DNS Queries Taking 5+ Seconds
Embed This Widget
Add the script tag and a data attribute to embed this widget.
Embed via iframe for maximum compatibility.
<iframe src="https://ipfyi.com/iframe/entity//" width="420" height="400" frameborder="0" style="border:0;border-radius:10px;max-width:100%" loading="lazy"></iframe>Paste this URL in WordPress, Medium, or any oEmbed-compatible platform.
https://ipfyi.com/entity//Add a dynamic SVG badge to your README or docs.
[](https://ipfyi.com/entity//)Use the native HTML custom element.
DNS resolution takes an unusually long time — often 5 to 30 seconds — before eventually succeeding or timing out. Page loads stall on the 'Resolving host' phase, TCP connections that follow DNS succeed quickly, and the slow queries may only affect certain domain types (e.g., IPv6 AAAA records) or certain upstream resolvers, pointing to a specific bottleneck rather than a total failure.
Symptoms
- ⚠ Browser's status bar stalls on 'Resolving host...' for 5–30 seconds before the page loads
- ⚠ dig or nslookup shows 'Query time: 5432 msec' for most lookups
- ⚠ TCP connections after DNS resolves are fast — only the resolution phase is slow
- ⚠ AAAA (IPv6) queries time out while A (IPv4) queries succeed quickly
- ⚠ Lookups through a specific resolver (e.g., corporate DNS) are slow; public resolvers (8.8.8.8) are fast
- ⚠ Intermittent — some queries resolve in <10ms while identical queries take 5s
Possible Root Causes
- • IPv6 AAAA queries timing out on networks that silently drop IPv6 packets instead of returning ICMP unreachable — the resolver waits for a 5-second timeout before falling back to IPv4
- • The configured resolver is geographically distant or overloaded, adding 50–500ms per query that compounds across multiple DNS hops
- • Local resolver cache is disabled or undersized, forcing full recursive lookups for every repeated query
- • A network appliance (firewall, transparent proxy, or captive portal) is intercepting DNS and introducing processing delay
- • The authoritative server for a queried zone is unreachable, forcing the recursive resolver to exhaust all retries before returning SERVFAIL
Diagnosis Steps
Step 1 — Measure baseline query times
# Linux / macOS — query multiple resolvers and compare
dig @127.0.0.53 google.com # Local stub resolver
dig @192.168.1.1 google.com # Router/DHCP resolver
dig @8.8.8.8 google.com # Google Public DNS
dig @1.1.1.1 google.com # Cloudflare DNS
# Add +stats to see query time
dig @8.8.8.8 +stats google.com | grep "Query time"
# Windows
Measure-Command { Resolve-DnsName google.com }
Measure-Command { Resolve-DnsName google.com -Server 8.8.8.8 }
Compare times across resolvers. If public resolvers are fast and your local resolver is slow, the bottleneck is the local resolver's upstream connectivity or configuration.
Step 2 — Check for IPv6 AAAA timeout pattern
A very common cause of 5-second delays is the resolver attempting AAAA queries on a network that drops IPv6 packets (instead of returning ICMP unreachable):
# Time A vs AAAA query separately
time dig @8.8.8.8 A google.com
time dig @8.8.8.8 AAAA google.com
# Check if your host has a usable IPv6 route
ip -6 route show default # Linux
netstat -rn -f inet6 # macOS
If AAAA queries take 5 seconds while A queries are instant, disable IPv6 or fix the IPv6 routing before the resolver.
Step 3 — Check resolver cache hit rate
# systemd-resolved statistics
resolvectl statistics
# Check if cache is returning fast (TTL > 0 in response means cache miss or short TTL)
dig @127.0.0.53 google.com | grep -E "Query time|ANSWER"
# Run same command twice — second run should be much faster if caching works
Step 4 — Measure round-trip time to the resolver
Slow DNS often means the resolver itself is far away or under load:
# Measure latency to configured resolvers
ping -c 10 8.8.8.8
ping -c 10 1.1.1.1
ping -c 10 192.168.1.1 # Your local resolver
# Trace the path to the resolver
traceroute 8.8.8.8
mtr --report 8.8.8.8
High latency (>50ms) to the resolver directly inflates every DNS query.
Step 5 — Inspect resolver logs for timeouts
# systemd-resolved verbose logging
sudo resolvectl log-level debug
journalctl -u systemd-resolved -f
# Unbound (if used)
sudo unbound-control stats | grep -E "total|cache|timeout"
tail -f /var/log/unbound/unbound.log
# Reset log level afterward
sudo resolvectl log-level info
Step 6 — Check for DNS over TCP fallback triggering
Some networks block UDP port 53 and fall back to TCP, which adds latency:
# Force TCP for a query
dig @8.8.8.8 +tcp google.com
# Check if UDP port 53 is reachable
nc -zuv 8.8.8.8 53
If +tcp is fast but UDP is slow, a network device is rate-limiting or redirecting UDP/53.
Solution
Fix 1 — Address IPv6 AAAA timeout (most common cause)
If AAAA queries time out on a network without functional IPv6:
# Option A: Disable IPv6 on the interface (Linux)
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
# Make permanent:
echo "net.ipv6.conf.all.disable_ipv6=1" | sudo tee -a /etc/sysctl.d/99-disable-ipv6.conf
# Option B: Configure systemd-resolved to not query AAAA on broken IPv6 networks
# Edit /etc/systemd/resolved.conf
[Resolve]
LLMNR=no
MulticastDNS=no
Alternatively, fix IPv6 routing so AAAA queries return results rather than timing out.
Fix 2 — Switch to a low-latency resolver
# NetworkManager — set fast resolvers
nmcli connection modify "Wired connection 1" ipv4.dns "1.1.1.1 1.0.0.1"
nmcli connection up "Wired connection 1"
# /etc/resolv.conf (servers close to you)
nameserver 1.1.1.1
nameserver 8.8.8.8
options timeout:2 attempts:2
Fix 3 — Enable local caching resolver (reduces repeat-query latency to <1ms)
# Install and enable unbound as a local caching resolver
sudo apt install unbound -y
sudo systemctl enable --now unbound
# Point /etc/resolv.conf to local unbound
echo "nameserver 127.0.0.1" | sudo tee /etc/resolv.conf
# Verify cache is working
dig @127.0.0.1 google.com # First query: full recursive
dig @127.0.0.1 google.com # Second query: cache hit, <1ms
Fix 4 — Add resolver timeout/attempts tuning
# /etc/resolv.conf — reduce per-attempt timeout
nameserver 8.8.8.8
nameserver 1.1.1.1
options timeout:1 attempts:2 rotate
This cuts the maximum wait from the default 15s (5s × 3 attempts) to 4s (2s × 2 attempts).
Prevention
- Deploy a local caching resolver (unbound or systemd-resolved with caching enabled) to serve repeated lookups in <1ms
- Monitor DNS query latency with a synthetic check — alert if p95 exceeds 200ms
- Ensure IPv6 is either fully functional end-to-end or cleanly disabled; half-working IPv6 that silently drops packets is the single most common cause of 5-second DNS delays
- Place DNS resolvers in the same network region as the clients they serve — cross-region resolver queries add unnecessary round-trip time
- Use
options timeout:2 attempts:2in/etc/resolv.confto cap worst-case lookup time at 4 seconds instead of the 15-second default