Re: [dns-privacy] some DNS privacy implementation benchmark
Carsten Strotmann <carsten@strotmann.de> Mon, 14 August 2017 08:00 UTC
Return-Path: <carsten@strotmann.de>
X-Original-To: dns-privacy@ietfa.amsl.com
Delivered-To: dns-privacy@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5BED13203D for <dns-privacy@ietfa.amsl.com>; Mon, 14 Aug 2017 01:00:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dS8BCoUM5dLT for <dns-privacy@ietfa.amsl.com>; Mon, 14 Aug 2017 01:00:06 -0700 (PDT)
Received: from smtp3.strotmann.de (smtp3.strotmann.de [IPv6:2a03:4000:2:33f::5353]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 750A3132031 for <dns-privacy@ietf.org>; Mon, 14 Aug 2017 01:00:06 -0700 (PDT)
Received: from smtp2.strotmann.de (unknown [IPv6:fd00::2]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp3.strotmann.de (Postfix) with ESMTPS id 229E67FDB6 for <dns-privacy@ietf.org>; Mon, 14 Aug 2017 10:00:03 +0200 (CEST)
Received: from emacs.strotmann.de.strotmann.de (unknown [172.42.1.123]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp2.strotmann.de (Postfix) with ESMTPSA id 3xW7Lq0ZvjzBnhQ for <dns-privacy@ietf.org>; Mon, 14 Aug 2017 10:00:03 +0200 (CEST)
References: <861sogika3.fsf@emacs.strotmann.de> <d0d2810a-dc88-675f-5364-36a89e11d351@huitema.net>
User-agent: mu4e 0.9.16; emacs 25.2.1
From: Carsten Strotmann <carsten@strotmann.de>
To: dns-privacy@ietf.org
In-reply-to: <d0d2810a-dc88-675f-5364-36a89e11d351@huitema.net>
Date: Mon, 14 Aug 2017 08:00:02 +0000
Message-ID: <86mv72h94t.fsf@emacs.strotmann.de>
MIME-Version: 1.0
Content-Type: text/plain
X-Spamd-Result: default: False [0.00 / 0.00] TO_DN_NONE(0.00)[] RCVD_COUNT_TWO(0.00)[2] RCVD_TLS_ALL(0.00)[] TO_MATCH_ENVRCPT_ALL(0.00)[] FROM_HAS_DN(0.00)[] MIME_GOOD(0.00)[text/plain] RCPT_COUNT_ONE(0.00)[1] RCVD_VIA_SMTP_AUTH(0.00)[] FROM_EQ_ENVFROM(0.00)[] ARC_NA(0.00)[] PREVIOUSLY_DELIVERED(0.00)[dns-privacy@ietf.org]
X-Rspamd-Server: localhost
X-Rspamd-Scan-Time: 0.24
X-Rspamd-Queue-ID: 229E67FDB6
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/QacS7tptIVHB9fiiAJI5a3pnwDw>
Subject: Re: [dns-privacy] some DNS privacy implementation benchmark
X-BeenThere: dns-privacy@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: <dns-privacy.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dns-privacy/>
List-Post: <mailto:dns-privacy@ietf.org>
List-Help: <mailto:dns-privacy-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dns-privacy>, <mailto:dns-privacy-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Aug 2017 08:00:09 -0000
Hello Christian, Christian Huitema writes: > These are interesting measurements, but they mix three variables: the > transport protocol, the RTT between stub and resolver, and the amount of > caching at the resolver. Yes, I know. The goal for this measurements were not to judge the different protocols, but to give an indication of performance on implementations available today (this work is part of an magazine article about implementing DNS-Privacy on Linux/BSD). > > In my simulations, the key variable is the Round Trip Time between stub > and resolver. The various transports differ in how they handle > connections, retransmission, and head of queue blocking, There is a gap between the theoretical abilities of the transports and the available implementations. I was interested in the user experience today using the tools that are available in mainstream Linux distributions (except "dnsfwd", which is only available as [experimental] source but which I added to not hurt the reputation of DNS-over-TLS). > but these > effects are always expressed in terms of "number of additional RTT times > some probability", the probability generally being at most a few percents. > > The other variable in a "stub to recursive" scenario is the amount of > caching done by the resolver. In standard stub to recursive scenarios, > the queries appear to be served from the cache 30% to 40% of the time -- > with a better service at big resolvers such as large ISP or Google DNS. > This is because the cache is populated from requests of multiple > clients, plus probably some pre-fetching. Small resolvers typically have > lower cache rate. This matters, because the "recursive to authoritative" > part of the resolution is typically larger than the "stub to resolver" part. > I will re-do the test with a replay of some real-world DNS queries that will make use of caching. The test I've done now is somewhat artificial, as it asked 1000 different questions on a cold cache. But that was the best way to measure the DNS resolution performance trough the different transports. Getting an answer from a local cache is always 0 ms in a local LAN. > In the unbound scenarios, were you using unbound as a local recursive > server? Yes. The cache was cold at the beginning of each test. > >> "Stubby" is missing, I having issues getting it to work, I will update >> this list once I've got "Stubby" working. >> >> As I have this setup now, is there an working implementation that is >> missing and should also be in the list? >> >> DNS-over-QUIC? >> DNS-over-HTTP(S)? > You probably need to wait until at least October for realistic > implementations of DNS over QUIC. I'm excited about DNS-over-QUIC from the technical point of view, it has potential. From the point of DNS Privacy, I'm not so thrilled, as I fear that the one major implementation will be between Chrome Browser and Google-DNS, which is a Zero-sum game for DNS privacy. Anyway, I will test drive DNS-over-QUIC once it is available in some useable form. Best regards Carsten Strotmann
- [dns-privacy] some DNS privacy implementation ben… Carsten Strotmann
- Re: [dns-privacy] some DNS privacy implementation… Christian Huitema
- Re: [dns-privacy] some DNS privacy implementation… Carsten Strotmann
- Re: [dns-privacy] some DNS privacy implementation… Carsten Strotmann