home-assistant / plugin-dns

CoreDNS implementation for Home Assistant
Apache License 2.0

Use UDP instead of TLS for failover DNS servers #58

Closed fenichelar closed 2 years ago

fenichelar commented 2 years ago

This will allow the requests to be redirected and will reduce the performance impact caused by Home Assistant losing connectivity to Cloudflare's DNS servers due to internet loss, blocking, etc.

Zixim commented 2 years ago

closed in ... 1..2..

frenck commented 2 years ago

Originally it used UDP and was replaced by TLS because of enhanced privacy reasons (community-driven/requested for good reasons).

This is reducing security for a custom workaround, I don't think this is solving anything to be honest.

fenichelar commented 2 years ago

@frenck

This is reducing security for a custom workaround, I don't think this is solving anything to be honest.

This isn't a custom workaround. The issue with TLS is that if connectivity to the internet is lost, HA constantly tries to open a TLS connection. By constantly, I mean many times a second. This overloads HA on low powered devices.

frenck commented 2 years ago

I understand, however, this PR has a different side effect (privacy) which is more important.

This PR cannot be accepted in its current format for that reason. Please note, TLS here has been added because of the community (originally we didn't use it).

Nevertheless, thanks for being willing to contribute 👍

alexdelprete commented 2 years ago

I don't think this is solving anything to be honest.

I agree with you Frenck, it doesn't address the real issue: HA should never rely on a hard-coded fallback server.

Changing TLS to UDP would only help raspberry users who see high loads when external DNS traffic from clients is blocked.

fenichelar commented 2 years ago

@frenck

I understand, however, this PR has a different side effect (privacy) which is more important.

I don't understand this comment. TLS is only used for the fallback servers, not the primary servers. This only improves privacy when there is a DNS failure. If the focus was privacy, wouldn't you want to use TLS on the primary servers?

frenck commented 2 years ago

If the focus was privacy, wouldn't you want to use TLS on the primary servers?

Partly agree, yet, it would be external communication that would be encrypted instead of not (even in a fallback situation). However, that doesn't change the fact this was changed to what it is for the above-given reasoning; which we are not willing to revert again.

bentasker commented 2 years ago

@frenck When DoT is used, coredns can cause packet storms, whilst with UDP it does not (see #64 for more info) - there are tangible side effects to the decision to use DoT rather than UDP.

I think you should revisit the decision to use DoT, at least until a better way to mitigate the issue can be identified.

I'm more than happy to create a PR for it, but having stumbled across this one figured better to flag up than to submit what'll essentially be a duplicate.