Unbound - Authoritative Recursive Caching DNS Server

[dave14305]

I agree! Fixed

# don't be picky about interfaces but consider your firewall
interface: 0.0.0.0

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/24 allow
access-control: 192.168.0.0/24 allow

Thanks for your collaboration


Enviado do meu iPhone usando Tapatalk

Should be a /16 to cover all 192.168.x.x cases.

 

[dave14305]

As a side-note, the installer script does not seem to account for whichever subnet you happen to use on your network under access-control (allow). It assumes 192.168.1.0/24, but in my case I use 192.168.2.0/24 - this would be nice to see auto detected as a future addition to the installer script. (No rush though! Loving this project.)

Oddly, it seems to work either way (with cache hit quite high) - but I manually added my subnet into "access-control:" in place of 192.168.1.0/24 (as this subnet is not used anywhere in my network).

Depending on your setup, if dnsmasq forwards to Unbound, it will only require localhost access. If LAN clients query Unbound directly, then the LAN subnet will matter.

 

[rgnldo]

Depending on your setup, if dnsmasq forwards to Unbound, it will only require localhost access. If LAN clients query Unbound directly, then the LAN subnet will matter.

I agree! Fixed

 # don't be picky about interfaces but consider your firewall
interface: 0.0.0.0

access-control: 0.0.0.0/0 refuse
access-control: 127.0.0.0/8 allow
access-control: 10.0.0.0/24 allow
access-control: 172.16.0.0/12 allow
access-control: 192.168.0.0/16 allow

Enviado do meu iPhone usando Tapatalk

 

[rgnldo]

Yes. Important note. This guides unbound listening to allowed networks. But you should customize if you have VLAN and want to limit access. This is a choice of each user. Be sure to disable DNS REBIND in the FW GUI. Is already configured to do this work.


Enviado do meu iPhone usando Tapatalk

 

[rgnldo]

@SolluxCaptor You launch the script unbound alias: unbound_installer, corrected and request update configuration. It's already corrected.


Enviado do meu iPhone usando Tapatalk

 

[SomeWhereOverTheRainBow]

If you’re going to override users’ firmware GUI settings, there should be a very good reason that is essential to the operation of unbound. These will “leak” local hostnames upstream for no good reason, which could be a privacy concern.

I’m happy to agree to disagree and move on. I appreciate what I’ve learned from your experience. Feliz Ano Novo!

yes this should be of concern especially if the proper private options are not enabled with unbound, and proper zones for handling look ups configured per user setup.

    # Ensure privacy of local IP ranges
    private-address: 127.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

recommend changing

    key-cache-size: 16m
    msg-cache-size: 8m
    rrset-cache-size: 16m

key cache to match rrset cache

prefetch possibilities

    # prefetch
    prefetch: yes
    prefetch-key: yes
    minimal-responses: yes

other settings

    hide-identity: yes
    hide-version: yes
    do-not-query-localhost: no
    qname-minimisation: yes
    rrset-roundrobin: yes
    harden-glue: yes
    harden-referral-path: no
    harden-below-nxdomain: yes
    harden-algo-downgrade: yes
    harden-dnssec-stripped: yes
    so-reuseport: yes
    so-rcvbuf: 1m
    use-caps-for-id: no

zone configuration would have to be done on user end , unless you add a way for the install script to intelligently pull the information needed to setup from nvram variables or something.

 

[rgnldo]

yes this should be of concern especially if the proper private options are not enabled with unbound, and proper zones for handling look ups configured per user setup.

