Evading DNS interception

  • Thread starter: royalroy
  • Replies: 64
  • Views: 10,132
AdGuard is good for DoH. I set it up on my RPi Zero. However, there seems to be an issue. My latency to Cloudflare is about 40-45 ms. However, on the AdGuard config page, the average processing time is 132 ms. Any idea?
 
With DNS cache TTL set to 3600 and with 5 DNS providers in parallel mode, my processing time is 20 ms.

This is mainly because most queries are fetched from cache in <1 ms.

The processing time mentioned on the AdGuard page includes the latency plus the time for Cloudflare to process the query and return the result. You can see this time by using the dig command.

Most queries which aren't cached take around that time. So it's fairly normal.
 
I think they were referring to AdGuard Home, not AdGuard DNS. Average Processing Time is a measurement on the WebUI.

[screenshot attached: Screenshot-2020-12-01-202711.png]

And yeah, the lack of customizability of filters is a problem with AdGuard DNS. NextDNS is better if one doesn't want to host DNS at home.
 
I run an AdGuard Home service on my OpenWrt router with the Unbound recursive resolver as the upstream resolver. It's faster than any third-party resolver in my use case. You can use the same setup on your RPi.
 
> And yeah, the lack of customizability of filters is a problem with AdGuard DNS. NextDNS is better if one doesn't want to host DNS at home.

But we can use hosts-file lists to block certain categories. If I use them, with 25-26k entries, will the overall latency mentioned on AdGuard be affected, or is that from the Cloudflare server?
 


I doubt latency will be affected by the blocklist. When a user makes a DNS request, AdGuard Home checks if the domain is in the blocklist. Even a blocklist with 500k entries is just a couple of megabytes, which is stored in RAM. So checking if a domain is on the blocklist should take <1 ms.
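The two posts above (the cache-TTL/average-processing-time explanation and the blocklist-lookup answer) describe the same pipeline: a hosts-style blocklist kept in memory, a TTL cache, and an upstream round trip only on a miss. The following is an added illustration of that pipeline, not AdGuard Home's own code. It assumes the usual hosts-file layout (sink address followed by one or more hostnames), walks parent labels so that a subdomain of a listed name is also blocked (a choice made here, not a statement about AdGuard Home's matching rules), and uses a stub upstream that sleeps 40 ms to stand in for the Cloudflare latency quoted in the thread. The sample list is constructed for the example.

```python
"""Toy forwarder pipeline: blocklist check, then TTL cache, then upstream.

Added illustration, not AdGuard Home's code. Hosts-file parsing follows the
usual "sink-address hostname..." layout; the parent-label walk and the 40 ms
stub upstream are assumptions made for this example.
"""
import time

# Constructed sample in hosts-file format; not a real blocklist feed.
SAMPLE_HOSTS = """\
# lines starting with '#' are comments
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # trailing comment
0.0.0.0 a.bad.example.org b.bad.example.org
"""

# Names hosts files carry for the local machine, not as block entries
# (assumption: a real resolver keeps its own list of such names).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}


def parse_hosts(text):
    """Return the set of blocked hostnames from hosts-file text."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 2:          # blank, comment-only, or no hostname
            continue
        for name in fields[1:]:      # fields[0] is the sink address
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                blocked.add(name)
    return frozenset(blocked)


def is_blocked(name, blocked):
    """Exact match, then each parent domain (so sub.ads.example.com hits an
    ads.example.com entry). Each probe is one hash lookup on an in-RAM set."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def stub_upstream(name, rtt_s=0.040):
    """Stand-in for a DoH upstream with a ~40 ms round trip (constructed)."""
    time.sleep(rtt_s)
    return "203.0.113.10"             # TEST-NET-3 address, not a real answer


class Forwarder:
    def __init__(self, blocked, upstream=stub_upstream, ttl=3600):
        self.blocked = blocked
        self.upstream = upstream
        self.ttl = ttl
        self.cache = {}               # name -> (answer, expiry time)
        self.timings_ms = []          # per-query processing time

    def resolve(self, name, now):
        """Resolve one A query; `now` is the clock used for TTL expiry."""
        start = time.perf_counter()
        if is_blocked(name, self.blocked):
            answer, source = "0.0.0.0", "blocked"
        else:
            cached = self.cache.get(name)
            if cached is not None and cached[1] > now:
                answer, source = cached[0], "cache"
            else:
                answer, source = self.upstream(name), "upstream"
                self.cache[name] = (answer, now + self.ttl)
        self.timings_ms.append((time.perf_counter() - start) * 1000)
        return answer, source

    def average_ms(self):
        """What a dashboard's 'average processing time' aggregates: blocks
        and cache hits in microseconds, misses at the upstream round trip."""
        return sum(self.timings_ms) / len(self.timings_ms)


def demo(queries=100):
    """One upstream miss followed by repeated cache hits for the same name."""
    fwd = Forwarder(parse_hosts(SAMPLE_HOSTS))
    sources = [fwd.resolve("example.com", now=0)[1] for _ in range(queries)]
    return sources, fwd.average_ms()


if __name__ == "__main__":
    sources, avg = demo()
    print(sources[:2], f"average {avg:.2f} ms over {len(sources)} queries")
```

Running `demo()` gives one 40 ms upstream miss and 99 sub-millisecond cache hits, so the reported average lands well under the upstream latency; a dashboard average of 132 ms, by contrast, means most of the measured queries went upstream.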
 
So, the issue with EDNS is almost non-existent. This is the Netflix head of network operations speaking at a conference. Watch this 30-minute video if you have the time and interest to know more about how CDNs work. All CDNs use similar techniques, I hope.

Source
 
@royalroy Are these videos available anywhere other than facebook? I can't/don't want to access facebook.
 
Okay, so I ran a local area network scan with an app named "Ping Tools". It gave me a list of all devices on my 192.168.0.0/24 LAN. A device with IP 172.31.125.145 and a MAC address appeared. I scanned for open ports on that device and 53 was open. Looks like it is the one responsible for the DNS interception; I did not notice any other standard port open. Is there a way to block that device?
 
You are not directly sending DNS requests to that IP, so I doubt you can block it.

Why don't you simply use encrypted DNS?
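The last two posts turn on the point that the user's clients never address the interceptor directly, so it can't be blocked by IP; it answers whatever plain UDP/53 traffic passes through it. One check a practitioner can run for exactly this situation, added here as an example and not taken from the thread, is to send a plain DNS query to an address that cannot be a resolver and see whether an answer comes back anyway. The target 192.0.2.1 is an assumption (RFC 5737 TEST-NET-1, which should never answer); the query builder, response parser and the constructed interceptor-style reply are written here so the parsing can be exercised offline, and the transaction-ID check is kept because an answer with the wrong ID is an unsolicited packet, not a reply to the probe.

```python
"""Probe for transparent DNS interception on UDP/53.

Added example, not from the thread. Send a plain query to an address that
is not a resolver (assumption: 192.0.2.1, RFC 5737 TEST-NET-1, which should
never answer). Any reply means something on the path answered instead.
"""
import random
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1


def build_query(qname, qtype=QTYPE_A, txid=None):
    """Build a standard recursion-desired query (RFC 1035 section 4.1)."""
    txid = random.randrange(1 << 16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname_wire = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname_wire + struct.pack("!HH", qtype, QCLASS_IN)


def read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if not jumped:
                end = off + 2                      # resume after the pointer
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(pkt, expected_txid):
    """Return rcode and answers; reject a mismatched transaction ID so an
    unsolicited or spoofed packet is not taken as the reply."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    off = 12
    for _ in range(qdcount):                       # skip echoed question(s)
        _, off = read_name(pkt, off)
        off += 4                                   # qtype + qclass
    answers = []
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"rcode": flags & 0xF, "answers": answers}


def build_fake_response(query, ip, ttl=300):
    """Constructed reply of the kind an interceptor returns: echo the
    question, answer with one A record via a pointer (0xC00C) to its name."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA
    answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    return header + query[12:] + answer + socket.inet_aton(ip)


def probe(dead_ip="192.0.2.1", qname="example.com", timeout=2.0):
    """Send to a non-resolver; None means no reply (no interception seen)."""
    txid = random.randrange(1 << 16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname, txid=txid), (dead_ip, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data, txid)


if __name__ == "__main__":
    result = probe()
    print("no reply: plain DNS not intercepted on this path" if result is None
          else f"reply from a non-resolver, interception likely: {result}")
```

A reply to `probe()` does not identify the box that answered (the source address will be the one you sent to, since the interceptor spoofs it), which is the reason the 172.31.125.145 device cannot simply be blocked; it does confirm that plain DNS on this path is being answered by a middlebox, which is the case for moving to DoH/DoT as suggested above.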
 