Adblocking with unbound

Discussion in 'all things UNIX' started by summerheat, Jul 21, 2018.

  1. XIII

    XIII Registered Member

    Joined:
    Jan 12, 2009
    Posts:
    1,383
    Ah, too bad; the version of openssl offered by Entware for my router is still 1.0.2o-1.

    Thank you for investigating! Now I don't have to spend time on this...
     
  2. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Thanks, very interesting!
     
  3. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    Here's some charts of various wireless technologies and their base latencies.
    https://opensignal.com/blog/wp-content/uploads/2014/03/Latency-comparison-with-other-techs.png

    Add to the top of that the first encrypted DNS lookup (if the queried name is not in the cache already): TCP handshake (1 round trip), TLS handshake (2 round trips) and DNSSEC checking, and it will get very painfully slow to connect the first time using less than 4G.

    I have now made a little Live CD for myself with the very latest Unbound from the git repo (version 1.7.4) that brings some additional performance boost and also made it use openssl 1.1.1 that supports TLSv1.3. Then tried to connect the whole thing over a 4G connection to Quad9 servers and the first encrypted DNS was almost instantaneous !!! :eek:

    Unfortunately, Cloudflare DNS-over-TLS does not yet support TLSv1.3 but they are working on it to upgrade. After they get it fixed, I can have randomized, encrypted DNS queries between Quad9 and Cloudflare :)

    https://community.cloudflare.com/t/tls13-not-working-for-dns-over-tls/31332/11
    https://developers.cloudflare.com/1.1.1.1/dns-over-tls/

    Also, hope unbound will support this soon (if not already?):
    0-RTT
    https://blog.cloudflare.com/introducing-0-rtt/
     
  4. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Very interesting :thumb: However, I'm using unbound with Pi-hole as described here and I don't think that what you wrote applies to the root servers (yet).
     
  5. Stefan Froberg

    Stefan Froberg Registered Member

    Joined:
    Jul 30, 2014
    Posts:
    747
    That's true, the so-called last mile to the root servers is still in clear unfortunately :(

    So all that we can do right now is encrypt all the rest below root, cache as much as possible to minimize the stuff needed to send, and to try to improve latency.
     
  6. yummy

    yummy Registered Member

    Joined:
    Sep 29, 2019
    Posts:
    2
    Location:
    US
    Here's my attempt to make some improvements to the update blocklist script for unbound. I added in a temp directory that gets removed after the script exits, and you can manually add domains you want to always be whitelisted or blacklisted by adding them to the files listed in the comments. I also added in the commands to load the updated blocklist to unbound while preserving the DNS cache; no need to restart unbound for the new blocklist to take effect. You will need to have unbound-control working prior to running this script for that to work. This script assumes that unbound-control is configured for root/sudo. Instructions to set up unbound-control are in unbound's documentation page in case anyone needs it.

    Of course you may need to make some modifications depending on what flavor of *nix is installed or where unbound's directories are located.

    Let me know what you think.

    Code:
    #!/bin/bash
    
    # A bash script to update the domain blocklist for Unbound
    # This will download the blocklists hosted by Steven Black
    # and DNScrypt.info, then combine the lists and remove duplicates.
    # To reduce false positives, anudeepND's hosted whitelist will
    # be used to sanitize the blocklist.
    
    # You can also manually add domains to the blacklist or whitelist
    # by adding them to blacklist.txt or whitelist.txt in /etc/unbound
    # CREDITS
    # Steven Black https://github.com/StevenBlack/hosts
    # DNScrypt.info https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Public-blacklists
    # anudeepND https://github.com/anudeepND/whitelist
    
    # sort and comm must agree on collation order, so pin the locale
    export LC_ALL=C
    
    # Check for sudo
    if [[ "${UID}" -ne 0 ]]; then
      echo 'Please use "sudo" to run this script.' >&2
      exit 1
    fi
    
    # Make a temp dir for temp files, to be removed after exiting the script
    MTEMPDIR=$(mktemp -d) || exit 1
    trap 'rm -rf "$MTEMPDIR"' EXIT
    cd "$MTEMPDIR" || exit 1
    
    echo
    echo 'Downloading Files...'
    echo
    
    if ! wget -q https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts; then
        echo 'Steven Black blacklist failed to download, please check network connection' >&2
        exit 1
    fi
    if ! wget -q https://download.dnscrypt.info/blacklists/domains/mybase.txt; then
        echo 'DNScrypt blacklist failed to download, please check network connection' >&2
        exit 1
    fi
    if ! wget -q https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt; then
        echo 'anudeepND whitelist failed to download, please check network connection' >&2
        exit 1
    fi
    echo 'Building blocklist...'
    echo
    # hosts format is "0.0.0.0 domain"; keep only the domain column
    awk '$1 == "0.0.0.0" {print $2}' hosts > block
    # drop comments, wildcard entries, empty lines and entries starting with a dot
    sed '/#/d; /*/d; /^$/d; /^\./d' mybase.txt > mybase
    touch -a /etc/unbound/blacklist.txt
    cat block mybase /etc/unbound/blacklist.txt | sort -u > merged
    touch -a /etc/unbound/whitelist.txt
    cat whitelist.txt /etc/unbound/whitelist.txt | sort -u > whitelist
    # comm -23 keeps the lines present only in the first (sorted) file
    comm -23 merged whitelist > merged_corrected
    
    # Change "/etc/unbound/unbound-blocked.conf" to match the include setting in the unbound.conf file
    awk '{print "local-zone: \""$1"\" always_nxdomain"}' merged_corrected > /etc/unbound/unbound-blocked.conf
    
    # Attempting to load the updated blocklist into unbound
    echo 'Loading updated blocklist to Unbound...'
    echo
    # dump the cache first so it survives the reload
    if ! unbound-control dump_cache > unbound.dump; then
        echo 'Unable to load blocklist to unbound. You will need to restart unbound manually to load the updated blocklist!' >&2
        logger "Unbound domain blocklist updated at $(date), manual restart required"
        exit 1
    fi
    unbound-control reload
    unbound-control load_cache < unbound.dump
    
    # Log update
    logger "Unbound domain blocklist updated at $(date)"
    
    echo
    echo 'Unbound domain blocklist updated and loaded!'
    exit 0
     
    Last edited: Sep 29, 2019
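An added example (not yummy's script and not part of unbound) for the step of this flow that bites in practice: every list entry ends up spliced into unbound.conf, so names are validated before they become local-zone lines, and a whitelisted name that sits under a blocked parent gets a transparent child zone rather than being silently blocked (assuming, as unbound documents, that the most specific local-zone wins). The sample list contents are constructed.

```shell
# Added example: normalise blocklist sources into unbound local-zone lines and
# honour the whitelist even under a blocked parent. Samples are constructed.
SAMPLE_HOSTS='# hosts-format source
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.NET   # trailing comment
0.0.0.0 bad"name.example.com'
SAMPLE_DOMAINS='telemetry.example.org
*.wild.example
.leadingdot.example
example.org
ads.example.com'
SAMPLE_WHITELIST='cdn.example.org
tracker.example.net'

# extract_domains: hosts-format ("0.0.0.0 name") or bare-domain text on stdin,
# one lowercase hostname per line on stdout. Every name ends up inside a quoted
# unbound.conf directive, so anything that is not a plain hostname is rejected.
extract_domains() {
  awk '{ sub(/#.*/, ""); $0 = tolower($0) }
       NF == 1 { print $1; next }
       NF >= 2 && $1 == "0.0.0.0" { for (i = 2; i <= NF; i++) print $i }' |
  grep -E '^([a-z0-9_-]+\.)+[a-z0-9-]*[a-z][a-z0-9-]*$'
}

# build_zones BLOCKFILE WHITEFILE: exact whitelist hits are dropped; a whitelisted
# name whose parent zone is blocked gets its own transparent zone, which wins
# because unbound applies the most specific local-zone (assumption, see lead-in).
build_zones() {
  awk 'FILENAME == ARGV[1] { w[$0] = 1; next }
       $0 in w { next }
       { blocked[$0] = 1; print "local-zone: \"" $0 "\" always_nxdomain" }
       END {
         for (name in w) {
           n = split(name, p, ".")
           for (i = 2; i <= n; i++) {
             parent = p[i]; for (j = i + 1; j <= n; j++) parent = parent "." p[j]
             if (parent in blocked) { print "local-zone: \"" name "\" transparent"; break }
           }
         }
       }' "$2" "$1"
}

# run_pipeline: the same merge flow as the posted script, on the samples, sorted for stable output.
run_pipeline() {
  dir=$(mktemp -d) || return 1
  printf '%s\n' "$SAMPLE_HOSTS" "$SAMPLE_DOMAINS" | extract_domains | LC_ALL=C sort -u > "$dir/block"
  printf '%s\n' "$SAMPLE_WHITELIST" | extract_domains | LC_ALL=C sort -u > "$dir/white"
  build_zones "$dir/block" "$dir/white" | LC_ALL=C sort
  rm -rf "$dir"
}
```

Running `unbound-checkconf` on the generated file before `unbound-control reload` is the cheap way to confirm nothing malformed slipped through.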
  7. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Thanks for providing your code which offers some very interesting modifications and additions. Unfortunately, I'm not able to test it right now as I'm behind a Pi-hole and don't use unbound any more. Perhaps @Stefan Froberg can comment?
     
  8. yummy

    yummy Registered Member

    Joined:
    Sep 29, 2019
    Posts:
    2
    Location:
    US
    Thanks summerheat. I thought I would add that I too use Pi-Hole in some of my setups, however after I discovered nextdns.io and started utilizing them with Unbound I found that the set up was much better than Pi-Hole and I used unbound+nextdns for my primary network. Nextdns.io is also using unbound in their infrastructure so all the features work in unbound (DoT specifically) locally and network wide. You might want to give those guys a look if you have a chance.
     
  9. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    2,199
    Hm, nextdns.io looks interesting but it seems that an account is required in order to configure it. I don't think that I want that.

    As a matter of fact, just recently I switched from Pi-hole to dnscrypt-proxy. It's fast and its filtering capabilities are not quite as flexible as regexes in Pi-hole but better than in dnsmasq.
     