DNS over HTTPS with Cloudflare, an experiment, some timings, lots of promise!

OK, here’s a recipe for you to experiment with. I chose to try https://github.com/facebookexperimental/doh-proxy. I looked at a few others (e.g. https://github.com/wrouesnel/dns-over-https-proxy, but this is only for Google DNS, and https://github.com/aarond10/https_dns_proxy, but that only does A/AAAA, no MX or SOA or TXT). Also, I chose to use a proxy (converting UDP DNS to DNS over HTTPS) rather than a stub resolver, since I plan on putting this on my router in front of dnsmasq. Why in front of dnsmasq, you ask? Well, I still need to integrate with adblock and DHCP, so removing dnsmasq from LEDE is a bit tougher.

pip3 install doh-proxy
doh-stub --level WARNING --listen-port 5053 --domain 1.1.1.1 --remote-address 1.1.1.1
dig -t mx -p 5053 @localhost donbowman.ca
time for i in $(seq 0 100); do dig -t a -p 5053 @localhost donbowman.ca; done

OK, so what does this do? The first line installs the package. The 2nd line runs a stub that accepts plain UDP DNS on port 5053 and forwards it as DNS over HTTPS to 1.1.1.1. The 3rd line gives it a try, resolving my MX record. The fourth line does some timing.

So, what does my unscientific test show?

$ time for i in $(seq 0 100); do dig -t a -p 53 @8.8.8.8 donbowman.ca; done

real 0m4.208s
user 0m0.782s
sys 0m0.558s

$ time for i in $(seq 0 100); do dig -t a -p 5053 @localhost donbowman.ca; done

real 0m3.603s
user 0m0.848s
sys 0m0.592s

So, we are 4.2 ms/lookup for Google, and 3.6 ms/lookup for Cloudflare, not too shabby. (Note, I don’t recommend any real hard benchmarks; these are public providers, and that wouldn’t be fair.) I did try this a couple of times.
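For anyone who wants to see what the stub is actually doing on the wire, here is a small Python script, added as an illustration and not taken from the post or from doh-proxy. It builds the same wire-format DNS query that dig sends, shows the two RFC 8484 ways of carrying it over HTTPS (a POST body with content type application/dns-message, or base64url in a GET ?dns= parameter), parses an MX answer including name-compression pointers, and includes a timing helper that divides by the iteration count (seq 0 100 runs 101 iterations). The /dns-query path is the standard DoH endpoint; the server name is a parameter you pass in, and the sample MX response bytes are constructed by hand, not captured from 1.1.1.1.

```python
"""DNS-over-HTTPS (RFC 8484) wire format plus a small timing harness.

Added illustration, not code from the post or from doh-proxy. The sample
response below is constructed by hand, not a capture from any resolver.
"""
import base64
import struct
import time
import urllib.request

RR_TYPES = {"A": 1, "MX": 15, "AAAA": 28}


def encode_name(name: str) -> bytes:
    """Encode 'donbowman.ca' as DNS labels: \\x09donbowman\\x02ca\\x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, rtype: str, txid: int = 0) -> bytes:
    """Build a DNS query with RD set. RFC 8484 recommends ID 0 so that
    identical queries yield identical (HTTP-cacheable) requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", RR_TYPES[rtype], 1)
    return header + question


def doh_get_url(server: str, query: bytes) -> str:
    """GET form: base64url without '=' padding in the ?dns= parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{server}/dns-query?dns={b64}"


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:           # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                 # caller resumes after the pointer
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_answers(msg: bytes):
    """Return [(name, type, ttl, rdata)] for the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if flags & 0x000F:
        raise ValueError(f"RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                       # skip the question section
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:                        # A: dotted quad
            value = ".".join(str(b) for b in rdata)
        elif rtype == 15:                     # MX: preference + exchange name
            pref = struct.unpack("!H", rdata[:2])[0]
            value = (pref, read_name(msg, off + 2)[0])
        else:
            value = rdata
        answers.append((name, rtype, ttl, value))
        off += rdlen
    return answers


def doh_post(server: str, query: bytes, timeout: float = 5.0) -> bytes:
    """Send a wire-format query over HTTPS (needs network; not run offline)."""
    req = urllib.request.Request(
        f"https://{server}/dns-query", data=query,
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def ms_per_lookup(resolve, iterations: int = 101) -> float:
    """Average milliseconds per call; 'seq 0 100' runs 101 iterations."""
    start = time.perf_counter()
    for _ in range(iterations):
        resolve()
    return (time.perf_counter() - start) * 1000 / iterations


# Constructed sample: reply to an MX query for donbowman.ca with one answer.
# The answer name is a pointer (0xC00C) to the question name at offset 12, and
# the exchange 'mail.donbowman.ca' reuses the same pointer for its suffix.
_MX_RDATA = struct.pack("!H", 10) + b"\x04mail" + b"\xc0\x0c"
SAMPLE_MX_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    + encode_name("donbowman.ca") + struct.pack("!HH", 15, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 15, 1, 300, len(_MX_RDATA)) + _MX_RDATA
)

if __name__ == "__main__":
    q = build_query("donbowman.ca", "MX")
    print(doh_get_url("1.1.1.1", q))
    print(parse_answers(SAMPLE_MX_RESPONSE))
    print(parse_answers(doh_post("1.1.1.1", q)))   # live query, needs network
```

To reproduce the post’s timing loop in-process, wrap `doh_post` in a lambda and pass it to `ms_per_lookup`; note that each `urllib` call opens a fresh TLS connection, whereas the stub proxy keeps one HTTP/2 connection open, which is a large part of why the proxy numbers above look good.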

Now, let’s replace 1.1.1.1 with 2606:4700:4700::1111 so we can compare IPv4 versus IPv6. Interestingly, this is slightly slower, 3.9 ms/lookup over several runs. Not sure why that would be; the options processing should be faster. I would guess (?) there is some load balancing in Cloudflare which is slightly pessimised? No, that should only occur at connection level (and this is a single TCP connection), so maybe they have a TLS reverse proxy and that in turn re-routes transactions? Hmm, not sure. It’s definitely slightly slower.

Well, this is promising. I can see putting this on my LEDE router.

Anyone else have something to share?