    # Ensure privacy of local IP ranges
    private-address: 127.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10

recommend changing

    key-cache-size: 16m
    msg-cache-size: 8m
    rrset-cache-size: 16m

key cache to match rrset cache

prefetch possibilities

    # prefetch
    prefetch: yes
    prefetch-key: yes
    minimal-responses: yes

other settings

    hide-identity: yes
    hide-version: yes
    do-not-query-localhost: no
    qname-minimisation: yes
    rrset-roundrobin: yes
    harden-glue: yes
    harden-referral-path: no
    harden-below-nxdomain: yes
    harden-algo-downgrade: yes
    harden-dnssec-stripped: yes
    so-reuseport: yes
    so-rcvbuf: 1m
    use-caps-for-id: no[/QUOTE][/QUOTE]
[CODE]harden-referral-path: no
harden-below-nxdomain: yes
harden-algo-downgrade: yes
harden-dnssec-stripped: yes

I don't recommend it. This is for verification stifying only makes the appointment. This is for infrastructure with greater processing power.

 so-reuseport: yes
so-rcvbuf: 1m

It depends on kernel and libevent. I don't know how you were compiled with unbound in the entware. Better not use it.

use-caps-for-id: no

There's no need. Standard pattern is already like this.



Enviado do meu iPhone usando Tapatalk

 

[SomeWhereOverTheRainBow]

use-caps-for-id: no

is recommended for dnsmasq to properly proxy-dnssec lookups and to prevent improper NXdomain responses and promote proper resolving of
FQDNs

 

[SomeWhereOverTheRainBow]

so-rcvbuf: 1m

recommended for message not to be lost in traffic spikes (asuswrt has alot) can be adjusted higher

so-reuseport: yes

recommended so unbound doesn't have to waste resources to open new each time

 

[rgnldo]

use-caps-for-id: no

is recommended for dnsmasq to properly proxy-dnssec lookups and to prevent improper NXdomain responses and promote proper resolving of
FQDNs

Understand, by default this is no

There is no need for the proxy-dnssec option. Dnsmasq is not working DNS. Adding more options to dnsmasq will make unbound work harder.



Enviado do meu iPhone usando Tapatalk

 

[SomeWhereOverTheRainBow]

There is no need for the proxy-dnssec option. Dnsmasq is not working DNS. Adding more options to dnsmasq will make unbound work harder.

then how do you propose your dnssec validations are being properly passed off when dnsmasq hands off local dns addressing.

dhcp-option=lan,6,192.168.1.1

if a client is requesting for a validation, how is it occurring between communications with dnsmasq and unbound? this has to be considered as the end user has to be able to receive and request validations properly for lookup , if not, this can cause improper resolution.

Understand, by default this is no

There is no need for the proxy-dnssec option. Dnsmasq is not working DNS. Adding more options to dnsmasq will make unbound work harder.



Enviado do meu iPhone usando Tapatalk

maybe default is no when you are not using your own custom .conf to be the main server file.

 

[rgnldo]

then how do you propose your dnssec validations are being properly passed off when dnsmasq hands off local dns addressing.

dhcp-option=lan,6,192.168.1.1

if a client is requesting for a validation, how is it occurring between communications with dnsmasq and unbound? this has to be considered as the end user has to be able to receive and request validations properly for lookup , if not, this can cause improper resolution.






maybe default is no when you are not using your own custom .conf to be the main server file.

If you observe, I already answered that same question. I showed tests run. Everything working as expected. Dnsmasq is doing the DHCP delivery service correctly.


Enviado do meu iPhone usando Tapatalk

 

[dave14305]

Everything working as expected.

Maybe you should explain what is “expected”? You often claim it works 100% but how would we know what is expected?

 

[SomeWhereOverTheRainBow]

Maybe you should explain what is “expected”? You often claim it works 100% but how would we know what is expected?

Yea I am still not convinced that there will not be alot of random fake serverfails while loading web pages due to potential conflicts between dnsmasq and unbound.

 

[rgnldo]

Well, thanks for the comments. They are welcome. I hope this project will best contribute to FW Merlin. I am now adapting Unbound TCP/TLS and trying to compile unbound 1.9.5.


Enviado do meu iPhone usando Tapatalk

 

[SomeWhereOverTheRainBow]

Well, thanks for the comments. They are welcome. I hope this project will best contribute to FW Merlin. I am now adapting Unbound TCP/TLS and trying to compile unbound 1.9.5.


