[SOLVED] Public upstream DNS Resolvers for EXTERNAL FQDN: CloudFlare, Quad9, ...

Sergei_Shablovsky

@ler762 said in Adding extra repo for easy install 3rd party tool (like smokeping, zsh, BpyTop, LibreNMS...):

@sergei_shablovsky

What possible issue ...

• they have a list of every site your pfsense users visit.
  Is that an issue for you?

EACH public DNS service doing this, because of nature.
Like ALMOST OF ALL VPN providers sing cross-country laws.
And all of them selling users data.
So, no any illusions about privacy.

The difference are that common well-known public DNS providers need to care about their reputation and

• have a fast and stable physical network structure;
• selling less data;

• do they do DNSSEC? in other words, can you trust their answers?

All of them doing DNSSEC.
We have no choice: or You have a VERY fast DNS reply from well-known and reputable DNS service, or - pay for using own server (dedicated or shared, or VM) and have increasing delays, jitter and need to monitoring server and reliable alerting...

• are you forwarding to a DoH or DoT server?
  if no, your ISP and whoever else is in the path also gets to record every DNS name lookup pfsense forwards.. along with anyone in the path getting to play MITM

Yes. Using DoT/DoH are common standard nowadays.

Sergei_Shablovsky

UPDATE:

Recently I remind that CloudFlare have public DNSs servers for against malware content filtering and against malware and adult content, here the article in blog Set up 1.1.1.1 for Families.

So the hands-up for CloudFlare, because have the same filtering capabilities as Quad9, but 5x TIMES FASTER
(in reality approx. 3-5 times faster depend on Your country)

bwoodcock

@sergei_shablovsky

I wouldn't say Cloudflare has the same filtering capabilities as Quad9... Plenty of independent lab tests have shown that Quad9 is about 97% effective, while Cloudflare is about 55% effective. That's a significant difference. I would speculate that Cloudflare will never DNS block their own malware customers, which puts them at a significant structural disadvantage, and explains a significant portion of their blocking deficiency.

The latency is just a question of how efficiently your ISP is choosing routes to anycast instances, and can be fixed. Quad9 and Cloudflare have similar anycast footprints, albeit Quad9 is stronger in Africa and Cloudflare is stronger in Latin America. If one or the other is slower, that can be fixed by sending traceroutes to your ISP.

Besides, there's a growing body of work showing that anything under 200ms or so is undetectable to end users anyway, so differences of less than 30ms, that you're citing, aren't even worth the time to fix. There are bigger fish to fry.

johnpoz

@bwoodcock said in [SOLVED] Public DNS Resolvers for EXTERNAL FQDN: CloudFlare, Quad9, ...:

so differences of less than 30ms, that you're citing, aren't even worth the time to fix. There are bigger fish to fry.

If only more people would understand this concept ;)

bwoodcock

@johnpoz

Alec Muffett has been publishing really interesting work on this recently:

https://blog.apnic.net/2021/09/28/dohot-better-security-privacy-and-integrity-via-load-balanced-dns-over-https-over-tor/

Sergei_Shablovsky

@bwoodcock said in [SOLVED] Public DNS Resolvers for EXTERNAL FQDN: CloudFlare, Quad9, ...:

I wouldn't say Cloudflare has the same filtering capabilities as Quad9... Plenty of independent lab tests have shown that Quad9 is about 97% effective, while Cloudflare is about 55% effective. That's a significant difference. I would speculate that Cloudflare will never DNS block their own malware customers, which puts them at a significant structural disadvantage, and explains a significant portion of their blocking deficiency.

Thank You for information.

In this topic I try to point on DSN resolving time (because establishing TCP connection - the biggest time part of whole request-answer procedure for end user) much more that on malware filtering capabilities of common DNS services.

The latency is just a question of how efficiently your ISP is choosing routes to anycast instances, and can be fixed. Quad9 and Cloudflare have similar anycast footprints, albeit Quad9 is stronger in Africa and Cloudflare is stronger in Latin America. If one or the other is slower, that can be fixed by sending traceroutes to your ISP.

As SysAdmins most of us not able to push on ISP, so the choose of right quick external DNS is only one way to impact on whole time “request-answer” in establishing connection.

