At the moment both guides for setting up stubby and unbound for DoT are fairly comprehensive, but I wonder if there is a pro/con comparison of using each? CPU/RAM usage?
It seems unbound has a LuCI module, which stubby lacks, although for basic DoT (+DNSSEC) usage it shouldn't be much of a problem since the default stubby config is probably good enough in most cases.
Cheers.
References:
https://openwrt.org/docs/guide-user/services/dns/dot_unbound
https://openwrt.org/docs/guide-user/services/dns/dot_dnsmasq_stubby
Using Unbound-LuCI you can cascade your DoT providers easily. For example, CloudFlare masks out privacy issues like location which doesn't help with colocated providers like Google services, Netflix, and the like. That is they often multisite clone to within your ISP data centers. So first you can send Android, Google, Youtube, Netflix to Google (8.8.8.8) and get location specific resolution, then fall through to CloudFlare (1.1.1.1). You can chose for that to fall through to recursion, or simply die on the vine. Unbound has slow acceleration when the cache is empty, but it has aggressive prefetch and refresh options if you want them (at cost of RAM/CPU). If there are lots of users in a small office or guest WiFi situation, Unbound will handle an industrial load of simultaneous queries. You won't see much performance difference with dnsmasq, stubby, Unbound, or even Bind after 5 minutes (cache fill), if your user base is mom, dad, and 2.3 kids.
2 Likes
Thanks for the detailed and informative reply!