Your ISP is doing the right thing. That looks like a performance problem on our side, adding 10ms of delay going through our peering router. (Note that the router itself is being particularly slow to respond to the traceroute, which is low-priority for it... if it were lightly-loaded, it would be responding quickly.) It's possible that this is something transitory, like a DDoS, or it's possible that the location is just very heavily loaded. I'll check into it. But your ISP is fine, they're handing off both Quad9 and Cloudflare on the same optimum path. This is our issue to resolve. I'll hand it off to ops now.
Quad9 has a faster idle timeout than cloudflare, so the Merlin default idle_timeout of 9000 ms is too long for Quad9 and results in conn_shuts, which isn't as graceful as Stubby closing the connection on the router end.
I was searching how to do that as well. Turns out to be impossible... and we are still not able to get OpenVPN to work while on IPv6, correct? Not sure if there have been any recent updates on this. I would imagine that there would be additional work to rework policy rules, etc.
I was searching how to do that as well. Turns out to be impossible.
https://www.snbforums.com/threads/asus-rt-ac86-u-no-ipv6-in-vpn-connection.56066/#post-480607
I spent hours trying to use IPV6 and VPN client, and all the IP leaks showed my VPN assigned IP. But geolocation always showed where I live and not the VPN exit point. I gave up on IPV6 for now and will stay with IPV4 until forced to change.
I opened a support request on Friday asking about an ideal timeout value for idle DoT connections. Got a response today, but I don't think we're on the same page yet, so still pursuing it further.

Sounds like a bunch of you are seeing the same issue there. I'll check with the ops guys and see what they say about it.
Yesterday I tried Quad9 and same as you NYC is going through Miami.

I thought I was seeing improved performance with IPv6 on Quad9 with DoT but now I'm getting lengthy lag in response. 9.9.9.9 is actually faster, not the other way around as I had expected. Also noticed I connect through Miami (from TX) and there are closer servers listed. Another work in progress.
When I do a traceroute I seem to get better performance from Cloudflare (ping time response), whereas I get way more hops with Google DNS (4 vs 10).

I get so many timeouts (and even failing transactions/payments) with Quad9 that I have to revert to Cloudflare for now.
Hope to make a traceroute over the weekend or next week.
I get so many timeouts (and even failing transactions/payments) with Quad9 that I have to revert to Cloudflare for now.
Hope to make a traceroute over the weekend or next week.
I really want Quad9 to work well with DoT and be a viable competitor to CloudFlare and Google, for reasons similar to why I use Firefox instead of Chrome or Edge. But in the end it needs to work reliably, like picking up the telephone receiver or turning on a lightswitch. Growing pains are forgivable, especially for a non-profit, but this is a very juicy opportunity for Quad9 to convert a whole bunch of DoT enthusiasts here.
Yesterday I tried Quad9 and same as you NYC is going through Miami.
@Bill Woodcock, @Ryan K (Cloudflare), @RMerlin, @john9527 (take care, only when you're able to reply, of course), @sfx2000, @ColinTaylor, @thelonelycoder, @Jack Yaz and all others who may be able to contribute, referring to post 64 above,
1) Is a caching resolver the same as the 'Wan: Use local caching DNS server as system resolver (default: No)' in the Tools/Other Settings page in the Advanced Tweaks and Hacks section of RMerlin powered routers?
2) What is QNAME minimization? How can this be implemented, if possible, on our routers today?
3) Link encryption. I think this is DoT? Am I close?
4) How important is it to 'compartmentalize DNS queries' and, do our routers do that for our devices now?
5) I think all of the above points to the goal of post 67, which states exactly how I hope I'm operating my network: "Minimize the amount you have to trust anyone else."
These may be basic steps and concepts to some here. But I want to start on the bottom and thoroughly understand each step I am taking forward towards real online security.
We also recommend against DNS-over-HTTPS, because while it's sufficient in theory, that wasn't what it was intended for in practice. HTTPS implementations are notoriously data-leaky, which means they're fingerprintable.
Anyways - I'll prefer Security/Integrity over Privacy with DNS - I just want to ensure that the Lookup Results are valid, and this plays into my background in carrier scale networks along with device development.
my 2 cents.