SmartDNS – local DNS server that forwards to multiple upstream DNS servers (opens in new tab)

(pymumu.github.io)

5 pointsthejosh2y ago3 comments

3 comments

3 comments · 1 top-level

Bender2y ago· 2 in thread

Those running Unbound DNS and likely anyone on PiHole which uses Unbound can already benefit from talking to the fastest upstream DoT/DoH providers and may configure the balance or preference without leaking the same name to each provider, if I am understanding the diagram and documentation correctly regarding SmartDNS. Unbound can passively keep track of how fast each upstream provider is [1] and supports DoT/DoH if DoH support was compiled in and can forward specific zones to non DoT if required.

    fast-server-num: 4
    fast-server-permil: 200

    forward-zone:
    name: "."
    forward-addr: 74.82.42.42@853#ordns.he.net
    forward-addr: 45.67.219.208@853#dot.la.ahadns.net
    forward-addr: 185.235.82.82@853#b.ns.dnslify.com
    forward-addr: 141.95.160.38@853#geo.dnswarden.com
    forward-addr: 146.255.56.98@853#dot1.applied-privacy.net
    forward-addr: 144.202.69.149@853#adblockdot.us.dnswarden.com

In the above example we balance across the 4 fastest of those providers 200 out of 1000 times. Using DoT examples as not every Linux distribution compiles in DoH support

[1] - https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound... [search for fast-server-permil]

thejoshOP2y ago

This is awesome, thanks -- going to look into that now. I found SmartDNS interesting and thought I would share it, it's pretty simple to setup. I can see why it's Chinese focused, they have "interesting" internet access over there :-).

I have been looking into DNS quite a bit lately (Unbound, etc), as DNS lookup performance has been pretty subpar lately. I'm in Perth, Australia, and we're pretty remote so our latency is meh at best, and Cloudflare performance has been all over the shop lately, I think they're having issues in WA). DNS can also cause really routing issues here sometimes as we get better latency to Singapore than Sydney, so we might get shunted off to SG.

I've also been using dnscrypt-proxy2 (https://github.com/DNSCrypt/dnscrypt-proxy) for a while, but the above issues with Cloudflares DNS is what triggered me to look into other options.

I use a min-cache-ttl of 15 minutes, which seems to work well.

Thank you for sharing this tip about, looking into this now :).

LinuxBender2y ago

This is awesome, thanks

You're quite welcome. I assume based on the SmartDNS documentation that the developers had not heard of Unbound as they were making comparisons to dnsmasq which I do still use for DHCP now that ISC has deprecated their original dhcp daemon and I found ISC's replacement of Kea to be a little over-complicated for my setup.

I think based on the description of your latency issues that Unbound should fit the needs as you can just load up all the DoT providers you can find and then use Unbound's commands to view the infrastructure stats and even keep running stats if you wish. If you enable extended stats they can be imported into Munin or other performance graphs or just trust it will pick the fastest. Unbound can be tuned as desired or required to use the fastest upstream resolvers. Like you I also increase min-ttl. I also increase that for infrastructure cache ttl as well. This is useful if you should decide to not use DoT/DoH as Unbound can keep track of the name server IP's to reduce time to first packet.

If you temporarily enable query logging to a tmpfs mount to avoid disk write penalty then you can write a script to find the most common names you request and then create a cron job to prefect the NS and/or A records for domains that you visit often. The cron would need to run at a lower interval than your min-ttl if the desire is to keep everything in cache. You can also tell Unbound to prefetch records, it's just not as aggressive or explicit.

    # bind8 behavior, useful if not using DoT forwarders
    target-fetch-policy: "-1 -1 -1 -1 -1"

    # or bind9 behavior sortof, less overhead if using forwarders
    target-fetch-policy: "3 2 1 0 0"

j / k navigate · click thread line to collapse