This post is not about which one is better for privacy; it is only about which one offers the best performance in OpenWrt when used together with the Adblock (luci-app-adblock) and banIP (luci-app-banip) packages.
I tested these 4 packages that are used to encrypt your DNS traffic:
When you install the Adblock (luci-app-adblock) and banIP (luci-app-banip) packages and have more than 100-200 thousand blocked domains between the two (and EVEN WITHOUT THEM), pages open slowly (with lag), navigation is mediocre and pages even get stuck a bit. This only happens when you use these 3 methods to encrypt your DNS traffic, and it has nothing to do with hardware:
Why is Unbound the best and how do you confirm it?
You have to do these tests with the Adblock (luci-app-adblock) and banIP (luci-app-banip) packages installed and enabled to get your own conclusions, and use the same DNS provider (example: Cloudflare 22.214.171.124) and the same block list sources in Adblock and banIP when testing, so there are no variables affecting the results.
First method:
Open those 3 web pages and do the 3 tests at the same time, and see how you get stuck a bit, the navigation slows down and the tests take much longer than normal (this does not happen with Unbound):
Configure the program in this way and click on Start Benchmark:
(use the "100% miss" option)
Wait for the results and compare the times (ms) between the 4 packages that are used to encrypt your DNS traffic.
Observe how the DNS queries are slow.
(This test ends quickly only with Unbound and without problems)
Love yourself and switch to Unbound, because it's the best package to encrypt DNS traffic: it offers the best performance, all web pages load super fast (no lag), and it does not have any network slowdown problem when you use Unbound with other packages like Adblock (luci-app-adblock) and banIP (luci-app-banip).
Note: I have replaced dnsmasq with odhcpd and Unbound, as the guide recommends.
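The "100% miss" test above is the part that matters: every query carries a name the resolver has never seen, so its cache cannot help and the measured time covers the blocklist lookup plus the encrypted upstream hop. Below is an added example of that measurement written from scratch (it is not code from the original post, from namebench, or from any OpenWrt package). It speaks raw DNS over UDP with the standard library only; the resolver address and base domain are assumptions you must change to your own router and a zone that really exists, and queries are sent one at a time rather than in parallel as namebench does.

```python
"""Cache-miss DNS latency probe (added example, not from the original post).

Mimics the namebench "100% miss" idea: each query uses a fresh random
label under BASE_DOMAIN, so the resolver cache cannot answer it and the
round trip includes blocklist lookup plus the DoT/DoH/DNSCrypt upstream hop.
Stdlib only. RESOLVER, BASE_DOMAIN and the query count are assumptions.
"""
import os
import socket
import struct
import time

RESOLVER = ("192.168.1.1", 53)   # assumed router address; change to yours
BASE_DOMAIN = "example.com"      # assumed; use a zone that exists so misses resolve
TYPE_A = 1
CLASS_IN = 1


def build_query(name: str, txid: int) -> bytes:
    """Return a minimal RD=1 A/IN query packet for `name` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_response(packet: bytes, expected_txid: int) -> dict:
    """Decode the header only: RCODE and answer count are enough for timing.

    The transaction id is checked so a stale or spoofed datagram arriving on
    the socket is not silently counted as the reply we timed.
    """
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    if not flags & 0x8000:
        raise ValueError("not a response")
    return {"rcode": flags & 0x000F, "answers": an, "truncated": bool(flags & 0x0200)}


def unique_name(base: str) -> str:
    """Random 12-hex-char label so every query is a guaranteed cache miss."""
    return f"{os.urandom(6).hex()}.{base}"


def time_query(name: str, resolver=RESOLVER, timeout: float = 3.0) -> float:
    """Send one query over UDP and return the round-trip time in milliseconds."""
    txid = int.from_bytes(os.urandom(2), "big")
    pkt = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        s.sendto(pkt, resolver)
        data, _ = s.recvfrom(4096)
        elapsed = (time.perf_counter() - t0) * 1000.0
    parse_response(data, txid)   # raises on a mismatched or malformed reply
    return elapsed


def summarize(samples) -> dict:
    """avg/min/max in ms over a list of latencies (the fields namebench reports)."""
    samples = list(samples)
    if not samples:
        raise ValueError("no samples")
    return {"avg": sum(samples) / len(samples), "min": min(samples), "max": max(samples)}


def run_benchmark(count: int = 50, resolver=RESOLVER, base=BASE_DOMAIN) -> dict:
    """Fire `count` cache-missing queries sequentially; timeouts are counted, not timed."""
    latencies, timeouts = [], 0
    for _ in range(count):
        try:
            latencies.append(time_query(unique_name(base), resolver))
        except socket.timeout:
            timeouts += 1
    result = summarize(latencies) if latencies else {"avg": None, "min": None, "max": None}
    result["timeouts"] = timeouts
    return result


if __name__ == "__main__":
    print(run_benchmark())
```

Run it once per resolver setup (same block lists, same upstream provider, as the post says) and compare the avg/min/max; because the names are random, a second run does not benefit from the first, which is exactly what separates a cache-miss test from the "it got faster on the second try" effect.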
The address directive of dnsmasq is horribly inefficient. The best option is addn-hosts:
Additional hosts file. Read the specified file as well as /etc/hosts. If --no-hosts is given, read only the specified file. This option may be repeated for more than one additional hosts file. If a directory is given, then read all the files contained in that directory.
Pi-hole uses a slightly modified fork of dnsmasq as its backend, and can easily handle 3m domains on RPi-like hardware using this method.
I am running dnsmasq on a quad core Intel Celeron 2GHz CPU with 2 GB of memory.
UPDATE: I tried converting the list to Unbound and running with that. Unbound timed out loading the list. I then decreased the list to about 250,000 entries, then Unbound started, but answered the above query in 3376 msec. So that's a LOT slower than dnsmasq. Perhaps expecting better response times with dnsmasq is too much with such a big list?
UPDATE: With the addn-hosts directive suggested by @WaLLy3K Dnsmasq now blows through the roof! Amazing!
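To make the addn-hosts versus address= comparison concrete, here is an added example (not code from this thread, from Pi-hole, or from the OpenWrt adblock packages) that turns one raw block list into the three formats discussed: a hosts file for dnsmasq's addn-hosts=, the address=/.../ directives the post calls inefficient, and Unbound local-zone lines. Every entry is validated as a hostname before it is written, so a hostile or malformed list line cannot end up as an extra directive inside the config; the sample list, the 0.0.0.0 sink address and the output paths in the comments are constructed for the example.

```python
"""Blocklist normaliser emitting dnsmasq addn-hosts, dnsmasq address= and
Unbound local-zone output from the same input (added example, not code from
the original thread, Pi-hole, or the OpenWrt adblock packages).

Input lines may be plain domains, hosts-file lines ("0.0.0.0 ads.example")
or comments. Everything is validated as a hostname before it reaches a
config file, so one bad list entry cannot smuggle in extra directives.
"""
import ipaddress
import re
from typing import Iterable

# RFC 1123 hostname labels, max 63 chars each, 253 total; underscores allowed
# because tracker lists contain them and dnsmasq/unbound accept them.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9_-]{1,63}(?<!-)$")
# Names that appear in hosts-format lists but must never be blocked.
_SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost",
         "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
         "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0"}


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def normalize_domain(line: str):
    """Return a lower-case hostname from one blocklist line, or None to drop it."""
    line = line.split("#", 1)[0].strip()          # strip trailing comments
    if not line:
        return None
    fields = line.split()
    # hosts format: "<ip> <name> [<name>...]" -> take the first name only
    name = fields[1] if len(fields) > 1 and _is_ip(fields[0]) else fields[0]
    name = name.lower().rstrip(".")
    if name in _SKIP or len(name) > 253 or "." not in name:
        return None
    if not all(_LABEL.match(label) for label in name.split(".")):
        return None
    return name


def parse_blocklist(lines: Iterable[str]) -> list:
    """Validated, de-duplicated, sorted domain list from any mix of list formats."""
    seen = set()
    for line in lines:
        d = normalize_domain(line)
        if d is not None:
            seen.add(d)
    return sorted(seen)


def render_addn_hosts(domains, sink: str = "0.0.0.0") -> str:
    """Hosts-file text for dnsmasq addn-hosts= (the efficient form from the thread).
    A hosts entry matches the exact name only, not its subdomains."""
    return "".join(f"{sink} {d}\n" for d in domains)


def render_address_directives(domains) -> str:
    """The dnsmasq address=/.../ form the thread calls inefficient, for comparison.
    Unlike a hosts entry it also catches every subdomain of each name."""
    return "".join(f"address=/{d}/\n" for d in domains)


def render_unbound_local_zones(domains) -> str:
    """Unbound local-zone lines; always_nxdomain answers NXDOMAIN for the name and subdomains."""
    return "".join(f'local-zone: "{d}." always_nxdomain\n' for d in domains)


# Constructed sample input covering the formats and the junk a real list carries.
SAMPLE_LIST = """
# comment line
127.0.0.1 localhost
0.0.0.0 ads.example.com    # trailing comment
0.0.0.0 Tracker.Example.NET
metrics.example.org
bad domain.example        # not a hostname: rejected
-leading.example.com      # label may not start with '-': rejected
ads.example.com           # duplicate: collapsed
""".splitlines()

if __name__ == "__main__":
    domains = parse_blocklist(SAMPLE_LIST)
    print(render_addn_hosts(domains), end="")
    # dnsmasq: addn-hosts=/tmp/blocklist.hosts ; unbound: include: /tmp/blocklist.conf
```

The difference in matching semantics is the caveat to keep in mind when switching formats: a hosts entry blocks exactly one name, while address=/.../ and an Unbound local-zone block the whole subtree, so a list converted to addn-hosts may let some subdomains through that the address= form used to catch.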
With the ad-blocking lists you're essentially testing how fast dnsmasq and unbound work with the large stored lists of domains. I'm not saying that this speed isn't important, but it's a far departure from the post topic: "the best package to encrypt your DNS traffic".
I don't use adblock, so I've done similar tests with the simple-adblock package.
Test 1: dnsmasq + https-dns-proxy (Cloudflare + CIRA) + simple-adblock (dnsmasq.servers setting with ~ 500k records in the final list) -- AVG: 223.19, MIN: 160.1, MAX: 514.4
Test 2: unbound (built-in DoT: Cloudflare + Google) + simple-adblock (unbound.adb_list setting with ~ 500k records in the final list) -- AVG: 140.19, MIN: 32.9, MAX: 532.2
Test 3: dnsmasq + https-dns-proxy (Cloudflare + CIRA) + simple-adblock (dnsmasq.addnhosts setting with ~ 1.5M records in the final list) -- AVG: 16.33, MIN: 12.6, MAX: 110.4
As you can see, depending on what type of block-list you use, the dnsmasq + https-dns-proxy AVG time (16.33) can be about ten times faster than the unbound/DoT time (140.19). In reality though, we're just testing the efficiency of dnsmasq/unbound with different types of large block-lists.
I wouldn't be surprised if Unbound still pulls a bit ahead of the combination of dnsmasq + https-dns-proxy without any adblocking/banip but I'd be surprised if the difference is not negligible.
UPDATE: since OP still wants to live in denial, here's the log for Test 3:
2021-03-26 20:40:28.861533: Running...
2021-03-26 20:40:28.861873: Started thread
2021-03-26 20:40:28.862664: Generating tests from Cache Latency Test (100% miss) (2500 records, selecting 250 automatic)
2021-03-26 20:40:28.913283: Selecting 250 out of 2500 sanitized records (chunk mode).
2021-03-26 20:40:28.915885: Checking query interception status...
2021-03-26 20:40:28.922777: Checking connection quality... [1/3]
2021-03-26 20:40:29.161954: Checking connection quality... [2/3]
2021-03-26 20:40:29.403068: Checking connection quality... [3/3]
2021-03-26 20:40:29.653596: Congestion level is 0.44X (check duration: 17.65ms)
2021-03-26 20:40:29.654213: Checking latest sanity reference
2021-03-26 20:40:29.705772: Sending 250 queries to 1 servers... [0/250]
2021-03-26 20:40:30.207133: Sending 250 queries to 1 servers... [30/250]
2021-03-26 20:40:30.713632: Sending 250 queries to 1 servers... [63/250]
2021-03-26 20:40:31.213910: Sending 250 queries to 1 servers... [91/250]
2021-03-26 20:40:31.715387: Sending 250 queries to 1 servers... [123/250]
2021-03-26 20:40:32.217140: Sending 250 queries to 1 servers... [152/250]
2021-03-26 20:40:32.718565: Sending 250 queries to 1 servers... [176/250]
2021-03-26 20:40:33.219388: Sending 250 queries to 1 servers... [206/250]
2021-03-26 20:40:33.724697: Sending 250 queries to 1 servers... [238/250]
2021-03-26 20:40:34.227859: Sending 250 queries to 1 servers... [250/250]
2021-03-26 20:40:34.228148: Saving report to /tmp/namebench_2021-03-26_2040.html
2021-03-26 20:40:34.316162: Saving detailed results to /tmp/namebench_2021-03-26_2040.csv
2021-03-26 20:40:34.323276: Opening /tmp/namebench_2021-03-26_2040.html
2021-03-26 20:40:34.362326: Complete! 192.168.***.1 [192.168.***.1] is the best.
I have both AdBlock and BanIP and I don’t know what you are talking about. With 100/100Mbit and Gbit router nothing ever goes slow.
I guess/hope you didn't activate all the lists in AdBlock and BanIP, or did you?
But encryption in all forms will have a speed impact, because a lot of computing is required to do the math involved.
But the whole post, the way it is written, really feels more like spam or a commercial for Unbound, or something!?
I tested HTTPS DNS Proxy + Simple AdBlock with / without the DNSMASQ Additional Hosts setting (dnsmasq.addnhosts), thinking it would be different from Adblock (luci-app-adblock), but I'm sorry to tell you that Simple AdBlock works the same as Adblock, but you lose the extra options that come included in Adblock, which are very good; Simple AdBlock is also more complicated to install, and I think it does not allow you to use it together with Unbound.
The setting addnhosts is just SMOKE, because it does not work in the real world.
As I already mentioned in my previous post, there is no difference in using that setting or not, because the pages always open slowly (with lag), navigation is mediocre and pages even get stuck a bit with any of the 3 packages mentioned above along with Simple AdBlock (luci-app-simple-adblock) or Adblock (luci-app-adblock), and it has nothing to do with hardware.
From the moment you install Unbound, there is an improvement like night and day and all the web pages will load super fast (no lag).
I recommend that you install Unbound and use it for a day, so that you can get your own conclusions.
Well.. it's a bit funny, as Unbound.. the sole definition of that is... cache. So doing 3-4-45345345 tests will surely result in faster speed than the first time. Usually, and a lot of the time, the 'slow' appears with the DNS server selected being slow. Dnscrypt-proxy2 does test all and connect to the fastest.