DNS over HTTPS with Cloudflare, an experiment, some timings, lots of promise!
OK, here's a recipe for you to experiment with. I chose to try https://github.com/facebookexperimental/doh-proxy. I looked at a few others (e.g. https://github.com/wrouesnel/dns-over-https-proxy, but this only works with Google DNS, and https://github.com/aarond10/https_dns_proxy, but that only does A/AAAA, no MX, SOA or TXT). I also chose to use a proxy (converting UDP DNS to DNS over HTTPS) rather than a stub resolver, since I plan on putting this on my router in front of dnsmasq. Why in front of dnsmasq, you ask? Well, I still need to integrate with adblock and DHCP, so removing dnsmasq from LEDE is a bit tougher.
pip3 install doh-proxy
doh-stub --level WARNING --listen-port 5053 --domain 126.96.36.199 --remote-address 188.8.131.52
dig -t mx -p 5053 @localhost donbowman.ca
time for i in $(seq 0 100); do dig -t a -p 5053 @localhost donbowman.ca; done
OK, so what does this do? The first line installs the package. The second line runs doh-stub, a stub that listens for plain UDP DNS on port 5053 and forwards each query over DNS over HTTPS to the remote resolver. The third line gives it a try by resolving my MX record. The fourth line does some timing.
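To make the UDP-to-DoH conversion concrete, here is an added example (my own code, not part of doh-proxy or the original post) of what the stub has to do on the wire: encode an RFC 1035 query for a name and type (A, MX, and so on), POST it as `application/dns-message` per RFC 8484, and decode the DNS message that comes back, including compressed names. It assumes Cloudflare's public endpoint at `https://cloudflare-dns.com/dns-query`; the `build_response` helper is only there to construct a server reply offline so the encoder and decoder can be checked without touching the network.

```python
"""Minimal DNS-over-HTTPS (RFC 8484) wire-format helpers (added example)."""
import struct
import urllib.request
from typing import Optional

# Assumption: Cloudflare's public DoH endpoint; any RFC 8484 server works.
DOH_URL = "https://cloudflare-dns.com/dns-query"
QTYPE = {"A": 1, "NS": 2, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str, qid: int = 0) -> bytes:
    """Wire-format query: header with RD set, one question, class IN.
    RFC 8484 recommends ID 0 over DoH so responses are cache-friendly."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_name(msg: bytes, off: int):
    """Decode a name at `off`, following compression pointers (0xC0xx)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer into an earlier part of the message
            if not jumped:
                end = off + 2      # the pointer itself is the last thing consumed
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def parse_response(msg: bytes) -> dict:
    """Decode header, questions and answers; A and MX rdata are expanded."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = parse_name(msg, off)
        qt, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, QTYPE_NAME.get(qt, qt)))
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:
            value = ".".join(str(b) for b in rdata)
        elif rtype == 15:  # MX: preference + exchange (may be compressed)
            value = (struct.unpack("!H", rdata[:2])[0], parse_name(msg, off + 2)[0])
        else:
            value = rdata
        answers.append({"name": name, "type": QTYPE_NAME.get(rtype, rtype), "ttl": ttl, "data": value})
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "tc": bool(flags & 0x0200),
            "questions": questions, "answers": answers}


# --- helpers to construct a server reply offline (test fixture, not client code) ---
def a_rdata(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def mx_rdata(preference: int, exchange: str) -> bytes:
    return struct.pack("!H", preference) + encode_name(exchange)


def encode_rr(name: str, rtype: str, ttl: int, rdata: bytes, compress_to: Optional[int] = None) -> bytes:
    owner = struct.pack("!H", 0xC000 | compress_to) if compress_to is not None else encode_name(name)
    return owner + struct.pack("!HHIH", QTYPE[rtype], 1, ttl, len(rdata)) + rdata


def build_response(query: bytes, rrs: list) -> bytes:
    """Constructed reply: same ID and question, QR|RD|RA flags, given answers."""
    qid, _, qd, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    return struct.pack("!HHHHHH", qid, 0x8180, qd, len(rrs), 0, 0) + query[12:] + b"".join(rrs)


def doh_post(wire: bytes, url: str = DOH_URL, timeout: float = 5.0) -> bytes:
    """Send one DNS message by HTTPS POST and return the raw DNS reply."""
    req = urllib.request.Request(url, data=wire, method="POST", headers={
        "Content-Type": "application/dns-message", "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        if not resp.headers.get("Content-Type", "").startswith("application/dns-message"):
            raise ValueError("unexpected content type from DoH server")
        return resp.read()


if __name__ == "__main__":  # live lookup; needs network access
    print(parse_response(doh_post(build_query("donbowman.ca", "MX"))))
```

Running the file does a live MX lookup; the decoder also reports the TC (truncation) bit, which a stub sitting in front of dnsmasq has to pass through so the client can retry over TCP.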
So, what does my unscientific test show?
$ time for i in $(seq 0 100); do dig -t a -p 53 @184.108.40.206 donbowman.ca; done
real 0m4.208s
user 0m0.782s
sys 0m0.558s

$ time for i in $(seq 0 100); do dig -t a -p 5053 @localhost donbowman.ca; done
real 0m3.603s
user 0m0.848s
sys 0m0.592s
So, we are at 4.2 ms/lookup for Google and 3.6 ms/lookup for Cloudflare, not too shabby. (Note: I don't recommend any really hard benchmarks; these are public providers, so that wouldn't be fair.) I did try this a couple of times,
Now, let's replace 220.127.116.11 with 2606:4700:4700::1111 so we can evaluate IPv4 versus IPv6. Interestingly, this is slightly slower: 3.9 ms/lookup over several runs. I'm not sure why that would be; the options processing should be faster. I would guess (?) there is some load balancing in Cloudflare that is slightly pessimised? No, that should only occur at the connection level (and this is a single TCP connection), so maybe they have a TLS reverse proxy which in turn re-routes transactions? Hmm, not sure. It's definitely slightly slower.
Well, this is promising. I can see putting this on my LEDE router.
Anyone else have something to share?