WAN DNS Setting: Using different DoT servers

[Dux]

Is there any benefit or detriment to using different DNS-over-TLS servers, eg: Quad9 & Cleanbrowsing?

My issue is similar to:
https://www.snbforums.com/threads/dns-filtering-brakes-reddit.78907/post-762580

I am currently using Quad9 DoT, Opportunistic profile. In Firefox some sites randomly won't load unless I restart the browser. Using Quad9 DoH in Firefox settings (instead of DoT in Asus-Merlin) doesn't have this issue. My question is whether using different DoT servers might provide redundancy to reduce or avoid this? Are there any performance or security downsides to using different DoT servers? Thank you.

My current settings:

 

[drinkingbird]

Is there any benefit or detriment to using different DNS-over-TLS servers, eg: Quad9 & Cleanbrowsing?

My issue is similar to:
https://www.snbforums.com/threads/dns-filtering-brakes-reddit.78907/post-762580

I am currently using Quad9 DoT, Opportunistic profile. In Firefox some sites randomly won't load unless I restart the browser. Using Quad9 DoH in Firefox settings (instead of DoT in Asus-Merlin) doesn't have this issue. My question is whether using different DoT servers might provide redundancy to reduce or avoid this? Are there any performance or security downsides to using different DoT servers? Thank you.

My current settings:

When I tested it it worked fine for me. I had it set to strict, maybe that has something to do with it. However I found the latency penalty was not worth it, DOT doesn't really give you any privacy or security, if your isp is collecting stats on you they can easily see what site you visit right after your encrypted DNS request defeating the purpose.

 

[RMerlin]

Don't mix servers that provide filtering services, otherwise you might get some very weird results if one server blocks a site but the other server does not.

 

[bbunge]

I have had some issues using Quad9 DoT. I had used Cloudflare Security as my ISP routed me to Quad9 resolvers 1,000 miles away and Cloudflare was only 90 miles as the crow flies. Now, with a change in ISP, I can get to the Quad9 resolvers in the same data center as Cloudflare but for some reason I regularly experience delays in resolving addresses using DoT. Now I am using Quad9 with DNSSEC and have no complaints from the girls. I do try DoT from time to time to see if it has improved. I do not use DoH as it still uses unencrypted DNS to set up the connection.

 

[drinkingbird]

I have had some issues using Quad9 DoT. I had used Cloudflare Security as my ISP routed me to Quad9 resolvers 1,000 miles away and Cloudflare was only 90 miles as the crow flies. Now, with a change in ISP, I can get to the Quad9 resolvers in the same data center as Cloudflare but for some reason I regularly experience delays in resolving addresses using DoT. Now I am using Quad9 with DNSSEC and have no complaints from the girls. I do try DoT from time to time to see if it has improved. I do not use DoH as it still uses unencrypted DNS to set up the connection.

Common issue with the anycast DNS providers. You can contact them and show them a traceroute and sometimes they can work with the ISP to fix it. But I found that both DOT and DNSSEC added delays even to a very nearby server, and both are fairly useless from a security perspective on a recursive DNS server. So I'm just using my ISP server primary, one of the L3 as backup, all in the clear.

 

[Paliv]

Common issue with the anycast DNS providers. You can contact them and show them a traceroute and sometimes they can work with the ISP to fix it. But I found that both DOT and DNSSEC added delays even to a very nearby server, and both are fairly useless from a security perspective on a recursive DNS server. So I'm just using my ISP server primary, one of the L3 as backup, all in the clear.

Yeah it depends on the ISP. My ISP (Comcast) routes Quad9 to Chicago or LA and I’m in New Mexico. I contacted Quad9 and unfortunately despite them having closer servers they don’t have a peering agreement with Comcast, so for now it’s just those servers. They work fine, though, just gets me to farther servers for streaming services. The bigger problem was DoT. I had regular hang ups out of the blue with Quad9 and DoT as well. Every 20th site would lag really badly on the DNS request.

Now I just use my ISP DNS. Works the best.

 

[Dux]

Don't mix servers that provide filtering services, otherwise you might get some very weird results if one server blocks a site but the other server does not.

OK, thank you for clearing that up.

I have had some issues using Quad9 DoT. I had used Cloudflare Security as my ISP routed me to Quad9 resolvers 1,000 miles away and Cloudflare was only 90 miles as the crow flies. Now, with a change in ISP, I can get to the Quad9 resolvers in the same data center as Cloudflare but for some reason I regularly experience delays in resolving addresses using DoT. Now I am using Quad9 with DNSSEC and have no complaints from the girls. I do try DoT from time to time to see if it has improved. I do not use DoH as it still uses unencrypted DNS to set up the connection.

