Is there a way to set DNS-server priority in Dnsmasq when using DoT?!

[iJorgen]

I have setup the two NextDNS servers under WAN with DNS-over-TLS.

If looking at "/etc/resolv.conf" it now points to localhost with the entry "nameserver 127.0.0.1". All good so far and it seems to be using Round Robin.

I then tried adding these two lines in "dnsmasq.postconf" and with the option "strict-order" (already in place) Dnsmasq should resolve with the last one prioritized.

nameserver=45.90.28.0
nameserver=45.90.30.0 (<--My fastest server I want to prioritize)

It does work, but adding these two servers disables DoT (writes over /etc/resolv.conf) and resolving with unencrypted DNS.

Is there a way to keep using DoT and specify DNS-server priority in some way?!

 

[ColinTaylor]

I don't get it. If you're prioritising the regular NextDNS servers over their DoT servers why bother with DoT at all. If everything is working as you want it to you'll never hit the DoT servers.

 

[Zastoff]

I have setup the two NextDNS servers under WAN with DNS-over-TLS.

View attachment 41442

If looking at "/etc/resolv.conf" it now points to localhost with the entry "nameserver 127.0.0.1". All good so far and it seems to be using Round Robin.

I then tried adding these two lines in "dnsmasq.postconf" and with the option "strict-order" (already in place) Dnsmasq should resolve with the last one prioritized.

nameserver=45.90.28.0
nameserver=45.90.30.0 (<--My fastest server I want to prioritize)

It does work, but adding these two servers disables DoT (writes over /etc/resolv.conf) and resolving with unencrypted DNS.

Is there a way to keep using DoT and specify DNS-server priority in some way?!

Think if you set round_robin=0 it will use the first configured server until it becomes unresponsive and then move to the next DoT server in the list.
Think you have a stubby.yaml with the settings for stubby(DoT)
Have not used DoT for a long time so i am not 100% sure on this..
And undo the changes made in dnsmasq to avoid using regular dns.

 

[iJorgen]

I don't get it. If you're prioritising the regular NextDNS servers over their DoT servers why bother with DoT at all. If everything is working as you want it to you'll never hit the DoT servers.

I want to use DoT, but can't find a way to tell Dnsmasq how to prioritize between them. That's why I tried to add the "server=" lines, but that didn't work.

Think if you set round_robin=0 it will use the first configured server until it becomes unresponsive and then move to the next DoT server in the list.
Think you have a stubby.yaml with the settings for stubby(DoT)
Have not used DoT for a long time so i am not 100% sure on this..
And undo the changes made in dnsmasq to avoid using regular dns.

Thanks for your tips!! Will try around a bit more... I see you are using DNSCrypt. Is that maybe a better option than the built in DoT?!

 

[dave14305]

I want to use DoT, but can't find a way to tell Dnsmasq how to prioritize between them. That's why I tried to add the "server=" lines, but that didn't work.


Thanks for your tips!! Will try around a bit more... I see you are using DNSCrypt. Is that maybe a better option than the built in DoT?!

dnsmasq doesn’t control the DoT server selection. Stubby does.

 

[Zastoff]

Thanks for your tips!! Will try around a bit more... I see you are using DNSCrypt. Is that maybe a better option than the built in DoT?!

DNSCrypt-proxy have a bit more options, It sort servers by fastest and have 4 options on how the servers configured will be used Link to wiki
And DNSCrypt support DoH and DNSCrypt protocol not DoT, But NextDNS have DoH servers that can be used i guess, But if you want to use them with a nextdns account you need to add them as static servers in dnscrypt, Made a guide on it link

 

[ColinTaylor]

dnsmasq doesn’t control the DoT server selection. Stubby does.

As Dave said.

You probably need to look at this Stubby parameter, but it won't work the way you said you wanted it to:

round_robin_upstreams 0 or 1

If 1, round robin queries across all the configured upstream servers. Without this option stubby will use each upstream server sequentially until it becomes unavailable and then move on to use the next.

EDIT: So the existing value of 1 would already seem to do what you want.