Enviado do meu iPhone usando Tapatalk

You have made great progress so far.

i just wanted to point out on one of your test earlier

; <<>> DiG 9.10.6 <<>> pir.org +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29497
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org. IN A

;; ANSWER SECTION:
pir.org. 889 IN A 97.107.141.235
pir.org. 889 IN RRSIG A 5 2 300 (
20200112084004 20191229084004 12435 pir.org.
u9FBlkXxnIr9mxvDToIgr3Z4gOIbd5AXsjRWGh2pSiGf
AW91tUQWrc49CdTMDtDwCgqay2EbuXu+BRhht6e444Pm
v27acP+q94tAkFGcq/PJiqtE7E6GNh1Y1oX5bA4xezUK
DQy3duQfmIfrMBeGo5lcQUgVsrFXsK0rl21RLSM= )

;; Query time: 1 msec
;; SERVER: 2804:4474:200:8400::1#53(2804:4474:200:8400::1)
;; WHEN: Sun Dec 29 18:20:12 -03 2019
;; MSG SIZE rcvd: 219
% dig www.cloudflare-dnssec-auth.com A +dnssec

; <<>> DiG 9.10.6 <<>> www.cloudflare-dnssec-auth.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22034
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cloudflare-dnssec-auth.com. IN A

;; ANSWER SECTION:
www.cloudflare-dnssec-auth.com. 893 IN A 104.20.176.24
www.cloudflare-dnssec-auth.com. 893 IN A 104.20.177.24
www.cloudflare-dnssec-auth.com. 893 IN RRSIG A 13 3 300 20191230222106 20191228202106 34505 cloudflare-dnssec-auth.com. nHfBH/uuG4yPjY9z5PwLNmvs0ghyUD2nI/SUjxBZKFyYm7fJptc7IGUl K00jF6MZtJ64TfTc8J1zfsIk69v/YA==

;; Query time: 1 msec
;; SERVER: 2804:4474:200:8400::1#53(2804:4474:200:8400::1)
;; WHEN: Sun Dec 29 18:21:15 -03 2019
;; MSG SIZE rcvd: 213

here is what my version looks like

dig pir.org +dnssec +multi

; <<>> DiG 9.14.3 <<>> pir.org +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33021
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
; PAD (33 bytes)
;; QUESTION SECTION:
;pir.org.               IN A

;; ANSWER SECTION:
pir.org.                300 IN A 97.107.141.235
pir.org.                300 IN RRSIG A 5 2 300 (
                                20200115084004 20200101084004 12435 pir.org.
                                CCAPNQYRx/TA8Wth/J2MV2WhYTt6ILCOHgYx/Vi8puHi
                                tVAdnGBDu4JbxQbhZPXkhF99n+eKa+CIFrKY6hLUw2cc
                                IRA1MZgANVjCM/5yYyb+Tyz6amGH4Yls13tZxax4Y1gh
                                SdIamuumZ0COA12/1UiJR26n8LnBiWa4fXLZ6ME= )

;; Query time: 252 msec
;; SERVER: 192.168.1.14#53(192.168.1.14)
;; WHEN: Wed Jan 01 16:00:10 Eastern Standard Time 2020
;; MSG SIZE  rcvd: 256


dig www.cloudflare-dnssec-auth.com A +dnssec

; <<>> DiG 9.14.3 <<>> www.cloudflare-dnssec-auth.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
; PAD (39 bytes)
;; QUESTION SECTION:
;www.cloudflare-dnssec-auth.com.        IN      A

;; ANSWER SECTION:
www.cloudflare-dnssec-auth.com. 300 IN  A       104.20.176.24
www.cloudflare-dnssec-auth.com. 300 IN  A       104.20.177.24
www.cloudflare-dnssec-auth.com. 300 IN  RRSIG   A 13 3 300 20200102220617 201912
31200617 34505 cloudflare-dnssec-auth.com. TVJoluQKwQoHQVAvSU2XustfAhH01MUYmjBKX
zC/XsUZU16HKfZzqUyj PpQm8OWM0ZnXJOkZDjdcvld6LigNhw==

