Control-D-Inc / ctrld

A highly configurable, multi-protocol DNS forwarding proxy
MIT License

Feature request – Self DNS-resolving speedtest in ctrld #55

Closed pmcarrion closed 1 year ago

pmcarrion commented 1 year ago

ctrld uses the DoH protocol when set up with this command: `sh -c 'sh -c "$(curl -sL https://api.controld.com/dl)" -s ###### forced'`

However, DoH isn't always the best protocol for a certain network.

It would be very useful if ctrld had a self DNS-resolving speedtest feature, and chose other protocols (DoH/3, DoQ or DoT) if they are faster than DoH for the current network.

yegors commented 1 year ago

Can you elaborate on "DoH isn't always the best protocol for a certain network"?

DoH/2 has the highest chance of working on any network, as it's TCP 443. All other protocols use uncommon ports or protos (TCP 853 and UDP 443), and are more likely to be blocked.

If this is a concern, a manual config can be crafted.

pmcarrion commented 1 year ago

By "best", I meant "fastest" which is the most important metric for DNS.

Legacy DNS is the fastest but insecure, so it's discarded. I will only refer to secure DNS protocols.

It's true that DoH/2 (TCP 443) is the most compatible protocol, but not the fastest.

DoT (TCP 853), DoQ (UDP 853) and DoH/3 (UDP 443) are the fastest, in that order.

As you mentioned, DoT is easy to block. But this doesn't matter for routers, where you control the network. The only drawback I observe with DoT is that the resolver ID is always exposed. DoQ also has these issues.

Furthermore, DoQ is still experimental and ctrld used to crash when using it. I haven't tested DoQ with ctrld lately, so I don’t know if this issue has been resolved.

DoH/3 (UDP 443) is gaining widespread adoption, similar to DoH/2 (TCP 443) in the past. My firewall has recorded almost 750 UDP 443 connections to the services I use in the last hour.

Here are some references regarding QUIC (UDP 443):

- https://ma.ttias.be/googles-quic-protocol-moving-web-tcp-udp/
- https://engineering.fb.com/2017/01/27/android/building-zero-protocol-for-fast-secure-mobile-connections/
- https://peering.google.com/#/learn-more/quic
- https://infosec.theos-blog.com/googles-quic-protocol/
- https://help.nextdns.io/t/x2hmvas/what-is-dns-over-tls-dot-dns-over-quic-doq-and-dns-over-https-doh-doh3#:~:text=DoT%20and%20DoQ%20use%20a,to%20block%20or%20even%20detect
- https://security.googleblog.com/2022/07/dns-over-http3-in-android.html

Maybe ctrld can use UDP 443 (DoH/3) as default and, if it's blocked, fall back to TCP 443 (DoH/2). This only needs to be done when the computer/router is started or woken up.
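The probe-then-select logic sketched in this thread, as an added example in Go (ctrld's language) that is not code from the ctrld project or from either commenter: it times one RFC 8484 DoH/2 query with the standard library only, and `ChooseUpstream` picks the fastest protocol that answered, falling back to DoH/2 (TCP 443) when every other probe failed. The `Sample`/`ChooseUpstream`/`WireQuery` names, the constructed latencies in `main`, and the `https://<doh-endpoint>/dns-query` placeholder are assumptions; DoT, DoQ and DoH/3 probes would need a TLS-on-853 or QUIC client and are not included.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"os"
	"strings"
	"time"
)
// Sample is one timed probe; a non-nil Err (blocked port, TLS failure, timeout) disqualifies the protocol.
type Sample struct{ Proto string; RTT time.Duration; Err error }
// ChooseUpstream returns the fastest protocol that answered, or fallback (DoH/2, TCP 443) when none did.
func ChooseUpstream(samples []Sample, fallback string) string {
	best, proto := time.Duration(-1), fallback
	for _, s := range samples {
		if s.Err == nil && (best < 0 || s.RTT < best) {
			best, proto = s.RTT, s.Proto
		}
	}
	return proto
}

// WireQuery builds a minimal RFC 1035 A/IN query: 12-byte header (ID 0 as RFC 8484 suggests, RD set, QDCOUNT 1), then QNAME labels.
func WireQuery(name string) []byte {
	q := []byte{0, 0, 1, 0, 0, 1, 0, 0, 0, 0, 0, 0}
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		q = append(append(q, byte(len(label))), label...)
	}
	return append(q, 0, 0, 1, 0, 1) // root label, QTYPE=A, QCLASS=IN
}

// ProbeDoH2 times one RFC 8484 POST to a DoH endpoint; Go's client negotiates HTTP/2 over TLS/TCP 443.
func ProbeDoH2(endpoint, name string, timeout time.Duration) Sample {
	client := &http.Client{Timeout: timeout}
	start := time.Now()
	resp, err := client.Post(endpoint, "application/dns-message", bytes.NewReader(WireQuery(name)))
	if err != nil {
		return Sample{"doh2", 0, err}
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body) // stop the clock only once the whole answer has arrived
	return Sample{"doh2", time.Since(start), nil}
}
func main() {
	// Offline demo on constructed samples: DoT blocked, DoQ answered fastest, DoH/2 reachable.
	fmt.Println(ChooseUpstream([]Sample{{"dot", 0, fmt.Errorf("dial tcp :853: timeout")}, {"doq", 9 * time.Millisecond, nil}, {"doh2", 14 * time.Millisecond, nil}}, "doh2"))
	if len(os.Args) > 1 { // live probe, needs network: go run . https://<doh-endpoint>/dns-query
		fmt.Printf("%+v\n", ProbeDoH2(os.Args[1], "example.com", 3*time.Second))
	}
}
```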

yegors commented 1 year ago

I'm not sure if this is a desired option to have. The job of the utility is to enforce your specific configuration, not decide what DNS server you should use.