 

[iJorgen]

DNSCrypt-proxy have a bit more options, It sort servers by fastest and have 4 options on how the servers configured will be used Link to wiki
And DNSCrypt support DoH and DNSCrypt protocol not DoT, But NextDNS have DoH servers that can be used i guess, But if you want to use them with a nextdns account you need to add them as static servers in dnscrypt, Made a guide on it link

Nice one!! That's seems definitely like an option. Think I know what to do this weekend...

As Dave said.
You probably need to look at this Stubby parameter, but it won't do what you hope it will:

Didn't know Stubby also was involved, but now I read Stubby documentation. Don't seem to do exactly what I want, since it can switch over and only use the "slower" server. Maybe will try DNSCrypt instead...

 

[ColinTaylor]

Didn't know Stubby also was involved, but now I read Stubby documentation. Don't seem to do exactly what I want, since it can switch over and only use the "slower" server. Maybe will try DNSCrypt instead...

See the EDIT to my previous post.

The Stubby config already has that value set to 1 so in theory it should be querying all servers and using the fastest response.

I misinterpreted the description of this parameter. It doesn't simultaneously query all upstream servers. It does, as the name suggests, alternate between servers in a round robin manner.

I confused myself by remembering dnsmasq's all-servers option which does simultaneously query all upstream servers.

 

[iJorgen]

dnsmasq doesn’t control the DoT server selection. Stubby does.

Thanks Dave!! Didn't know Stubby was involved behind the scenes...

 

[iJorgen]

See the EDIT to my previous post.

The Stubby config already has that value set to 1 so in theory it should be querying all servers and using the fastest response.

I saw that too now, but it still seems to spread the queries between the servers and quite obvious when sniffing DNS-traffic.
One slow, one fast, one slow, one fast... Still good performance, but every millisecond counts

 

[bbunge]

stubby.postconfig

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" $CONFIG
pc_insert "tls_authentication: GETDNS_AUTHENTICATION_REQUIRED" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG

The pc_insert line above tells Stubby to use DNSSEC. If you use this, which I do, do not enable DNSSEC in the GUI as this enables DNSSEC in dnsmasq.

 

[iJorgen]

stubby.postconfig

#!/bin/sh
CONFIG=$1
source /usr/sbin/helper.sh
pc_replace "round_robin_upstreams: 1" "round_robin_upstreams: 0" $CONFIG
pc_insert "tls_authentication: GETDNS_AUTHENTICATION_REQUIRED" "dnssec_return_status: GETDNS_EXTENSION_TRUE" $CONFIG

The pc_insert line above tells Stubby to use DNSSEC. If you use this, which I do, do not enable DNSSEC in the GUI as this enables DNSSEC in dnsmasq.

Thanks for the "warning"! Quite complex with several components working together and some config shared/inherited...

 

[ColinTaylor]

I saw that too now, but it still seems to spread the queries between the servers and quite obvious when sniffing DNS-traffic.
One slow, one fast, one slow, one fast... Still good performance, but every millisecond counts
View attachment 41446

Are you sure you're sniffing the DoT (port 853) traffic and not regular DNS (port 53).

 

[iJorgen]

Are you sure you're sniffing the DoT (port 853) traffic and not regular DNS (port 53).

I sniff on a PC also making the DNS-queries, so it shows the response times to the client.

 

[dave14305]

I sniff on a PC also making the DNS-queries, so it shows the response times to the client.

How do you differentiate cached and uncached responses from the router?

 

[iJorgen]

How do you differentiate cached and uncached responses from the router?

My AnyCast servers are quite far apart. Anycast 1 is 400 miles from me and Anycast 2 is just 20 miles away. The servers probably performs identically, but the distance adds latency.

■ anexia-cph    4 ms  (anycast2, ultralow1)
  edis-cph      4 ms  (ultralow2)
  anexia-osl   11 ms
  zepto-osl    12 ms
  anexia-sto   12 ms
  zepto-sto    14 ms  (anycast1)

How do you differentiate cached and uncached responses from the router?

Good point... I clean all DNS-caches (PC/router) and/or keeping a low TTL to clients when testing.
I can also see in the sniffing software if a response is cached as it shows as 1 ms response time.