From: Peter Müller
To: development@lists.ipfire.org
Subject: DNS over TLS performance and query randomisation across multiple forwarders
Date: Wed, 19 Feb 2020 21:17:00 +0000
Message-ID:

Hello *,

while DNS over TLS is operational in upcoming Core Update 140/141, we already discovered some performance issues due to missing TLS connection reuse and similar optimisations.

Further, Unbound performs some measurements to determine response times of given forwarders and submits all queries to the fastest one - which obviously is a bad thing with a view to DNS privacy.

Stubby (https://dnsprivacy.org/wiki/display/DP/About+Stubby), which is also written by NLnet Labs, aims to fix both issues.

Personally, I do not like the idea of putting another software before Unbound in case the user decides to enable DNS over TLS. However, to discuss this matter and further steps, mentioning it did sound reasonable to me. :-)

Thoughts/comments/opinions?

Thanks, and best regards,
Peter Müller
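The privacy point raised in the mail, that a resolver which always forwards to the fastest upstream hands one operator the complete query stream while per-query randomisation spreads it out, can be made concrete with a small simulation. The following is an added example written for this page, not code from the thread, from IPFire, or from Unbound or Stubby; the forwarder names, the RTT figures and the query count are constructed sample values, and the two policies are simplified models of the behaviour described rather than either project's actual selection algorithm.

```python
"""Compare two forwarder-selection policies for a resolver that forwards
DNS (over TLS) queries to several upstreams.

  * "fastest": always pick the upstream with the lowest measured RTT
               (the behaviour the mail attributes to Unbound)
  * "random":  pick an upstream uniformly at random for every query
               (the randomisation the mail asks for)

Added example; the forwarders, RTTs and query counts are constructed.
"""
import random
from collections import Counter

# Constructed sample forwarders: name -> measured RTT in milliseconds.
FORWARDERS = {"upstream-a": 12.0, "upstream-b": 18.0, "upstream-c": 25.0}


def pick_fastest(rtts):
    """Return the forwarder with the lowest measured RTT."""
    return min(rtts, key=rtts.get)


def pick_random(rtts, rng):
    """Return a uniformly chosen forwarder (sorted for reproducible seeding)."""
    return rng.choice(sorted(rtts))


def simulate(policy, rtts, queries, seed=0):
    """Send `queries` queries under `policy`; return a Counter of
    how many each forwarder received."""
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(queries):
        if policy == "fastest":
            chosen = pick_fastest(rtts)
        elif policy == "random":
            chosen = pick_random(rtts, rng)
        else:
            raise ValueError("unknown policy: %r" % policy)
        counts[chosen] += 1
    return counts


def max_share(counts):
    """Largest fraction of the query stream seen by any single upstream.
    1.0 means one operator observed every query."""
    total = sum(counts.values())
    return max(counts.values()) / total if total else 0.0


def mean_rtt(counts, rtts):
    """Average RTT paid per query under the observed distribution,
    i.e. the latency cost of the policy."""
    total = sum(counts.values())
    if not total:
        return 0.0
    return sum(n * rtts[name] for name, n in counts.items()) / total


if __name__ == "__main__":
    for policy in ("fastest", "random"):
        c = simulate(policy, FORWARDERS, 3000)
        print("%-8s max share %.2f  mean RTT %.1f ms  %s"
              % (policy, max_share(c), mean_rtt(c, FORWARDERS), dict(c)))
```

Running it shows the trade-off the mail is weighing: the "fastest" policy gives a max share of 1.00 (one upstream sees everything) at the best possible mean RTT, while "random" brings the max share down to roughly one third at the cost of a higher mean RTT. A real deployment would additionally need TLS connection reuse to each upstream, otherwise randomising across forwarders multiplies the handshake overhead the mail already complains about.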