Unbound DNS over TLS Adblock up-to-date root.hints

DD-WRT Forum Index -> Advanced Networking (page 3 of 5)
Redback813 (DD-WRT Novice), Sun Apr 26, 2020 12:50:
tinkeruntilitworks wrote:
Unbound does DNS over TLS using TCP only. Possibly the issue?
I'm not familiar with the Private Internet Access DNS or your include conf.
Hopefully someone that has mixed a VPN and Unbound sees this so they could help.

The top question is incorrect, since one can use UDP, whereas TCP will slow requests down with regards to DNSSEC; and as for PIA, this has no bearing when it is disabled, as there is no difference.
tinkeruntilitworks (Guest), Sun Apr 26, 2020 14:31:
I stand by my comment of Unbound doing DNS over TLS TCP only.

I've found DNSSEC is sped up if you enable IPv6.

Just noticed you don't have the TLS cert bundle setting in your unbound conf:
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"
Redback813 (DD-WRT Novice), Mon Apr 27, 2020 0:42:
tinkeruntilitworks wrote:
I stand by my comment of Unbound doing DNS over TLS TCP only.
I've found DNSSEC is sped up if you enable IPv6.
Just noticed you don't have the TLS cert bundle setting in your unbound conf:
tls-cert-bundle: "/etc/ssl/ca-bundle.crt"

When it comes to IPv6 and VPN services there is plenty of info with regards to this leaking protocol. Still no go. Did you disable "Use DNSMasq for DNS"?
tinkeruntilitworks (Guest), Mon Apr 27, 2020 2:11:
Redback813 wrote:
Did you disable "Use DNSMasq for DNS"?

No, I keep it enabled.
Redback813 (DD-WRT Novice), Mon Apr 27, 2020 4:26:
tinkeruntilitworks wrote:
Redback813 wrote:
Did you disable "Use DNSMasq for DNS"?

No, I keep it enabled.

One question: where did you put the finished unbound.conf file?
mrjcd (DD-WRT Guru, Texas), Mon Apr 27, 2020 18:04:
E900 wrote:
unbound.conf has to be in the /jffs/etc folder or it doesn't work.

E900, yeah, that is correct; glad you finally told 'em.
DD-WRT's default unbound looks to /jffs/etc/ for its unbound.conf; if it is not there, it creates its own and uses /tmp/unbound.conf.
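Two things on this page decide whether a DD-WRT unbound DoT setup is doing what its owner thinks: which config file DD-WRT actually reads (the /jffs/etc/unbound.conf point just above) and the tls-cert-bundle line tinkeruntilitworks asked about earlier, without which forward-tls-upstream encrypts to whatever answers on port 853 but never authenticates it. The check below is an added example, not from the thread or from DD-WRT; it mirrors the config lookup mrjcd describes and lints the DoT directives. The sample config, the scratch directory and the Quad9/Cloudflare auth names are constructed for the demo; the /jffs/etc, /tmp and /etc/ssl/ca-bundle.crt paths are the ones named in the posts.

```shell
#!/bin/sh
# Added example (not from the thread or DD-WRT): find the unbound.conf DD-WRT
# will really use and lint its DNS-over-TLS directives.
# The ROOT argument lets the checks run on a scratch tree; on the router pass
# "" so the real /jffs/etc and /tmp are inspected.

# As described in the thread: a user file in /jffs/etc wins, otherwise DD-WRT
# generates its own /tmp/unbound.conf and the user's settings are ignored.
effective_unbound_conf() {
    root="$1"
    if [ -f "$root/jffs/etc/unbound.conf" ]; then
        printf '%s\n' "$root/jffs/etc/unbound.conf"
    else
        printf '%s\n' "$root/tmp/unbound.conf"
    fi
}

# Drop comments and surrounding whitespace.  Unbound only treats '#' as a
# comment at the start of a token, so the '#auth-name' suffix of a
# forward-addr must survive here.
conf_lines() {
    sed -e 's/^[[:space:]]*#.*$//' -e 's/[[:space:]]#.*$//' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" | sed '/^$/d'
}

# lint_dot_conf CONF ROOT: 0 if CONF is a sound DoT forwarder, 1 otherwise,
# printing one line per problem.  Assumes every forward-zone is meant to be
# DoT, which is the setup this thread is about.
lint_dot_conf() {
    conf="$1"; root="$2"; rc=0
    lines=$(conf_lines "$conf")

    if printf '%s\n' "$lines" | grep -q '^forward-tls-upstream:[[:space:]]*yes'; then
        # Without a CA bundle unbound accepts any certificate the upstream
        # presents: the connection is encrypted but not authenticated.
        if ! printf '%s\n' "$lines" | grep -Eq '^(tls-cert-bundle|tls-system-cert):'; then
            echo "missing tls-cert-bundle (or tls-system-cert: yes); upstream certificates are not validated"
            rc=1
        fi
        # Each upstream needs port 853 and an auth name (IP@853#name) so the
        # certificate is checked against a name, not just for a valid chain.
        for addr in $(printf '%s\n' "$lines" | sed -n 's/^forward-addr:[[:space:]]*//p'); do
            case "$addr" in
                *@853#?*) ;;
                *) echo "forward-addr $addr: expected IP@853#auth-name"; rc=1 ;;
            esac
        done
    fi

    # The bundle named in the config has to exist on this firmware.
    bundle=$(printf '%s\n' "$lines" | sed -n 's/^tls-cert-bundle:[[:space:]]*//p' | tr -d '"')
    if [ -n "$bundle" ] && [ ! -f "$root$bundle" ]; then
        echo "tls-cert-bundle $bundle does not exist"
        rc=1
    fi
    return "$rc"
}

# write_sample ROOT: constructed demo tree (not a real router's files) with a
# DoT config in /jffs/etc and an empty stand-in for the CA bundle.
write_sample() {
    root="$1"
    mkdir -p "$root/jffs/etc" "$root/tmp" "$root/etc/ssl"
    : > "$root/etc/ssl/ca-bundle.crt"
    cat > "$root/jffs/etc/unbound.conf" <<'EOF'
server:
    tls-cert-bundle: "/etc/ssl/ca-bundle.crt"   # path from the thread
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
EOF
}

# Demo on a scratch tree.  On the router: lint_dot_conf "$(effective_unbound_conf "")" ""
scratch=$(mktemp -d)
write_sample "$scratch"
conf=$(effective_unbound_conf "$scratch")
if lint_dot_conf "$conf" "$scratch"; then echo "OK: $conf"; else echo "PROBLEMS: $conf"; fi
rm -rf "$scratch"
```

If the script reports /tmp/unbound.conf as the effective file, the settings in the GUI or in a misplaced file are simply not in effect, which explains several "still no go" reports above better than any DoT detail does.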
jauch888888 (DD-WRT User), Mon Apr 27, 2020 23:33:
Thank you for this.

In the Additional DNSMasq Options I have no-resolv and server entries, which I have to remove, but what do we need in Static DNS on the Setup page?

Thanks
jauch888888 (DD-WRT User), Tue Apr 28, 2020 3:11:
E900 wrote:
Pre-reqs:
Setup -> Basic Setup
  • Recursive DNS Resolving (Unbound): Tick
  • Server IP/Name: 216.239.35.0 or 216.239.35.12 (Google NTP servers)

Do we really need those NTP servers, or can we use a closer one? I use one from pool.ntp.org.
mrjcd (DD-WRT Guru, Texas), Tue Apr 28, 2020 3:37:
jauch888888 wrote:
E900 wrote:
Pre-reqs:
Setup -> Basic Setup
  • Recursive DNS Resolving (Unbound): Tick
  • Server IP/Name: 216.239.35.0 or 216.239.35.12 (Google NTP servers)

Do we really need those NTP servers, or can we use a closer one? I use one from pool.ntp.org.

Set 'Time Zone'.
Leave 'Server IP/Name' blank.

That has always worked for me, and I don't care what the silly DD-WRT unbound wiki says. Mine has always been blank, using unbound or not. DD-WRT will resort to an NTP IP and do it all just fine by itself.
E900 (DD-WRT Novice), Tue Apr 28, 2020 10:31:
jauch888888 wrote:
Do we really need those NTP servers, or can we use a closer one? I use one from pool.ntp.org.

You need to use an IP address for the NTP server instead of the domain name.
http://www.pool.ntp.org/zone/@
Pick your zone and then look up the IP for that domain.

Use PingInfoView to find the best server:
https://www.nirsoft.net/utils/pinginfoview.zip
Input all the IP addresses, ping them and use the one with the lowest ping time.

mrjcd wrote:
Set 'Time Zone'.
Leave 'Server IP/Name' blank.
That has always worked for me, and I don't care what the silly DD-WRT unbound wiki says. Mine has always been blank, using unbound or not. DD-WRT will resort to an NTP IP and do it all just fine by itself.

In DNSCrypt v2 (DoH), if you do not use the IP address of the NTP server and use the domain name, DNSCrypt v2 does not work and you cannot surf the Internet. That's why I always use the IP address of the NTP server, to avoid problems.
mrjcd (DD-WRT Guru, Texas), Tue Apr 28, 2020 10:56:
E900 wrote:
if you do not use the IP address of the NTP server and use the domain name

That is NOT what I said. I wrote:
Set 'Time Zone'.
Leave 'Server IP/Name' blank.

DD-WRT has built-in NTP by IP address.
E900 (DD-WRT Novice), Tue Apr 28, 2020 11:21:
mrjcd wrote:
DD-WRT has built-in NTP by IP address.

But it is not bad to be cautious to avoid problems, like the one I mentioned earlier.
jauch888888 (DD-WRT User), Tue Apr 28, 2020 16:34:
Is it best to use 2 DNS servers from the same provider? And I guess two is enough, no need to add 3 or 4?

BTW, a big difference in latency: I tested with namebench, cache latency bench, no DoT (my ISP DNS servers) vs 4 DNS servers (DoT), one at a time.

My ISP: 44 ms average, vs 150 to 300 ms for Clean Browsing, AdGuard, Quad9, Cloudflare etc.

Thanks
Alozaros (DD-WRT Guru, UK, London, just across the river..), Thu Apr 30, 2020 7:17:
jauch888888 wrote:
Is it best to use 2 DNS servers from the same provider? And I guess two is enough, no need to add 3 or 4?

BTW, a big difference in latency: I tested with namebench, cache latency bench, no DoT (my ISP DNS servers) vs 4 DNS servers (DoT), one at a time.

My ISP: 44 ms average, vs 150 to 300 ms for Clean Browsing, AdGuard, Quad9, Cloudflare etc.

Thanks

Encrypted vs non-encrypted: it takes resources and time...
ISP vs public DNS: which is closer?
So what do you expect...?
ISP DNS: is it safe, and do they not collect logs?
Public encrypted DNS (DoT): how did you test it, what did you use, any settings to share/expose? Otherwise how could we guess?
When you need help, be more specific: what did you do, what settings you had, different tries and so on...

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55179 WAP
TP-Link WR1043NDv2 -DD-WRT 55303 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55460 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55460 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55363 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
jauch888888 (DD-WRT User), Thu Apr 30, 2020 11:43:
Alozaros wrote:
jauch888888 wrote:
Is it best to use 2 DNS servers from the same provider? And I guess two is enough, no need to add 3 or 4?
BTW, a big difference in latency: I tested with namebench, cache latency bench, no DoT (my ISP DNS servers) vs 4 DNS servers (DoT), one at a time.
My ISP: 44 ms average, vs 150 to 300 ms for Clean Browsing, AdGuard, Quad9, Cloudflare etc.

Encrypted vs non-encrypted: it takes resources and time...
ISP vs public DNS: which is closer?
So what do you expect...?
ISP DNS: is it safe, and do they not collect logs?
Public encrypted DNS (DoT): how did you test it, what did you use, any settings to share/expose? Otherwise how could we guess?
When you need help, be more specific: what did you do, what settings you had, different tries and so on...

As I wrote, I used namebench and I tested the cache latency.

The performance between the router and a DoT server: I configured DoT on the router to use only the one server I want to test, then set up namebench so that it only tests the router's IP address and only tests 100% cache misses.

I have an R7800 and the latest build.

EDIT: Finally I found the fastest; it is the new one, NextDNS... impressive. 40 ms latency, Stubby.
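The measurement jauch888888 describes (point the router at a single DoT upstream, then query the router with 100% cache misses) can be reproduced with dig instead of namebench. What follows is an added example, not from the thread: dig must be installed on the machine running it, the default test zone example.com is an assumption (any zone whose authoritative servers answer NXDOMAIN quickly will do), and the dig output fed to the summary in the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): cache-miss latency of a resolver, the
# way the post describes, with dig instead of namebench.

# summarise_query_times: read dig output on stdin and print "count avg min max"
# in msec from the ';; Query time: N msec' lines.  Returns 1 if none found.
summarise_query_times() {
    sed -n 's/^;; Query time: \([0-9][0-9]*\) msec.*/\1/p' | awk '
        NR == 1 { min = $1; max = $1 }
        { sum += $1; if ($1 < min) min = $1; if ($1 > max) max = $1 }
        END {
            if (NR == 0) { print "0 0 0 0"; exit 1 }
            printf "%d %.1f %d %d\n", NR, sum / NR, min, max
        }'
}

# random_label: 16 hex chars, so no two queries share a name and neither the
# router's cache nor the DoT upstream's cache can serve the answer.
random_label() {
    head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# measure_misses RESOLVER [COUNT] [ZONE]: COUNT cache-miss queries against
# RESOLVER (e.g. the router's LAN IP after setting a single DoT upstream),
# summarised as "count avg min max".  Assumption: ZONE is a real zone whose
# NXDOMAIN answers are fast; example.com is reserved for such tests.
measure_misses() {
    resolver="$1"; count="${2:-20}"; zone="${3:-example.com}"
    i=0
    while [ "$i" -lt "$count" ]; do
        i=$((i + 1))
        dig @"$resolver" "$(random_label).$zone" A +tries=1 +time=3
    done | summarise_query_times
}

# Demo on constructed dig output (no network needed).  A real run is e.g.:
#   measure_misses 192.168.1.1 20
printf '%s\n' ';; Query time: 40 msec' ';; Query time: 60 msec' ';; Query time: 200 msec' \
    | summarise_query_times
```

Run it once per upstream, changing only the router's DoT forward-addr between runs, and compare the averages; the first query after a change also pays for the TLS handshake, so a COUNT of 20 or more keeps that from dominating the result.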