DNS over TLS - Sites are loading very slow

Greetings!
I've got the issue, after using DoT, that sites like e.g. Amazon take very long to load.
If I choose on my device e.g. just 9.9.9.9 and not the IPFire address, it just works fine.

I am using the following DNS:

#1 81.3.27.54 - [TLS name removed because of posting “RESTRICTIONS”]
#2 89.233.43.71 - [TLS name removed because of posting “RESTRICTIONS”]
#3 185.95.218.42 - [TLS name removed because of posting “RESTRICTIONS”]
#4 93.177.65.183 - [TLS name removed because of posting “RESTRICTIONS”]

Anyone else having similar issues?

edit#1
Since IPFire has had recurring issues with DNS since the introduction of DNSSEC, I decided to go back to UDP DNS for now.

edit#2
I also decided to set “QNAME Minimisation” back to Standard.

I’ve had nothing but problems with DNS over TLS also. At first sites like Amazon and Wikipedia take a long time, eventually some sites stop loading at all. I tried the Cloudflare DNS and the Google one for DoT, but it's only reliable when I go back to UDP mode. At first I thought it was IPS, but disabling it didn’t help.

Do I need to open port 853 for it to work? Is it possible my ISP (Bell) is blocking it?

Hello,

It was mentioned here that TLS is quite slow right now:

Hopefully we will be able to fix that in one of the next releases. We are relying on the unbound team here.

Yes, TCP/853 needs to be open, but normally it should be.

Hi all,
What's a little strange: I'm having no problems with DoT here. I have also activated ‘QNAME minimization strict’. Amazon, Wikipedia, …, no problems with any of them.

Current DoT config looks like this:

22,159.69.114.157,fdns2.dismail.de,enabled,dismail.de (mit DNS-over-TLS sowie Werbe- Tracker
3,89.233.43.71,unicast.censurfridns.dk,enabled,censurfridns
21,80.241.218.68,fdns1.dismail.de,enabled,dismail.de (mit DNS-over-TLS sowie Werbe-  Tracker
14,185.49.141.37,getdnsapi.net,enabled,GetDNSapi
26,199.58.81.218,dns.cmrg.net,enabled,Provider: dkg
23,46.182.19.48,dns2.digitalcourage.de,enabled,Digitalcourage
7,145.100.185.18,dnsovertls3.sinodun.com,enabled,Sinodun 1
24,185.95.218.42,dns.digitale-gesellschaft.ch,enabled,Digitale Gesellschaft (CH) (mit DNS-over-TLS )
11,159.69.198.101,dot-de.blahdns.com,enabled,BlahDNS 2 DE
20,37.252.185.232,dot1.appliedprivacy.net,enabled,Foundation for Applied Privacy
25,130.59.31.248,dns.switch.ch,enabled,DNS-over-TLS Servers by switch.ch
4,81.3.27.54,recursor01.dns.lightningwirelabs.com,enabled,Lighningwirelabs TLS
27,80.241.218.68,fdns1.dismail.de,enabled,https://dismail.de/info.html#dns
29,185.222.222.222,dns.sb,enabled,DNS SB
18,116.203.70.156,dot1.dnswarden.com,enabled,DNSwarden
15,146.185.167.43,dot.securedns.eu,enabled,SecureDNS
8,199.58.81.218,dns.cmrg.net,enabled,Cmrg
28,116.203.35.255,uncensored-dot.dnswarden.com,enabled,https://github.com/bhanupratapys/dnswarden
9,89.234.186.112,dns.neutopia.org,enabled,Neutopia
19,116.203.35.255,dot2.dnswarden.com,enabled,DNSwarden 1
5,158.64.1.29,kaitain.restena.lu,enabled,kaitain
6,145.100.185.17,dnsovertls2.sinodun.com,enabled,Sinodun

with the following results:


From Host: fdns2.dismail.de ---- With IP: 159.69.114.157 ---- Date: Thu 16 Apr 2020 07:40:21 PM CEST

in 35.2 ms

The encryption is OK and works with: TLS1.2-ECDHE-X25519-RSA-SHA256-CHACHA20-POLY1305

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: unicast.censurfridns.dk ---- With IP: 89.233.43.71 ---- Date: Thu 16 Apr 2020 07:40:21 PM CEST

in 859.0 ms

The encryption is OK and works with: TLS1.2-ECDHE-SECP256R1-RSA-SHA256-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: fdns1.dismail.de ---- With IP: 80.241.218.68 ---- Date: Thu 16 Apr 2020 07:40:22 PM CEST

in 128.3 ms

The encryption is OK and works with: TLS1.2-ECDHE-X25519-RSA-SHA256-CHACHA20-POLY1305

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: getdnsapi.net ---- With IP: 185.49.141.37 ---- Date: Thu 16 Apr 2020 07:40:23 PM CEST

in 412.6 ms

The encryption is OK and works with: TLS1.3-ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: dns.cmrg.net ---- With IP: 199.58.81.218 ---- Date: Thu 16 Apr 2020 07:40:23 PM CEST

in 269.0 ms

The encryption is OK and works with: TLS1.3-ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: dns2.digitalcourage.de ---- With IP: 46.182.19.48 ---- Date: Thu 16 Apr 2020 07:40:24 PM CEST

in 276.3 ms

The encryption is OK and works with: TLS1.2-ECDHE-SECP256R1-RSA-SHA256-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: dnsovertls3.sinodun.com ---- With IP: 145.100.185.18 ---- Date: Thu 16 Apr 2020 07:40:25 PM CEST

in 608.8 ms

The encryption is OK and works with: TLS1.3-ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: dns.digitale-gesellschaft.ch ---- With IP: 185.95.218.42 ---- Date: Thu 16 Apr 2020 07:40:26 PM CEST

in 90.2 ms

The encryption is OK and works with: TLS1.3-ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: dot-de.blahdns.com ---- With IP: 159.69.198.101 ---- Date: Thu 16 Apr 2020 07:40:26 PM CEST

in 186.9 ms

The encryption is OK and works with: TLS1.3-ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256-AES-128-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: dot1.appliedprivacy.net ---- With IP: 37.252.185.232 ---- Date: Thu 16 Apr 2020 07:40:27 PM CEST

;; WARNING: can't connect to 37.252.185.232@853(TCP)
;; ERROR: failed to query server 37.252.185.232@853(TCP)

Encryption do not works, this server seems to be OFF


From Host: dns.switch.ch ---- With IP: 130.59.31.248 ---- Date: Thu 16 Apr 2020 07:40:27 PM CEST

in 340.1 ms

The encryption is OK and works with: TLS1.2-ECDHE-SECP256R1-ECDSA-SHA256-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: recursor01.dns.lightningwirelabs.com ---- With IP: 81.3.27.54 ---- Date: Thu 16 Apr 2020 07:40:27 PM CEST

in 318.6 ms

The encryption is OK and works with: TLS1.3-ECDHE-SECP256R1-ECDSA-SECP384R1-SHA384-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: fdns1.dismail.de ---- With IP: 80.241.218.68 ---- Date: Thu 16 Apr 2020 07:40:28 PM CEST

in 22.4 ms

The encryption is OK and works with: TLS1.2-ECDHE-X25519-RSA-SHA256-CHACHA20-POLY1305

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: dns.sb ---- With IP: 185.222.222.222 ---- Date: Thu 16 Apr 2020 07:40:28 PM CEST

in 128.6 ms

The encryption is OK and works with: TLS1.3-ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: dot1.dnswarden.com ---- With IP: 116.203.70.156 ---- Date: Thu 16 Apr 2020 07:40:29 PM CEST

;; WARNING: connection timeout for 116.203.70.156@853(TCP)
;; ERROR: failed to query server 116.203.70.156@853(TCP)

Encryption do not works, this server seems to be OFF


From Host: dot.securedns.eu ---- With IP: 146.185.167.43 ---- Date: Thu 16 Apr 2020 07:40:34 PM CEST

in 389.1 ms

The encryption is OK and works with: TLS1.3-ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: dns.cmrg.net ---- With IP: 199.58.81.218 ---- Date: Thu 16 Apr 2020 07:40:35 PM CEST

in 248.9 ms

The encryption is OK and works with: TLS1.3-ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: uncensored-dot.dnswarden.com ---- With IP: 116.203.35.255 ---- Date: Thu 16 Apr 2020 07:40:35 PM CEST

;; WARNING: can't connect to 116.203.35.255@853(TCP)
;; ERROR: failed to query server 116.203.35.255@853(TCP)

Encryption do not works, this server seems to be OFF


From Host: dns.neutopia.org ---- With IP: 89.234.186.112 ---- Date: Thu 16 Apr 2020 07:40:35 PM CEST

in 169.4 ms

The encryption is OK and works with: TLS1.3-ECDHE-SECP256R1-RSA-PSS-RSAE-SHA256-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: dot2.dnswarden.com ---- With IP: 116.203.35.255 ---- Date: Thu 16 Apr 2020 07:40:36 PM CEST

;; WARNING: can't connect to 116.203.35.255@853(TCP)
;; ERROR: failed to query server 116.203.35.255@853(TCP)

Encryption do not works, this server seems to be OFF


From Host: kaitain.restena.lu ---- With IP: 158.64.1.29 ---- Date: Thu 16 Apr 2020 07:40:36 PM CEST

in 38.4 ms

The encryption is OK and works with: TLS1.2-ECDHE-SECP256R1-RSA-SHA512-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK


From Host: dnsovertls2.sinodun.com ---- With IP: 145.100.185.17 ---- Date: Thu 16 Apr 2020 07:40:36 PM CEST

in 94.1 ms

The encryption is OK and works with: TLS1.2-ECDHE-SECP256R1-RSA-SHA256-AES-256-GCM

The certificate is trusted and OK

The DNSSEC validation works and is OK

Maybe TCP 853 has a hard time in specific regions? The ms values are volatile, but maybe it is simply the number of different possibilities…

Best,

Erik
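A small probe that reproduces, per resolver, what the test output above reports (TLS version and cipher, certificate trust via the system CA store, DNSSEC validation as signalled by the AD bit, and round-trip time). This is an added example, not code from the thread or from IPFire; the query name amazon.com, the query id and the 5 s timeout are assumptions.

```python
import socket
import ssl
import struct
import time

def build_query(name, qtype=1, qid=0x1234):
    """Minimal DNS query (A record) with RD and AD bits set; AD asks the
    resolver to report whether it validated the answer with DNSSEC."""
    header = struct.pack("!HHHHHH", qid, 0x0120, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):
    """RFC 7858 (DoT) reuses DNS-over-TCP framing: a 2-byte length prefix."""
    return struct.pack("!H", len(msg)) + msg

def parse_response(msg, qid):
    """Return rcode, answer count and whether the AD (authenticated data)
    bit is set, i.e. the resolver claims DNSSEC validation succeeded."""
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("response id %04x != query id %04x" % (rid, qid))
    return {"rcode": flags & 0x000F, "answers": an, "ad": bool(flags & 0x0020)}

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TLS session early")
        buf += chunk
    return buf

def probe_dot(ip, tls_name, qname="amazon.com", port=853, timeout=5.0):
    """Connect to ip:853, verify the certificate against tls_name (an
    untrusted cert raises ssl.SSLCertVerificationError), time one query."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    qid = 0x4242  # constructed fixed id; fine for a single diagnostic query
    query = build_query(qname, qid=qid)
    start = time.monotonic()
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            result = parse_response(recv_exact(tls, length), qid)
            result.update(ms=round((time.monotonic() - start) * 1000, 1),
                          tls=tls.version(), cipher=tls.cipher()[0])
    return result
```

Run it for a configured entry, e.g. `probe_dot("81.3.27.54", "recursor01.dns.lightningwirelabs.com")`; a connection refused or timeout on 853 is the "server seems to be OFF" case from the output above, while `ad` staying False on a signed zone means the resolver is not validating.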

Hi guys,

Got the same problems here. But not only on Amazon & so on. It’s about everything. DNS status is constantly switching from OFF to Working… I have to refresh pages to force DNS waking up.

@antwitz How did you switch back to UDP DNS please? Are you using your ISP ones?