Menu
What's new
By:
Filters Better Search

dns over tls

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

J

jim trudel

Regular Contributor
hi, I would like to know your choice about the ''best'' dns recursive for DNS over TLS ? Many use cloudflare but I've read many things on them and not sure if it is the best.... so please give me your choices, ideas, advices.... and maybe why...

thanks
 
Last edited:
jim trudel said:
hi, I would like to know your choice about the ''best'' dns recursive for DNS over TLS ? Many use cloudflare but I've read many things on them and not sure if it is the best.... so please give me your choices, ideas, advices.... and maybe why...

thanks
Click to expand...
I have been using DoT for over a year or is it two. Hard to remember. Resolver performance seems to be based on distance. For me the anycast system routes to Cloudflare are closest at just about 100 miles while Quad9 is 1000 miles. Cleanbrowsing is over 200 miles. I like to use DNS filtering so use Quad9 most of the time which results in good response. Am waiting for the Cloudflare Secure to work with DoT. Had used it without DoT and it is faster than Quad9.
 
bbunge said:
I have been using DoT for over a year or is it two. Hard to remember. Resolver performance seems to be based on distance. For me the anycast system routes to Cloudflare are closest at just about 100 miles while Quad9 is 1000 miles. Cleanbrowsing is over 200 miles. I like to use DNS filtering so use Quad9 most of the time which results in good response. Am waiting for the Cloudflare Secure to work with DoT. Had used it without DoT and it is faster than Quad9.
Click to expand...


thanks, cloudflare works with DoT not?
About DoT speed, how you know that about distance? and good response?
thanks
 
jim trudel said:
ok, do you have an idea how to compare DoT response time?
Click to expand...
I use namebench.

You're only interested in real the performance between your router and a DoT server. So I'd configure DoT on the router to use only the one server you want to test. Then setup namebench so that it only testing your router's IP address and only testing 100% cache misses.

Untitled.png
 
ColinTaylor said:
I use namebench.

You're only interested in real the performance between your router and a DoT server. So I'd configure DoT on the router to use only the one server you want to test. Then setup namebench so that it only testing your router's IP address and only testing 100% cache misses.

View attachment 23111
Click to expand...
Ok

So I can setup quad 9 and test it, after cloudflare if I want and compare etc?



Envoyé de mon SM-G960W en utilisant Tapatalk
 
ColinTaylor said:
Yes. One at a time.
Click to expand...

I tested 5.

150.66 ms - 185.228.168.9 clean browsing
183ms - 149.112.121.20 canadianshield.cira.ca
205.46 ms 1.1.1.1
237 ms 176.103.130.130 adguard
290.15 ms 9.9.9.9

clean browsing is a surprise....... ?
 
Last edited:
jim trudel said:
I tested 4.

150.66 ms - 185.228.168.9 clean browsing
205.46 ms 1.1.1.1
237 ms 176.103.130.130 adguard
290.15 ms 9.9.9.9

clean browsing is a surprise....... ?
Click to expand...
I've found CleanBrowsing to perform fairly fast in my area. In testing on another forum it had some of the better results for filtering malware sites. Though the same person testing found that DNS based filtering for malware and phishing IPs can be pretty hit or miss. It can be additive, but not always comprehensive. If they are the best performer it is definitely worth trying, they have a decent privacy policy as well.
 
jim trudel said:
I tested 5.

150.66 ms - 185.228.168.9 clean browsing
183ms - 149.112.121.20 canadianshield.cira.ca
205.46 ms 1.1.1.1
237 ms 176.103.130.130 adguard
290.15 ms 9.9.9.9

clean browsing is a surprise....... ?
Click to expand...
I take it those are the maximum values. Maximum values are unrepresentative of the server because they usually reflect another upstream server that is slow. It's better to look at the averages. In fact it's better to look at the graphs and understand what the "typical" response time is and what the distribution looks like.

chart70M1YAP6.png
 
ColinTaylor said:
I take it those are the maximum values. Maximum values are unrepresentative of the server because they usually reflect another upstream server that is slow. It's better to look at the averages. In fact it's better to look at the graphs and understand what the "typical" response time is and what the distribution looks like.

View attachment 23112
Click to expand...
The ms I've put is the average

Envoyé de mon SM-G960W en utilisant Tapatalk
 
ColinTaylor said:
With an internet connection that bad I expect you'll see a lot of variation between servers from day to day making it difficult to say definitely that one is better than the other.
Click to expand...
That bad?
I have 120mbps

Envoyé de mon SM-G960W en utilisant Tapatalk
 
jim trudel said:
That bad?
I have 120mbps
Click to expand...
But if the best DoT response time is 150 ms your latency looks horrible. Or there's some other factor coming into play. Are you on some sort of rural internet connection?

As a comparison try turning off DoT on the router and using your ISP's "normal" DNS servers. Test those and see how they respond.
 
ColinTaylor said:
But if the best DoT response time is 150 ms your latency looks horrible. Or there's some other factor coming into play. Are you on some sort of rural internet connection?

As a comparison try turning off DoT on the router and using your ISP's "normal" DNS servers. Test those and see how they respond.
Click to expand...


my isp, ms average is : 44.13

I did not know that doT was so much slow vs normal dns
 
Last edited:
jim trudel said:
my isp, ms average is : 44.13

I did not know that doT was so much slow vs normal dns
Click to expand...
The encryption involved in DoT adds some overhead. But also a provider's DoT and non-DoT servers may have different priorities, loads, etc. They may even be completely different servers. That's why I said "You can't infer one from the other".

In most cases your ISP's server's should be the fastest because they are closer to you.

But things change all the time. When I tested NextDNS's server earlier the response time average was about 40 ms. Two and a half hours later the average is 100 ms.
 
You must log in or register to reply here.

Similar threads

V
DNS server vs DNS-over TLS server list
Replies
3
Views
446
Tech9
Tech9
jixiangyuan
BE98 DNS over TLS Problem
Replies
11
Views
719
Plak
P
PAPPL
Solved TUF-AX5400: DNS-over-TLS over Port 853 not working?
Replies
3
Views
703
PAPPL
PAPPL
colourofsound
Diversion Odd DNS issues
2 3
Replies
42
Views
2K
SomeWhereOverTheRainBow
SomeWhereOverTheRainBow
P
Threat protection / DNS filtering / Router security (on home network)
Replies
1
Views
748
Tech9
Tech9
Similar threads
Thread starter Title Forum Replies Date
sfx2000 Microsoft, DNS, and 192.168.1.0 General Network Security 4
B Which 3rd party dns filters do you use? General Network Security 19
P Threat protection / DNS filtering / Router security (on home network) General Network Security 1
C DNS changes General Network Security 8
tomasm Cloudflare DNS problems caused by Comcast? General Network Security 23
RMerlin How do malware-blocking DNS providers compare? General Network Security 67

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!

Members online

Total: 869 (members: 29, guests: 840)
Top