trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0
28.78k stars 2.32k forks

Consider using harddns over dnscrypt-proxy #1524

Open dguido opened 5 years ago

dguido commented 5 years ago

https://github.com/stealth/harddns

It might be smaller and faster than dnscrypt-proxy

jackivanov commented 5 years ago

Some restrictions currently:

Benchmark:

Overall dnscrypt-proxy is faster and no additional effort needed to get it running

Benchmark Results:

```
Fastest individual response (in milliseconds):
SYS-127.0.0.53   ###################### 0.51498
algo-harddns-net ################################### 0.84686
algo-dnscrypt-ne ####################################### 0.94891
Google Public DN ##################################################### 1.29795
```

```
Mean response (in milliseconds):
algo-dnscrypt-ne ############ 43.59
Google Public DN #################### 73.97
algo-harddns-net ##################### 77.08
SYS-127.0.0.53   ##################################################### 202.56
```

Response Distribution Chart for 200ms

![Response Distribution Chart for 200ms](http://chart.apis.google.com/chart?cht=lxy&chs=720x415&chxt=x,y&chg=10,20&chxr=0,0,200|1,0,100&chd=t:0,0,1,2,2,5,8,9,11,14,15,17,21,25,29,37,48,63,82,109|0,0,14,19,24,28,32,36,40,44,48,52,55,59,63,66,70,74,77,81|0,1,1,9,10,12,13,13,15,16,18,20,28,82,164|0,0,5,33,40,46,54,60,66,70,78,82,86,89,93|0,0,1,8,9,10,14,18,25,55,131|0,0,37,54,69,75,81,85,88,92,96|0,0,1,3,3,4,9,12,17,22,53,67,116|0,0,14,46,57,62,67,71,75,80,83,87,91&chco=ff9900,1a00ff,ff00e6,80ff00&chxt=x,y,x,y&chxl=2:||Duration+in+ms||3:||%25|&chdl=SYS-127.0.0.53|Google+Public+DNS|algo-dnscrypt-network|algo-harddns-network)

Response Distribution Chart Full

![Response Distribution Chart Full](http://chart.apis.google.com/chart?cht=lxy&chs=720x415&chxt=x,y&chg=10,20&chxr=0,0,3500|1,0,100&chd=t:0,0,0,0,0,0,0,1,1,1,1,1,1,1,2,2,3,4,5,6,7,11,18,26,94,100|0,0,14,19,24,28,32,36,40,44,48,52,55,59,63,66,70,74,77,81,84,88,92,95,99,100|0,0,0,1,1,1,1,1,1,1,1,1,2,5,9,17,30|0,0,5,33,40,46,54,60,66,70,78,82,86,89,93,96,100|0,0,0,0,0,1,1,1,1,3,8,17,29|0,0,37,54,69,75,81,85,88,92,96,99,100|0,0,0,0,0,0,0,1,1,1,3,4,7,9,23,57|0,0,14,46,57,62,67,71,75,80,83,87,91,94,98,100&chco=ff9900,1a00ff,ff00e6,80ff00&chxt=x,y,x,y&chxl=2:||Duration+in+ms||3:||%25|&chdl=SYS-127.0.0.53|Google+Public+DNS|algo-dnscrypt-network|algo-harddns-network)

Namebench Output

```
namebench 1.3.1 - best source (automatic) on 2019-07-27 09:01:54.410446
threads=40/2 queries=250 runs=1 timeout=3.5 health_timeout=3.75 servers=4
------------------------------------------------------------------------------
- Reading Top 2,000 Websites (Alexa): /usr/share/namebench/data/alexa-top-2000-domains.txt (0.7MB)
- Reading Cache Latency Test (100% hit): /usr/share/namebench/data/cache-hit.txt (0.1MB)
- Reading Cache Latency Test (100% miss): /usr/share/namebench/data/cache-miss.txt (0.1MB)
- Reading Cache Latency Test (50% hit, 50% miss): /usr/share/namebench/data/cache-mix.txt (0.1MB)
- Generating tests from Top 2,000 Websites (Alexa) (33575 records, selecting 250 automatic)
- Selecting 250 out of 33542 sanitized records (weighted mode).
- Checking query interception status...
- Checking connection quality: 1/3...3/3
- Congestion level is 0.26X (check duration: 10.49ms)
- Checking latest sanity reference
- Checking nameserver availability (4 threads): 0/4..4/4
- 4 of 4 servers are available (duration: 0:00:00.502363)
- Running initial health checks on 4 servers (4 threads): 0/4
  * SYS-127.0.0.53 [127.0.0.53] failed test #1/7: static.ak.fbcdn.net.: No answer (NXDOMAIN): static.ak.fbcdn.net.
  * Google Public DNS [8.8.8.8] failed test #1/5: static.ak.fbcdn.net.: No answer (NXDOMAIN): static.ak.fbcdn.net.
  * algo-dnscrypt-network [172.29.234.200] failed test #1/5: static.ak.fbcdn.net.: No answer (NXDOMAIN): static.ak.fbcdn.net.
..
  * algo-harddns-network [172.16.168.50] failed test #1/5: static.ak.fbcdn.net.: No answer (NXDOMAIN): static.ak.fbcdn.net.
.4/4
- 4 of 4 tested name servers are healthy
- Waiting for wildcard cache queries from 4 servers (4 threads): 0/4..4/4
- Waiting 4s for TTL's to decrement.
- Running cache-sharing checks on 4 servers (12 threads): 0/12......12/12
- Running final health checks on 4 servers (4 threads): 0/4....4/4
- All nameservers have warning: No answer (NXDOMAIN): static.ak.fbcdn.net. (likely a false positive)
- All nameservers have warning: www.paypal.com is hijacked: www.glb.paypal.com (likely a false positive)
- All nameservers have warning: www.facebook.com appears incorrect: star-mini.c10r.facebook.com (likely a false positive)

Final list of nameservers considered:
------------------------------------------------------------------------------
172.29.234.200  algo-dnscrypt-netw  388 ms  | windowsupdate.microsoft.com is hijacked: windowsupdate.redir.update.microsoft.com.nsatc.net, twitter.com appears incorrect: 104.244.42.65, www.google.com is hijacked: 74.125.193.104, 74.125.193.105, 74.125.193.106, 74.125.193.147, 74.125.193.99, 74.125.193.103
8.8.8.8         Google Public DNS   395 ms  | twitter.com appears incorrect: 104.244.42.65, 104.244.42.129, windowsupdate.microsoft.com is hijacked: windowsupdate.redir.update.microsoft.com.nsatc.net, www.google.com is hijacked: 74.125.193.99, 74.125.193.147, 74.125.193.103, 74.125.193.104, 74.125.193.106, 74.125.193.105
127.0.0.53      SYS-127.0.0.53      514 ms  | twitter.com appears incorrect: 104.244.42.65, 104.244.42.1, windowsupdate.microsoft.com is hijacked: windowsupdate.redir.update.microsoft.com.nsatc.net, www.google.com is hijacked: 74.125.193.106, 74.125.193.147, 74.125.193.99, 74.125.193.103, 74.125.193.104, 74.125.193.105
172.16.168.50   algo-harddns-netwo  1137ms  | twitter.com appears incorrect: 104.244.42.193, windowsupdate.microsoft.com is hijacked: redir.update.microsoft.com.nsatc.net, www.google.com is hijacked: 74.125.193.99, 74.125.193.103, 74.125.193.104, 74.125.193.105, 74.125.193.106, 74.125.193.147

- Sending 250 queries to 4 servers: 0/1000...........................................................................................................202........................................................................................................404..............................................................................................................613..........................................................................................................815................................................................................................1000/1000
- Error querying SYS-127.0.0.53 [127.0.0.53]: zhidao.baidu.com.: Timeout The DNS operation timed out.
- Error querying SYS-127.0.0.53 [127.0.0.53]: city.tianya.cn.: Timeout The DNS operation timed out.
- Error querying SYS-127.0.0.53 [127.0.0.53]: www.orkut.co.in.: Timeout The DNS operation timed out.

Fastest individual response (in milliseconds):
----------------------------------------------
SYS-127.0.0.53   ###################### 0.51498
algo-harddns-net ################################### 0.84686
algo-dnscrypt-ne ####################################### 0.94891
Google Public DN ##################################################### 1.29795

Mean response (in milliseconds):
--------------------------------
algo-dnscrypt-ne ############ 43.59
Google Public DN #################### 73.97
algo-harddns-net ##################### 77.08
SYS-127.0.0.53   ##################################################### 202.56

Response Distribution Chart URL (200ms):
----------------------------------------
http://chart.apis.google.com/chart?cht=lxy&chs=720x415&chxt=x,y&chg=10,20&chxr=0,0,200|1,0,100&chd=t:0,0,1,2,2,5,8,9,11,14,15,17,21,25,29,37,48,63,82,109|0,0,14,19,24,28,32,36,40,44,48,52,55,59,63,66,70,74,77,81|0,1,1,9,10,12,13,13,15,16,18,20,28,82,164|0,0,5,33,40,46,54,60,66,70,78,82,86,89,93|0,0,1,8,9,10,14,18,25,55,131|0,0,37,54,69,75,81,85,88,92,96|0,0,1,3,3,4,9,12,17,22,53,67,116|0,0,14,46,57,62,67,71,75,80,83,87,91&chco=ff9900,1a00ff,ff00e6,80ff00&chxt=x,y,x,y&chxl=2:||Duration+in+ms||3:||%25|&chdl=SYS-127.0.0.53|Google+Public+DNS|algo-dnscrypt-network|algo-harddns-network

Response Distribution Chart URL (Full):
---------------------------------------
http://chart.apis.google.com/chart?cht=lxy&chs=720x415&chxt=x,y&chg=10,20&chxr=0,0,3500|1,0,100&chd=t:0,0,0,0,0,0,0,1,1,1,1,1,1,1,2,2,3,4,5,6,7,11,18,26,94,100|0,0,14,19,24,28,32,36,40,44,48,52,55,59,63,66,70,74,77,81,84,88,92,95,99,100|0,0,0,1,1,1,1,1,1,1,1,1,2,5,9,17,30|0,0,5,33,40,46,54,60,66,70,78,82,86,89,93,96,100|0,0,0,0,0,1,1,1,1,3,8,17,29|0,0,37,54,69,75,81,85,88,92,96,99,100|0,0,0,0,0,0,0,1,1,1,3,4,7,9,23,57|0,0,14,46,57,62,67,71,75,80,83,87,91,94,98,100&chco=ff9900,1a00ff,ff00e6,80ff00&chxt=x,y,x,y&chxl=2:||Duration+in+ms||3:||%25|&chdl=SYS-127.0.0.53|Google+Public+DNS|algo-dnscrypt-network|algo-harddns-network

Recommended configuration (fastest + nearest):
----------------------------------------------
nameserver 172.29.234.200 # algo-dnscrypt-network
nameserver 127.0.0.53     # SYS-127.0.0.53
nameserver 172.16.168.50  # algo-harddns-network

********************************************************************************
In this test, algo-dnscrypt-network is 364.7%: Faster
********************************************************************************
```
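As an added example (not code from this thread or from algo): the chart links above carry the cumulative response-distribution series inside the URL itself (Google Image Charts `lxy` text encoding), so the per-resolver percentages can be read back without the image. The URL below is the 200 ms chart posted above; the function names are my own.

```python
from urllib.parse import parse_qs, urlsplit

# The 200 ms response-distribution chart URL from the namebench run above.
CHART_200MS_URL = "http://chart.apis.google.com/chart?cht=lxy&chs=720x415&chxt=x,y&chg=10,20&chxr=0,0,200|1,0,100&chd=t:0,0,1,2,2,5,8,9,11,14,15,17,21,25,29,37,48,63,82,109|0,0,14,19,24,28,32,36,40,44,48,52,55,59,63,66,70,74,77,81|0,1,1,9,10,12,13,13,15,16,18,20,28,82,164|0,0,5,33,40,46,54,60,66,70,78,82,86,89,93|0,0,1,8,9,10,14,18,25,55,131|0,0,37,54,69,75,81,85,88,92,96|0,0,1,3,3,4,9,12,17,22,53,67,116|0,0,14,46,57,62,67,71,75,80,83,87,91&chco=ff9900,1a00ff,ff00e6,80ff00&chxt=x,y,x,y&chxl=2:||Duration+in+ms||3:||%25|&chdl=SYS-127.0.0.53|Google+Public+DNS|algo-dnscrypt-network|algo-harddns-network"


def parse_lxy_chart(url):
    """Return {legend label: [(latency_ms, cumulative_percent), ...]}.

    In an lxy chart, chd=t:... holds '|'-separated series that alternate
    x-series, y-series; chdl holds one legend label per (x, y) pair.
    """
    params = parse_qs(urlsplit(url).query)
    if params.get("cht") != ["lxy"]:
        raise ValueError("not an lxy chart")
    data = params["chd"][0]
    if not data.startswith("t:"):
        raise ValueError("only text encoding (t:) is handled here")
    series = [[float(v) for v in s.split(",") if v] for s in data[2:].split("|")]
    labels = params["chdl"][0].split("|")  # parse_qs already mapped '+' to ' '
    if len(series) != 2 * len(labels):
        raise ValueError("series/label count mismatch")
    return {label: list(zip(series[2 * i], series[2 * i + 1]))
            for i, label in enumerate(labels)}


def percent_answered_within(points, ms):
    """Share of queries answered within `ms`, read off the cumulative curve."""
    pct = 0.0
    for x, y in points:
        if x <= ms:
            pct = max(pct, y)  # y never decreases along the curve
    return pct


def summarize(url, ms):
    """Per-resolver percentage of queries answered within `ms` milliseconds."""
    return {label: percent_answered_within(pts, ms)
            for label, pts in parse_lxy_chart(url).items()}


if __name__ == "__main__":
    for cutoff in (20, 50, 200):
        print(f"answered within {cutoff} ms:", summarize(CHART_200MS_URL, cutoff))
```

At the 200 ms cutoff this reproduces the tail of the chart (dnscrypt-proxy 96%, harddns 91%), which is the figure to compare rather than the single fastest response.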

macuser666 commented 5 years ago

Hi, I'm super satisfied with the current dnscrypt-proxy implementation, which is far better than the previous dnsmasq implementation, especially for ad and tracker blocking. Hopefully the ad/tracker/malware site blocking ability won't be removed, as it enables Algo to be an excellent privacy and security tool. I'm currently using the following host blacklists:

- https://raw.githubusercontent.com/mitchellkrogza/Ultimate.Hosts.Blacklist/master/hosts/hosts0
- https://hblock.molinero.dev/hosts

Despite the size of these blacklists, Algo is very responsive.

Please don't remove this ability...

kfken commented 5 years ago

I'll pile on as well in support of dnscrypt-proxy. In terms of configuration options for customization, ease of use, performance, modern crypto primitive support, and safety (C vs Go), I think it beats the competition hands down. It's also frequently updated with features and maintained by devs who are clearly committed to the project.