Common issue with the anycast DNS providers. You can contact them and show them a traceroute and sometimes they can work with the ISP to fix it. But I found that both DOT and DNSSEC added delays even to a very nearby server, and both are fairly useless from a security perspective on a recursive DNS server. So I'm just using my ISP server primary, one of the L3 as backup, all in the clear.

Yeah it depends on the ISP. My ISP (Comcast) routes Quad9 to Chicago or LA and I’m in New Mexico. I contacted Quad9 and unfortunately despite them having closer servers they don’t have a peering agreement with Comcast, so for now it’s just those servers. They work fine, though, just gets me to farther servers for streaming services. The bigger problem was DoT. I had regular hang ups out of the blue with Quad9 and DoT as well. Every 20th site would lag really badly on the DNS request.

Now I just use my ISP DNS. Works the best.

OK, thank you all for your insights. It looks like I'll just forget about DoT via the router for now. DoH at the browser or device level doesn't cause these hangups or noticeable latency issues for my usage, but does it provide any benefit at all for home usage? Or is it really pointless?

 

[drinkingbird]

OK, thank you for clearing that up.




OK, thank you all for your insights. It looks like I'll just forget about DoT via the router for now. DoH at the browser or device level doesn't cause these hangups or noticeable latency issues for my usage, but does it provide any benefit at all for home usage? Or is it really pointless?

Pretty pointless. There are 999 other ways to track you. They implemented DOH in browsers because they don't like the competition from your ISP for ad revenue and data collection.

 

[Amplifier]

Is there any benefit or detriment to using different DNS-over-TLS servers, eg: Quad9 & Cleanbrowsing?

but does it provide any benefit at all for home usage?

By default, DNS queries are sent in plain text to your ISP and DOT is not enabled.
Should be fine for average users.

1. Why use an ISP or other DNS provider in the first place?
A popular misconception is to hide from your ISP. But you can't. Instead of your ISP resolve/translate a Domain Name and send you to the proper IP address, you just have another DNS provider translate the Domain Name and ISP still knows to which IP address it will send you to.
With a VPN, you just replace your trust with another source. ISP's and VPN providers likely to have different laws and regulations to follow.

2. If using a DNS as an additional layer (Swiss cheese model - Wikipedia) for mitigating against malicious host names (malware, phishing, spyware, and botnets, etc.).
If you get lag from Quad9 at your location, options are
a. Default settings (with UblockOrigin in browser and/or AiProtection by Trend Micro will still do some filtering for you)
b. Try a different DNS provider (point should be to balance your layered protections without impeding your workflow)

Understanding security features.
Tools supposed to match your threat model. Just like you match your clothes for the weather. Mismatch winter and summer, and you'll forget about comfort and start to do harm, suffering as a result.

Data collection for ad revenue.
Sure it is, until it shows its true colors.
When on one beautiful day, "the state" decides your thought's and actions are now deemed "unholy" thus no longer legal.
Mitigating the risk at home will greatly depend on where your home is and what your values are.
Home locations: US, China, Russia, Ukraine, Middle East, France, etc.
Values: Just a worry about phishing scams, public figure, activist, strong political/religious beliefs, honor my father and my mother (mediator between two grand's, grandparents and grandchildren), etc.

 

[drinkingbird]

By default, DNS queries are sent in plain text to your ISP and DOT is not enabled.
Should be fine for average users.

1. Why use an ISP or other DNS provider in the first place?
A popular misconception is to hide from your ISP. But you can't. Instead of your ISP resolve/translate a Domain Name and send you to the proper IP address, you just have another DNS provider translate the Domain Name and ISP still knows to which IP address it will send you to.
With a VPN, you just replace your trust with another source. ISP's and VPN providers likely to have different laws and regulations to follow.

2. If using a DNS as an additional layer (Swiss cheese model - Wikipedia) for mitigating against malicious host names (malware, phishing, spyware, and botnets, etc.).
If you get lag from Quad9 at your location, options are
a. Default settings (with UblockOrigin in browser and/or AiProtection by Trend Micro will still do some filtering for you)
b. Try a different DNS provider (point should be to balance your layered protections without impeding your workflow)

Understanding security features.
Tools supposed to match your threat model. Just like you match your clothes for the weather. Mismatch winter and summer, and you'll forget about comfort and start to do harm, suffering as a result.

