How many of you bother with DNSSEC/DNSCrypt? Impact to DNS resolution speed?

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › How many of you bother with DNSSEC/DNSCrypt? Impact to DNS resolution speed?

Aaroona

3204 posts

Uber Geek
+1 received by user: 169

#195474 21-Apr-2016 10:54

I'm currently using it on my router- it was installed by default, but I'm thinking about removing it and seeing if it speeds up DNS resolution.

I'm on fiber (100/20), and even local sites appear to be less snappy than what I would expect.

Is anyone else using dnscrypt or similar? Would be interested to know what your performance is like?

Off the back of that, even whether its worth it- how many people actually use it?

1 | 2

2199 posts

Uber Geek
+1 received by user: 294

Subscriber

#1537318 21-Apr-2016 11:22

I know @michaelmurfy does and recently posted about it here http://www.geekzone.co.nz/forums.asp?forumid=66&topicid=195079

I have looked into it but don't understand it enough to get it working on my setup (Untangle acting as a router on UFB connection).

What are the reasons for it?

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41025

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#1537323 21-Apr-2016 11:24

I don't because there's no support in my current router, but it should. And if your ISP supports it then use the ISP DNS.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

timbosan

2199 posts

Uber Geek
+1 received by user: 294

Subscriber

#1537326 21-Apr-2016 11:29

Also, how does this relate to unblockers and using their DNS?

michaelmurfy

meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator

ID Verified

Trusted

Lifetime subscriber

#1537337 21-Apr-2016 11:40

I have 2 DNS Resolvers here (1x Raspberry Pi, 1x VM on my server) both running dnscrypt and configuration kept in sync too. I use CloudNS for my nameservers (https://cloudns.com.au/) and latency is around 24ms which is not enough to worry about, my ISP is BigPipe who have no transparent proxies etc. I have suffered no loss of speed or "snappiness" from my internet since both DNS servers are set to cache DNS queries and keep their cache in sync.

If you're on a particular "red" ISP you'll note that using a third party DNS really makes their transparent proxy angry causing your internet to not appear snappy.

But, I run it for security - my network is overkill and I am on a 200/200Mbit plan. If you don't understand how DNS servers work (and how to set up a caching resolver) then you're best to stick with your ISP's DNS. If you're on an ISP like BigPipe who do nothing funky with your traffic then play around. But, my recommendation is to ensure that your resolver is caching queries locally and you should be fine. Also, ensure your device is powerful enough since dnscrypt uses encryption it can bog down the CPU if you're running it on lets say your router.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

mdf

3566 posts

Uber Geek
+1 received by user: 1519

Trusted

#1537339 21-Apr-2016 11:40

timbosan:

I know @michaelmurfy does and recently posted about it here http://www.geekzone.co.nz/forums.asp?forumid=66&topicid=195079

I have looked into it but don't understand it enough to get it working on my setup (Untangle acting as a router on UFB connection).

What are the reasons for it?

We've been promised a tutorial!

There's a few reasons for it (as I understand it - I'm sure Michael will correct anything I've got wrong):

- Running your own DNS server (e.g. dnsmasq) is a much faster was of resolving domain names, particularly if you run it on a companion device, like an RPi

- This also leads to some potential "smart" DNS stuff - like blocking ads (pi-hole) and/or geographic jiggery pokery

- DNScrypt endeavours to provide some additional protections against things like DNS spoofing

michaelmurfy

meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator

ID Verified

Trusted

Lifetime subscriber

#1537340 21-Apr-2016 11:42

Hmm yes you were promised a tutorial however I have been incredibly busy lately so have not got around to it :) I have a test-bed VM ready to write one at some point however I am thinking of doing it on my blog.

Dyson

Shop now for Dyson appliances (affiliate link).

timbosan

2199 posts

Uber Geek
+1 received by user: 294

Subscriber

#1537341 21-Apr-2016 11:42

mdf:

timbosan:

I know @michaelmurfy does and recently posted about it here http://www.geekzone.co.nz/forums.asp?forumid=66&topicid=195079

I have looked into it but don't understand it enough to get it working on my setup (Untangle acting as a router on UFB connection).

What are the reasons for it?

We've been promised a tutorial!

There's a few reasons for it (as I understand it - I'm sure Michael will correct anything I've got wrong):

- Running your own DNS server (e.g. dnsmasq) is a much faster was of resolving domain names, particularly if you run it on a companion device, like an RPi

- This also leads to some potential "smart" DNS stuff - like blocking ads (pi-hole) and/or geographic jiggery pokery

- DNScrypt endeavours to provide some additional protections against things like DNS spoofing

Thanks @mdf - BTW your link is broken, gets a 404.

