What's new

Will Merlin support the faster DoH3 standard or just DoT?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

treeskygrass

Regular Contributor
With the performance advantages of DoH/DoH3 vs. DoT will Merlin be adding support? Seems like a pretty big difference?

"replacing DoT with DoH3 reduces median query time by 24%, and 95th percentile query time by 44%"

 
Last edited:
I think your question should be "Does anyone know if ASUS will support DoH3 standard ? "

 
With the performance advantages of DoH/DoH3 vs. DoT will Merlin be adding support? Seems like a pretty big difference?

"replacing DoT with DoH3 reduces median query time by 24%, and 95th percentile query time by 44%"

Do not think it is faster then DoT, not that many servers that support DoH3 yet, from the testing i have done it is about the same.
Can be used/installed via amtm (dnscrypt installer or adguard home installer i think)
 
Last edited:
With the performance advantages of DoH/DoH3 vs. DoT

When you hit an overloaded server any encryption method may be way slower. It happens quite often with popular free filtering DNS service in my area. Your router encrypts few Kb only, but the server >100K times few Kb. When you see 10ms response time on 53 and 45ms on 853 you know what's going on already.
 
With the performance advantages of DoH/DoH3 vs. DoT will Merlin be adding support? Seems like a pretty big difference?

"replacing DoT with DoH3 reduces median query time by 24%, and 95th percentile query time by 44%"

I bet that in a blind test, you'd be totally unable to tell which DNS resolver method is being used by a client.
It is definitely something you would have to train yourself to catch; the real question would remain is it worth all the effort.
 
Do not think it is faster then DoT, not that many servers that support DoH3 yet, from the testing i have done it is about the same.
Can be used/installed via amtm (dnscrypt installer or adguard home installer i think)
Yep people don't have to go very far to try it out via dnscrypt-proxy or AdGuardHome. From my understanding the actual support for DoH3(DoQ) hangs more on the fact of if the servers being used support it. If they don't, then the dns resolver typically falls back to using older DoH protocols.

Screenshot_20220921_041331.jpg


To that end, how can we be sure the integrity of the encryption when using such on a dedicated setup?

On the contrary, I don't think @RMerlin has plans to jump on the horn with the stubby development team to really sell this new found zeal for DoH3(DoQ) when https/3 is still so relatively new.
 
Last edited:
My current setup uses unbound with DNS over TLS with DNSSEC. And it's fine.

What I got the biggest bang for my buck was using this tool to help select DNS servers to forward to along with running my own cache server locally.


What problem are you trying to solve?
 
Yep people don't have to go very far to try it out via dnscrypt-proxy or AdGuardHome. From my understanding the actual support for DoH3(DoQ) hangs more on the fact of if the servers being used support it. If they don't, then the dns resolver typically falls back to using older DoH protocols.

View attachment 44332

To that end, how can we be sure the integrity of the encryption when using such on a dedicated setup?

On the contrary, I don't think @RMerlin has plans to jump on the horn with the stubby development team to really sell this new found zeal for DoH3(DoQ) when https/3 is still so relatively new.
Isn’t AdGuard Russian though?

Edit: They apparently got a PO Box in Cypress to look less Russian.
 
All this fragmentation of having five competing standards (and not-so-standard protocols) only serves in confusing the end users. Seriously, DNS server managers aren`t going to start offering support for five different protocols. This is getting ridiculous.

These are turning into lab experiments that are being unleashed in the wild. QUIC already existed two years ago when DoH was pushed, so why didn`t they start with it from the start?
 
Isn’t AdGuard Russian though?

Edit: They apparently got a PO Box in Cypress to look less Russian.
Well I was hoping everyone brought ambiguity, but if you require something more geographically acceptable, you can try dnscrypt-proxy. They have a pretty good reputation and have been up and running for a long time.
 
All this fragmentation of having five competing standards (and not-so-standard protocols) only serves in confusing the end users. Seriously, DNS server managers aren`t going to start offering support for five different protocols. This is getting ridiculous.

These are turning into lab experiments that are being unleashed in the wild. QUIC already existed two years ago when DoH was pushed, so why didn`t they start with it from the start?
You know how everything starts as a whisper, that is how QUIC started. I think they wanted a protocol that had humble beginnings to make the acquisition to the DoH standard more palatable. Even still, they should have known they would not fool people of your caliber.
 
Most network traffic is regular data and not DNS lookups, so shaving off milliseconds here and there has minimal effect on overall network performance!
 
Most network traffic is regular data and not DNS lookups, so shaving off milliseconds here and there has minimal effect on overall network performance!
Also, DNS queries are often very bursty, and with DoT persistent connections, that RTT benefit that they claim for DoH3 becomes irrelevant. Typically, your browser will send 15-20 queries as you connect to a website, so all of these will go over the same DoT connection. That means over the, say, 5 seconds load time for a complex page, you will be saving maybe 3-5 ms total. Unless you were on a very high latency satellite connection or something like that.
 
You know how everything starts as a whisper, that is how QUIC started. I think they wanted a protocol that had humble beginnings to make the acquisition to the DoH standard more palatable. Even still, they should have known they would not fool people of your caliber.
It just shows lack of planning. A group of people at OpenDNS worked on dnscrypt. Another group of people worked on DoT. A third group worked on DoH. And now Google works on DoH3.

Meanwhile, the elephant in the room is that less than 10% of domains are signed with a DNSSEC key - which is a much bigger security issue than lack of TLS on a DNS query.
 
All this fragmentation of having five competing standards (and not-so-standard protocols) only serves in confusing the end users. Seriously, DNS server managers aren`t going to start offering support for five different protocols. This is getting ridiculous.

These are turning into lab experiments that are being unleashed in the wild. QUIC already existed two years ago when DoH was pushed, so why didn`t they start with it from the start?
Follow the dollar!
 
It just shows lack of planning. A group of people at OpenDNS worked on dnscrypt. Another group of people worked on DoT. A third group worked on DoH. And now Google works on DoH3.

Meanwhile, the elephant in the room is that less than 10% of domains are signed with a DNSSEC key - which is a much bigger security issue than lack of TLS on a DNS query.
Yea I completely agree. DNS shouldn't be so darn complicated that we need so many different protocols that all claim to achieve the same type of security.
 
It just shows lack of planning. A group of people at OpenDNS worked on dnscrypt. Another group of people worked on DoT. A third group worked on DoH. And now Google works on DoH3.

Meanwhile, the elephant in the room is that less than 10% of domains are signed with a DNSSEC key - which is a much bigger security issue than lack of TLS on a DNS query.

Amen...

Like many things - answers perhaps looking for questions...


dnscrypt, dnssec, DoT, DoH, etc...
 
dnscrypt, dnssec, DoT, DoH, etc...

I'll go on record that I do support DNSSEC and DNS over TLS - I think these are great additions to DNS, and these are fully supported by IETF, which helps with interoperability.

DNSCrypt - proprietary - so not a bit fan there... along with it's proxy kin... lot of good ideas, but the group that did the work failed hard at actual implementation and evangelism of their solution - time has passed on with other/better alternatives...

DNS over HTTP(S) - spawn of hell I tell you... minor point is enterprise, big point is malware opportunity...
 
With the performance advantages of DoH/DoH3 vs. DoT will Merlin be adding support? Seems like a pretty big difference?

"replacing DoT with DoH3 reduces median query time by 24%, and 95th percentile query time by 44%"

You can mark this thread as solved. Judging by all the responses, the answer is no.
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Staff online

Top