Data collection for ad revenue.
Sure it is, until it shows its true colors.
When on one beautiful day, "the state" decides your thought's and actions are now deemed "unholy" thus no longer legal.
Mitigating the risk at home will greatly depend on where your home is and what your values are.
Home locations: US, China, Russia, Ukraine, Middle East, France, etc.
Values: Just a worry about phishing scams, public figure, activist, strong political/religious beliefs, honor my father and my mother (mediator between two grand's, grandparents and grandchildren), etc.

Agreed (even to a certain extent with the tin foil hat part ). A lot of people are just enabling DOT/DOH/DNSSEC etc not realizing it is really not doing anything for you when using a recursive DNS server (whether it be your ISP or one like Quad9 etc). All it is doing is slowing you down.

Using cleanbrowsing, quad9, adblock etc is a perfectly useful tool, in my case it added too much latency for little benefit, but by all means, use one of those if you have a reason to, but don't bother enabling DOT/DNSSEC with them.

My ISP knows what sites I'm visiting even if I don't use their DNS. And considering their DNS is the best performer in all the benchmarks I do, I use theirs as primary (though I do use the optional one that doesn't redirect you to a search page if you mistype a URL, both because I find that annoying, and because hardly anyone else uses it so it is very fast and responsive). Backup server is Level 3's tertiary server as it is fast and rarely under any load.

I also try to explain to people that VPN is protecting only one portion of your connection, and in reality exposing yourself to potential risk should that VPN provider be compromised (say by an employee looking to collect your data). Now you're funneling all of your internet traffic through that single point, a point which is not just an ISP router but a layer 4/5 device that can see every bit of data you send through. So yes, use a VPN when on public wifi or to hide yourself from the RIAA, or to get around geolocation, etc. But don't just assume that makes everything safe, still make sure you're using HTTPS for everything possible, not telnetting to something with clear text username/pass, etc etc.

Security is a multi layered approach, and sometimes adding one layer can do more harm than good - a false sense of security can actually be worse than no security.

 

[Amplifier]

One should also verify their settings work as intended.

e. g.
Firefox > Enable secure DNS using: Increased Protection
1.1.1.1 — Debug Information

Connected to 1.1.1.1        Yes
Using DNS over HTTPS (DoH)  Yes
Using DNS over TLS (DoT)    Yes

Then you see Max Protection, sounds pretty good, but maybe not what you intend.
Firefox > Enable secure DNS using: Max Protection

Connected to 1.1.1.1        Yes
Using DNS over HTTPS (DoH)  Yes
Using DNS over TLS (DoT)    No

Protocol Test - Confirm on which Protocol Quad9 received your query: DNS over HTTPS, DNS over TLS, DNSCrypt, or Plaintext – Quad9 Internet Security & Privacy

dnscheck.tools - test your dns resolvers

 

[Dux]

A lot of people are just enabling DOT/DOH/DNSSEC etc not realizing it is really not doing anything for you when using a recursive DNS server (whether it be your ISP or one like Quad9 etc). All it is doing is slowing you down.

Using cleanbrowsing, quad9, adblock etc is a perfectly useful tool, in my case it added too much latency for little benefit, but by all means, use one of those if you have a reason to, but don't bother enabling DOT/DNSSEC with them.

Drinkingbird: Your advice has been very helpful. It looks like just using the ISP or a fast public DNS at the router and avoiding non-essential router features like DoT, DNSSEC, IPv6 etc. will cause the least friction.

I do have a somewhat related question, I'm using DNS Director + Diversion to filter a few dozen domains (no big block lists) from some streaming devices, this allows use of the ISP DNS for streaming. Alternatively, I can get the same filtering by routing the streaming devices through OpenDNS custom, which would relieve the router from running the Diversion scripts. Do you have any thoughts approach might more reliable/performant long term?

Thank you.

 

[drinkingbird]

Drinkingbird: Your advice has been very helpful. It looks like just using the ISP or a fast public DNS at the router and avoiding non-essential router features like DoT, DNSSEC, IPv6 etc. will cause the least friction.

I do have a somewhat related question, I'm using DNS Director + Diversion to filter a few dozen domains (no big block lists) from some streaming devices, this allows use of the ISP DNS for streaming. Alternatively, I can get the same filtering by routing the streaming devices through OpenDNS custom, which would relieve the router from running the Diversion scripts. Do you have any thoughts approach might more reliable/performant long term?

Thank you.

Honestly I'm not a diversion expert, but if it is running fine without slowing anything down, that's probably still going to be faster.

You can try DNS benchmarking both setups (using namebench from google and/or GRC's DNS Benchmark to see which performs better overall). I suspect if your blacklist is not very big your router is probably still the better place to do it. OpenDNS does seem to have pretty fast/responsive servers but it depends where you are. In my case, I believe they were not too far behind my ISPs servers as far as performance on the several occasions i've run them through those tools.