;; Query time: 74 msec
;; SERVER: 192.168.1.14#53(192.168.1.14)
;; WHEN: Wed Jan 01 16:06:22 Eastern Standard Time 2020
;; MSG SIZE  rcvd: 256

 

[rgnldo]

You have made great progress so far.

i just wanted to point out on one of your test earlier




here is what my version looks like

dig pir.org +dnssec +multi

; <<>> DiG 9.14.3 <<>> pir.org +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33021
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
; PAD (33 bytes)
;; QUESTION SECTION:
;pir.org.               IN A

;; ANSWER SECTION:
pir.org.                300 IN A 97.107.141.235
pir.org.                300 IN RRSIG A 5 2 300 (
                                20200115084004 20200101084004 12435 pir.org.
                                CCAPNQYRx/TA8Wth/J2MV2WhYTt6ILCOHgYx/Vi8puHi
                                tVAdnGBDu4JbxQbhZPXkhF99n+eKa+CIFrKY6hLUw2cc
                                IRA1MZgANVjCM/5yYyb+Tyz6amGH4Yls13tZxax4Y1gh
                                SdIamuumZ0COA12/1UiJR26n8LnBiWa4fXLZ6ME= )

;; Query time: 252 msec
;; SERVER: 192.168.1.14#53(192.168.1.14)
;; WHEN: Wed Jan 01 16:00:10 Eastern Standard Time 2020
;; MSG SIZE  rcvd: 256


dig www.cloudflare-dnssec-auth.com A +dnssec

; <<>> DiG 9.14.3 <<>> www.cloudflare-dnssec-auth.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
; PAD (39 bytes)
;; QUESTION SECTION:
;www.cloudflare-dnssec-auth.com.        IN      A

;; ANSWER SECTION:
www.cloudflare-dnssec-auth.com. 300 IN  A       104.20.176.24
www.cloudflare-dnssec-auth.com. 300 IN  A       104.20.177.24
www.cloudflare-dnssec-auth.com. 300 IN  RRSIG   A 13 3 300 20200102220617 201912
31200617 34505 cloudflare-dnssec-auth.com. TVJoluQKwQoHQVAvSU2XustfAhH01MUYmjBKX
zC/XsUZU16HKfZzqUyj PpQm8OWM0ZnXJOkZDjdcvld6LigNhw==

;; Query time: 74 msec
;; SERVER: 192.168.1.14#53(192.168.1.14)
;; WHEN: Wed Jan 01 16:06:22 Eastern Standard Time 2020
;; MSG SIZE  rcvd: 256

This must be done on a lan client. You should consider the result of the second attempt. I am remotely accessing my router, it is working very well and with excellent performance.


Enviado do meu iPhone usando Tapatalk

 

[SolluxCaptor]

You have made great progress so far.

i just wanted to point out on one of your test earlier




here is what my version looks like

dig pir.org +dnssec +multi

; <<>> DiG 9.14.3 <<>> pir.org +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33021
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
; PAD (33 bytes)
;; QUESTION SECTION:
;pir.org.               IN A

;; ANSWER SECTION:
pir.org.                300 IN A 97.107.141.235
pir.org.                300 IN RRSIG A 5 2 300 (
                                20200115084004 20200101084004 12435 pir.org.
                                CCAPNQYRx/TA8Wth/J2MV2WhYTt6ILCOHgYx/Vi8puHi
                                tVAdnGBDu4JbxQbhZPXkhF99n+eKa+CIFrKY6hLUw2cc
                                IRA1MZgANVjCM/5yYyb+Tyz6amGH4Yls13tZxax4Y1gh
                                SdIamuumZ0COA12/1UiJR26n8LnBiWa4fXLZ6ME= )

