The best package to encrypt your DNS traffic

This post is not to know which one is better for privacy, it is only to know which one offers the best performance in OpenWrt when it is used together with the Adblock (luci-app-adblock) and banIP (luci-app-banip) packages.

I tested these 4 packages that are used to Encrypt your DNS traffic:

When you install the packages Adblock (luci-app-adblock) and banIP (luci-app-banip) and have more than 100-200 thousand blocked domains between the two packages (and EVEN WITHOUT THEM), pages open slowly (with lag), navigation is mediocre, pages even get stuck a bit, and this only happens when you use these 3 methods to encrypt your DNS traffic; it has nothing to do with hardware:

I came to the conclusion that the best is DNS over TLS with Unbound

Why is Unbound the best and how do you confirm it?

You have to do these tests with the Adblock (luci-app-adblock) and banIP (luci-app-banip) packages installed and enabled, to get your own conclusions and use the same DNS provider (example cloudflare 1.1.1.1) and the same block list sources in Adblock and banIP, when testing, so there are no variables affecting the results.


First method:
Open those 3 web pages and do the 3 tests at the same time and see how you get stuck a bit, the navigation slows down and the tests take much longer than normal (it does not happen in Unbound):

  1. https://www.grc.com/dns/dns.htm (scroll down and click on Initiate Standard DNS Spoofability Test)
  2. https://ipleak.net/ (Reload the page to start the test again)
  3. https://www.dnsleaktest.com/ (use Extended test)
  4. Do the 3 tests at the same time and observe how the DNS queries are slow and even stop.
    (These tests finish quickly only with Unbound and without problems)


Second method:

  1. Download this DNS Speed Benchmark program: Namebench v1.3.1
  2. Disable DNS traffic interception (DNS Hijacking) on OpenWrt. (Just to do this test)
  3. Configure the program in this way and click on Start Benchmark:
    (use the "100% miss" option)
    Cache Latency Test (100% miss)
  4. Wait for the results and compare the (ms) between the 4 packages that are used to encrypt your DNS traffic.
  5. Observe how the DNS queries are slow.
    (This test ends quickly only with Unbound and without problems)

Conclusion

Love yourself and switch to Unbound because it's the best package to encrypt DNS traffic; it offers the best performance, all the web pages will load super fast (no lag), and it does not have any network slowdown problem when you use Unbound with other packages like Adblock (luci-app-adblock) and banIP (luci-app-banip).

Note: I have replaced dnsmasq with odhcpd and Unbound, as the guide recommends.

Test to know if DoH or DoT is working:


Static leases in Unbound:

uci add dhcp host
uci set dhcp.@host[-1].name="mydesktop"
uci set dhcp.@host[-1].ip="192.168.1.22"
uci set dhcp.@host[-1].mac="00:11:22:33:44:55"
uci commit dhcp
/etc/init.d/odhcpd restart


More information:


I also tried this recommendation in Adblock and I still have network slowdown problems (excluding Unbound) with any of the 3 packages used above to encrypt DNS traffic.

WaLLy3K:

The address directive of dnsmasq is horribly inefficient. The best option is addn-hosts:

Additional hosts file. Read the specified file as well as /etc/hosts. If --no-hosts is given, read only the specified file. This option may be repeated for more than one additional hosts file. If a directory is given, then read all the files contained in that directory.

Pi-hole uses a slightly modified fork of dnsmasq as its backend, and can easily handle 3m domains on RPi-like hardware using this method.

iio7:

I am running dnsmasq on a quad core Intel Celeron 2GHz CPU with 2 GB of memory.

UPDATE: I tried converting the list to Unbound and ran with that. Unbound timed out loading the list. I then decreased the list to about 250.000 entries, then Unbound started, but answered the above query in 3376 msec. So that's a LOT slower than dnsmasq. Perhaps expecting better response times with dnsmasq is too much with such a big list?

UPDATE: With the addn-hosts directive suggested by @WaLLy3K Dnsmasq now blows through the roof! Amazing!

I will repeat it again, Unbound is the best.
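
The "Second method" above relies on namebench's "Cache Latency Test (100% miss)". The added example below is not code from the original post, from namebench or from OpenWrt; it is a small stdlib-only benchmark that reproduces the same idea: each query asks for a freshly generated random label, so the resolver can never answer from its cache and what you measure is the full path (router resolver, then its DoT/DoH upstream, then back). The resolver address, the zone used for the random names and the timeout are assumptions; adjust them for your own network, and run it with DNS hijacking disabled as the post says, so the query really reaches the resolver you point it at.

```python
"""Cache-miss DNS latency benchmark, stdlib only (added example)."""
import secrets
import socket
import struct
import sys
import time


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Encode a minimal DNS query (one question, RD set) in wire format."""
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        qname += bytes([len(raw)]) + raw
    qname += b"\x00"  # root label terminates the name
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def parse_response(data: bytes) -> dict:
    """Decode only the header; that is enough to judge a benchmark reply."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "rcode": flags & 0x000F,              # 0 = NOERROR, 3 = NXDOMAIN
        "answers": an,
    }


def miss_name(zone: str) -> str:
    """A name nobody has asked for before, so the cache cannot serve it."""
    return f"{secrets.token_hex(8)}.{zone}"


def query_once(server: str, name: str, timeout: float = 2.0):
    """Send one UDP query; return the round trip in ms, or None on timeout."""
    txid = secrets.randbelow(0x10000)
    packet = build_query(name, txid=txid)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        sock.sendto(packet, (server, 53))
        while True:
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                return None
            # Ignore stray datagrams that do not belong to this query
            if parse_response(data)["id"] == txid:
                return (time.perf_counter() - start) * 1000.0


def summarize(latencies) -> dict:
    """AVG/MIN/MAX as namebench reports them, plus the number of timeouts."""
    answered = [ms for ms in latencies if ms is not None]
    if not answered:
        return {"avg": None, "min": None, "max": None, "timeouts": len(latencies)}
    return {
        "avg": round(sum(answered) / len(answered), 2),
        "min": round(min(answered), 2),
        "max": round(max(answered), 2),
        "timeouts": len(latencies) - len(answered),
    }


def benchmark(server: str, zone: str = "example.com", count: int = 50,
              timeout: float = 2.0) -> dict:
    """Run `count` cache-miss queries against `server` and summarize them."""
    return summarize([query_once(server, miss_name(zone), timeout) for _ in range(count)])


if __name__ == "__main__":
    # Assumed router address; e.g. `python3 dnsbench.py 192.168.1.1 250`
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    queries = int(sys.argv[2]) if len(sys.argv) > 2 else 50
    print(benchmark(resolver, count=queries))
```

Because every name is random, a resolver with a warm cache gets no advantage, which is the only fair way to compare a caching resolver such as Unbound with a forwarder such as https-dns-proxy. Run the same number of queries against each setup, with the same upstream provider and the same block lists, and compare the summaries; the timeouts count is as telling as the average, since a query that never returns is what the browser experiences as a stuck page.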

TL;DR: Myth BUSTED.

With the ad-blocking lists you're essentially testing how fast dnsmasq and unbound work with the large stored lists of domains. I'm not saying that this speed isn't important, but it's a far departure from the post topic: "the best package to encrypt your DNS traffic".

I don't use adblock, so I've done similar tests with the simple-adblock package.

Test 1: dnsmasq + https-dns-proxy (Cloudflare + CIRA) + simple-adblock (dnsmasq.servers setting with ~ 500k records in the final list) -- AVG: 223.19, MIN: 160.1, MAX: 514.4
Test 2: unbound (built-in DoT: Cloudflare + Google) + simple-adblock (unbound.adb_list setting with ~ 500k records in the final list) -- AVG: 140.19, MIN: 32.9, MAX: 532.2
Test 3: dnsmasq + https-dns-proxy (Cloudflare + CIRA) + simple-adblock (dnsmasq.addnhosts setting with ~ 1.5M records in the final list) -- AVG: 16.33, MIN: 12.6, MAX: 110.4

As you can see, depending on what type of block-list you use, dnsmasq + https-dns-proxy AVG time (16.33) can be about ten times faster than the unbound/DoT time (140.19). In reality though, we're just testing the efficiency of dnsmasq/unbound with different types of large block-lists.

I wouldn't be surprised if Unbound still pulls a bit ahead of the combination of dnsmasq + https-dns-proxy without any adblocking/banip but I'd be surprised if the difference is not negligible.

UPDATE: since OP still wants to live in denial, here's the log for Test 3:

2021-03-26 20:40:28.861533: Running...
2021-03-26 20:40:28.861873: Started thread
2021-03-26 20:40:28.862664: Generating tests from Cache Latency Test (100% miss) (2500 records, selecting 250 automatic)
2021-03-26 20:40:28.913283: Selecting 250 out of 2500 sanitized records (chunk mode).
2021-03-26 20:40:28.915885: Checking query interception status...
2021-03-26 20:40:28.922777: Checking connection quality... [1/3]
2021-03-26 20:40:29.161954: Checking connection quality... [2/3]
2021-03-26 20:40:29.403068: Checking connection quality... [3/3]
2021-03-26 20:40:29.653596: Congestion level is 0.44X (check duration: 17.65ms)
2021-03-26 20:40:29.654213: Checking latest sanity reference
2021-03-26 20:40:29.705772: Sending 250 queries to 1 servers... [0/250]
2021-03-26 20:40:30.207133: Sending 250 queries to 1 servers... [30/250]
2021-03-26 20:40:30.713632: Sending 250 queries to 1 servers... [63/250]
2021-03-26 20:40:31.213910: Sending 250 queries to 1 servers... [91/250]
2021-03-26 20:40:31.715387: Sending 250 queries to 1 servers... [123/250]
2021-03-26 20:40:32.217140: Sending 250 queries to 1 servers... [152/250]
2021-03-26 20:40:32.718565: Sending 250 queries to 1 servers... [176/250]
2021-03-26 20:40:33.219388: Sending 250 queries to 1 servers... [206/250]
2021-03-26 20:40:33.724697: Sending 250 queries to 1 servers... [238/250]
2021-03-26 20:40:34.227859: Sending 250 queries to 1 servers... [250/250]
2021-03-26 20:40:34.228148: Saving report to /tmp/namebench_2021-03-26_2040.html
2021-03-26 20:40:34.316162: Saving detailed results to /tmp/namebench_2021-03-26_2040.csv
2021-03-26 20:40:34.323276: Opening /tmp/namebench_2021-03-26_2040.html
2021-03-26 20:40:34.362326: Complete! 192.168.***.1 [192.168.***.1] is the best.

I have both AdBlock and BanIP and I don’t know what you are talking about. With 100/100Mbit and a Gbit router nothing ever goes slow.
I guess/hope you didn’t activate all the lists in AdBlock and BanIP, or did you?
But encryption in all forms will have a speed impact because a lot of computing is required to do the math involved.

But the whole post as the way it is written really feels more like spam or a commercial for Unbound, or something!?


I tested HTTPS DNS Proxy + Simple AdBlock with / without the DNSMASQ Additional Hosts setting (dnsmasq.addnhosts), thinking it would be different from Adblock (luci-app-adblock), but I'm sorry to tell you that Simple AdBlock works the same as Adblock, but you lose the extra options that come included in Adblock, which are very good, and Simple AdBlock is more complicated to install and I think it does not allow you to use it together with Unbound.

The setting addnhosts is just SMOKE, because it does not work in the real world.


As I already mentioned in my previous post, there is no difference in using that setting or not, because the pages always open slowly (with lag), navigation is mediocre, pages even get stuck a bit with any of the 3 packages mentioned above along with Simple AdBlock (luci-app-simple-adblock) or Adblock (luci-app-adblock), and it has nothing to do with hardware.

From the moment you install Unbound, there is an improvement like night and day and all the web pages will load super fast (no lag).

I recommend that you install Unbound and use it for a day, so that you can get your own conclusions.

It works if you meet 3 conditions:

  • Intercept DNS and block DoH/DoT.
  • Rebind both IPv4 and IPv6.
  • Use list instead of option.

cat << "EOF" > /etc/addnhosts
0.0.0.0 example.org
:: example.org
EOF
uci -q delete dhcp.@dnsmasq[0].addnhosts
uci add_list dhcp.@dnsmasq[0].addnhosts="/etc/addnhosts"
uci commit dhcp
/etc/init.d/dnsmasq restart

# nslookup example.org ::1
Server:		::1
Address:	::1#53

Name:      example.org
Address 1: 0.0.0.0
Address 2: ::
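
The post above shows the file shape dnsmasq's addn-hosts expects (a 0.0.0.0 line and a :: line per domain, so both A and AAAA lookups are answered locally) but builds it by hand. The added example below is not code from the original post, from OpenWrt, Adblock or simple-adblock; it turns a plain domain block list into that file, merging bare-domain and hosts-style lists, dropping duplicates and entries that are not valid hostnames, and reading the result back to check it. The input and output paths are assumptions and the block list shown is constructed sample data.

```python
"""Build a dnsmasq addn-hosts file from a domain block list (added example)."""
import ipaddress
import re
from pathlib import Path

# One hostname label: ASCII letters, digits and hyphens, no leading/trailing hyphen
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_domain(name: str):
    """Return the normalized domain, or None if it is not a usable hostname."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    # Require at least one dot so single-label names such as localhost are never blocked
    if len(labels) < 2 or len(name) > 253 or not all(LABEL.match(l) for l in labels):
        return None
    return name


def extract_domains(entry: str):
    """Return the valid domains found on one list line (may be empty)."""
    parts = entry.split("#", 1)[0].strip().lower().split()
    if not parts:
        return []
    if len(parts) > 1:  # hosts-style line: the first field must be an address
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            return []
        parts = parts[1:]
    return [d for d in (valid_domain(p) for p in parts) if d]


def build_addnhosts(entries):
    """Deduplicate, validate and emit one line per address family and domain."""
    domains = sorted({d for e in entries for d in extract_domains(e)})
    lines = []
    for d in domains:
        lines.append(f"0.0.0.0 {d}")  # answers A queries
        lines.append(f":: {d}")       # answers AAAA queries, so IPv6 does not bypass the block
    return lines


def parse_addnhosts(text: str):
    """Read a hosts-format file back into {domain: set(addresses)} for checking."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        ipaddress.ip_address(fields[0])  # raises on a malformed address
        for host in fields[1:]:
            table.setdefault(host.lower(), set()).add(fields[0])
    return table


def write_addnhosts(entries, path) -> int:
    """Write the file and return how many domains it blocks."""
    lines = build_addnhosts(entries)
    Path(path).write_text("\n".join(lines) + "\n")
    return len(lines) // 2


# Constructed sample block list covering the cases the generator has to handle
SAMPLE_LIST = """
# constructed sample block list
ads.example.org
0.0.0.0 tracker.example.net   # hosts-style entry
ADS.example.org               # duplicate, different case
bad_name.example              # underscore is not valid in a hostname
localhost                     # single label: skipped
"""

if __name__ == "__main__":
    # Assumed output path; on the router the post uses /etc/addnhosts and then
    #   uci add_list dhcp.@dnsmasq[0].addnhosts="/etc/addnhosts"
    count = write_addnhosts(SAMPLE_LIST.splitlines(), "/tmp/addnhosts")
    print(f"wrote {count} domains to /tmp/addnhosts")
```

The read-back in parse_addnhosts is the check worth keeping: after the file is installed, a mismatch between the number of domains you intended to block and the number of hostnames dnsmasq will load is the usual reason a list "does not work in the real world".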

I will repeat it again, the setting addnhosts is just SMOKE, because it does not work in the real world.

In the First method you can see how the DNS queries are slow and even stop, but this does not happen with Unbound.

In the Second method, when you use the (100% MISS) option, you can see how the DNS queries are slow and the (ms) is worse than Unbound.

Even if you don't want to accept it, Unbound is better in the real world than any other package to encrypt DNS traffic.

It could be a result of the fact that this user (who has left the forum) used a non-standard install of OWRT on a device without support that made the Unbound result in the first place?

Well.. it's a bit funny, as unbound.. the sole definition of that is... cache. So doing 3-4-45345345 tests will surely result in faster speed than the first time. Usually, and a lot of the time, the 'slow' appears with the DNS server selected being slow. Dnscrypt-pr2 does test all and connect to the fastest.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.