I run Untangle on a BigPipe UFB connection and that does local DNS so will look into this more.

michaelmurfy

meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator

ID Verified

Trusted

Lifetime subscriber

#1537344 21-Apr-2016 11:44

timbosan:

Thanks @mdf - BTW your link is broken, gets a 404.

I run Untangle on a BigPipe UFB connection and that does local DNS so will look into this more.

That link is in the unblocker forums which is a private forum - many people around here have access so if you want access then PM me.

mdf

3566 posts

Uber Geek
+1 received by user: 1519

Trusted

#1537345 21-Apr-2016 11:45

Sorry Michael, wasn't having a go. I am looking forward to it when you have sufficient time though.

@timbosan Link is to the private forums. Michael will hook you up if you need access.

Aaroona

3204 posts

Uber Geek
+1 received by user: 169

#1537427 21-Apr-2016 13:18

michaelmurfy:

I have 2 DNS Resolvers here (1x Raspberry Pi, 1x VM on my server) both running dnscrypt and configuration kept in sync too. I use CloudNS for my nameservers (https://cloudns.com.au/) and latency is around 24ms which is not enough to worry about, my ISP is BigPipe who have no transparent proxies etc. I have suffered no loss of speed or "snappiness" from my internet since both DNS servers are set to cache DNS queries and keep their cache in sync.

If you're on a particular "red" ISP you'll note that using a third party DNS really makes their transparent proxy angry causing your internet to not appear snappy.

But, I run it for security - my network is overkill and I am on a 200/200Mbit plan. If you don't understand how DNS servers work (and how to set up a caching resolver) then you're best to stick with your ISP's DNS. If you're on an ISP like BigPipe who do nothing funky with your traffic then play around. But, my recommendation is to ensure that your resolver is caching queries locally and you should be fine. Also, ensure your device is powerful enough since dnscrypt uses encryption it can bog down the CPU if you're running it on lets say your router.

Interesting - I am on bigpipe too.
I just changed my DNS over to cloudns and its actually seems to be a bit quicker. Will monitor it over the next couple of days and see how it goes.

The provider I was using before was the dnscrypt.eu one (it was configured by default). I think the ping was around 100+ms to it, which is likely what caused the feeling of the slow down.

dnscrypt is running on my router- should be plenty of power for running a network of maybe 3 concurrent clients- (800mhz cpu)

Aaroona

3204 posts

Uber Geek
+1 received by user: 169

#1537485 21-Apr-2016 14:12

freitasm:

I don't because there's no support in my current router, but it should. And if your ISP supports it then use the ISP DNS.

Do you mean DNSSEC?

I don't know any ISP's that support dnscrypt in NZ from the get go, AFAIK.

I suppose I could just go down the route of using DNSSEC only. Does mean I'm trusting my ISP a bit more, but I think I could probably live with that.
I will check what the performance is with not having DNSCrypt running on the router, if the performance is negligible, then I'll just leave it as is, with the new DNS provider I'm using.

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

jnimmo

1098 posts

Uber Geek
+1 received by user: 255

#1537515 21-Apr-2016 14:52

The best setup, is to have your router send through the ISP's DNS servers on DHCP

So that when you run an ipconfig /all you see public IP addresses under DNS servers (rather than your router's IP address).

This will let clients determine the best DNS server, handle DNSsec themselves etc

Unfortunately some routers don't let you do this (looking at you Fritz!Box!)

mentalinc

3384 posts

Uber Geek
+1 received by user: 1023

Trusted

#1537522 21-Apr-2016 14:57

But if no NZ ISPs offer DNSsec then how is that the "best setup"/\?

CPU: AMD 5900x | RAM: GSKILL Trident Z Neo RGB F4-3600C16D-32GTZNC-32-GB | MB: Asus X570-E | GFX: EVGA FTW3 Ultra RTX 3080Ti| Monitor: LG 27GL850-B 2560x1440

Quic: https://account.quic.nz/refer/473833 R473833EQKIBX

jnimmo

1098 posts

Uber Geek
+1 received by user: 255

#1537576 21-Apr-2016 15:57

Sorry mentalinc yeah slightly off topic. I got distracted and meant to say I don't agree with the comment about running your own DNS resolver being faster than using 3rd party or ISP DNS.
I think some ISPs may have DNSsec now, but probably a lot of routers won't support it (or do so badly) - so trying to use ISP DNS directly in Windows may produce better results than going through router.

Worth testing out the GRC DNS benchmarking tool and see how it compares using ISP vs the Australia one mentioned earlier

michaelmurfy

meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator

ID Verified

Trusted

Lifetime subscriber

#1537579 21-Apr-2016 16:03

mentalinc:
But if no NZ ISPs offer DNSsec then how is that the "best setup"/\?

The BigPipe default nameservers support dnssec. Not dnscrypt.

1 | 2