by bogomipz 2846 days ago
I used Stubby and Quad9 for a few months last year but I found the latency pretty terrible unfortunately. I would be curious to hear what other people are using and what their experience has been.
4 comments

I used SSH SOCKS tunnels with Stubby to keep myself online inside China's state firewall on two recent trips. Commercial VPNs are routinely slowed down or blocked; if you have the luxury of an SSH-enabled host "outside" that you can use, Stubby and this are good for getting around DNS rewriting tricks and port/IP filters.

Yes, you have slower paths, trombone paths. But in the circumstances I was in, Stubby was a godsend.

Also check out the DNS security option in Android Pie.

This is surprising, as I've had my SSH connection throttled from within China.
Interesting. Can I ask what you used for your SSH host so that latency was bearable?
A node in Brisbane. I checked path, the AS path was pretty tight, china-telecom to telstra-reach and then into the IX where I have a FreeBSD host. I was testing web speeds to the company on non-SSH/SOCKS paths, they were pretty bad oddly, quite heavily asymmetric, via the US and Japan and in some cases Europe. China-Australia via Europe is not very optimal.

It has to be said that if you're trying to bypass DPI, speed isn't your main concern. I tolerated pretty low packet rates. If I had needed VoIP it would have been awful.

Did you open a ticket? What AS and city are you originating from, and which Quad9 location were your queries going to?
Try Cloudflare? I found it beats Quad9 in latency by a margin.
Really? They both have anycast PoPs all over the world, and in my tests the performance was very close (a couple of ms of difference, if that), too small to be felt by anyone.

ex: https://medium.com/@nykolas.z/dns-resolvers-performance-comp...

I don't have any benchmarking data, but in my brief testing I found that to be the case. I'm using this setup on my OpenWrt 18.06 router.
You do realise your anecdotal "brief testing" (with n=1) is in no way telling us anything, not least because you keep your location and network concealed? What might be better in your test-case scenario, which is unknown to us, might be different in other scenarios.
Again, if that's the case, you should open a trouble ticket, so the problem can be fixed. It won't get fixed if there isn't a work ticket and nobody knows where your traffic is coming from or going to.
You need to keep the connection open.
Can't that only be done for a max of 10 seconds though? So beyond 10 seconds, you have the connection overhead all over again no?

https://dnsprivacy.org/wiki/display/DP/Configuring+Stubby

Yes. I run BIND on a server which forwards all queries to Quad9 (UDP). Then I stunnel that port and use Stubby on my side.

The connection is open longer, but still closes occasionally, so I just resolve a name every x seconds. Not the best way.

Yes. IIRC from my testing a while back, both 1.1.1.1 and 9.9.9.9 close TLS connections either immediately or after a short timeout. Short timeout could work if you're running a larger network, but not so much at home.
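The two threads above (whether a Stubby connection can be kept open past the idle timeout, and the observation that 1.1.1.1 and 9.9.9.9 close TLS connections after a short timeout) both come down to one measurable question: how long will a given resolver actually hold an idle DNS-over-TLS connection? The script below is an added example, not code posted by anyone in this thread and not part of Stubby. It opens a single TLS connection to a resolver, sends a query with the EDNS edns-tcp-keepalive option (RFC 7828, option code 11) so the server can advertise its idle timeout, sleeps for a chosen idle period, and sends again; the first query that hits a closed connection is reported. The sample response bytes, the query names and the 12-second idle period are constructed for illustration; `dns.quad9.net` and `cloudflare-dns.com` are the resolvers' documented TLS authentication names, the same values Stubby takes in `tls_auth_name`. Only the offline wire-format helpers run without a network.

```python
"""Probe how long a DNS-over-TLS resolver keeps an idle connection open (added example)."""
import socket
import ssl
import struct
import time

KEEPALIVE_OPT = 11  # EDNS0 edns-tcp-keepalive option code (RFC 7828)
OPT_TYPE = 41

def build_query(name, qid=0x1234, keepalive=True):
    """Wire-format A/IN query for `name` with an OPT RR that asks for edns-tcp-keepalive."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # RD set, 1 question, 1 additional (OPT)
    qname = b"".join(struct.pack("B", len(l)) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    rdata = struct.pack("!HH", KEEPALIVE_OPT, 0) if keepalive else b""  # client sends an empty keepalive option
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, len(rdata)) + rdata  # root name, UDP size 1232, TTL 0
    return header + question + opt

def frame(msg):
    """DNS over TCP/TLS prefixes each message with a 2-byte length (RFC 7766)."""
    return struct.pack("!H", len(msg)) + msg

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:  # peer closed the connection
            return None
        buf += chunk
    return buf

def recv_message(sock):
    """Read one length-prefixed message; None means the resolver closed the connection."""
    hdr = _recv_exact(sock, 2)
    if hdr is None:
        return None
    return _recv_exact(sock, struct.unpack("!H", hdr)[0])

def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + l

def parse_response(msg):
    """Return (rcode, answer_count, keepalive_seconds) where keepalive is None if not advertised."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # name, then QTYPE and QCLASS
    keepalive = None
    for _ in range(an + ns + ar):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == OPT_TYPE:  # walk EDNS options looking for the keepalive timeout
            o = 0
            while o + 4 <= len(rdata):
                code, olen = struct.unpack("!HH", rdata[o:o + 4])
                if code == KEEPALIVE_OPT and olen == 2:
                    keepalive = struct.unpack("!H", rdata[o + 4:o + 6])[0] / 10.0  # units of 100 ms
                o += 4 + olen
    return flags & 0x000F, an, keepalive

# Constructed sample response (not captured from any resolver): NOERROR, one A record for
# example.com, and an OPT RR advertising a 10-second (100 x 100 ms) keepalive timeout.
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x01"
                   b"\x07example\x03com\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x00\x3c\x00\x04\x5d\xb8\xd8\x22"
                   b"\x00\x00\x29\x04\xd0\x00\x00\x00\x00\x00\x06\x00\x0b\x00\x02\x00\x64")

def demo_offline():
    """Parse the constructed sample so the format handling can be checked without a network."""
    return parse_response(SAMPLE_RESPONSE)

def probe(server, auth_name, names, idle_seconds, port=853):
    """Send one query per name over ONE TLS connection, sleeping idle_seconds between queries.
    Returns [(name, rtt_ms, advertised_keepalive)] and stops at the first server-side close,
    recorded as (name, None, None). A read timeout is reported the same way."""
    ctx = ssl.create_default_context()  # verifies the chain and checks auth_name against the cert
    results = []
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            for i, name in enumerate(names):
                if i:
                    time.sleep(idle_seconds)
                t0 = time.monotonic()
                try:
                    tls.sendall(frame(build_query(name, qid=i + 1)))
                    reply = recv_message(tls)
                except (ssl.SSLError, OSError):
                    reply = None
                if reply is None:
                    results.append((name, None, None))
                    break
                _, _, ka = parse_response(reply)
                results.append((name, (time.monotonic() - t0) * 1000, ka))
    return results

if __name__ == "__main__":
    # Hypothetical run: 12 s idle between queries against Quad9; swap in 1.1.1.1 / cloudflare-dns.com to compare.
    for name, rtt, ka in probe("9.9.9.9", "dns.quad9.net", ["example.com", "example.net", "example.org"], 12):
        print(name, "connection closed by resolver" if rtt is None else f"{rtt:.1f} ms, keepalive={ka}")
```

Run it with the idle period set to the value you intend to use for Stubby's `idle_timeout` (which is in milliseconds); if the second or third query comes back as closed, the server is hanging up sooner than that and a client-side keepalive setting cannot change it. An advertised keepalive of 0 means the server wants the connection closed right after the response, which matches the "closes immediately" behaviour reported above.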