DNS Caching Question


LongRangeSkeet

Regular Contributor
Does the stock firmware provide DNS caching or only Merlin?

I had to downgrade back to stock and noticed that my Pi-Hole is now faster in the DNS benchmarks than the router.

Thanks
 

dave14305

Part of the Furniture
Search in your syslog for “cachesize” and it should tell you. 150 is dnsmasq default. 1500 is Merlin default. I have no recollection of what Stock uses.
 

LongRangeSkeet

Regular Contributor
Both use dnsmasq for caching.

Thanks. It's strange though, while on Merlin the router would score a ton higher on DNS benchmark, always taking first place. Now, back on stock firmware, my pi-hole scores best, followed by the upstream 1.1.1.1, every single time.

Should AI Protection be enabled? Is it good for security or is it needed for QoS? Or should it be left OFF because it will break things? Do you have it turned ON?

Thanks again
 

LongRangeSkeet

Regular Contributor
Search in your syslog for “cachesize” and it should tell you. 150 is dnsmasq default. 1500 is Merlin default. I have no recollection of what Stock uses.

I did a Ctrl+F on the general log and couldn't find DNS caching mentioned anywhere. The only thing that came up were several lines about packet caching.
 

dave14305

Part of the Furniture
I did a Ctrl+F on the general log and couldn't find DNS caching mentioned anywhere. The only thing that came up were several lines about packet caching.
Force a change on the WAN DNS page or LAN DHCP Server page to restart dnsmasq, then check again. Or login via ssh and run:
Code:
grep cache /etc/dnsmasq.conf
 

RMerlin

Asuswrt-Merlin dev
Thanks. It's strange though, while on Merlin the router would score a ton higher on DNS benchmark, always taking first place. Now, back on stock firmware, my pi-hole scores best, followed by the upstream 1.1.1.1, every single time.

My guess is either you used different DNS servers, or you had DoT and DNSSEC enabled, which will both slow down DNS queries.

Should AI Protection be enabled? Is it good for security or is it needed for QoS? Or should it be left OFF because it will break things? Do you have it turned ON?

Personally I think at the very least Malicious Website blocking should be enabled, to protect all your LAN clients (including mobile devices) against accessing malicious websites. Enabling the two-way IPS is probably a good idea as well. I do keep Infected Devices blocking disabled however, as there have been a few reports of false positives from that one.

As for Adaptive QoS, it's a matter of choice/needs. Personally I do use it, in part because I use VoIP both for work and for home (first through an IP phone, the second through an ATA on a separate SIP account). I also like being able to track traffic types within my LAN.
 

Pak Kriss

Regular Contributor
A question related to DNS caching:

DoT strict enabled
DNS Filter - Global filter mode: Router

Is there a DNS cache expiry value (in seconds) at Merlin which can be modified?

Sent from my OnePlus 7 Pro using Asus RT-AC86U & Merlin 384.17
 

dave14305

Part of the Furniture
A question related to DNS caching:

DoT strict enabled
DNS Filter - Global filter mode: Router

Is there a DNS cache expiry value (in seconds) at Merlin which can be modified?
You could create a /jffs/configs/dnsmasq.conf.add and use built-in dnsmasq parameters:
max-ttl=<time>
Set a maximum TTL value that will be handed out to clients. The specified maximum TTL will be given to clients instead of the true TTL value if it is lower. The true TTL value is however kept in the cache to avoid flooding the upstream DNS servers.
max-cache-ttl=<time>
Set a maximum TTL value for entries in the cache.
min-cache-ttl=<time>
Extend short TTL values to the time given when caching them. Note that artificially extending TTL values is in general a bad idea, do not do it unless you have a good reason, and understand what you are doing. Dnsmasq limits the value of this option to one hour, unless recompiled
What would the benefit be for you?
 
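An added example (not from the thread or from Asuswrt-Merlin) that follows up on both of dave14305's replies: the cache check via grep and the TTL options a /jffs/configs/dnsmasq.conf.add could introduce. It parses a constructed dnsmasq config text, reports the effective cache size (150 when unset) and any TTL overrides, and flags a min-cache-ttl above the one-hour cap the man page mentions; the sample values are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: audit the dnsmasq cache settings
# discussed above (cache-size, and the max-ttl / max-cache-ttl /
# min-cache-ttl overrides a dnsmasq.conf.add could introduce).

# Constructed sample: a router-style dnsmasq.conf merged with a
# dnsmasq.conf.add that sets TTL overrides (hypothetical values).
SAMPLE_CONF='pid-file=/var/run/dnsmasq.pid
user=nobody
cache-size=1500
no-negcache
max-ttl=300
min-cache-ttl=7200'

# Print the value of one key=value option from a config text; the last
# occurrence wins, matching how a later dnsmasq.conf.add line takes effect.
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# Effective cache size: dnsmasq's built-in default is 150 when unset.
cache_size() {
    v=$(conf_get "$1" cache-size)
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '150\n'; fi
}

# Print the TTL override options present (space separated), or nothing
# when the zone owner's TTLs are left alone, as RMerlin recommends.
ttl_overrides() {
    out=""
    for key in max-ttl max-cache-ttl min-cache-ttl; do
        [ -n "$(conf_get "$1" "$key")" ] && out="$out $key"
    done
    printf '%s\n' "${out# }"
    return 0
}

# Return 0 when min-cache-ttl exceeds the 3600 s (one hour) limit the
# dnsmasq man page states, so the configured value cannot take effect as written.
min_cache_ttl_over_cap() {
    v=$(conf_get "$1" min-cache-ttl)
    [ -n "$v" ] && [ "$v" -gt 3600 ]
}

echo "cache-size: $(cache_size "$SAMPLE_CONF")"
echo "TTL overrides: $(ttl_overrides "$SAMPLE_CONF")"
if min_cache_ttl_over_cap "$SAMPLE_CONF"; then
    echo "warning: min-cache-ttl is above dnsmasq's one-hour limit"
fi
```

On a router, feed it the live file instead of the sample, e.g. `cache_size "$(cat /etc/dnsmasq.conf)"`, after restarting dnsmasq as described above.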

RMerlin

Asuswrt-Merlin dev
Is there a DNS cache expiry value (in seconds) at Merlin which can be modified?

Cache lifetime is based on the TTL value specified by the person managing the DNS zone you are querying. It's bad form to use a lower TTL than intended by the owner of the DNS zone, as you will be increasing the load on his DNS server beyond what was intended/planned by the manager of that DNS server. And using a longer TTL may lead to issues if the manager deliberately specified a short TTL for a specific reason. For instance when I know ahead of time that a customer will be migrating a service to a new IP, I generally reduce the TTL ahead of time to speed up propagation.

So unless you had a very valid reason and fully understood the implication, you shouldn't touch the TTL.
 

LongRangeSkeet

Regular Contributor
What was the result? 1500?

I'm not sure, but it looks to be working so far. The second result down is the pihole.
[attached screenshot: Annotation 2020-05-29 100405.png]
 
