DNS stops working when downloading at high speeds

Apologies - I'm still learning.

So, I've disabled DoT and DNSSEC and I've successfully downloaded the game twice in a row at 450Mbps (150Mbps faster than before). This is looking promising! Now my next question is, is this a hardware limitation of the RT-AC68U not being powerful enough to handle DoT and DNSSEC at these speeds? Or is this more of an issue with the public DNS servers when using DoT?
Something you may want to try.
In Merlin Firmware DoT is managed by Stubby and DNSSEC is managed by dnsmasq. Stubby is also configured to use each of the DNS servers in the DNS-over-TLS Server list in turn. It is possible to let Stubby manage DNSSEC and set it to use the DNS servers one at a time. This is done with a stubby.postconf file in the /jffs/scripts folder with the following code:
Code:
#!/bin/sh
# stubby.postconf: Merlin runs this after generating stubby.yml and passes its path as $1
CONFIG=$1
. /usr/sbin/helper.sh   # provides pc_replace / pc_insert (same as "source" under busybox ash)
# Query the DoT servers one at a time instead of round-robin
pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" "$CONFIG"
# Have Stubby validate DNSSEC itself, so dnsmasq's DNSSEC option can be turned off
pc_insert "tls_authentication: GETDNS_AUTHENTICATION_REQUIRED" "dnssec_return_status: GETDNS_EXTENSION_TRUE" "$CONFIG"
Give the file 755 permissions (chmod 755 /jffs/scripts/stubby.postconf)
Disable DNSSEC (WAN/Enable DNSSEC Support - No)
Applying changes in WAN will make the changes to Stubby. To check that it is working in a terminal run: stubby -l

As a point of reference, DoT and DNSSEC in Merlin is set up the way it is so you can run DNSSEC without running DoT. I prefer to run DNSSEC with Stubby. Neither way is wrong and neither is more preferred than the other. Several of us were early DoT testers back in the good old days when we ran the Entware version add on. Early on I ran the Entware setup on an AC66U_B1 and a couple of AC68U's.
I am eternally grateful Merlin, and John, added Stubby to the compiled version of firmware.
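To see exactly what that postconf does to the generated config, here is an added example (it is not from the post above and it is not Merlin's helper.sh): it writes a constructed, shortened stubby.yml shaped like the firmware's generated file, applies the two edits with local stand-ins for pc_replace and pc_insert (assumed to behave like the real helpers: literal in-place replace, and insert a line after the matching line), and then checks for the two settings the post relies on. The function names demo_postconf and check_postconf are this example's own.

```shell
#!/bin/sh
# Added example: emulate what the stubby.postconf above does to stubby.yml.
# pc_replace / pc_insert below are local stand-ins for the helper.sh functions
# (assumption: same semantics - literal in-place replace, insert after match).

pc_replace() {   # pc_replace OLD NEW FILE : replace the literal string OLD with NEW
    awk -v old="$1" -v new="$2" '
        { i = index($0, old)
          if (i) $0 = substr($0, 1, i - 1) new substr($0, i + length(old))
          print }' "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

pc_insert() {    # pc_insert PATTERN LINE FILE : add LINE after every line containing PATTERN
    awk -v pat="$1" -v ins="$2" '
        { print }
        index($0, pat) { print ins }' "$3" > "$3.tmp" && mv "$3.tmp" "$3"
}

# Constructed stand-in for the generated config (shortened; the real file has more keys)
write_sample_config() {
    cat > "$1" <<'EOF'
resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED
round_robin_upstreams: 1
upstream_recursive_servers:
  - address_data: 9.9.9.9
    tls_auth_name: "dns.quad9.net"
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
EOF
}

# Apply the same two edits the postconf applies, to the file given as $1
apply_postconf() {
    pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" "$1"
    pc_insert "tls_authentication: GETDNS_AUTHENTICATION_REQUIRED" \
              "dnssec_return_status: GETDNS_EXTENSION_TRUE" "$1"
}

# Return 0 only if the config now has the two settings the post expects
check_postconf() {
    grep -q '^round_robin_upstreams: 0$' "$1" || return 1
    grep -q '^dnssec_return_status: GETDNS_EXTENSION_TRUE$' "$1" || return 1
    # and the edit must not have left the old value behind
    ! grep -q 'round_robin_upstreams: 1' "$1"
}

# Build the sample, apply the edits, and print the resulting file's path
demo_postconf() {
    f=$(mktemp)
    write_sample_config "$f"
    apply_postconf "$f"
    echo "$f"
}

cfg=$(demo_postconf)
if check_postconf "$cfg"; then
    echo "postconf applied correctly:"; cat "$cfg"
else
    echo "postconf did not produce the expected config" >&2
fi
```

On the router the same check is simply grep for those two lines in the live stubby.yml after applying the WAN page, or stubby -l as the post says; the stand-ins here exist only so the transformation can be read and run off the router.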
 
Would setting up Unbound and using that as a local resolver, rather than a forwarder, circumvent this issue? Also, is it still possible to keep using DoT with Unbound in resolver mode for external lookups of domain names that aren't yet cached?

I know on the Unbound page it says

unbound does not use any encrypted traffic as a 'recursive resolver'. It can’t make 'recursive queries' using encryption. You can reconfigure unbound to become a forwarder (like dnsmasq and Stubby) and use DoT, but what’s the value of unbound then as just another forwarder? when dnsmasq+Stubby already do that well enough.

Just for clarification: I'm not wanting to set up Unbound as another forwarder such as dnsmasq, I do want to use it as a resolver with caching, but I'm confused as to why Unbound can't make queries for domain names not already cached using encryption? Please could someone be kind enough to explain this to me?
 
I'm not sure how to, which is why I'm here asking for help.

I've tested with, and without, DoT. It doesn't happen without DoT regardless of download speed and it doesn't happen with DoT if I restrict download speed to 300Mbps (any faster than this and it will happen). It also happens with multiple public DoT resolvers (Cloudflare, Quad9).

Is this an issue with dnsmasq crashing? Is it an issue with the public resolvers? Why would DNS stability be tied to download speed?
 
OK, so the problem appears to be connected to DoT. So rather than just randomly trying other things, try diagnosing the DoT problem (or stop using DoT). There are some suggestions in post #21.
 
There are some suggestions in post #21.
I'm not in the habit of making changes I don't fully understand.

In Merlin Firmware DoT is managed by Stubby and DNSSEC is managed by dnsmasq. Stubby is also configured to use each of the DNS servers in the DNS-over-TLS Server list in turn. It is possible to let Stubby manage DNSSEC and set it to use the DNS servers one at a time.

Is "use each of the DNS servers in turn" and "using the DNS servers one at a time" not the same thing? I am assuming this is being recommended as a sort of load balancer, so that no one DNS server gets hammered? But the wording to me seems like "in turn" and "one at a time" are the same thing. Also, why is it not sufficient to use just one public resolver? Surely Cloudflare's and Quad9's infrastructure can handle little ol' me downloading a game on Steam.

Why would DNS stability be tied to download speed?

Thoughts? Surely DNS only needs to resolve the domain name of the server to an IP address to start the download, then DNS should not be needed right?
 
We begin to understand things better when we do. Not every one of us can be an Einstein.

Try some of the suggestions and see what changes for the positive. Then you can decide to research further if a possible solution is found.
 
I'm kind of wondering if it isn't a memory issue. If I understood correctly, trying to download above 300Mbps with Stubby running kills both the download and DNS lookup. So, I'm thinking that above 300Mbps and Stubby being a separate process, there's enough competition for limited memory to tie things up. In an SSH session try capturing 'cat /proc/meminfo' at different points to see if anything that was non-zero is at or approaching zero.
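An added example of the sampling that post suggests (it is not from the post, and the threshold and function names are this example's own): a small POSIX sh script for the router's SSH shell that reads /proc/meminfo, adds up MemFree, Buffers and Cached as a rough "reclaimable" figure (the assumption here is that the router's kernel is old enough to lack a MemAvailable line, so that sum stands in for it), and flags any sample where the figure drops below a threshold. It is exercised against a constructed meminfo snippet so it runs anywhere; on the router you would call sample_meminfo against the live /proc/meminfo while the download runs.

```shell
#!/bin/sh
# Added example: sample /proc/meminfo during a fast download and flag low memory.
# Not from the thread; the 8192 kB threshold and the function names are this example's own.

# meminfo_kb FILE KEY -> prints the kB value of KEY (e.g. MemFree) from a meminfo file,
# or 0 when the key is absent (older kernels have no MemAvailable line)
meminfo_kb() {
    awk -v key="$2:" '$1 == key { print $2; found = 1 } END { if (!found) print 0 }' "$1"
}

# reclaimable_kb FILE -> MemFree + Buffers + Cached, an estimate that works on kernels
# without MemAvailable (assumption: the router's kernel lacks it)
reclaimable_kb() {
    free=$(meminfo_kb "$1" MemFree)
    buf=$(meminfo_kb "$1" Buffers)
    cache=$(meminfo_kb "$1" Cached)
    echo $((free + buf + cache))
}

# mem_is_low FILE THRESHOLD_KB -> exit 0 when reclaimable memory is below the threshold
mem_is_low() {
    [ "$(reclaimable_kb "$1")" -lt "$2" ]
}

# sample_meminfo INTERVAL_S COUNT THRESHOLD_KB [LOGFILE]
# Emits one line per sample: "epoch MemFree Buffers Cached reclaimable [LOW]".
# Run it in one SSH session while the download runs, then look for a slide toward zero.
sample_meminfo() {
    n=0
    while [ "$n" -lt "$2" ]; do
        line="$(date +%s) $(meminfo_kb /proc/meminfo MemFree) $(meminfo_kb /proc/meminfo Buffers) $(meminfo_kb /proc/meminfo Cached) $(reclaimable_kb /proc/meminfo)"
        if mem_is_low /proc/meminfo "$3"; then line="$line LOW"; fi
        if [ -n "$4" ]; then echo "$line" >> "$4"; else echo "$line"; fi
        n=$((n + 1))
        sleep "$1"
    done
}

# Constructed meminfo snippet (not a real capture) in a 256 MB router's range,
# shaped like a box under memory pressure: little free, little cache left.
write_sample_meminfo() {
    cat > "$1" <<'EOF'
MemTotal:         255792 kB
MemFree:            3120 kB
Buffers:            1024 kB
Cached:             2688 kB
SwapCached:            0 kB
Active:           198012 kB
EOF
}

# demo_sample -> evaluates the constructed snippet against an 8192 kB threshold
demo_sample() {
    f=$(mktemp)
    write_sample_meminfo "$f"
    r=$(reclaimable_kb "$f")
    if mem_is_low "$f" 8192; then echo "reclaimable=${r}kB LOW"; else echo "reclaimable=${r}kB ok"; fi
    rm -f "$f"
}

demo_sample
# On the router: sample_meminfo 1 120 8192 /tmp/meminfo.log   (two minutes, one line per second)
```

A LOW line that coincides with the moment DNS stops answering supports the memory theory; samples that stay flat while the failure still occurs point away from it and back toward the DoT path itself.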
 