;; Query time: 252 msec
;; SERVER: 192.168.1.14#53(192.168.1.14)
;; WHEN: Wed Jan 01 16:00:10 Eastern Standard Time 2020
;; MSG SIZE  rcvd: 256


dig www.cloudflare-dnssec-auth.com A +dnssec

; <<>> DiG 9.14.3 <<>> www.cloudflare-dnssec-auth.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1452
; PAD (39 bytes)
;; QUESTION SECTION:
;www.cloudflare-dnssec-auth.com.        IN      A

;; ANSWER SECTION:
www.cloudflare-dnssec-auth.com. 300 IN  A       104.20.176.24
www.cloudflare-dnssec-auth.com. 300 IN  A       104.20.177.24
www.cloudflare-dnssec-auth.com. 300 IN  RRSIG   A 13 3 300 20200102220617 201912
31200617 34505 cloudflare-dnssec-auth.com. TVJoluQKwQoHQVAvSU2XustfAhH01MUYmjBKX
zC/XsUZU16HKfZzqUyj PpQm8OWM0ZnXJOkZDjdcvld6LigNhw==

;; Query time: 74 msec
;; SERVER: 192.168.1.14#53(192.168.1.14)
;; WHEN: Wed Jan 01 16:06:22 Eastern Standard Time 2020
;; MSG SIZE  rcvd: 256

Hey there, for what it's worth here is my result with the default config from this project:

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> pir.org +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1644
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org. IN A

;; ANSWER SECTION:
pir.org. 900 IN A 97.107.141.235
pir.org. 900 IN RRSIG A 5 2 300 (
20200116084003 20200102084003 12435 pir.org.
zthZdC8mu0MX/vBfFOjzWyMBq62ozEv4REe1xK2vLBEV
frQEvGP7Cv4uaHrxG2qAqwfjj755iy4Bbmi2VUp9bE99
+fCmY3H6Ar8BZn9N2Q20MXyVgy/gBi483CZ98qDuJD3n
97ElMG8G65vC8ATtjbxtVuL086MT0GyJ46ye0mk= )

;; Query time: 286 msec
;; SERVER: 2600:6c5e:d7f:7237::1#53(2600:6c5e:d7f:7237::1)
;; WHEN: Thu Jan 02 09:38:13 EST 2020
;; MSG SIZE rcvd: 219

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> www.cloudflare-dnssec-auth.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55127
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cloudflare-dnssec-auth.com. IN A

;; ANSWER SECTION:
www.cloudflare-dnssec-auth.com. 900 IN A 104.20.176.24
www.cloudflare-dnssec-auth.com. 900 IN A 104.20.177.24
www.cloudflare-dnssec-auth.com. 900 IN RRSIG A 13 3 300 20200103153942 20200101133942 34505 cloudflare-dnssec-auth.com. 2bVsrX/A+WjyZzC0WwWu24u/Y5Iin2JjHXd6Ct9fEbY0wOvh65bGbMhi h8CoatT2taEbILdyX582e9IAMYGFaQ=
=

;; Query time: 77 msec
;; SERVER: 2600:6c5e:d7f:7237::1#53(2600:6c5e:d7f:7237::1)
;; WHEN: Thu Jan 02 09:39:42 EST 2020
;; MSG SIZE rcvd: 213

If you run either of these commands again, you will hit the Unbound cache (as intended) getting ~1ms response:

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> www.cloudflare-dnssec-auth.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55127
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cloudflare-dnssec-auth.com. IN A

;; ANSWER SECTION:
www.cloudflare-dnssec-auth.com. 900 IN A 104.20.176.24
www.cloudflare-dnssec-auth.com. 900 IN A 104.20.177.24
www.cloudflare-dnssec-auth.com. 900 IN RRSIG A 13 3 300 20200103153942 20200101133942 34505 cloudflare-dnssec-auth.com. 2bVsrX/A+WjyZzC0WwWu24u/Y5Iin2JjHXd6Ct9fEbY0wOvh65bGbMhi h8CoatT2taEbILdyX582e9IAMYGFaQ=
=

;; Query time: 1 msec
;; SERVER: 2600:6c5e:d7f:7237::1#53(2600:6c5e:d7f:7237::1)
;; WHEN: Thu Jan 02 09:45:59 EST 2020
;; MSG SIZE rcvd: 213

Also, run DNS Leak test, you will see yourself as the resolver if all is well. As Unbound is your fully recursive DNS server + cache. You can also run DNSSEC tests, especially try: https://rootcanary.org/test.html for verification of DNSSEC signatures. GHOST is depreciated, so expect it to be missing. As well as DSA and MD5, as those were shown to be less secure as well. If I am missing something that is out of place in the above, please let me know. This all looks good to me.

