Now with healthy whole-grain TLS!
I posted an Ask HN about this and it dropped like a lead zeppelin. So this is actual working code to prove the point.
DNS experts, including yours truly, generally believe that DNS over TCP will not perform as well as DNS over UDP. But some people assert that DoH/DoT perform better for them.
In these COVID times I've had ample opportunity to study DNS performance in my SOHO network(s). This includes some crappy WiFi APs and several media devices (Rokus, Kindles). I've also been playing with 802.11. TLDR: media devices cheat. Ha ha ha. Bet you're really surprised!
What I've discovered is that my wirelessly connected OSX laptop suffers from DNS resolution problems when the media devices are running. I don't think it's entirely the media devices' fault, but yeah they cheat.
But here's the thing about DNS: although DNS servers MUST support TCP, the stub resolvers on your typical well-behaved
device (laptop) will not try TCP opportunistically. In other words they don't try TCP unless they receive a UDP response
to a query with TC=1
. So if they never receive a response to a UDP query, they never try it!
What I discovered was that when DNS was failing
dig foo.bar
would also fail, but
dig foo.bar +tcp
would succeed. Usually startlingly fast!
So my question to you is this: is it about time that Apple and Microsoft considered making DNS with TCP opportunistic, or
in other words if UDP fails their stub resolvers try TCP?
It turns out that Apple is making moves in the direction of supporting DoT at the device level:
Microsoft has made DoH available to Windows insiders, but no word yet on DoT.
It's not clear from either vendor whether this is (or will be) selectable at the level of individual nameservers.
Please leave your experiences and thoughts in the feedback issue.
I assume that you're running a local caching resolver, and not using 8.8.8.8
. I don't know how that will work, I haven't
tried it and I'm not likely to. If you're worried about privacy then DoT/H should be your go-to (I recommend DoT).
This requires python3
. If python3
lives in /usr/bin/
then yay! Otherwise:
python3 ./forwarder.py {--tls} 127.0.0.1 <one-of-your-actual-resolvers> &
Once you've done that, edit your network settings and make one of the nameservers 127.0.0.1
. You don't have to remove
the other nameserver entries unless you've reached the working limit (typically three). It should work with IP6 too,
although I haven't tried it.
If you pass --tls
as the first argument, it uses TLS and attempts to contact the server on port 853. This
mode is also known as DNS over TLS (DoT).
Until 9.16 the BIND (https://www.isc.org/bind/) source tree included instructions on configuring Nginx as a TLS proxy forwarder in the contrib/dnspriv/
directory, but it has been removed because BIND now has native support.