ControlD with Merlin


AT&T is redirecting port 53 to own servers?

As far as I know, they don't... this is one of those things where I can't say how I know...

Generally though - it's not worth their time to intercept DNS to off-network hosts if someone wants to do this...
 
Yes, I understand anycast. I feel we are drifting off topic though. I ran several DNS tests today using Gibson Research and WhatRoute apps. ControlD for me is the slowest by a wide margin (bad routing). ATT is the fastest (6ms). The other major public DNS providers all come in about the same (20ms). With ECS on I see video streams loading faster and no ramping up of bitrate of the stream. TVE feeds are almost instantaneous. Same if I use ATT DNS. I really wanted ATT DNS to suck, but page loads and streaming do clearly work better using a DNS server that points to on-network resources.
 
"DOH is prone to fewer issues than DOT, and native DOT performance on Asus is pretty wonky to begin with"

Seems like a pretty bold and unqualified statement. I prefer DOT because I can see its presence and activity on my network.

Look at things from a tech support perspective...

AsusWRT has a rich community of third-parties that modify the factory firmware configurations - they have zero idea of what your router has, and how it's configured... It's their polite way of saying "not my problem" as soon as you mention AsusWRT-RMerlin - bonus points if you mention Entware or any of the third-party scripts being involved...

It's the reputation that is at risk... but Asus doesn't seem to have a big interest there...
 
My latency to the various public DNS servers is good. The real question is, which one routes me to the best CDN PoP. I would suspect it is the server from AT&T, and its latency is crazy fast, but I have read that many people on ATT say their server is not reliable. Google at least supports ECS, so they could be good too. But with either of those I know my data is being logged and sold.

Some screen grabs of what I see. The DNS test is in order of average latency. AT&T 1 server is prone to lookup failures and fails many times.
 

I don’t have AT&T. But, I use Comcast DNS because streaming devices work way better with it. Lots of people say Comcast’s DNS are unreliable and serve ads on redirects instead of NXDOMAIN. All of this is old information. Redirecting DNS breaks DNSSEC which they implemented years ago and stopped redirects. Also I have found its uptime to be just as good as any third party these days and actually have fewer failed lookups for sites than with something like Quad9. So you may not be getting info that is relevant today.
 
I am going to try ATT servers for a few days and see how it goes.
 
Not to me. What are they smoking?
Smoker here, likely the one that responded to the OP.

As someone else said already, DOT doesn't work on quite a few networks in many countries due to a bespoke port that it uses. If it works on your network, and you prefer "native" method, by all means use stock Merlin. The performance difference / HTTP overhead is essentially irrelevant as far as human use is concerned. We've actually performed tests on this, and the average difference in performance is measured in microseconds (not milliseconds).

Additionally, when our DNS daemon is installed (which is quite lightweight), it offers a myriad of features and integrations with Asus Merlin. Not everyone's cup of tea, if all you want is to send DNS queries to the upstream, you can use whatever you want, including native DoT support.

Cheers!
 
Sorry but I just tested again and latency to Control D servers is still very high. They come in dead last in every DNS test I run. It may just be for me that my ISP has poor peering to the network Control D is on. But that is out of my control so I have to use servers that perform better.
 

ControlD worked really well for me when I lived in a city of 90k that was somewhat of a dns island if you will. Always had the fastest scores. Now that I'm back in a major metro area there is a lot more competition.
Code:
@GT-AX6000:/tmp/mnt/asususb/syno.dnsperftest# cat dnstest.sh.sorted.log
Provider        t1  t2  t3  t4  t5  t6  t7  t8  t9  t10 t11 t12 t13 Median ms
--------------- --- --- --- --- --- --- --- --- --- --- --- --- --- ---------
Router          1   1   1   1   1   1   1   1   1   1   1   1   1     1.00 ms
nameserver/1    10  10  10  11  10  10  11  10  10  10  11  11  10   10.31 ms
Cloudflare/1    20  11  12  10  11  13  11  11  10  13  10  10  10   11.69 ms
nameserver/2    21  11  11  11  10  11  9   12  11  11  11  10  13   11.69 ms
Cloudflare/2    14  11  11  11  24  12  11  11  11  11  23  10  10   13.08 ms
Quad9/1         16  15  15  15  16  15  16  15  15  15  15  23  14   15.77 ms
DNSFilter/1     15  17  15  17  16  15  16  17  15  16  15  17  16   15.92 ms
DNSFilter/2     16  16  18  17  16  17  17  16  17  17  16  16  16   16.54 ms
CleanBrowsing/1 16  16  16  16  24  18  16  19  16  16  17  16  15   17.00 ms
NortonCS/2      35  16  19  15  15  15  16  14  15  16  15  15  15   17.00 ms
Quad9/2         15  13  16  19  17  15  15  16  17  14  20  14  32   17.15 ms
ControlD/2      16  15  16  16  21  16  18  18  16  17  17  19  19   17.23 ms
ControlD/1      19  17  18  19  17  16  20  25  20  24  18  20  16   19.15 ms
NextDNS/1       66  17  17  17  15  17  15  17  15  16  17  15  17   20.08 ms
Google/1        25  37  27  15  17  15  14  14  15  15  43  15  26   21.38 ms
OpenDNS/2       15  17  25  43  85  32  17  17  15  15  35  14  15   26.54 ms
Neustar/1       26  25  27  26  26  25  30  26  25  27  26  30  32   27.00 ms
OpenDNS/1       13  17  26  33  97  16  17  16  14  14  38  15  36   27.08 ms
nameserver/3    118 99  11  11  11  11  12  12  11  22  11  12  12   27.15 ms
Google/2        16  37  25  52  61  14  15  25  15  15  44  16  24   27.62 ms
Verisign/1      134 26  27  27  28  27  28  26  26  27  25  26  27   34.92 ms
NortonCS/1      41  43  42  44  41  42  42  43  40  42  42  43  42   42.08 ms
Verisign/2      41  42  41  43  47  40  43  47  41  40  43  40  42   42.31 ms
Neustar/2       43  43  45  43  43  40  44  43  42  58  42  43  41   43.85 ms
OracleDyn/2     47  45  47  45  47  47  46  46  47  46  46  46  46   46.23 ms
dnsmasq         61  1   41  1   1   1   1   1   1   1   440 69  1    47.69 ms
OracleDyn/1     70  46  47  46  46  46  46  51  47  47  46  46  47   48.54 ms
AdGuard/2       57  57  56  85  62  55  57  56  56  56  55  56  56   58.77 ms
AdGuard/1       80  83  57  55  56  57  56  56  55  54  57  54  56   59.69 ms
SafeDNS/2       64  64  62  64  63  68  63  63  63  62  67  63  65   63.92 ms
SafeDNS/1       74  62  64  64  65  63  63  89  67  64  68  62  63   66.77 ms
Freenom/2       61  34  54  284 53  34  37  118 56  48  178 253 36   95.85 ms
Yandex/2        162 166 164 165 166 165 165 163 167 168 215 161 165 168.62 ms
Yandex/1        166 167 164 172 176 167 172 201 162 160 164 164 165 169.23 ms
NextDNS/2       264 196 201 196 197 200 193 196 197 198 197 197 196 202.15 ms
CleanBrowsing/2 309 289 298 298 300 287 266 302 289 313 326 282 265 294.15 ms
Pogoplug2       956 123 66  506 586 165 68  389 87  156 643 242 171 319.85 ms
PogoplugPro2    *   122 66  406 585 143 84  380 127 185 402 517 168 999  1-to
Pogoplugv4      436 143 96  413 *   147 75  399 66  140 385 485 139 999  1-to
Level3/1        15  16  15  *   18  17  15  15  16  14  *   *   *   999  4-to
Level3/2        17  15  *   *   *   *   18  15  *   17  15  *   15  999  6-to
AlternateDNS/1  *   834 *   *   831 24  25  101 *   *   *   *   23  999  7-to
AlternateDNS/2  33  *   *   *   23  *   *   24  *   34  43  *   23  999  7-to
Freenom/1       *   *   *   *   *   *   *   *   *   *   *   *   *   999 13-to
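As an added example (not the forum member's dnstest.sh, nor any ControlD or Merlin code), here is a small Python script that does what the posted log reflects: time raw UDP DNS A-queries against several resolvers, record a missing reply as a timeout, and build the summary column. From the posted values the summary figure is the arithmetic mean of the 13 trials (nameserver/1: 134/13 = 10.31) and any row with a timeout drops to 999 with an "N-to" count, so the script reproduces that rule; the 1.1.1.1 and 8.8.8.8 addresses come from the thread, while the query name and the 13-trial loop are constructed assumptions.

```python
import socket
import struct
import time

def build_query(name, txid=0x1234):
    """Minimal DNS A-record query: header (RD set, one question), QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)

def time_lookup(server, name, timeout=1.0):
    """Send one UDP query to port 53; return the round trip in ms, or None on timeout/error."""
    pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        try:
            sock.sendto(pkt, (server, 53))
            data, _ = sock.recvfrom(512)
        except OSError:          # socket.timeout is an OSError subclass
            return None
    elapsed_ms = (time.perf_counter() - start) * 1000
    # A reply whose transaction ID does not match ours is not an answer to this query.
    return elapsed_ms if data[:2] == pkt[:2] else None

def summarize(results):
    """results: {provider: [ms or None per trial]} -> rows sorted like the posted log.
    Rows without timeouts get the arithmetic mean of their trials; any timeout sends the
    row to the bottom with score 999 and an 'N-to' tag (N = number of timed-out trials)."""
    rows = []
    for provider, samples in results.items():
        timeouts = sum(1 for s in samples if s is None)
        if timeouts:
            score, tag = 999.0, f"{timeouts}-to"
        else:
            score, tag = round(sum(samples) / len(samples), 2), ""
        rows.append((provider, score, tag))
    return sorted(rows, key=lambda r: (r[1], r[0]))

if __name__ == "__main__":
    # Resolver addresses taken from the thread; the query name is a constructed placeholder.
    resolvers = {"Cloudflare": "1.1.1.1", "Google": "8.8.8.8"}
    trials = {p: [time_lookup(ip, "example.com", 1.0) for _ in range(13)]
              for p, ip in resolvers.items()}
    for provider, score, tag in summarize(trials):
        print(f"{provider:<15} {score:8.2f} ms {tag}")
```

Run it from a host with UDP/53 egress; a resolver that answers from a different transaction ID or never answers shows up as a timeout, which is exactly the failure pattern the thread describes for the AT&T and Level3 rows.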
 
Can you provide a traceroute to dns.controld.com, 1.1.1.1 and 8.8.8.8?

When it comes to global average latency, Control D is in the top 3: https://www.dnsperf.com/#!dns-resolvers (YMMV)
 
Trace routes
 

Thanks, appears to be 2x of Cloudflare and Google, which is of course a higher absolute number, but in reality would have zero human noticeable difference. Once we add a POP in Atlanta, it should decrease latency to approx the same range.
 
Will have to see, but that makes sense since it seems all trace routes for me go through Atlanta. I am amazed that Nashville has so little direct peering with other major carriers, even though I know there are a few large exchanges here.
 

something to consider - Cloudflare and Google will usually have CDN endpoints inside the operators network, so in Tier 1 and 2 markets, they're pretty well covered actually...

Fun tip - I've got a linux box that uses NTP for Google and Cloudflare public NTP. Why is this relevant? Because those are cloud deployments just like DNS, you have to do the lookups, and both DNS and NTP are UDP, so NTP stats can actually track performance because of that...

See below - we're tracking NTP over Cloudflare at the moment on this host, and you can see things vary due to network activity...



Tracking NTP is a great way of tracking network latency and jitter overall - whether it's Ping Time or DNS lookups - NTP has some great logging and visualization tools...

Ping perhaps isn't as good of a tool there... that being said, NTP will give a better view of latency as it hits things at a higher layer.

 
In my case Google performs worse than Control D. My ISP is the fastest but they don't meet my prime requirement, Encrypted DNS. I like Cloudflare but they have very limited filtering options. That left me with NextDNS or ControlD. So for now it's NextDNS, even though I paid for a year of ControlD service before I gave up using them.
 

Just note that DNS filtering will add latency to the lookups just because it does...
 
My problem with Control D was more than just the raw latency, which the human mind can't really perceive. It was actual pauses in lookups, pages taking 30 seconds to load or just giving up. Each time it happened I would go back to another DNS to test and it was fine. Go back to CD and after some time again lookups would just come to a crawl.

My fiber provider is changing soon so I will have a new opportunity to test out how it works.
 
FWIW, I’ll add my two cents based on my experience. My ISP’s DNS is the fastest but much like you, OP, I was looking for a resolver that did proper DNSSEC validation and also offered encryption.

After trying several public resolvers, I settled on Cloudflare (their 1.1.1.1 unfiltered service) with DoT. I find their performance better than all other public resolvers, and they’re almost as good as my ISP in terms of speed/latency. There’s only a slight performance hit stemming from DoT, which is expected.

Even though Cloudflare doesn’t use ECS (I doubt they ever will because they claim to be a “privacy first” resolver), I’m always routed to my local POP. I’ve never been bounced to non-local POPs with Cloudflare, which is something I can’t say about other resolvers, even those with ECS. For example, when I used Quad9 with ECS, I was still routed to servers in New York, Virginia, and a few others instead of my local Toronto POP. With Cloudflare, it’s always Toronto. Everything just works extremely well and very fast…websites, apps, my IPTV service from my ISP, etc.
 
I agree. Cloudflare would be my number one choice if they had ECS and filtering. NextDNS performs almost as well, I can do DoH using a CLI on my router and I get filtering options, and I put their profile on my iPhones and iPads so when they leave my house they stay on NextDNS.
 
I can relate with that.
Most of the people I know who use ControlD say the same thing.
 
