public inbox for development@lists.ipfire.org
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [Fwd: Re: request for info: unbound via https / tls]
Date: Thu, 13 Dec 2018 16:26:20 +0000	[thread overview]
Message-ID: <D919B799-C1F2-48AF-9947-510D0C6C6EAE@ipfire.org> (raw)
In-Reply-To: <9a4143e8cc1adb0ef9bba22a540e325678a3d4e5.camel@ipfire.org>


Hi,

> On 13 Dec 2018, at 06:52, ummeegge <ummeegge(a)ipfire.org> wrote:
> 
> Hi all,
> a little update to this comment
> 
> On Wednesday, 12.12.2018, 18:44 +0100, ummeegge wrote:
>> 
>> As a side note, Cloudflare has offered TLS1.3 support for a couple of
>> days/weeks now.
>> 
> 
> I have now tested a couple of DoT servers and wanted to update some info
> regarding encryption, sorted by speed:
> 
> *.quad9.net                                 (TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA512)-(AES-256-GCM)
> 9.9.9.10        in 12.4 ms
> 
> *.quad9.net                                 (TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA512)-(AES-256-GCM)
> 9.9.9.9         in 18.7 ms
> 
> rec1.dns.lightningwirelabs.com              (TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA512)-(CHACHA20-POLY1305)
> 81.3.27.54      in 24.9 ms
> 
> *.tenta.io                                  (TLS1.2)-(ECDHE-SECP521R1)-(ECDSA-SHA256)-(CHACHA20-POLY1305)
> 99.192.182.200  in 28.7 ms
> 
> kaitain.restena.lu                          (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM)
> 158.64.1.29     in 29.6 ms
> 
> dnsovertls2.sinodun.com                     (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> 145.100.185.17  in 45.1 ms
> 
> *.cloudflare-dns.com                        (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
> 1.0.0.1         in 46.1 ms
> 
> *.cloudflare-dns.com                        (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
> 1.1.1.1         in 47.8 ms
> 
> dot-de.blahdns.com                          (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
> 159.69.198.101  in 61.1 ms
> 
> dns.neutopia.org                            (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> 89.234.186.112  in 62.2 ms
> 
> securedns.eu                                (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
> 146.185.167.43, 146.185.167.43
> in 72.8 ms      in 75.1 ms
> 
> getdnsapi.net                               (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> 185.49.141.37   in 88.4 ms
> 
> dnsovertls3.sinodun.com                     (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
> 145.100.185.18  in 91.2 ms
> 
> dns.cmrg.net                                (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM)
> 199.58.81.218   in 100.8 ms
> 
> 
> 
> Lightningwirelabs is really pretty fast (@Michael, did you change to curve25519? It seems to be some ms faster),
> but TLS1.3 also seems to be more common than I thought.

This is the default cipher list of the OpenSSL version that is shipped with IPFire. We kind of prefer Curve25519 but not only for performance reasons. Mainly because it is free of any NSA cryptography.

But cool to see that this is actually quite slow. I suppose that it is crucial to use a permanent connection or TFO might help, too.

We are only fast because we might have the result cached and our hoster has actually really good peering to many locations. So, although you are travelling through half the country, it is not very far away from you on the Internet.

This will probably be super slow from America or somewhere further away because of the long TCP handshake.

Interesting too how we are standing out with our crypto :)

-Michael

> 
> Best,
> 
> Erik

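As an added example (not code from this thread or from IPFire), a small Python DoT probe that does what Erik's list reports and Michael's reply suggests: it opens one certificate-verified TLS session to a resolver, records the negotiated TLS version, cipher and handshake time, and then times several queries over that same connection so the handshake cost can be separated from the per-query cost of a reused session. It assumes Python 3's standard `ssl` module; the server name and IP are taken from the list above, and the queried names are constructed samples.

```python
import socket, ssl, struct, time

def build_query(name, qtype=1, txid=0x1234):
    """Wire-format DNS query (RFC 1035): RD set, one question, QCLASS IN.
    qtype 1 = A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg):
    """DoT (RFC 7858) reuses DNS-over-TCP framing: 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(msg):
    """Return (txid, rcode, answer_count) from a wire-format DNS response."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return txid, flags & 0x000F, an

def _recv_exact(sock, n):
    """TLS sockets may return short reads; loop until n bytes have arrived."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def probe(host, ip, names, port=853):
    """One verified TLS session, all names resolved over it. Returns the
    negotiated version/cipher, handshake time and per-query times (ms)."""
    ctx = ssl.create_default_context()  # verifies the chain and the hostname
    t0 = time.perf_counter()
    with socket.create_connection((ip, port), timeout=5) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls:  # SNI = host
        handshake_ms = (time.perf_counter() - t0) * 1000
        queries = []
        for i, name in enumerate(names, start=1):
            t1 = time.perf_counter()
            tls.sendall(frame(build_query(name, txid=i)))
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            _txid, rcode, answers = parse_header(_recv_exact(tls, length))
            queries.append((name, rcode, answers, (time.perf_counter() - t1) * 1000))
        return {"version": tls.version(), "cipher": tls.cipher()[0],
                "handshake_ms": handshake_ms, "queries": queries}

if __name__ == "__main__":
    # Server and IP from the thread's list; the query names are constructed samples.
    print(probe("rec1.dns.lightningwirelabs.com", "81.3.27.54", ["ipfire.org", "example.org"]))
```

Comparing `handshake_ms` with the later entries in `queries` shows how much of the latency in the list above is the TCP and TLS setup that a persistent connection avoids.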
