Stubby-Installer-Asuswrt-Merlin

[kvic]

lol.. maybe that only apply to my small island country Singapore. most common CDN/DNS servers/nodes are located here. And thanks to that, maybe that's why I don't notice any significant performance difference.

It's not a coincidence. It applies to my place too. I believe it applies to mega cities in general. CDN/DNS/etc are concentrated in a few data centres. So most likely they're just talking to each other in the same building.

For a situation like this, if you ISP/government isn't "evil", I would worry less about the last mile.

 

[rgnldo]

Which is why personally I believe that DoT/DoH won't be long-term solutions, unless ISPs start running such servers within their local network, so they can provide security, while still being able to resolve queries to point their customers at their own nearline caches within their network.

Solutions that need to pass through large commercial host servers are never secure. The ideal is the development of local security software. I've been organizing a solution with Unbound and Unbound-anchor. This way, I organize an authoritative DNS server + DNSSEC.

server:
    # whitespace is not necessary, but looks cleaner.

    # port to answer queries from
    port: 40

    # verbosity 1 is default
    verbosity: 1

    # Self jail Unbound with user "unbound" to /var/lib/unbound
    # The script /etc/init.d/unbound will setup the location
    username: "nobody"
    directory: "/opt/var/lib/unbound"
    chroot: "/opt/var/lib/unbound"
    root-hints: "/opt/var/lib/unbound/named.cache"
    
    # The pid file is created before privleges drop so no concern
    pidfile: "/opt/var/run/unbound.pid"

    # no threads and no memory slabs for threads
    num-threads: 2
    msg-cache-slabs: 2
    rrset-cache-slabs: 2
    infra-cache-slabs: 2
    key-cache-slabs: 2

    # don't be picky about interfaces but consider your firewall
    interface: 0.0.0.0
    interface: ::0
    access-control: 0.0.0.0/0 allow
    access-control: ::0/0 allow
    
    # this limits TCP service but uses less buffers
    outgoing-num-tcp: 1
    incoming-num-tcp: 1

    # use somewhat higher port numbers versus possible NAT issue
    outgoing-port-permit: "10240-65335"

    # uses less memory but less performance
    outgoing-range: 60
    num-queries-per-thread: 30

    # exclude large responses
    msg-buffer-size: 8192

    # tiny memory cache
    infra-cache-numhosts: 200
    msg-cache-size: 100k
    rrset-cache-size: 100k
    key-cache-size: 100k
    neg-cache-size: 10k
    val-clean-additional: yes   
    jostle-timeout: 200
    infra-host-ttl: 9000   

    # prefetch
    prefetch: yes
    prefetch-key: yes
    rrset-roundrobin: yes
    minimal-responses: yes
    use-caps-for-id: no

    # gentle on recursion
    target-fetch-policy: "2 1 0 0 0 0"
    harden-large-queries: yes
    harden-short-bufsize: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    harden-below-nxdomain: yes
    harden-referral-path: yes
    hide-identity: yes
    hide-version: yes

    # DNSSEC enable by removing comments on "module-config:" and "auto-trust-
    # -anchor-file:" The init script will copy root key to /var/lib/unbound.
    # See package documentation for crontab entry to copy RFC5011 results back.
    module-config: "validator iterator"
    auto-trust-anchor-file: "/opt/var/lib/unbound/root.key"

    # DNSSEC needs real time to validate signatures. If your device does not
    # have power off clock (reboot), then you may need this work around.
    #domain-insecure: "pool.ntp.org"

   local-zone: "localhost." static
   local-data: "localhost. 10800 IN NS localhost."
   local-data: "localhost. 10800 IN SOA localhost. nobody.invalid. 1 3600 1200 604800 10800"
   local-data: "localhost. 10800 IN A 127.0.0.1"
   local-zone: "127.in-addr.arpa." static
   local-data: "127.in-addr.arpa. 10800 IN NS localhost."
   local-data: "127.in-addr.arpa. 10800 IN SOA localhost. nobody.invalid. 2 3600 1200 604800 10800"
   local-data: "1.0.0.127.in-addr.arpa. 10800 IN PTR localhost."
 
   # Adblock blacklist
   include: /opt/etc/unbound/adservers
 
   # override for whitelisted domains to resolve normally
   local-zone: "zanox.com" transparent
   local-zone: "omguk.com" transparent
   local-zone: "pmstrk.mercadolivre.com.br" transparent
   local-zone: "googleadservices.com" transparent
 
remote-control:

   control-enable: yes
   control-interface: 0.0.0.0
   control-port: 953
   server-key-file: "/opt/var/lib/unbound/unbound_server.key"
   server-cert-file: "/opt/var/lib/unbound/unbound_server.pem"
   control-key-file: "/opt/var/lib/unbound/unbound_control.key"
   control-cert-file: "/opt/var/lib/unbound/unbound_control.pem"

 

[rgnldo]

To put it simply. If your upstream public DNS server (e.g. CF or Google) is further away from your PC in terms of network latency (read 5ms vs 50ms vs 150ms for example), IP addresses of CDN servers resolved by the upstream DNS server will not be optimal in terms of network latency.

