DoT resolvers - Slow results

Hi all,

Recently I tried to set up my Unbound server to resolve queries via recursive DoT resolvers. This works pretty well with the following configuration:

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Quad9
    forward-addr: 9.9.9.9@853#dns.quad9.net
    # Cloudflare DNS
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    # Google
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
    # DNS Privacy
    forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at
    forward-addr: 94.130.110.178@853#ns2.dnsprivacy.at
    # Uncensored
    forward-addr: 89.233.43.71@853#unicast.censurfridns.dk

But the problem arises when it comes to resolution times. With my initial configuration I have an average resolution time of < 100ms. For that I am using this configuration:

auth-zone:
    name: "."
    master: b.root-servers.net
    master: d.root-servers.net
    master: i.root-servers.net
    master: f.root-servers.net
    master: j.root-servers.net
    master: k.root-servers.net
    url: https://www.internic.net/domain/root.zone
    #fallback-enabled: yes
    for-downstream: no
    #for-upstream: yes
    zonefile: /var/lib/unbound/root.zone

With the TLS way the resolution time increases to > 200ms. When I query one of those TLS DNS servers directly via kdig, I get results in approx. 30-60ms.

Is this something that one has to live with when using TLS, or do I have a configuration problem on my end?

Thanks!

Bye

Sent from Mail for Windows 10

Hey,

Hi Joe,

thanks for your answer!

I am aware that the "delay" is only noticeable when a host is actually not cached, but I was wondering why DoT (DNS over TLS) is bringing such a performance decrease.

I have tested both configurations based on a few static domains where I can clearly see that using DoT is much slower. The strange thing is that querying one particular resolver for one domain with and without TLS (without Unbound in between) gives very similar timings. So there must be something on the Unbound side making the difference. My question was whether this is a configuration issue or a given fact when using Unbound with TLS.

Bye

Sent from Mail for Windows 10

Hi Talkabout,

> With the TLS way the resolution time increases to > 200ms. When I query
> one of those TLS DNS servers directly via kdig, I get results in approx.
> 30-60ms.
>
> Is this something that one has to live with when using TLS, or do I have
> a configuration problem on my end?

I'm not sure if the following explains the difference between Unbound
and kdig (with +tls option?) performance. However, with the latest
release, Unbound has implemented TCP connection reuse/TLS session
resumption for downstream (Unbound clients), but not yet for upstream
connections (to authoritative name servers or as a forwarder to Quad9,
Google Public DNS, Cloudflare DNS, etc.).

This is something we expect to be supported in an Unbound release in the
coming months.

Best regards,

-- Benno

Forgot to mention in the previous email:

> I'm not sure if the following explains the difference between Unbound
> and kdig (with +tls option?) performance. However, with the latest
> release, Unbound has implemented TCP connection reuse/TLS session
> resumption for downstream (Unbound clients), but not yet for upstream
> connections (to authoritative name servers or as a forwarder to Quad9,
> Google Public DNS, Cloudflare DNS, etc.).
>
> This is something we expect to be supported in an Unbound release in the
> coming months.

You might want to test DNS-over-TLS performance with getdns Stubby. The
Stubby stub resolver does support TCP connection reuse/TLS session
resumption to upstream connections.

For downloading and installing Stubby, see
https://github.com/getdnsapi/stubby and https://getdnsapi.net.

Cheers,

-- Benno
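As an added worked example (not code from this thread, nor from Unbound, kdig or Stubby) that ties the original measurements to Benno's explanation, the script below speaks DoT directly in Python: it hand-builds a DNS query, frames it with the two-octet length prefix that DoT inherits from DNS over TCP (RFC 7858 / RFC 1035), sends it over TLS on port 853 to one of the resolvers from the original configuration while authenticating the server against the same name that follows `#` on the `forward-addr` lines, and then repeats the query offering the first connection's TLS session for resumption. The gap between the cold and the resumed timing is the per-query TCP+TLS handshake that Unbound, per Benno, still paid on every upstream query at the time and that Stubby avoided. The upstream addresses and names are the thread's; `example.com` as the query name, the 5 s timeout, the fixed transaction id and the `SAMPLE_RESPONSE` bytes are constructed for this example, and the parser handles only what the probe needs (no EDNS, answer section only).

```python
import socket
import ssl
import struct
import time

# Upstreams from the thread's forward-addr lines: address plus the authentication
# name that becomes the TLS SNI and is checked against the server certificate.
UPSTREAMS = {"9.9.9.9": "dns.quad9.net", "1.1.1.1": "cloudflare-dns.com"}
TXID = 0x1234  # fixed transaction id; fine for a one-shot probe, not for a resolver

def build_query(name, qtype=1):
    """DNS query message: 12-byte header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", TXID, 0x0100, 1, 0, 0, 0)
    labels = [lab for lab in name.rstrip(".").split(".") if lab]  # "." -> root
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg):
    """DoT reuses the RFC 1035 TCP framing: two-octet big-endian length prefix."""
    return struct.pack("!H", len(msg)) + msg

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("upstream closed the connection")
        buf += chunk
    return buf

def read_framed(sock):
    (length,) = struct.unpack("!H", _recv_exact(sock, 2))
    return _recv_exact(sock, length)

def parse_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if not jumped:
            end = offset + 1 + length
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(msg):
    """Return (rcode, [(owner, type, ttl, rdata), ...]) from the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != TXID:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):  # skip the echoed question(s)
        _, offset = parse_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        owner, offset = parse_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        answers.append((owner, rtype, ttl, msg[offset:offset + rdlen]))
        offset += rdlen
    return flags & 0x000F, answers

# Constructed sample reply (not captured from any resolver): owner name is a
# compression pointer to offset 12, answer A 192.0.2.1 (TEST-NET-1), TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

def dot_query(ctx, ip, auth_name, qname, session=None):
    """One DoT exchange. Returns (parsed reply, seconds, TLS session, resumed?)."""
    start = time.perf_counter()
    with socket.create_connection((ip, 853), timeout=5) as raw:
        # server_hostname sets SNI and the certificate name check, the role of
        # the '#auth-name' suffix on Unbound's forward-addr lines.
        with ctx.wrap_socket(raw, server_hostname=auth_name, session=session) as tls:
            tls.sendall(frame(build_query(qname)))
            reply = parse_response(read_framed(tls))
            elapsed = time.perf_counter() - start
            return reply, elapsed, tls.session, tls.session_reused  # session read after the reply

def compare(ip, auth_name, qname="example.com"):
    """Cold connection (what Unbound paid per upstream query) vs resumed session."""
    ctx = ssl.create_default_context()  # one context: a session only resumes with its own
    _, cold, sess, _ = dot_query(ctx, ip, auth_name, qname)
    _, warm, _, reused = dot_query(ctx, ip, auth_name, qname, session=sess)
    return cold, warm, reused

if __name__ == "__main__":  # live run, needs outbound access to TCP port 853
    for ip, name in UPSTREAMS.items():
        cold, warm, reused = compare(ip, name)
        print(f"{name}: cold {cold*1000:.0f} ms, resumed {warm*1000:.0f} ms, reused={reused}")
```

`compare()` returns the two timings and whether OpenSSL reports the second handshake as resumed; that last flag depends on the resolver issuing a session ticket, and with TLS 1.3 the ticket arrives after the handshake, which is why the session object is read only after the reply has been received.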

Hi Benno,

thank you for the information!

I have tried to set up Stubby with my Unbound installation but failed due to issues with DNSSEC. I have decided to wait for the next Unbound version supporting connection reuse. Do you have a rough estimate of when it will be available?

Thanks!

Bye

Sent from Mail for Windows 10