Nits + a new page on caching

Frank Denis 2018-04-10 14:18:21 +02:00
parent e315419612
commit 3425e0eab0
5 changed files with 85 additions and 23 deletions

Caching.md (new file, 58 lines added)

@ -0,0 +1,58 @@
# Making things go fast
Independently from the protocol, dnscrypt-proxy implements features to reduce DNS latency.
## IPv6 blocking
If you don't have IPv6 connectivity, most applications will keep sending DNS queries to resolve IPv6 IP addresses no matter what.
In this scenario, dnscrypt-proxy can immediately respond "there are no IPv6 addresses" instead of sending queries to upstream DNS servers, and waiting for useless responses.
In order to do so, change:
```toml
block_ipv6 = false
```
to
```toml
block_ipv6 = true
```
in the configuration file.
You may also want to avoid probing resolvers that are only accessible using IPv6:
```toml
ipv6_servers = false
```
Note: some operating systems, notably macOS X, may be confused by blocked IPv6 responses. If you notice queries that cannot be properly resolved, do not enable this feature.
## DNS cache
The proxy has a built-in DNS cache, that keeps responses to recent queries in memory.
The first time a query is made, a network exchange is required. But the second time the same query is made, if the response is still valid, it will be immediately sent from memory.
This improves resiliency against network failure, drastically reduces latency, and enhances privacy as less queries will be sent to 3rd party servers.
The cache is enabled by default (`cache = true`), and has a couple knobs you can turn:
```toml
cache_size = 512
cache_min_ttl = 600
cache_max_ttl = 86400
cache_neg_ttl = 60
```
The TTL represents how long, in seconds, an entry will be kept in memory. In the example configuration above, a response will be kept at least for 10 minutes, at most for 1 day, and if a question receives "this doesn't exist" as a response, this will be stored for 1 minute.
`cache_size` is the maximum number of entries in the cache. For a typical home network, the default value is fine, even with multiple devices sharing the same server. Lower it if you are really short on memory, and raise it only if you have many devices behind the same proxy.
In most cases, the default cache settings don't need to be changed.
You can check that the cache works by using a tool such as `dig` to send a DNS query. Send the same query twice: the second time should get an instantaneous response.
# [Load Balancing Options](Load-Balancing-Options)
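Review bot: `cache_min_ttl = 600` in the example knobs is a floor imposed on the upstream answer, so a record whose owner deliberately sets a TTL of a few seconds (failover or load-balanced names) will keep being served from memory for up to 10 minutes after it changes; the paragraph that explains "kept at least for 10 minutes" should say this plainly and note that raising the minimum trades freshness for latency. Two smaller points: "enhances privacy as less queries will be sent" should read "fewer queries", and the `dig` check would be more useful if it told the reader what to look at, e.g. the `;; Query time:` line of the second response, which should be close to 0 msec. "macOS X" should be "macOS" (or "OS X").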

@ -89,4 +89,4 @@ Finally, the resulting list need to be signed with [Minisign](https://jedisct1.g
For security purposes, `dnscrypt-proxy` will not accept lists that are not signed.
# [Load Balancing Options](Load-Balancing-Options)
# [Making this go fast](Caching)
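Review bot: the new link text `Making this go fast` does not match the title the new page gives itself, `# Making things go fast` (first line of Caching.md above); pick one wording and use it for the page heading, this link and the sidebar entry. While here, the context line "the resulting list need to be signed" should read "needs to be signed".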

@ -2,18 +2,18 @@
## Installation
Example with FreeBSD/arm and version 2.0.8. Change accordingly.
Example with FreeBSD/arm and version 2.0.9. Change accordingly.
```sh
cd /tmp
fetch -m https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.8/dnscrypt-proxy-freebsd_arm-2.0.8.tar.gz
mkdir dnscrypt-proxy-freebsd_arm-2.0.8
tar -zxf dnscrypt-proxy-freebsd_arm-2.0.8.tar.gz -C dnscrypt-proxy-freebsd_arm-2.0.8
mv dnscrypt-proxy-freebsd_arm-2.0.8/freebsd-arm/dnscrypt-proxy /usr/local/bin/dnscrypt-proxy
fetch -m https://github.com/jedisct1/dnscrypt-proxy/releases/download/2.0.9/dnscrypt-proxy-freebsd_arm-2.0.9.tar.gz
mkdir dnscrypt-proxy-freebsd_arm-2.0.9
tar -zxf dnscrypt-proxy-freebsd_arm-2.0.9.tar.gz -C dnscrypt-proxy-freebsd_arm-2.0.9
mv dnscrypt-proxy-freebsd_arm-2.0.9/freebsd-arm/dnscrypt-proxy /usr/local/bin/dnscrypt-proxy
chown root:wheel /usr/local/bin/dnscrypt-proxy
chmod +x /usr/local/bin/dnscrypt-proxy
mkdir /usr/local/etc/dnscrypt-proxy
cp dnscrypt-proxy-freebsd_arm-2.0.8/freebsd-arm/example-dnscrypt-proxy.toml /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml
mkdir -p /usr/local/etc/dnscrypt-proxy
cp dnscrypt-proxy-freebsd_arm-2.0.9/freebsd-arm/example-dnscrypt-proxy.toml /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml
```
Adapt the configuration `/usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml` to your need.
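Review bot: the final `cp .../example-dnscrypt-proxy.toml /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml` overwrites any existing configuration, and since this hunk now reads as an upgrade path (2.0.8 to 2.0.9, with `mkdir -p` because the directory may already exist) a reader following it will clobber the `dnscrypt-proxy.toml` they already adapted. Guard it, e.g. `[ -f /usr/local/etc/dnscrypt-proxy/dnscrypt-proxy.toml ] || cp ...`, or copy the example beside the live file. Separately, the archive is fetched and the binary moved into `/usr/local/bin` with no integrity check; the Configuration-Sources hunk above refuses unsigned lists, so the installation steps should verify the release archive's signature or checksum before installing it. `chown root:wheel` and `chmod +x` on the binary are fine but are not a substitute for that.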

@ -1,10 +1,10 @@
# Load Balancing
`DNSCrypt-Proxy` comes with a load balancing algorithm. It will send consecutive DNS queries to different DNS servers randomly chosen from a sorted (fastest to slowest) set of a chosen size. The size of that set is what you can chose in the configuration file with the `lb_strategy` parameter. A server will be chosen randomly among the N fastest servers in your list of servers (or if you are not specifically choosing servers with the `server_names` parameter, among the N fastest servers from all servers that match your requirements.)
`dnscrypt-proxy` comes with a load balancing algorithm. It will send consecutive DNS queries to different DNS servers randomly choosen from a sorted (fastest to slowest) set of a choosen size. The size of that set is what you can choose in the configuration file with the `lb_strategy` parameter. A server will be choosen randomly among the N fastest servers in your list of servers (or if you are not specifically choosing servers with the `server_names` parameter, among the N fastest servers from all servers that match your requirements.)
## How The List Of Servers Is Populated
When `DNSCrypt-Proxy`:
When `dnscrypt-proxy`:
* Starts
* Each time the server certificates (for DNSCrypt servers) are retrieved/validated (every `cert_refresh_delay` minutes)
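Review bot: the rewritten paragraph replaces the correct "chosen" with the misspelling "choosen" three times (`randomly choosen`, `a choosen size`, `will be choosen randomly`); the original spelling should be kept. The sentence "The size of that set is what you can choose ... with the `lb_strategy` parameter" is also slightly misleading, since `lb_strategy` names a strategy (`fastest`, `p2`, `ph`, `random` further down) rather than a number; "which part of the sorted list is used" would be more accurate.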
@ -12,28 +12,31 @@ When `DNSCrypt-Proxy`:
It calculates an initial RTT (Round-Trip Time) estimation for each resolver (for DoH servers, two initial test queries are made). This list is then sorted from fastest to slowest resolver.
## How The Servers Are Sorted
## How the servers are sorted
`DNSCrypt-Proxy` keeps the list of servers sorted at all times.
`dnscrypt-proxy` keeps the list of servers sorted at all times.
Each time a query is made to a server, the time it takes is used to adjust how fast `DNSCrypt-Proxy` thinks that the server is, using an exponentially weighted moving average. If the newly adjusted RTT of the resolver that was just used happens to be bigger (slower) than a randomly chosen candidate from the list of all servers, then these entries are swapped.
Each time a query is made to a server, the time it takes is used to adjust how fast `dnscrypt-proxy` thinks that the server is, using an exponentially weighted moving average. If the newly adjusted RTT of the resolver that was just used happens to be bigger (slower) than a randomly choosen candidate from the list of all servers, then these entries are swapped.
Over time, every server that is queried is compared with all the other servers and the list is kept sorted without actually having to sort it after every query. Slow servers will probably never compare favorably with the fast servers and will remain at the bottom of the list. Since response times vary appreciably even for the same server, especially as DNS servers need to query other servers to resolve domains when they are not in the cache, the servers at the top of the list might move around as time goes by even if they are close to you.
Over time, every server gets compared to all other servers and the list is progressively kept sorted. Slow servers will probably never compare favorably with the fast servers and will remain at the bottom of the list. Since response times vary appreciably even for the same server, especially as DNS servers need to query other servers to resolve domains when they are not in the cache, the servers at the top of the list might move around as time goes by even if they are close to you.
## Your Load Balancing Options
## Load-balancing options
So the servers are sorted from quickest to slowest. The load balancing is done using that list. You have a choice of 4 different ranges/sets from which to chose the server that will next be queried. The server is chosen randomly inside that set. The 4 possible values of the `lb_strategy` parameter are:
So, the servers are sorted from quickest to slowest. The load balancing is done using that list. You have a choice of 4 different ranges/sets from which to choose the server that will next be queried. The server is choosen randomly inside that set. The 4 possible values of the `lb_strategy` parameter are:
* **fastest** (always pick the one fastest server in the list)
* **p2** (randomly chose between the top 2 fastest servers)
* **ph** (randomly chose between the top fastest half of all servers)
* **random** (just pick any random server from the list)
* `fastest` (always pick the fastest server in the list)
* `p2` (randomly choose between the top 2 fastest servers)
* `ph` (randomly choose between the top fastest half of all servers)
* `random` (just pick any random server from the list)
This setting is a string, so you use `lb_strategy = 'p2'` in the configuration file.
The default strategy is **p2** so `DNSCrypt-Proxy` will pick one of the two fastest servers. It will compare how fast that server was with a randomly chosen server and if that random server is faster, the random server will move up. The same is true for all strategies - random servers will move up in the list when they are faster than the server that was just queried.
The default strategy is `p2` so `dnscrypt-proxy` will pick one of the two fastest servers. It will compare how fast that server was with a randomly choosen server and if that random server is faster, the random server will move up. The same is true for all strategies - random servers will move up in the list when they are faster than the server that was just queried.
## Some Remarks
## Notes
If you enable logging and have a look at the `DNSCrypt-Proxy` log, you will see the response times of all your servers when the proxy starts. Since there are so few DNSCrypt servers out there, you should notice that only a few servers are very fast for you, with the majority being appreciably slower. What this means is that if you have a relatively large list of random server from around the world, and you chose the **ph** strategy, some of your queries will probably end-up using slower servers; **p2** is probably the best strategy to use. However, **ph** would be pretty good if you were choosing regular DNS servers, since there are thousands of those and many would be very fast for you (you can easily find 50 fast servers for any location in North-America).
If you enable logging and have a look at the `dnscrypt-proxy` log, you will see the response times of all your servers when the proxy starts. You should notice that only a few servers are very fast for you, with the majority being appreciably slower.
What this means is that if you have a relatively large list of random servers from around the world, and you choose the `ph` strategy, some of your queries will probably end-up using slower servers; `p2` is probably the best strategy to use.
However, `ph` would be pretty good if you were choosing regular DNS servers, since there are thousands of those and many would be very fast for you (you can easily find 50 fast servers for any location in North-America).
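Review bot: the same "choosen" regression appears throughout this hunk: in the sorting paragraph ("a randomly choosen candidate"), in the options intro ("The server is choosen randomly"), in the `p2` and `ph` bullets, and in the default-strategy paragraph ("a randomly choosen server"); all should be "chosen". Minor: "end-up" should be "end up" and "North-America" should be "North America".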

@ -8,6 +8,7 @@
* [Configuration](Configuration)
* [Getting started](Configuration)
* [Configuring sources](Configuration-Sources)
* [Making this go fast](Caching)
* [Load Balancing Options](Load-Balancing-Options)
* [Server sources](DNS-server-sources)
* [Public Blacklists and other configuration files](Public-blacklists)
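Review bot: the inserted sidebar entry `Making this go fast` has the same wording mismatch as the link added in the earlier hunk: the new page's own heading is `# Making things go fast`. Pre-existing but worth fixing in the same pass: `[Configuration](Configuration)` and `[Getting started](Configuration)` are two sidebar entries pointing at the same page.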