This is the problem of DoT and DoH solutions, the dependence on external and commercial servers. The only ones for me with better latency are CludFlaire and Google.

 

[rgnldo]

DNSmasq is not that great and scripts (like Diversion) make the situation even worse.

I agree.

 

[genuine]

To make it clear to some people concerning EDNS (Geolocation=bad location routing) there is a "possible" way of impact.
But well , to come back to @Merlin Netflix, Youtube or streaming is a whole other story and off road.
why ? they also using bad routing blocking vpn and so on........ this for security and marketing.
To be total Off-road asus using vpn configuration for there routers that make it total useless.
Also implemented even what the cause, well all the fancy tools we also don't need it but some people like it.
To make my point it's all about decisions.
For people out there before choosing it there are tons of tools to test it even EDNS you can check.
For me it's a easy decision the data-center is 10 miles away from where I'm living so fast DNS responses.
Lot more secure and had no bad routing to be clear. no netfix nor youtube problems
Well I'm working a lot @t home... working with confidential documents where I'm signing for to keep it confidential.
Not always using my company VPN and so on... why because not always need it
The real threat is out there MITM or active eavesdropping is so EASY to perform and a serous problem if you now what it can do.
I you have DOT/DOH and perform a mitm can confirm that it wont work
In my country alone there are 10 million/1 year involved victims people,Business stealing there data and confidential material.
Cloudflare has make a decision for Privaty and security so no Edsn correct but your request will be sending to the closed location and cached from there.
More about EDNS cloudflare: is covering about 151 datecenters so impact will be small depending your location
Security comes always with decision need to be make and cut things indeed is it bad not always they do also a lot of stress tests to figure that out.
I'm glad there are people that are concern and more really need to
Glad to see people like @Xentrk and @john implemented DOT to make it possible Big thanks
Is it perfect DOH/DOT.....no but being aware of the treat and doing something about it that's what i like
Out there in the world there are still looking for solutions "studies"example ODNS
https://odns.cs.princeton.edu/

 

[DonnyJohnny]

I just tested recent dnscrypt-proxy v18 that states to support tls1.3
I did a simple dig test on one of my country local site domain with cloudflare.
On dot (stubby), the ping is 48-70 ms,
on doh (dnscrypt-proxy), the ping is 10-15ms.

I tried a few round without cache by restarting dnsmasq and the result is consistent. So not sure if dnscrypt-proxy v17 was the same. Anyone tested it? Is tls 1.3 working the magic?

 

[rgnldo]

I tried a few round without cache by restarting dnsmasq and the result is consistent. So not sure if dnscrypt-proxy v17 was the same. Anyone tested it? Is tls 1.3 working the magic?

For me, the performance remains the same. The advantage of DNSCrypt-proxy is its own cache service. You can add cache-size=0 in Dnsmasq which will be more interesting. I just abandoned Stubby and adopted Unbound + Unbound-anchor.

 

[skeal]

In my case, using stubby and Cloudflare when I ping dslreports or google or whatever, my ping time is 1ms different than without any dns modifications. Just 1.1.1.1 When I was using dnscrypt-proxy I couldn't get a better return time than 60ms with stubby its 26ms I have fibre and I'm told that an average ping is about 25ms. The only thing faster is using my ISP DNS which is just plain Jane at 3ms. Real world effects: NONE. I have not come across any reason to change settings. Gaming, Video and Web surfing, is as outstanding as it has always been. @DonnyJohnny points out and so does @kvic that if it isn't broke don't fix it. From an engineers view I would imagine you could see holes in a lot of stuff, I accept that and nothing as yet is perfect. If the smart guys on this forum can contribute content to the scripts at hand it would be appreciated. Your collective knowledge I dare say can solve any issue here. Keep up the great work guys.

 

[bbunge]

In my case, using stubby and Cloudflare when I ping dslreports or google or whatever, my ping time is 1ms different than without any dns modifications. Just 1.1.1.1 When I was using dnscrypt-proxy I couldn't get a better return time than 60ms with stubby its 26ms I have fibre and I'm told that an average ping is about 25ms. The only thing faster is using my ISP DNS which is just plain Jane at 3ms. Real world effects: NONE. I have not come across any reason to change settings. Gaming, Video and Web surfing, is as outstanding as it has always been. @DonnyJohnny points out and so does @kvic that if it isn't broke don't fix it. From an engineers view I would imagine you could see holes in a lot of stuff, I accept that and nothing as yet is perfect. If the smart guys on this forum can contribute content to the scripts at hand it would be appreciated. Your collective knowledge I dare say can solve any issue here. Keep up the great work guys.