Obviously depends on how powerful your router is, my old AC-1900 may have more impact from Diversion than a newer one. What model are you running? Either way, try it and see, only way to know for sure.

Or, if it ain't broke and is working fine for you, don't fix it

 

[Dux]

Honestly I'm not a diversion expert, but if it is running fine without slowing anything down, that's probably still going to be faster.

You can try DNS benchmarking both setups (using namebench from google and/or GRC's DNS Benchmark to see which performs better overall). I suspect if your blacklist is not very big your router is probably still the better place to do it. OpenDNS does seem to have pretty fast/responsive servers but it depends where you are. In my case, I believe they were not too far behind my ISPs servers as far as performance on the several occasions i've run them through those tools.

Obviously depends on how powerful your router is, my old AC-1900 may have more impact from Diversion than a newer one. What model are you running? Either way, try it and see, only way to know for sure.

Or, if it ain't broke and is working fine for you, don't fix it

RT-AX86S, 512 MB RAM. Both approaches are subjectively the same performance wise for now, but I've seen a number of arguments against using the router for anything but routing. If I was using a huge blocklist I'd just use NextDNS or Control D, but with streaming devices blocking more than you have to = breakage.

 

[drinkingbird]

RT-AX86S, 512 MB RAM. Both approaches are subjectively the same performance wise for now, but I've seen a number of arguments against using the router for anything but routing. If I was using a huge blocklist I'd just use NextDNS or Control D, but with streaming devices blocking more than you have to = breakage.

If no significant difference and your router is handling it fine, stick with that.

That router is perfectly capable and it is already doing a lot more than routing. Serving DNS requests with a relatively small black list is not putting much load on it at all. General rule with DNS, keep your recursive caching server (your router in this case) as close to the clients as possible.

I suppose if you're already subscribing to one of the filtering services you can remove diversion from your router and instead point your router WAN DNS to one of those services. I guess whichever you find to be easier (and best performance). If what you have now is working and not that cumbersome to administer, stick with it.

 

[Dux]

If no significant difference and your router is handling it fine, stick with that.

That router is perfectly capable and it is already doing a lot more than routing. Serving DNS requests with a relatively small black list is not putting much load on it at all. General rule with DNS, keep your recursive caching server (your router in this case) as close to the clients as possible.

I suppose if you're already subscribing to one of the filtering services you can remove diversion from your router and instead point your router WAN DNS to one of those services. I guess whichever you find to be easier (and best performance). If what you have now is working and not that cumbersome to administer, stick with it.

Thank you.

 

[bbunge]

The issue here is not hiding from your ISP but adding a level of security to DNS which was never designed to be secure. None of you above who say DoT and DNSSEC are not worth it would turn of https! Same issue. Verifying the connection with DNSSEC and preventing tampering with DoT.
Some of us have spent a good deal of time getting Stubby to work on Asus routers and Merlin and Asus did incorporate the functions into production firmware.
Yes, it is your choice to use DoT and DNSSEC. But, choose wisely...

 

[drinkingbird]

The issue here is not hiding from your ISP but adding a level of security to DNS which was never designed to be secure. None of you above who say DoT and DNSSEC are not worth it would turn of https! Same issue. Verifying the connection with DNSSEC and preventing tampering with DoT.
Some of us have spent a good deal of time getting Stubby to work on Asus routers and Merlin and Asus did incorporate the functions into production firmware.
Yes, it is your choice to use DoT and DNSSEC. But, choose wisely...

Doing DNSSEC to a recursive 3rd party DNS server is not adding any security.

 

[bbunge]

Doing DNSSEC to a recursive 3rd party DNS server is not adding any security.

Wrong again...

DoT, DoH and DNSSEC: Secure DNS communication

www.unibesecure.unibe.ch

 

[drinkingbird]

Wrong again...

DoT, DoH and DNSSEC: Secure DNS communication

www.unibesecure.unibe.ch

Nope, DNSSEC is done between the recursive name server and the Authoritative name server. Doing DNSSEC between two recursive servers (such as the Asus and your ISP or 3rd party), best you can expect is to re-authenticate what they have already authenticated for you (assuming they even pass that field/hash to you which they don't necessarily). If that recursive server becomes compromised (or there is a MITM attack) they can very easily spoof the DNSSEC as well or remove it completely. There is little to no benefit to doing it from your Asus router to an ISP or 3rd party DNS server. It is a false sense of security.

DOT and DOH pretty much just hides your lookups from your ISP but they can still see what you looked up based on the site you then visit right after the encrypted DNS request.