DNS Caching Question

[LongRangeSkeet]

Does the stock firmware provide DNS caching or only Merlin?

I had to downgrade back to stock and noticed that my Pi-Hole is now faster in the DNS benchmarks than the router.

Thanks

 

[dave14305]

Search in your syslog for “cachesize” and it should tell you. 150 is dnsmasq default. 1500 is Merlin default. I have no recollection of what Stock uses.

 

[RMerlin]

Does the stock firmware provide DNS caching or only Merlin?

Both use dnsmasq for caching.

 

[LongRangeSkeet]

Both use dnsmasq for caching.

Thanks. It's strange though, while on Merlin the router would score a ton higher on DNS benchmark, always taking first place. Now, back on stock firmware, my pi-hole scores best, followed by the upstream 1.1.1.1, every single time.

Should AI Protection be enabled? Is it good for security or is it needed for QoS? Or should it be left OFF because it will break things? Do you have it turned ON?

Thanks again

 

[LongRangeSkeet]

Search in your syslog for “cachesize” and it should tell you. 150 is dnsmasq default. 1500 is Merlin default. I have no recollection of what Stock uses.

I did a Ctrl+F on the general log and couldn't find DNS caching mentioned anywhere. The only thing that came up were several lines about packet caching.

 

[dave14305]

I did a Ctrl+F on the general log and couldn't find DNS caching mentioned anywhere. The only thing that came up were several lines about packet caching.

Force a change on the WAN DNS page or LAN DHCP Server page to restart dnsmasq, then check again. Or login via ssh and run:

grep cache /etc/dnsmasq.conf

 

[LongRangeSkeet]

Force a change on the WAN DNS page or LAN DHCP Server page to restart dnsmasq, then check again. Or login via ssh and run:

grep cache /etc/dnsmasq.conf

Thank you brother! Making a change on the WAN DNS page is all it took.

 

[dave14305]

Thank you brother! Making a change on the WAN DNS page is all it took.

What was the result? 1500?

 

[RMerlin]

Thanks. It's strange though, while on Merlin the router would score a ton higher on DNS benchmark, always taking first place. Now, back on stock firmware, my pi-hole scores best, followed by the upstream 1.1.1.1, every single time.

My guess is either you used different DNS servers, or you had DoT and DNSSEC enabled, which will both slow down DNS queries.

Should AI Protection be enabled? Is it good for security or is it needed for QoS? Or should it be left OFF because it will break things? Do you have it turned ON?

Personally I think at the very least Malicious Website blocking should be enabled, to protect all your LAN clients (including mobile devices) against accessing malicious websites. Enabling the two-way IPS is probably a good idea as well. I do keep Infected Devices blocking disabled however, as there has been a few reports of false positive from that one.

As for Adaptive QoS, it's a matter of choice/needs. Personally I do use it, in part because I use VoIP both for work and for home (first through an IP phone, the second through an ATA on a separate SIP account). I also like being able to track traffic types within my LAN.

 

[Pak Kriss]

A question related to DNS caching:

DoT strict enabled
DNS Filer - Global filter mode: Router

Is there a DNS cache expiry value (in seconds) at Merlin which can be modified?

Sent from my OnePlus 7 Pro using Asus RT-AC86U & Merlin 384.17

 

[dave14305]

A question related to DNS caching:

DoT strict enabled
DNS Filer - Global filter mode: Router

Is there a DNS cache expiry value (in seconds) at Merlin which can be modified

You could create a /jffs/configs/dnsmasq.conf.add and use built-in dnsmasq parameters:

max-ttl=<time>
Set a maximum TTL value that will be handed out to clients. The specified maximum TTL will be given to clients instead of the true TTL value if it is lower. The true TTL value is however kept in the cache to avoid flooding the upstream DNS servers.
max-cache-ttl=<time>
Set a maximum TTL value for entries in the cache.
min-cache-ttl=<time>
Extend short TTL values to the time given when caching them. Note that artificially extending TTL values is in general a bad idea, do not do it unless you have a good reason, and understand what you are doing. Dnsmasq limits the value of this option to one hour, unless recompiled

What would the benefit be for you?

 

[RMerlin]

Is there a DNS cache expiry value (in seconds) at Merlin which can be modified?

Cache lifetime is based on the TTL value specified by the person managing the DNS zone you are querying. It's bad form to use a lower TTL than intended by the owner of the DNS zone, as you will be increasing the load on his DNS server beyond what was intended/planned by the manager of that DNS server. And using a longer TTL may lead to issues if the manager deliberately specified a short TTL for a specific reason. For instance when I know ahead of time that a customer will be migrating a service to a new IP, I generally reduce the TTL ahead of time to speed up propagation.

So unless you had a very valid reason and fully understood the implication, you shouldn't touch the TTL.

 

[LongRangeSkeet]

What was the result? 1500?

I'm not sure, but it looks to be working so far. The second result down is the pihole.