I am not sure that ping is a good test for DoT/DoH. I get the same results if I ping a URL or its IP. Ping testing I thought I would be smart to ping bbc.co.uk thinking I would cross the Atlantic from USA. Turns out they have a server in San Francisco, which is on the left coast from me (10-12 ms ping with DoT/DNSSEC).
My best results with Stubby are with CF resolvers and roundrobin = 1. Am on 10 meg DSL IPV4 only.

 

[skeal]

My best results with Stubby are with CF resolvers and roundrobin = 1. Am on 10 meg DSL IPV4 only

What do you mean by roundrobin, sorry I have not heard that expression before? If its better what do I have to do to implement it, please explain . Thanks my friend!

 

[skeal]

My best results with Stubby are with CF resolvers and roundrobin = 1. Am on 10 meg DSL IPV4 only.

Got it, figured it out.

 

[rgnldo]

roundrobin

Option on Stubby.yml -> round_robin_upstreams: 1

 

[skeal]

Option on Stubby.yml -> round_robin_upstreams: 1

Wow!! Works real nice!!

 

[rgnldo]

This was my best setup at Stubby:

tls_ca_file: "/rom/cacert.pem"

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

tls_query_padding_blocksize: 256

edns_client_subnet_private : 1

idle_timeout: 60000

round_robin_upstreams: 1

appdata_dir: "/opt/var/cache/stubby"

listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453

upstream_recursive_servers:
# IPv4 addresses
# Cloudflare
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
# IPv6 addresses
# Cloudflare
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"

Wan DNS1: 127.0.0.1
Wan DNS2: 0.0.0.0

Dnsmasq:
strict-order

Tests:

 

[john9527]

Option on Stubby.yml -> round_robin_upstreams: 1

Just an FYI for everyone.....you should be using roundrobin right now as the 'ordered' option (roundrobin_upstreams: 0) has a bug where it may not correctly retry lookup fails.

 

[skeal]

Just an FYI for everyone.....you should be using roundrobin right now as the 'ordered' option (roundrobin_upstreams: 0) has a bug where it may not correctly retry lookup fails.

Thank you sir!!

 

[bbunge]

Just an FYI for everyone.....you should be using roundrobin right now as the 'ordered' option (roundrobin_upstreams: 0) has a bug where it may not correctly retry lookup fails.

That may explain why I was having issues with Quad9. CF seemed to be OK. Back to Ordered for now.

Sent from my SM-T380 using Tapatalk

 

[Marin]

Hi everyone,

Are there any plans to support RT-AC86U? Was curious if anyone has attempted to install this script in this router...

 

[kvic]

This was my best setup at Stubby:

tls_ca_file: "/rom/cacert.pem"

resolution_type: GETDNS_RESOLUTION_STUB
dns_transport_list:
  - GETDNS_TRANSPORT_TLS
tls_authentication: GETDNS_AUTHENTICATION_REQUIRED

tls_query_padding_blocksize: 256

edns_client_subnet_private : 1

idle_timeout: 60000

round_robin_upstreams: 1

appdata_dir: "/opt/var/cache/stubby"

listen_addresses:
  - 127.0.0.1@5453
  - 0::1@5453

upstream_recursive_servers:
# IPv4 addresses
# Cloudflare
  - address_data: 1.1.1.1
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 1.0.0.1
    tls_auth_name: "cloudflare-dns.com"
# IPv6 addresses
# Cloudflare
  - address_data: 2606:4700:4700::1111
    tls_auth_name: "cloudflare-dns.com"
  - address_data: 2606:4700:4700::1001
    tls_auth_name: "cloudflare-dns.com"

Wan DNS1: 127.0.0.1
Wan DNS2: 0.0.0.0

Dnsmasq:
strict-order

Tests:

What are the three graphs supposed to show? I only see three broken icons..

 

[kvic]

I ran into that interesting thread earlier today (pure coincidence):

https://mobile.twitter.com/PowerDNS_Bert/status/1064290946731384832

His measurements do confirm that DoH is horribly inefficient whenever either the client or the server has a broken implementation. Tons of overhead.

I would say non trivial overhead (DoT/DoH) on client and server even when properly implemented. The thread is a good read. Just got the chance to re-read in more details. Thanks for sharing.

Some commentators said that DoH advocates (in the industry) are attempts to shift power... and collect users data. I should admit I share such sentiment all along. I thought the public DNS providers are a collective coup to take users data away from their ISPs..sugar coated with security benefits of DoH/DoT. lol