I’d like to thank Bill for reaching out and being able to not only participate in the forum, but also have a technical deep-dive discussion here. It’s rare that we have someone who can do both of these things well. I’m also disappointed at the responses toward Quad9/Bill.
I’m not sure this is the case? I think Quad9 is slow with IPFire. I run pfSense, OPNsense, and IPFire. IPFire out of the box is the only distro that I have to aggressively tune to get decent DNS performance. I say this not out of animosity, but to suggest that you look into the optimizations and defaults shipping with IPFire.
The blog post on DNS also has an interesting conundrum with DNSSEC. That is, if we are forwarding to a DNSSEC provider, including Quad9, having Unbound do additional DNSSEC validation is wasted and slows down the process. pfSense and OPNsense have the ability to disable DNSSEC, and this comes in handy when using Unbound in forwarding mode with a DNSSEC and DoT provider, such as Quad9. Something else to think about before making these blanket statements that Quad9 makes DNS slow. In my experience, Quad9 is quite fast…when used with a properly tuned unbound that isn’t rigidly forced to use presets that aren’t optimal. For reference, my post on some optimization I have to use with IPFire to get decent performance: Unbound - custom configuration - #13 by anon84413319
One more item I have noticed, and perhaps Bill can elaborate on this. Quad9 does seem more aggressive at closing DoT connections. For instance, when I run `openssl s_client -connect '9.9.9.9:853'`, the connection will close after about 10 seconds. If I do the same thing with CloudFlare, it stays open for over a minute.
Finally, when I’ve installed IPFire fresh out of the box, it seems to run Unbound on a single thread vs. spawning a thread for each processor core. I suspect that this single-threaded nature and the aggressive connection closing may be at odds with each other. Perhaps something the IPFire devs can also validate further to see if this theory is correct?
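The `openssl s_client` observation above can be reproduced more precisely with a small probe that speaks actual DNS-over-TLS rather than just holding a bare TLS session, since some resolvers apply a different idle timeout once a real query has been answered. The script below is an added example for this thread, not code from IPFire, Unbound or Quad9. It builds a minimal DNS query, frames it with the two-byte length prefix that DoT (RFC 7858) requires, verifies the server certificate against the resolver’s authentication name, and then idles until the server closes the connection, reporting the elapsed seconds. The default target `9.9.9.9` with authentication name `dns.quad9.net` is Quad9’s published DoT endpoint; any other resolver can be passed on the command line. It assumes only the Python 3 standard library and outbound access to TCP port 853.

```python
"""Measure how long a DNS-over-TLS resolver keeps an idle connection open.

Added example for the forum thread; not IPFire, Unbound or Quad9 code.
Usage: python3 dot_idle_probe.py [resolver_ip] [auth_name]
"""
import socket
import ssl
import struct
import sys
import time
from typing import Optional

DOT_PORT = 853


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query: QR=0, RD=1, one question (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def frame_dot(msg: bytes) -> bytes:
    """DoT/TCP framing: two-byte big-endian length, then the DNS message."""
    return struct.pack("!H", len(msg)) + msg


def parse_response_header(data: bytes) -> dict:
    """Parse the 12-byte DNS header; rcode 0 is NOERROR, 2 is SERVFAIL."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "qr": bool(flags & 0x8000),
            "rcode": flags & 0x000F, "ancount": an}


def recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes or raise if the peer closes first."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed connection mid-message")
        buf += chunk
    return buf


def measure_idle_close(ip: str, auth_name: str, name: str = "example.com",
                       max_wait: float = 120.0) -> Optional[float]:
    """Send one authenticated DoT query, then idle.

    Returns seconds until the server closed the idle session, or None if it
    was still open after max_wait. The default SSL context verifies the
    certificate chain and checks auth_name against the certificate (SNI).
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, DOT_PORT), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
            tls.sendall(frame_dot(build_query(name)))
            length = struct.unpack("!H", recv_exact(tls, 2))[0]
            hdr = parse_response_header(recv_exact(tls, length))
            if not hdr["qr"] or hdr["id"] != 0x1234:
                raise ValueError("unexpected DNS response header: %r" % hdr)
            # Now idle: a clean close_notify shows up as an empty recv(),
            # an abrupt close as a reset; either way the session is over.
            tls.settimeout(max_wait)
            start = time.monotonic()
            try:
                while tls.recv(4096):
                    pass  # unsolicited data; keep waiting for the close
                return time.monotonic() - start
            except (ConnectionResetError, ssl.SSLEOFError):
                return time.monotonic() - start
            except socket.timeout:
                return None


if __name__ == "__main__":
    target_ip = sys.argv[1] if len(sys.argv) > 1 else "9.9.9.9"
    target_name = sys.argv[2] if len(sys.argv) > 2 else "dns.quad9.net"
    idle = measure_idle_close(target_ip, target_name)
    if idle is None:
        print("%s: connection still open after the wait period" % target_ip)
    else:
        print("%s: server closed idle DoT session after %.1f s" % (target_ip, idle))
```

Running it against two resolvers in turn gives directly comparable idle-timeout numbers for the kind of comparison made above, and because the connection is authenticated against the resolver’s name, a failed handshake also tells you whether a forwarding setup with `forward-tls-upstream` would actually be talking to the expected endpoint rather than a transparent interceptor.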