From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: DNS over TLS performance and query randomisation across multiple forwarders
Date: Thu, 20 Feb 2020 14:37:47 +0000 [thread overview]
Message-ID: <15108BB5-2BC1-4B04-B5C9-FAA8D7E5B3D8@ipfire.org> (raw)
In-Reply-To: <a647c20e-dffb-8a0c-c994-fd6225ae5dfe@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 2229 bytes --]
Hi,
> On 19 Feb 2020, at 21:17, Peter Müller <peter.mueller(a)ipfire.org> wrote:
>
> Hello *,
>
> while DNS over TLS is operational in upcoming Core Update 140/141, we
> already discovered some performance issues due to missing TLS connection
> reuse and similar optimisations.
>
> Further, Unbound performs some measurements to determine response times
> of given forwarders and submits all queries to the fastest one - which
> obviously is a bad thing with a view to DNS privacy.
>
> Stubby (https://dnsprivacy.org/wiki/display/DP/About+Stubby), which is
> also written by NLnet Labs, aims to fix both issues.
>
> Personally, I do not like the idea of putting another software before
> Unbound in case the user decides to enable DNS over TLS. However, to discuss
> this matter and further steps, mentioning it did sound reasonable to me. :-)
>
> Thoughts/comments/opinions?
No. No. No. No. No.
Thanks for bringing this up on the list.
I think that this would be the worst implementation that someone could come up with.
We already have daisy-chained the stub resolvers in our clients to the resolver inside IPFire, which then connects to other resolvers which then connect to the authoritative DNS servers. If something goes wrong in that chain, it is a lot of hassle to figure out where the problem is.
Adding another proxy just to have a re-usable TCP connection is madness.
Unbound clearly seems to be mis-designed if this is not easy to add into the implementation. Dnsmasq used to be the same when it had to fork() another process to open a TCP connection. Responses coming through that connection therefore could not be cached. A nightmare when we enabled DNSSEC.
DNS has always been specified for TCP - as well as UDP obviously. If your implementation cannot handle TCP, you have not implemented DNS. You have implemented a subset of it.
I guess that is beyond obvious that performance matters for people who write DNS software. And this isn’t rocket science.
Unbound seems to have some trouble here. A forward-proxy is not a solution that I would support. I would rather move to another DNS proxy.
-Michael
> Thanks, and best regards,
> Peter Müller
prev parent reply other threads:[~2020-02-20 14:37 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-19 21:17 Peter Müller
2020-02-20 14:37 ` Michael Tremer [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=15108BB5-2BC1-4B04-B5C9-FAA8D7E5B3D8@ipfire.org \
--to=michael.tremer@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox