Re: [Doh] [Ext] DNS over HTTP/3?

bert hubert <bert.hubert@powerdns.com> Mon, 19 November 2018 15:12 UTC

Return-Path: <bert@hubertnet.nl>
X-Original-To: doh@ietfa.amsl.com
Delivered-To: doh@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EE49130E11 for <doh@ietfa.amsl.com>; Mon, 19 Nov 2018 07:12:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.652
X-Spam-Level:
X-Spam-Status: No, score=-1.652 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q3m8f6ua806p for <doh@ietfa.amsl.com>; Mon, 19 Nov 2018 07:12:12 -0800 (PST)
Received: from xs.powerdns.com (xs.powerdns.com [82.94.213.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B371130DE1 for <doh@ietf.org>; Mon, 19 Nov 2018 07:12:11 -0800 (PST)
Received: from server.ds9a.nl (ip565244ed.adsl-surfen.hetnet.nl [86.82.68.237]) by xs.powerdns.com (Postfix) with ESMTPS id DCE1F9FD6E; Mon, 19 Nov 2018 15:12:09 +0000 (UTC)
Received: by server.ds9a.nl (Postfix, from userid 1000) id 4878AACA4B3; Mon, 19 Nov 2018 16:12:09 +0100 (CET)
Date: Mon, 19 Nov 2018 16:12:09 +0100
From: bert hubert <bert.hubert@powerdns.com>
To: Paul Hoffman <paul.hoffman@icann.org>
Cc: "doh@ietf.org" <doh@ietf.org>
Message-ID: <20181119151209.GC11506@server.ds9a.nl>
References: <20181119100954.GA6704@server.ds9a.nl> <5BE15B68-1C61-4462-AE84-901E2CF0F9F9@icann.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5BE15B68-1C61-4462-AE84-901E2CF0F9F9@icann.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/OMhnn8SVxA56Y2cfQMoyxibCl5Q>
Subject: Re: [Doh] [Ext] DNS over HTTP/3?
X-BeenThere: doh@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DNS Over HTTPS <doh.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/doh>, <mailto:doh-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/doh/>
List-Post: <mailto:doh@ietf.org>
List-Help: <mailto:doh-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/doh>, <mailto:doh-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Nov 2018 15:12:22 -0000

On Mon, Nov 19, 2018 at 02:12:18PM +0000, Paul Hoffman wrote:
> > I've observed that the thousands of users of doh.powerdns.org (I also do not
> > know how this happened) take around 22 packets per DNS query/response. 
> 
> It would be valuable to know if this is this because your DoH server kills
> the entire connection after every DNS query, or because the clients are
> doing so.

It does around 2 DNS queries per HTTPS connection on average dnsdist-doh
keeps open an HTTP/2 connection for 10 seconds if it becomes idle.

> > Larger scale adoption of TLSv1.3 might improve this somewhat, but it is a
> > big number.
> 
> DoH was designed for long-lived connections, so the number would normally be smaller after the initial connection.

I can only report what I measure based on several thousands of users.

> > I've also personally observed that a "slightly suboptimal" network
> > absolutely kills browsing performance in Firefox Nightly using DoH.  A naive
> > calculation shows that 0.5% packet loss turns into a 5% failure rate per DoH
> > query, which then can cause Head of Line blocking for further queries, which
> > cascades into "blank pages" getting rendered. 
> 
> When you say "naive calculation", do you mean this is observed in the
> clients hitting your DoH server?  That would indeed be scary.  However,
> the Mozilla numbers tell a very different story.  It would be good to know
> which one is true.

My personal observation is that on a slightly bad network, turning off DoH
speeds up things massively and makes the web useable again.  This naively
makes sense, DoH uses way more packets and suffers from Head of Line
blocking, unlike plain DNS.

We have asked Mozilla to provide more details of their measurements, but
these have not been forthcoming.

Note that the graph published on the blog misses the 95% and 99% bins,
https://blog.nightly.mozilla.org/files/2018/08/DNS-over-HTTPS-Performance-Improvement.png
and does not include details on timeouts.

> > And, perhaps somewhat more provocatively, should we maybe not start pushing
> > DoH/2 if it leaves people with a sub-standard experience, causing them to
> > disable DoH?
> 
> If the implementations on the client or server side make using DoH bad,
> those implementations should be fixed.  If they don't get fixed, we'll
> certainly hear about it.

There is already a Firefox ticket I think, but with Patrick and Daniel gone
or gone soon, I am not sure who owns it now

> > DoH/3 might be somewhat of a wait but it might prevent that
> > sour taste from developing.
> 
> Without sufficient data, it's hard to say if there really is a sour taste.

Perhaps Mozilla can clarify further what they measured beyond the 7
milliseconds slowdown.

I may do some induced packetloss experiments to see if the "experience" can
be reproduced.

	Bert