
High DoH resolution latency

My DoH resolution latency is consistently ~ 500 ms despite relatively low network latency and much faster standard DNS lookups. I believe this is having a very adverse effect on browser performance. I strongly prefer the privacy DoH offers and would rather not configure my clients to use standard DNS.

Any recommendations for additional troubleshooting?


jeffl@Dell:~$ bin/trustydns-dig https://dns.nextdns.io google.com mx
;; opcode: QUERY, status: NOERROR, id: 53538
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;google.com.    IN       MX

;; ANSWER SECTION:
google.com. 300 IN MX 10 smtp.google.com.

;; ADDITIONAL SECTION:

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: ; udp: 1232

;; Query Time: 423ms/0s
;; Final Server: https://dns.nextdns.io
;; Tries: 1(queries) 1(servers)
;; Payload Size: 80

jeffl@Dell:~$


jeffl@Dell:~$ dig @45.90.28.175 www.yahoo.com

; <<>> DiG 9.18.28-1~deb12u2-Debian <<>> @45.90.28.175 www.yahoo.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48433
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;www.yahoo.com.                 IN      A

;; ANSWER SECTION:
www.yahoo.com. 35 IN CNAME me-ycpi-cf-www.g06.yahoodns.net.
me-ycpi-cf-www.g06.yahoodns.net. 35 IN A 209.73.179.248
me-ycpi-cf-www.g06.yahoodns.net. 35 IN A 209.73.179.247

;; Query time: 20 msec
;; SERVER: 45.90.28.175#53(45.90.28.175) (UDP)
;; WHEN: Thu Dec 05 10:26:00 EST 2024
;; MSG SIZE  rcvd: 119

jeffl@Dell:~$


jeffl@Dell:~$ sh -c 'sh -c "$(curl -s https://nextdns.io/diag)"'

Welcome to NextDNS network diagnostic tool.

This tool will download a small binary to capture latency and routing information
regarding the connectivity of your network with NextDNS. In order to perform a
traceroute, root permission is required. You may therefore be asked to provide
your password for sudo.

The source code of this tool is available at https://github.com/nextdns/diag

Do you want to continue? (press enter to accept)
[sudo] password for jeffl:
Testing IPv6 connectivity
  available: false
Fetching https://test.nextdns.io
  status: ok
  client: 2600:4040:4025:a500:f4be:481f:aff7:cff0
  protocol: UDP
  dest IP:
  server: vultr-atl-1
Fetching PoP name for ultra low latency primary IPv4 (ipv4.dns1.nextdns.io)
  hetzner-iad: 8.417ms
Fetching PoP name for ultra low latency secondary IPv4 (ipv4.dns2.nextdns.io)
  zepto-iad: 32.955ms
Fetching PoP name for anycast primary IPv4 (45.90.28.0)
  vultr-atl: 22.939ms
Fetching PoP name for anycast secondary IPv4 (45.90.30.0)
  zepto-iad: 9.386ms
Pinging PoPs
  hydron-clt: 9.298ms
  hetzner-iad: 9.36ms
  anexia-mnz: 9.352ms
  anexia-ewr: 9.324ms
  zepto-xrs: 19.305ms
  zepto-iad: 21.107ms
  tier-clt: 22.799ms
  vultr-ewr: 21.104ms
  teraswitch-pit: 40.022ms
  cloudzy-pit: 59.538ms
Traceroute for ultra low latency primary IPv4 (5.161.43.197)
    1    192.168.0.1   29ms  15ms  15ms
    2     72.86.37.1    6ms   8ms   7ms
    3  100.41.24.130   17ms   4ms  14ms
    4                   *     *     *
    5                   *     *     *
    6  62.115.56.201   12ms  11ms   9ms
    7     5.161.0.82    9ms   9ms   9ms
    8                   *     *     *
    9    5.161.8.250   12ms   9ms   9ms
   10   5.161.43.197   11ms  12ms   5ms
Traceroute for ultra low latency secondary IPv4 (199.119.65.94)
    1    192.168.0.1    1ms   0ms   0ms
    2     72.86.37.1    9ms   9ms   7ms
    3  100.41.24.132   11ms  10ms   7ms
    4                   *     *     *
    5 80.239.135.178    9ms  12ms   *
    6   62.115.10.98    6ms  10ms  21ms
    7 45.134.214.101    7ms   8ms  11ms
    8  199.119.65.14    7ms   9ms  16ms
    9  199.119.65.94   13ms  10ms   9ms
Traceroute for anycast primary IPv4 (45.90.28.0)
    1    192.168.0.1    0ms   0ms   0ms
    2     72.86.37.1   21ms  14ms   5ms
    3  100.41.24.130   11ms   9ms  11ms
    4                   *     *     *
    5 80.239.135.178    9ms  11ms   *
    6 62.115.123.124   10ms   *    17ms
    7                   *     *     *
    8 62.115.138.241   20ms  21ms  28ms
    9 213.248.96.151   28ms  20ms  25ms
   10                   *     *     *
   11                   *     *     *
   12                   *     *     *
   13     45.90.28.0   24ms  17ms  20ms
Traceroute for anycast secondary IPv4 (45.90.30.0)
    1    192.168.0.1    2ms   2ms   0ms
    2     72.86.37.1   12ms   5ms  10ms
    3  100.41.24.130   13ms   7ms  17ms
    4                   *     *     *
    5 80.239.135.178    *     *    10ms
    6   62.115.10.98   17ms  10ms  19ms
    7 45.134.214.101    9ms  11ms   9ms
    8  199.119.65.14    7ms  12ms   7ms
    9     45.90.30.0   13ms   6ms  12ms
Do you want to send this report? [Y/n]:

5 replies

    • ChrisC
    • 10 mths ago

    What software are you using for DoH? I am using dnscrypt and it's very fast, same speed as cloudflare.

      • Jeff_Loughridge
      • 10 mths ago

       I have the nextdns client loaded on most end systems. In addition, I have secure DNS configured in Chrome to use NextDNS. My understanding is that either one should be sufficient for the client to use DoH.

    • NextDNs
    • 10 mths ago

    Looking at the report, your queries seem to be around 8 and 30ms.

      • Jeff_Loughridge
      • 10 mths ago

      I recognize that I could analyze the NextDNS diag tool's source code on GitHub; however, short of that or a wireshark capture, I am not clear on what tests the diag is executing. The trustydns client I'm using (https://github.com/markdingo/trustydns) is explicitly using DoH. Is there a doubt about its reporting of ~ 500 ms latency? I see much faster DoH resolution when I use trustydns to query public DoH servers. I cannot rule out that I am improperly analyzing what is happening.

      • Jeff_Loughridge
      • 10 mths ago

       I wanted to follow up on this. If you doubt the results of the trustydns command line tool which shows 400 to 500 ms, is there an alternate command line tool that you want me to execute to measure DoH resolution time?
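An added example for the question of how else to measure DoH resolution time; this script is not part of the thread and is not code from trustydns, NextDNS or BIND. It builds the RFC 8484 wire-format query by hand, sends it with curl in the GET "?dns=" form, and reports the time at which the TLS handshake finished separately from the total, then sends several queries over one reused connection. The point it is meant to expose: a tool that issues a single query on a fresh connection (the "Tries: 1" run above) pays TCP and TLS setup, typically two or three round trips plus any certificate checks, on top of the query, whereas a long-running DoH client reuses its connection and pays only the query; the diag report's ping and traceroute figures measure neither. If both the cold and the warm numbers sit near 400-500 ms, the resolver path itself is slow; if only the cold number does, connection reuse in the client (or a middlebox resetting connections) is the thing to look at. The resolver URL is taken as an argument; the https://dns.nextdns.io/dns-query path in the usage comment is an assumption, so use whatever endpoint the client is actually configured with. The last function uses dig's own DoH support (+https, present in BIND 9.18, the version shown above) as a third, independent measurement.

```shell
#!/bin/sh
# Added example (not from the thread, trustydns, NextDNS or BIND): time DoH
# queries with curl and separate connection setup from the query itself.

# Emit an RFC 8484 wire-format query for NAME (arg 1) and TYPE (arg 2,
# default A), base64url-encoded without padding, for the GET "?dns=" form.
# ID is 0 and only RD is set, as RFC 8484 section 4.1 suggests, so that
# identical queries produce identical URLs.
doh_query_b64() {
    name=${1%.}                      # drop a trailing dot, if any
    case ${2:-A} in
        A)    qtype='\000\001' ;;
        NS)   qtype='\000\002' ;;
        MX)   qtype='\000\017' ;;    # 15
        TXT)  qtype='\000\020' ;;    # 16
        AAAA) qtype='\000\034' ;;    # 28
        *)    echo "unsupported qtype: $2" >&2; return 1 ;;
    esac
    {
        # header: ID=0, flags=0x0100 (RD), QDCOUNT=1, AN/NS/ARCOUNT=0
        printf '\000\000\001\000\000\001\000\000\000\000\000\000'
        # QNAME: a length byte before each label, then the root label
        oldifs=$IFS
        IFS=.
        for label in $name; do
            printf "\\$(printf '%03o' "${#label}")"
            printf '%s' "$label"
        done
        IFS=$oldifs
        printf '\000'
        printf "$qtype"              # QTYPE
        printf '\000\001'            # QCLASS IN
    } | base64 | tr -d '\n=' | tr '+/' '-_'
}

# One-shot DoH timing on a fresh TCP+TLS connection: the "resolution
# latency" a single-query tool reports. tls_done is when the handshake
# completed; everything after it is the DNS exchange itself.
doh_time_cold() {
    curl -s -o /dev/null \
         -H 'accept: application/dns-message' \
         -w 'cold: tls_done=%{time_appconnect}s total=%{time_total}s\n' \
         "$1?dns=$(doh_query_b64 "$2" "$3")"
}

# Several names of one TYPE in a single curl invocation: transfers after the
# first reuse the connection (tls_done shows 0), which is the per-query cost a
# long-lived DoH client pays. Different names avoid HTTP-level caching of
# identical GET URLs skewing the comparison.
doh_time_warm() {
    url=$1; qtype=$2; shift 2
    args=""
    for n in "$@"; do
        args="$args -o /dev/null $url?dns=$(doh_query_b64 "$n" "$qtype")"
    done
    # $args is deliberately unquoted: it holds URLs and base64url tokens only
    curl -s -H 'accept: application/dns-message' \
         -w 'transfer: tls_done=%{time_appconnect}s total=%{time_total}s\n' \
         $args
}

# Independent check with dig's native DoH support (BIND 9.18 and later);
# arg 1 is the resolver hostname, dig uses the /dns-query path by default.
dig_https_time() {
    dig +https @"$1" "$2" "$3" | awk '/Query time/ {print "dig +https:", $4, "ms"}'
}

# Live run (needs network), e.g.:
#   sh doh-timing.sh https://dns.nextdns.io/dns-query
# The path is an assumption; use the endpoint your client is configured with.
if [ $# -ge 1 ]; then
    url=$1
    host=${url#https://}; host=${host%%/*}
    doh_time_cold "$url" google.com MX
    doh_time_warm "$url" A google.com www.yahoo.com example.com
    dig_https_time "$host" google.com MX
fi
```

Read the cold line first: if tls_done is already most of the total, the query itself is fast and the cost is connection setup. curl can also resolve names through DoH on its own (--doh-url, available since 7.62.0), and its %{time_namelookup} write-out variable then reports just the lookup portion of a fetch, which is the number that actually matters to a browser. Running the script from another network (phone hotspot) separates a slow resolver from a slow path, the same way the dig run above separated UDP from DoH.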
