Add cipher suite section

hugepants 2022-12-18 16:56:41 +00:00
parent 61afe47a09
commit 37d6272472

@ -2,6 +2,10 @@
Independently from the protocol, dnscrypt-proxy implements features to reduce DNS latency.
* [IPv6 blocking](#ipv6-blocking)
* [DNS cache](#dns-cache)
* [Cipher suites (DoH)](#cipher-suites-doh)
## IPv6 blocking
If you don't have IPv6 connectivity, most applications will keep sending DNS queries to resolve IPv6 IP addresses no matter what.
@ -56,4 +60,17 @@ In most cases, the default cache settings don't need to be changed.
You can check that the cache works by using a tool such as `dig` to send a DNS query. Send the same query twice: the second time should get an instantaneous response.
## Cipher suites (DoH)
In most cases the TLS connection to the DoH server will use the most appropriate cipher suite automatically, according to your hardware capabilities. In simple terms, devices with hardware AES support should use an **AES** suite, and those that don't should use a **ChaCha20-Poly1305** suite. Also TLS version 1.3 is preferred if the server supports it.
You can view the cipher suite (e.g. `4867 = TLS_CHACHA20_POLY1305_SHA256`) and the TLS version (303 = TLS 1.2, 304 = TLS 1.3) by setting `log_level = 1` in `dnscrypt-proxy.toml`. See the reference link below for the full list.
For example - many MIPS, ARM and older Intel 32-bit based devices do not have hardware accelerated AES so should ideally use `4867 = TLS_CHACHA20_POLY1305_SHA256` with TLS 1.3 (304) for the best performance and this can avoid issues like high CPU load, freezing or crashing. Alternatively, if the server only supports TLS 1.2 (303) then a supported ChaCha20 suite (e.g `52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`) would be the next best choice.
If a suboptimal cipher suite is automatically chosen, you can attempt to force a specific suite with the `tls_cipher_suite` option in `dnscrypt-proxy.toml`, but the server must support it.
In some cases, a suboptimal suite is automatically selected but cannot be improved. For example - `mullvad-doh` on MIPS (where ChaCha20 performs best) connects with `4866 = TLS_AES_256_GCM_SHA384`, but forcing `4867 = TLS_CHACHA20_POLY1305_SHA256` does not have any effect and it remains at `4866`. In this case you should choose a different server if you're experiencing performance issues.
Reference - [cipher_suites.go](https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go)
# [Filtering](Filters)
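Review bot: the numeric identifiers in the new "Cipher suites (DoH)" section mix bases without saying so. The cipher suite values (`4867 = TLS_CHACHA20_POLY1305_SHA256`, `4866 = TLS_AES_256_GCM_SHA384`, `52392 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305`) are decimal, while the version values (`303 = TLS 1.2, 304 = TLS 1.3`) are hex, and the linked `cipher_suites.go` reference defines the suites as hex constants (4867 is written there as `0x1303`). Add a sentence stating which base each logged field uses and how to convert, otherwise a reader cannot map the logged number onto the reference list. The `mullvad-doh` paragraph would also read better with the reason stated: both `4866` and `4867` are TLS 1.3 suites, and the section only says that `tls_cipher_suite` requires server support, so say whether the option applies to TLS 1.3 negotiation at all rather than presenting the behaviour as a quirk of one server. Minor style: "For example -" is used twice where a colon or comma would do, and "e.g" is missing its trailing period.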