 

[Martineau]

If you run either of these commands again, you will hit the Unbound cache (as intended) getting ~1ms response:

I don't use IPv6 so I get 0ms response....should I be concerned?

Spoiler: dig response times

dig www.cloudflare-dnssec-auth.com A +dnssec

; <<>> DiG 9.14.4 <<>> www.cloudflare-dnssec-auth.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1761
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cloudflare-dnssec-auth.com. IN A
;; ANSWER SECTION:
www.cloudflare-dnssec-auth.com. 900 IN A 104.20.177.24
www.cloudflare-dnssec-auth.com. 900 IN A 104.20.176.24
www.cloudflare-dnssec-auth.com. 900 IN RRSIG A 13 3 300 20200103120717 20200101100717 34505 cloudflare-dnssec-auth.com. ql3b+fGmgXDXLvdAR1FcBAyK87yXxskJTvNZFtI/G49WZ58Kwzzxa/pj iHebSA5qCWYHQkD06LtCtM141SGv1A==

;; Query time: 217 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 02 11:07:17 GMT 2020
;; MSG SIZE  rcvd: 213


dig www.cloudflare-dnssec-auth.com A +dnssec

; <<>> DiG 9.14.4 <<>> www.cloudflare-dnssec-auth.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31332
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cloudflare-dnssec-auth.com. IN A
;; ANSWER SECTION:
www.cloudflare-dnssec-auth.com. 846 IN A 104.20.177.24
www.cloudflare-dnssec-auth.com. 846 IN A 104.20.176.24
www.cloudflare-dnssec-auth.com. 846 IN RRSIG A 13 3 300 20200103120717 20200101100717 34505 cloudflare-dnssec-auth.com. ql3b+fGmgXDXLvdAR1FcBAyK87yXxskJTvNZFtI/G49WZ58Kwzzxa/pj iHebSA5qCWYHQkD06LtCtM141SGv1A==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 02 11:08:11 GMT 2020
;; MSG SIZE  rcvd: 213

 pir.org +dnssec +multi

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49672
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org.  IN A
;; ANSWER SECTION:
pir.org.  900 IN A 97.107.141.235
pir.org.  900 IN RRSIG A 5 2 300 (
    20200116084003 20200102084003 12435 pir.org.
    zthZdC8mu0MX/vBfFOjzWyMBq62ozEv4REe1xK2vLBEV
    frQEvGP7Cv4uaHrxG2qAqwfjj755iy4Bbmi2VUp9bE99
    +fCmY3H6Ar8BZn9N2Q20MXyVgy/gBi483CZ98qDuJD3n
    97ElMG8G65vC8ATtjbxtVuL086MT0GyJ46ye0mk= )

;; Query time: 590 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 02 11:11:19 GMT 2020
;; MSG SIZE  rcvd: 219

dig pir.org +dnssec +multi

; <<>> DiG 9.14.4 <<>> pir.org +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38340
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org.  IN A
;; ANSWER SECTION:
pir.org.  893 IN A 97.107.141.235
pir.org.  893 IN RRSIG A 5 2 300 (
    20200116084003 20200102084003 12435 pir.org.
    zthZdC8mu0MX/vBfFOjzWyMBq62ozEv4REe1xK2vLBEV
    frQEvGP7Cv4uaHrxG2qAqwfjj755iy4Bbmi2VUp9bE99
    +fCmY3H6Ar8BZn9N2Q20MXyVgy/gBi483CZ98qDuJD3n
    97ElMG8G65vC8ATtjbxtVuL086MT0GyJ46ye0mk= )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 02 11:11:26 GMT 2020
;; MSG SIZE  rcvd: 219

 

[SolluxCaptor]

I don't use IPv6 so I get 0ms response....should I be concerned?

