
amtm Which DNS solution do you prefer, and Why?



  • Total voters
    56
  • Poll closed.

SomeWhereOverTheRainBow

Putting thoughts about DNSMASQ away for a while. AMTM links users to three alternative DNS solutions (Unbound, Dnscrypt-Proxy, and AdGuardHome), and @RMerlin firmware has Stubby built-in. (I am not listing nextdns simply because it is not a part of the free pathways provided by the firmware and by extension AMTM.) This poll is here to be unbiased so other users can look at it later to make informed decisions on which DNS solution to use. Currently, I hear too many users wanting to try each solution simultaneously to make a decision, i.e. all installed at the same time. To install all DNS solutions at the same time is ludicrous. In most cases it is unfeasible due to limited router memory space. After you vote, please feel free to use this thread to share your opinions on why you like one or the other. However, don't use this thread to go after each other's reasons.
 
I chose Stubby; however, that doesn't mean that I am against the other DNS solutions. Each of them has its "selling" points and I will not stop supporting the use of any of them. The reason why I voted for Stubby is because I feel like it is the underdog, when it also has many great "selling" points. For example, it integrates well with the router code environment (including custom script support). It is not overbloated with too many features, and it doesn't have a mile-long user manual; essentially, it is very user friendly. (At least it was for me when I started playing around with DNS solutions.) You may ask, why would someone who maintains dnscrypt-proxy and adguardhome installer scripts vote for Stubby? The point of this poll/thread is to encourage the sharing of information to allow the next users to make better informed decisions on what DNS solution is right for them. The poll voting is just for fun! :D
 
Also Stubby.

Reasons:
  • It works
  • I use the router as an additional 'hop' for my Pihole and from the router out it's using DoT (i.e. client -> Pihole -> Router - then DoT -> Upstream DNS)
  • I also use AdguardHome on a separate network (and different router) but it's not as easy and at times seems to cut out, though much less now than on early builds
  • It just works

This doesn't mean I don't like AdguardHome, I'm going to continue to use it.

EDIT: Looks like I misunderstood, I thought once Merlin was installed stubby was the default. Changed my vote to 'None' :)
 
None of the above. (I don't need a "solution" to DNS because the router's DNS server works fine for me.)

If I had to choose one it would be Stubby as it is built-in and works well enough (although again, it's pointless for my needs). My priority is for the router to be reliable (so I don't get complaints from the family) and not susceptible to the multiple points of failure that USB drives and additional software packages would introduce.

That said, I would imagine that the other solutions might be more performant when used as an ad-blocker.
 
I went ahead and added a "none" option to the poll in case you would like to change your vote :). Nothing wrong with keeping a stable setup with the basic DNS approach. My best setup so far has been PiHole + my own custom-built Unbound. But these were not used directly on the router.

The pros for unbound for some might also be considered its cons. It has a lot of features; for some novice users it requires a phone-book-size manual to manage or comprehend. It is definitely not an option for someone who does not know what they are doing, or for someone who cannot adapt to learning it. It would be better to let new users run this with predetermined defaults, but even then looking at the default unbound config is filled with lists of confusing options. Another flaw: not every feature is available to users unless they compile their own version of unbound with the options enabled at compile time. Some of the options require knowledge of where certain binaries are if they are not already configured properly on the operating system's "path". This is so their path can be properly specified at compile time.

With that being said, unbound can be configured as a recursive DNS server. It also supports DoT. It also supports dnscrypt and DoH, but these require additional compile options to be enabled (a.k.a. not supported by Entware's version). Unbound has great caching options. With unbound, users can set up zones, and control the type of responses and servers used for certain zones. Truly a lot of pros for unbound for those who wish to read the manual and learn its secrets.

Looks like they cleaned up that manual some ;), I remember when it still listed old deprecated options. Over time unbound has added, removed, and changed the names of options.
 

I know there are a lot of customization options within Unbound; however, I use the default option setup (enabled DNS firewall) from the amtm installation process and I've never had any issues with it. Aside from that I have no knowledge of Unbound binaries nor setting up certain zones. I guess I'm just thankful/happy @Martineau put it together for us to use it, cause I'd probably be using "none" if this wasn't the case.
 