Besides, there's a growing body of work showing that anything under 200ms or so is undetectable to end users anyway, so differences of less than 30ms, that you're citing, aren't even worth the time to fix. There are bigger fish to fry.

Sum of small fractions give You a big numbers. ;)

Anyway, the end users who using TikTok/Instagram only, and end users in financial/health/gov organization - are very different end users.

And part of our obligations as SysAdmins are take as much as possible from existed equipment/applience. Isn’t ?

Sergei_Shablovsky

@bwoodcock said in [SOLVED] Public upstream DNS Resolvers for EXTERNAL FQDN: CloudFlare, Quad9, ...:

@johnpoz

Alec Muffett has been publishing really interesting work on this recently:

https://blog.apnic.net/2021/09/28/dohot-better-security-privacy-and-integrity-via-load-balanced-dns-over-https-over-tor/

Recently I have a time to read more about exactly this project ”load-balanced secured DNS over HTTPS over Tor”. Let’s to put my 5th cents here.

To understanding exactly the perspectives of an technology we need to understand what is motivation for the dev team or person behind this technology. So the author say

My work for the past few years has largely consisted of disrupting people's prejudices about Tor and its performance and usability, where that document says "Tor significantly increases the latency of DNS responses", I am coming from the perspective of "can we make it 'good enough for most people'?" In truth any extra "hop" is going to add latency to my DNS resolutions, and I am willing to trade a little latency for some extra privacy.

So, for Mr. Alec adding extra latency for end user is not a problem.
And I personally agree with him in case when this “technology hamburger” used personally by peoples who place the security on the first place (for example independent journalists, activists in non-democracy country like russia/Iraq/North Korea, independent security and investigation services) and the same time have no special software or hardware.

But this “technology hamburger” dramatically impact on whole ability to processing traffic if we try to using it in core Firewall like pfSense in most cases are.

And let’s to look on this “technology hamburger” from end user point of view: most of users need this level of anonymity right on a devices which they working every day and every hour, mostly notebooks, smartphones and iPads. And installing and configuring of this “technology hamburger” would be too much complicated for them.
Even end user configure all of this on a own home router,- this working only at home. But the end users of this profession work mostly “on the road”.

So I make conclusion, this technology interesting more as R&D, but no as for using in pfSense world.

Sergei_Shablovsky

I just live this here for anyone who interested in “measurements of internet speed”:

Fundamentals of Internet Measurement: A Tutorial
Nevil Brownlee, CAIDA (Cooperative Association for Internet Data Analysis)
Chris Loosley, CMG (Computer Measurement Group)

Many Internet users need to understand how to measure Internet traffic and performance. The primary focus of this tutorial is the global Internet, and ways of measuring, analyzing, and reporting the services provided to a user's network via the Internet. Some sections apply to measuring any network that uses the TCP/IP protocol suite, including a private network, or intranet.

First published in the
CMG Journal of Computer Resource Management, Issue 102, Spring 2001

johnpoz

@sergei_shablovsky none of which has anything to do with your dns taking 30ms to resolve or 60ms or even 200 ms..

Resolve how you want, point to what you want for your dns - but sorry a difference in a 20 or 30 ms, or again even 200ms for resolving of some fqdn isn't going to be even noticeable to a user..

Trying to find the fastest NS to use is pretty pointless endeavor. You are always going to see fluctuations in time to resolve something. Sure some public dns might resolve some fqdn in 10 ms when its 10ms away from you. But then again resolving something else it does not have cached might take 300ms..

Also ping or traceroute times to such NS is not always indicative to time to resolve..

Sergei_Shablovsky

@johnpoz said in [SOLVED] Public upstream DNS Resolvers for EXTERNAL FQDN: CloudFlare, Quad9, ...:

@sergei_shablovsky none of which has anything to do with your dns taking 30ms to resolve or 60ms or even 200 ms..

Resolve how you want, point to what you want for your dns - but sorry a difference in a 20 or 30 ms, or again even 200ms for resolving of some fqdn isn't going to be even noticeable to a user..

Trying to find the fastest NS to use is pretty pointless endeavor. You are always going to see fluctuations in time to resolve something. Sure some public dns might resolve some fqdn in 10 ms when its 10ms away from you. But then again resolving something else it does not have cached might take 300ms..

Also ping or traceroute times to such NS is not always indicative to time to resolve..

Thank You for reply! Sounds reasonably;)