possible fix?

[Morku]

Seems so. They have added a 7.13 label :)

[Morku]

After Nightly 4 was released, I just thought to give another try. Sure, it still not have a Resolved tag, but it should have IMO an high priority. No one is assigned here.

Using DNS module is still completely unusable. Making this option On as Default is doing a suicide for the program and new users who will quickly jump back to uBlock.

Another DNS hell test is https://www.bild.de/ Let's see how long it takes until the Anti Adblock page is fully loaded:

https://user-images.githubusercontent.com/6276915/224729317-c4bf5d90-7d2a-435b-bbc7-50c22b8937a6.mp4

  And this is one of the better run. Sometimes it even takes 20-30 seconds until the page is even showing something.

And to compare, without DNS module:

https://user-images.githubusercontent.com/6276915/224729466-bf4f522e-7cee-4bbc-be77-968d23e15eeb.mp4

  For the test, I have always used a clean browser profile with cleared cache and Cookies and also run ipconfig /flushdns previously.

I have sent you another Logfile after doing that test to devteam@adguard.com

[ngorskikh]

@trparky @Morku Hi, could you please set Settings -> General Settings -> Advanced Settings -> Action applied to blocked DNS requests to Custom IP address (don't change anything else) and report the result? This will make the DNS proxy respond with an unspecified address instead of a REFUSED code. I was able to reproduce something that looked like your issues, and this seems to help. Might be a Chromium bug.

[Morku]

@ngorskikh Hi, changing to Custom IP address seems to have only a very minor impact on me (or let's say, placebo). It's still stuck and extremly slow on several DNS requests. Also, I don't use Chromium. I use Firefox (Gecko). Changing to Custom IP address looks like, the protocoll shows less blocked DNS requests in a row than the default setting "Refused" error.

Here is again a video of it. It takes ages to show something. My Down/Upload is 300/100MBit, so it's not the issue and without DNS module it is quick as expected.

https://user-images.githubusercontent.com/6276915/225004482-55c23abe-e39a-43df-88ab-006126f71495.mp4

[Aydinv13]

@Morku Hi again!

We are already fixing it. Could you clarify one more thing:

I can totally agree to this. It happens on any device I use.

Do you mean any Windows device?

[Morku]

@Aydinv13 Hi. Yes, I mean only Windows devices with AdGuard for Windows.

I am using some iOS devices and my family also Android devices without any issue using local VPN DNS filtering. All requests are quick and filtered fine.

This weekend I setup another Windows device with AGfW 7.13 Beta 2. DNS requests became so sluggish (waiting 3-4 seconds for DNS lookup) or even timeout, that I had to disable DNS filtering.

[trparky]

God, I can't believe that this isn't fixed yet. And as you said, having this enabled by default is like suicide for AdGuard. I can't imagine how the people who don't know how to troubleshoot issues like this are thinking, they must be thinking AdGuard is a piece of crap and rightfully so.

Good God guys, you might as well have shot yourself in the foot here.

[trparky]

After Nightly 4 was released, I just thought to give another try. Sure, it still not have a Resolved tag, but it should have IMO an high priority. No one is assigned here.

Using DNS module is still completely unusable. Making this option On as Default is doing a suicide for the program and new users who will quickly jump back to uBlock.

Another ~DNS hell~ test is https://www.bild.de/ Let's see how long it takes until the Anti Adblock page is fully loaded:

  And this is one of the better run. Sometimes it even takes 20-30 seconds until the page is even showing something.

And to compare, without DNS module:

  For the test, I have always used a clean browser profile with cleared cache and Cookies and also run ipconfig /flushdns previously.

I have sent you another Logfile after doing that test to devteam@adguard.com

Wow, just wow. That makes it even worse in terms of showing just how bad DNS filtering being enabled causes even the most capable high-speed Internet connection look like dial-up. Guys, fix this issue or at least put out a hot patch to disable DNS Filtering on all systems that had it enabled by default so as to at least save some of the respect of the public.

[sfionov]

@trparky This task has highest priority for Win 7.13 release and we are working on it.

[trparky]

@trparky This task has highest priority for Win 7.13 release and we are working on it.

Yeah, but in the meantime put out a interim release to turn off DNS Filtering on existing installations or all you guys are going to have left after shooting yourselves in the foot is a bloody stump.

Reminds me of that meme with the dog in the house that's on fire and he says "This is fine" as he sips his coffee.

[Aydinv13]

@trparky @Morku

could you check the newest nightly build?

[trparky]

@Morku, do you mind being the lab rat?

[Morku]

@Aydinv13 Looks fine so far from my first test on Desktop, Laptop and virtual machine :) I used the default setting. I didn't encounter any abnormal delay or even timeout in the 2 hours of testing.

However, on my 13 years old laptop there is a little slowdown noticable with DNS module. But because of age and lack of power thats the way.

I don't want conclude for final that the issue is resolved, because I can't test another internet connection when once again I had big issues with Beta 2. But for now, it looks resolved for me.

[adbuker]

@Morku , nice to read. Issues with the Beta 2 are expectable, because it hasn't the fix

[trparky]

I've had the chance to load it on three systems; my desktop, a Hyper-V installation, and my notebook. It's a little slower on my notebook for whatever reason but not nearly as slow as what DNS Protection presented before. Maybe it's got something to do with how the DNS Protection Proxy (whatever) is being ran on the E-Cores as versus the P-Cores (God, I hate Intel).

[trparky]

I'd say the issue has been solved with DNS Protection. Perhaps the only thing I could suggest at this point is that any and all AdGuard related processed are routed to the P-Cores as versus E-Cores on these stupid hybrid Intel chips.

I have no issues on my Ryzen 7700X desktop. Yeah, I know... it's massively overpowered.

[trparky]

Any idea as to when this will be a final release?