Hi,
On 13 Dec 2018, at 06:52, ummeegge ummeegge@ipfire.org wrote:
Hi all, a little update to this comment
On Wednesday, 12.12.2018, 18:44 +0100, ummeegge wrote:
As a side note, Cloudflare has offered TLS1.3 support for a couple of days/weeks now.
I have now tested a couple of DoT servers and wanted to update some info regarding encryption, also sorted by speed:
*.quad9.net (TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA512)-(AES-256-GCM) 9.9.9.10 in 12.4 ms
*.quad9.net (TLS1.2)-(ECDHE-SECP256R1)-(ECDSA-SHA512)-(AES-256-GCM) 9.9.9.9 in 18.7 ms
rec1.dns.lightningwirelabs.com (TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA512)-(CHACHA20-POLY1305) 81.3.27.54 in 24.9 ms
*.tenta.io (TLS1.2)-(ECDHE-SECP521R1)-(ECDSA-SHA256)-(CHACHA20-POLY1305) 99.192.182.200 in 28.7 ms
kaitain.restena.lu (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA512)-(AES-256-GCM) 158.64.1.29 in 29.6 ms
dnsovertls2.sinodun.com (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM) 145.100.185.17 in 45.1 ms
*.cloudflare-dns.com (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM) 1.0.0.1 in 46.1 ms
*.cloudflare-dns.com (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM) 1.1.1.1 in 47.8 ms
dot-de.blahdns.com (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) 159.69.198.101 in 61.1 ms
dns.neutopia.org (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM) 89.234.186.112 in 62.2 ms
securedns.eu (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) 146.185.167.43, 146.185.167.43 in 72.8 ms in 75.1 ms
getdnsapi.net (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM) 185.49.141.37 in 88.4 ms
dnsovertls3.sinodun.com (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) 145.100.185.18 in 91.2 ms
dns.cmrg.net (TLS1.2)-(ECDHE-SECP256R1)-(RSA-SHA256)-(AES-256-GCM) 199.58.81.218 in 100.8 ms
Lightningwirelabs is really pretty fast (@Michael, did you change to curve25519? It seems to be some ms faster), but TLS1.3 also seems to be becoming more common than I thought.
This is the default cipher list of the OpenSSL version that is shipped with IPFire. We kind of prefer Curve25519 but not only for performance reasons. Mainly because it is free of any NSA cryptography.
But cool to see that this is actually quite slow. I suppose that it is crucial to use a permanent connection or TFO might help, too.
We are only fast because we might have the result cached and our hoster has actually really good peering to many locations. So, although you are travelling through half the country, it is not very far away from you on the Internet.
This will probably be super slow from America or somewhere further away because of the long TCP handshake.
Interesting too how we are standing out with our crypto :)
-Michael
Best,
Erik
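The kind of probe Erik ran above (negotiated TLS version, cipher suite and latency per DoT server), written out as an added example that is not part of this thread or of IPFire's code. It times TCP connect, TLS handshake and a single query separately, which is what makes Michael's point about a permanent connection visible: the handshake cost is paid once, each further lookup only pays the query round trip. The RFC 7858 two-byte length framing is standard; the default query name ipfire.org and port 853 are assumptions of this example.

```python
import socket
import ssl
import struct
import time
def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query with RD=1 for `name`; qtype 1 = A record."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def frame_dot(msg):
    """RFC 7858 framing: two-byte big-endian length prefix before each DNS message."""
    return struct.pack(">H", len(msg)) + msg

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("DoT peer closed the connection mid-message")
        buf += chunk
    return buf

def read_dot_response(sock):
    """Read one length-prefixed DNS message from the TLS socket."""
    (n,) = struct.unpack(">H", recv_exact(sock, 2))
    return recv_exact(sock, n)

def summarize_response(resp):
    """Return (txid, rcode, answer count) from the 12-byte DNS header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return txid, flags & 0x000F, an

def probe_dot(server_name, ip, qname="ipfire.org", timeout=5.0):
    """Connect to ip:853, authenticate the certificate against server_name and
    time TCP connect, TLS handshake and one query separately (all in ms)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    t0 = time.perf_counter()
    raw = socket.create_connection((ip, 853), timeout=timeout)
    t1 = time.perf_counter()
    tls = ctx.wrap_socket(raw, server_hostname=server_name)
    t2 = time.perf_counter()
    tls.sendall(frame_dot(build_query(qname)))
    resp = read_dot_response(tls)
    t3 = time.perf_counter()
    cipher, _proto, bits = tls.cipher()
    result = {"tls": tls.version(), "cipher": cipher, "bits": bits,
              "tcp_ms": (t1 - t0) * 1000, "handshake_ms": (t2 - t1) * 1000,
              "query_ms": (t3 - t2) * 1000, "reply": summarize_response(resp)}
    tls.close()
    return result
```

Run it against an entry from the list, for example `probe_dot("rec1.dns.lightningwirelabs.com", "81.3.27.54")`; a resolver that answers with rcode 0 and a non-zero answer count is working, and comparing `handshake_ms` with `query_ms` shows how much a reused connection saves.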