Spoiler: dig response times

dig www.cloudflare-dnssec-auth.com A +dnssec

; <<>> DiG 9.14.4 <<>> www.cloudflare-dnssec-auth.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1761
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cloudflare-dnssec-auth.com. IN A
;; ANSWER SECTION:
www.cloudflare-dnssec-auth.com. 900 IN A 104.20.177.24
www.cloudflare-dnssec-auth.com. 900 IN A 104.20.176.24
www.cloudflare-dnssec-auth.com. 900 IN RRSIG A 13 3 300 20200103120717 20200101100717 34505 cloudflare-dnssec-auth.com. ql3b+fGmgXDXLvdAR1FcBAyK87yXxskJTvNZFtI/G49WZ58Kwzzxa/pj iHebSA5qCWYHQkD06LtCtM141SGv1A==

;; Query time: 217 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 02 11:07:17 GMT 2020
;; MSG SIZE  rcvd: 213


dig www.cloudflare-dnssec-auth.com A +dnssec

; <<>> DiG 9.14.4 <<>> www.cloudflare-dnssec-auth.com A +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31332
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.cloudflare-dnssec-auth.com. IN A
;; ANSWER SECTION:
www.cloudflare-dnssec-auth.com. 846 IN A 104.20.177.24
www.cloudflare-dnssec-auth.com. 846 IN A 104.20.176.24
www.cloudflare-dnssec-auth.com. 846 IN RRSIG A 13 3 300 20200103120717 20200101100717 34505 cloudflare-dnssec-auth.com. ql3b+fGmgXDXLvdAR1FcBAyK87yXxskJTvNZFtI/G49WZ58Kwzzxa/pj iHebSA5qCWYHQkD06LtCtM141SGv1A==

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 02 11:08:11 GMT 2020
;; MSG SIZE  rcvd: 213

 pir.org +dnssec +multi

;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49672
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org.  IN A
;; ANSWER SECTION:
pir.org.  900 IN A 97.107.141.235
pir.org.  900 IN RRSIG A 5 2 300 (
    20200116084003 20200102084003 12435 pir.org.
    zthZdC8mu0MX/vBfFOjzWyMBq62ozEv4REe1xK2vLBEV
    frQEvGP7Cv4uaHrxG2qAqwfjj755iy4Bbmi2VUp9bE99
    +fCmY3H6Ar8BZn9N2Q20MXyVgy/gBi483CZ98qDuJD3n
    97ElMG8G65vC8ATtjbxtVuL086MT0GyJ46ye0mk= )

;; Query time: 590 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 02 11:11:19 GMT 2020
;; MSG SIZE  rcvd: 219

dig pir.org +dnssec +multi

; <<>> DiG 9.14.4 <<>> pir.org +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38340
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pir.org.  IN A
;; ANSWER SECTION:
pir.org.  893 IN A 97.107.141.235
pir.org.  893 IN RRSIG A 5 2 300 (
    20200116084003 20200102084003 12435 pir.org.
    zthZdC8mu0MX/vBfFOjzWyMBq62ozEv4REe1xK2vLBEV
    frQEvGP7Cv4uaHrxG2qAqwfjj755iy4Bbmi2VUp9bE99
    +fCmY3H6Ar8BZn9N2Q20MXyVgy/gBi483CZ98qDuJD3n
    97ElMG8G65vC8ATtjbxtVuL086MT0GyJ46ye0mk= )

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jan 02 11:11:26 GMT 2020
;; MSG SIZE  rcvd: 219

Ah! But you used the resolver itself, cheater (side note tho, IPv6 is usually faster via WAN due to routing design, assuming providers do it right!) lol