There is no combined choice of the above. I ran unbound with adguard.
And tbh I wasn't aware that adguard could act as its own DNS server?
Yes, adguardhome is able to pull DoT, DoQ, DoH, and dnscrypt from upstream. It also can act as a remote server of all encryption variants as well. It is also able to manipulate some cache options just like unbound. However, not nearly as many cache manipulation options as unbound.

Unbound and adguardhome can act in concert, but it is not required since either one can pull from upstream via encryption or plaintext. The exception is unbound since it is the only solution that is able to recursively talk to authoritative dns servers by which it is able to skip getting answers from big box dns servers.

I personally recommend anyone trying to combine unbound with adguardhome to do so with the utmost care. Meaning your router only has so much memory. Use unbound with a minimalist approach by only installing using unbound manager "basic". Skip the unnecessary advanced features such as statistics and unbound adblock.
 
I know there are a lot of customization options within Unbound; however, I use the default option setup (enabled DNS firewall) from the amtm installation process and I've never had any issues with it. Aside from that I have no knowledge of Unbound binaries nor setting up certain zones. I guess I'm just thankful/happy @Martineau put it together for us to use it, cause I'd probably be using "none" if this wasn't the case.
I think @Martineau did brilliant work as well. I also like @dave14305's Unbound-Merlin-Webui. Both install methods provide Unbound in the most essential form.
 
I also vote for None for simplicity, stability and speed. Nothing else is really needed on a home router. This mostly weak power efficient hardware doesn't like extra load. Some say AX86U is a powerful router. When decorated like a Christmas Tree with TrendMicro bloatware and custom scripts, it definitely slows down. No need to measure anything, it's visible. Visible means 30% or more performance difference. In light configuration it's quick and responsive.
 
I feel like the biggest drop in performance can be observed once trend micro is turned on. It always seems doing that makes the internet connection slower, and more prone to lag.
 
I feel like the biggest drop in performance can be observed once trend micro is turned on.

Agree. The popular on SNB Forums configuration AiProtection/AdaptiveQoS + Diversion/Skynet + DoT results in visible performance drop. Not so in maximum achievable speeds, but in overall responsiveness. If I can see it without measuring, the difference is 30% or greater. I can always tell if my test client is connected to my main Wi-Fi or to the Asus router. With TrendMicro off and no scripts + plain port 53 DNS I can't see much difference. I like websites to pop in an instant.
 
I seem to recall Stubby was deprecated in the last amtm update...because all the other options include a DoT option...I think.
 
Stubby was deprecated from AMTM, but not the firmware. It was deprecated because it became a part of the official DNS privacy of the firmware. I included it in the list since users still can use it as a DNS solution since it is included in the firmware itself.

Dnscrypt-Proxy Installer was the DNS solution which was on the verge of deprecation since it had not been maintained in a while and the developer stopped maintaining it. I picked up the pieces and now maintain it. I added numerous customization features that were not present to the installer.

I still owe the biggest thanks to @Zastoff because he has sorta been my bridge with dnscrypt-proxy installer development, and he has been there to provide invaluable testing feedback whenever a new feature has been added that needed incorporation with the installer.
 
OpenDNS, No encryption:

1665440113142.png


OpenDNS, DNS-over-TLS:

1665440276366.png


 

Can you clarify what you mean? I am trying to better understand. The biggest proponent of DoT is that it creates a directly encrypted channel per request between the provider and the requester. In comparison to DoH which relies on https to "hide" the traffic within the rest of the traffic.
 
OpenDNS, No encryption:

View attachment 44749

OpenDNS, DNS-over-TLS:

View attachment 44750

I checked my setup against this test... Exit shows a NordVPN server, and DNS resolvers show Woodynet, which are all Quad9 DoT servers... All good in this neighborhood! :)

I also really like this test: https://dnscheck.tools/#results
 
Can you clarify what you mean?

I'm getting faster response from more DNS servers available. OpenDNS has DoT servers in Toronto. Google DoT sends me to Montreal. Quad9 DoT has 1 server in Toronto and 1 in the US. The same with CleanBrowsing DoT. I can always tell with Quad9 if DoT is enabled or not. DoT is generally slower.
 
The only way you benefit from DoT is if the servers you are using are relatively close to your geographical location (not necessarily a flaw of the servers, but the fact the encrypted channel is over TCP). When I use cloudflare, I have gotten the best results. You should try DoT on adguardhome or unbound, they both send out more connections per request attempt. You might get better results.
 