Will Merlin support the faster DoH3 standard or just DoT?

treeskygrass

Regular Contributor
With the performance advantages of DoH/DoH3 vs. DoT, will Merlin be adding support? Seems like a pretty big difference?

"replacing DoT with DoH3 reduces median query time by 24%, and 95th percentile query time by 44%"

 
I think your question should be "Does anyone know if ASUS will support the DoH3 standard?"

 
With the performance advantages of DoH/DoH3 vs. DoT, will Merlin be adding support? Seems like a pretty big difference?

"replacing DoT with DoH3 reduces median query time by 24%, and 95th percentile query time by 44%"

I do not think it is faster than DoT; not that many servers support DoH3 yet, and from the testing I have done it is about the same.
It can be used/installed via amtm (dnscrypt installer or AdGuard Home installer, I think).
 
With the performance advantages of DoH/DoH3 vs. DoT

When you hit an overloaded server, any encryption method may be way slower. It happens quite often with a popular free filtering DNS service in my area. Your router encrypts a few KB only, but the server encrypts >100K times a few KB. When you see a 10 ms response time on port 53 and 45 ms on port 853, you know what's going on already.
 
With the performance advantages of DoH/DoH3 vs. DoT, will Merlin be adding support? Seems like a pretty big difference?

"replacing DoT with DoH3 reduces median query time by 24%, and 95th percentile query time by 44%"

I bet that in a blind test, you'd be totally unable to tell which DNS resolver method is being used by a client.
It is definitely something you would have to train yourself to catch; the real question remains whether it is worth all the effort.
 
I do not think it is faster than DoT; not that many servers support DoH3 yet, and from the testing I have done it is about the same.
It can be used/installed via amtm (dnscrypt installer or AdGuard Home installer, I think).
Yep, people don't have to go very far to try it out via dnscrypt-proxy or AdGuardHome. From my understanding, actual support for DoH3 (DoQ) hangs more on whether the servers being used support it. If they don't, then the DNS resolver typically falls back to using older DoH protocols.



To that end, how can we be sure of the integrity of the encryption when using such a thing on a dedicated setup?

On the contrary, I don't think @RMerlin has plans to jump on the horn with the stubby development team to really sell this newfound zeal for DoH3 (DoQ) when HTTP/3 is still so relatively new.
 
My current setup uses unbound with DNS over TLS with DNSSEC. And it's fine.

Where I got the biggest bang for my buck was using this tool to help select DNS servers to forward to, along with running my own cache server locally.


What problem are you trying to solve?
 
Yep, people don't have to go very far to try it out via dnscrypt-proxy or AdGuardHome. From my understanding, actual support for DoH3 (DoQ) hangs more on whether the servers being used support it. If they don't, then the DNS resolver typically falls back to using older DoH protocols.


To that end, how can we be sure of the integrity of the encryption when using such a thing on a dedicated setup?

On the contrary, I don't think @RMerlin has plans to jump on the horn with the stubby development team to really sell this newfound zeal for DoH3 (DoQ) when HTTP/3 is still so relatively new.
Isn’t AdGuard Russian though?

Edit: They apparently got a PO Box in Cyprus to look less Russian.
 
All this fragmentation of having five competing standards (and not-so-standard protocols) only serves to confuse the end users. Seriously, DNS server managers aren't going to start offering support for five different protocols. This is getting ridiculous.

These are turning into lab experiments that are being unleashed in the wild. QUIC already existed two years ago when DoH was pushed, so why didn't they start with it from the start?
 
Isn’t AdGuard Russian though?

Edit: They apparently got a PO Box in Cyprus to look less Russian.
Well I was hoping everyone brought ambiguity, but if you require something more geographically acceptable, you can try dnscrypt-proxy. They have a pretty good reputation and have been up and running for a long time.
 
All this fragmentation of having five competing standards (and not-so-standard protocols) only serves to confuse the end users. Seriously, DNS server managers aren't going to start offering support for five different protocols. This is getting ridiculous.

These are turning into lab experiments that are being unleashed in the wild. QUIC already existed two years ago when DoH was pushed, so why didn't they start with it from the start?
You know how everything starts as a whisper, that is how QUIC started. I think they wanted a protocol that had humble beginnings to make the acquisition to the DoH standard more palatable. Even still, they should have known they would not fool people of your caliber.
 
Most network traffic is regular data and not DNS lookups, so shaving off milliseconds here and there has minimal effect on overall network performance!
 
Most network traffic is regular data and not DNS lookups, so shaving off milliseconds here and there has minimal effect on overall network performance!
Also, DNS queries are often very bursty, and with DoT persistent connections, that RTT benefit that they claim for DoH3 becomes irrelevant. Typically, your browser will send 15-20 queries as you connect to a website, so all of these will go over the same DoT connection. That means over the, say, 5 seconds load time for a complex page, you will be saving maybe 3-5 ms total. Unless you were on a very high latency satellite connection or something like that.
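The post above rests on a wire-level fact worth seeing in code: DoT (RFC 7858) carries ordinary DNS messages over TLS using the RFC 1035 TCP framing, a two-byte big-endian length in front of each message, so a browser's burst of 15-20 queries is just a run of framed messages on one already-established TLS stream, and the replies may come back in any order and are matched by message ID. The following Python is an added example, not code from this thread, from Asuswrt-Merlin or from stubby; the host names and the reply bytes are constructed inline and nothing touches the network. It also decodes the AD ("authenticated data") flag, which is what a validating resolver sets when it has DNSSEC-validated an answer.

```python
"""Frame a burst of DNS queries onto one DNS-over-TLS stream and match the replies.

Added example; all byte strings are constructed here, no network is used.
DoT (RFC 7858) reuses the RFC 1035 DNS-over-TCP framing: each message is
preceded by its 16-bit big-endian length, so many messages share one stream.
"""
import struct

RD = 0x0100  # flags: recursion desired (set on queries)
QR = 0x8000  # flags: this message is a response
AD = 0x0020  # flags: authenticated data (resolver validated DNSSEC)


def encode_name(qname: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in the root label."""
    labels = [lbl for lbl in qname.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(qname: str, qid: int, qtype: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header (RD set, QDCOUNT=1) plus one question (class IN)."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """Prefix a message with its 16-bit length, as DoT / DNS-over-TCP require."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too long for a 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def pipeline_queries(qnames, first_id=0x1000):
    """Serialise N queries for a single connection; IDs must be unique per connection.

    Sequential IDs are used only to keep the example readable; real clients
    randomise them. Returns the stream to send and an id -> name map of
    outstanding queries.
    """
    pending, stream = {}, bytearray()
    for i, name in enumerate(qnames):
        qid = (first_id + i) & 0xFFFF
        pending[qid] = name
        stream += frame(build_query(name, qid))
    return bytes(stream), pending


def split_frames(buf: bytes):
    """Split a received byte stream into whole messages.

    Returns (messages, leftover). A trailing partial frame is returned as
    leftover so the caller can append the next TLS record and call again;
    TLS record boundaries do not line up with DNS message boundaries.
    """
    msgs, off = [], 0
    while off + 2 <= len(buf):
        (n,) = struct.unpack_from("!H", buf, off)
        if off + 2 + n > len(buf):
            break
        msgs.append(buf[off + 2:off + 2 + n])
        off += 2 + n
    return msgs, buf[off:]


def parse_header(msg: bytes) -> dict:
    """Decode the header fields a client needs to match and judge a reply."""
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    return {"id": qid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def match_responses(stream: bytes, pending: dict) -> dict:
    """Map each response back to its query name by ID; replies may arrive in any order.

    Responses whose ID is not outstanding are discarded rather than trusted.
    """
    msgs, _leftover = split_frames(stream)
    matched = {}
    for m in msgs:
        h = parse_header(m)
        if h["qr"] and h["id"] in pending:
            matched[pending.pop(h["id"])] = h
    return matched


def fake_response(query: bytes, ad: bool = False) -> bytes:
    """Constructed stand-in for a resolver reply: echo the question with QR (and AD) set."""
    qid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", query, 0)
    flags |= QR | (AD if ad else 0)
    return struct.pack("!HHHHHH", qid, flags, qd, an, ns, ar) + query[12:]


if __name__ == "__main__":
    names = ["www.example.com", "cdn.example.com", "api.example.com"]  # constructed
    stream, pending = pipeline_queries(names)
    queries, _ = split_frames(stream)
    # One TLS connection, replies returned out of order, all validated (AD set).
    replies = b"".join(frame(fake_response(q, ad=True)) for q in reversed(queries))
    for name, h in match_responses(replies, pending).items():
        print(f"{name}: id=0x{h['id']:04x} rcode={h['rcode']} ad={h['ad']}")
```

The point for the latency argument is that none of this per-query work involves a handshake: the TLS connection is set up once, and each extra query costs only its framed bytes. The AD bit shown here is only meaningful if the client trusts the resolver that set it, which is exactly what the TLS connection (with a verified server certificate) is supposed to give you.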
 
You know how everything starts as a whisper, that is how QUIC started. I think they wanted a protocol that had humble beginnings to make the acquisition to the DoH standard more palatable. Even still, they should have known they would not fool people of your caliber.
It just shows lack of planning. A group of people at OpenDNS worked on dnscrypt. Another group of people worked on DoT. A third group worked on DoH. And now Google works on DoH3.

Meanwhile, the elephant in the room is that less than 10% of domains are signed with a DNSSEC key - which is a much bigger security issue than lack of TLS on a DNS query.
 
All this fragmentation of having five competing standards (and not-so-standard protocols) only serves to confuse the end users. Seriously, DNS server managers aren't going to start offering support for five different protocols. This is getting ridiculous.

These are turning into lab experiments that are being unleashed in the wild. QUIC already existed two years ago when DoH was pushed, so why didn't they start with it from the start?
Follow the dollar!
 
It just shows lack of planning. A group of people at OpenDNS worked on dnscrypt. Another group of people worked on DoT. A third group worked on DoH. And now Google works on DoH3.

Meanwhile, the elephant in the room is that less than 10% of domains are signed with a DNSSEC key - which is a much bigger security issue than lack of TLS on a DNS query.
Yeah, I completely agree. DNS shouldn't be so darn complicated that we need so many different protocols that all claim to achieve the same type of security.
 
It just shows lack of planning. A group of people at OpenDNS worked on dnscrypt. Another group of people worked on DoT. A third group worked on DoH. And now Google works on DoH3.

Meanwhile, the elephant in the room is that less than 10% of domains are signed with a DNSSEC key - which is a much bigger security issue than lack of TLS on a DNS query.

Amen...

Like many things - answers perhaps looking for questions...


dnscrypt, dnssec, DoT, DoH, etc...
 
dnscrypt, dnssec, DoT, DoH, etc...

I'll go on record that I do support DNSSEC and DNS over TLS - I think these are great additions to DNS, and these are fully supported by IETF, which helps with interoperability.

DNSCrypt - proprietary - so not a big fan there... along with its proxy kin... lot of good ideas, but the group that did the work failed hard at actual implementation and evangelism of their solution - time has passed on with other/better alternatives...

DNS over HTTP(S) - spawn of hell I tell you... minor point is enterprise, big point is malware opportunity...
 
With the performance advantages of DoH/DoH3 vs. DoT, will Merlin be adding support? Seems like a pretty big difference?

"replacing DoT with DoH3 reduces median query time by 24%, and 95th percentile query time by 44%"

You can mark this thread as solved. Judging by all the responses, the answer is no.
 
