DNS Proxy & DNS Cache
DNS Proxy & DNS Cache
1. Does DNS Proxy support http/3 ? If not, can the support be added for faster queries ?
2. Can you add option of customizing DNS Cache size ? Current is 4MB Default and can't be changed.
3. Can you implement optimistic caching in DNS Cache ?
e.g. the client immediatelly receives response of cached entry (with short TTL like 10s), but in the background the router queries upstream DNS servers in case 'original' ttl has expired ?
I feel like DNS cache is great, but current implementation of overriding TTL is too harsh, it doesn't seem to be doing optimistic caching or re-trying to update entries in the background, just caching until specified TTL and thats it, quite useless tbh.
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
Hi @pdu_
Thanks for posting in our business forum.
1. No. DoH and DoT only.
2. This is not gonna be the job of the controller. It is not a DNS server. If you'd like to have a large cache or custom cache size, you should consider building up an internal DNS server.
3. This also sounds like a DNS server setup.
Do you happen to know if this feature is available on other brands? Like Meraki, Mikrotek, or UBNT? Would be helpful for me to collect the feedback.
- Copy Link
- Report Inappropriate Content
@Clive_A "Do you happen to know if this feature is available on other brands? Like Meraki, Mikrotek, or UBNT? Would be helpful for me to collect the feedback."
I am not going to do the research regarding this, I just thought in general this should be pretty great to have such features.
You could be the first you know, no reason to be afraid to be leaders in featureset.
Then again, other providers do have internal DNS already, for resolving clients hostnames, while you don't. And since you already basically have DNS server there, why not populate it with clients as well.. e.g. if I have client named in omada as server, then why not serve server.lan or other custom domain from the cache as well.
Or allow us to add custom entries to the cache ourselves via API, but would be prefered if you would do this internally tbh..
- Copy Link
- Report Inappropriate Content
Hi @pdu_
Thanks for posting in our business forum.
pdu_ wrote
@Clive_A "Do you happen to know if this feature is available on other brands? Like Meraki, Mikrotek, or UBNT? Would be helpful for me to collect the feedback."
I am not going to do the research regarding this, I just thought in general this should be pretty great to have such features.
You could be the first you know, no reason to be afraid to be leaders in featureset.
Then again, other providers do have internal DNS already, for resolving clients hostnames, while you don't. And since you already basically have DNS server there, why not populate it with clients as well.. e.g. if I have client named in omada as server, then why not serve server.lan or other custom domain from the cache as well.
Or allow us to add custom entries to the cache ourselves via API, but would be prefered if you would do this internally tbh..
Then you might wait for this feature in the future. Or if our contract user asks for this immediately.
I understand that you guys from the forum would also want the best/latest tech. I totally understand that but as for the PM or dev, they don't want to hurry in such features. Something else would be more important for the business environment. For the DNS, many of our users don't even know about this new protocol and what's it for.
This is not a DNS server like Adguard or pi-hole. Or any other form of DNS server. We are not gonna focus on a single feature.
Local DNS servers will be implemented in the future which I have explained in other related threads. We have API but if we don't open it up, then the team has its own concerns. We now have added more and more support to API but it is not instant to unlock everything.
- Copy Link
- Report Inappropriate Content
@Clive_A I understand that, but many home users as well as business users don't want to set up their own AGH or PiHole instances.
Some people prefer set and forget solutions, which AGH/PiHole are not, they require HW/SW management and maintenance.
Feature of DNS Proxy and DNS Cache is enough.
Also right now it seems the logic beind DNS Proxy is little bit weird, can you provide more insight how it works ?
Basically it seems it's not preferring the fastest DNS server but rather goes randomly ?
So the problem is that when one of the defined DNS servers is slow or erratic, all clients are affected as well.
EDIT: "Then you might wait for this feature in the future. Or if our contract user asks for this immediately."
Well, I understand that we as one time buyers are probably less important to you guys, compared to contract users, but we still paid for the network infrastructure you are selling so, sure, I can wait for the features but please make sure they are put on the roadmap at least:
- Parallel Upstream DNS request (so the client gets response ASAP, not being affected by erratic or slow DNS upstream)
- Allow more than 2 upstreams
- Optimistic caching (serve expired entries to the client with ttl 10sec while simultaneously updating entry in cache from upstream)
- DNS‑over‑HTTP/3 support, DNS‑over‑QUIC support (optional)
- Provide information about DNS servers used in predefined selections on DNS Proxy page (e.g. there is Quad9 mentioned but they have different options and user has no idea which is being used.)
- SAVE 'custom' dns servers which are provided (currently when you define custom DoH servers and then switch to DoT custom servers, DoH servers are deleted and you have to re-define them again)
These features would be tremendous.
Thank you so much for your work. 👍
- Copy Link
- Report Inappropriate Content
Hi @pdu_
Thanks for posting in our business forum.
pdu_ wrote
@Clive_A I understand that, but many home users as well as business users don't want to set up their own AGH or PiHole instances.
Some people prefer set and forget solutions, which AGH/PiHole are not, they require HW/SW management and maintenance.
Feature of DNS Proxy and DNS Cache is enough.
Also right now it seems the logic beind DNS Proxy is little bit weird, can you provide more insight how it works ?
Basically it seems it's not preferring the fastest DNS server but rather goes randomly ?
So the problem is that when one of the defined DNS servers is slow or erratic, all clients are affected as well.
EDIT: "Then you might wait for this feature in the future. Or if our contract user asks for this immediately."
Well, I understand that we as one time buyers are probably less important to you guys, compared to contract users, but we still paid for the network infrastructure you are selling so, sure, I can wait for the features but please make sure they are put on the roadmap at least:
- Parallel Upstream DNS request (so the client gets response ASAP, not being affected by erratic or slow DNS upstream)
- Allow more than 2 upstreams
- Optimistic caching (serve expired entries to the client with ttl 10sec while simultaneously updating entry in cache from upstream)
- DNS‑over‑HTTP/3 support, DNS‑over‑QUIC support (optional)
- Provide information about DNS servers used in predefined selections on DNS Proxy page (e.g. there is Quad9 mentioned but they have different options and user has no idea which is being used.)
- SAVE 'custom' dns servers which are provided (currently when you define custom DoH servers and then switch to DoT custom servers, DoH servers are deleted and you have to re-define them again)
These features would be tremendous.
Thank you so much for your work. 👍
I cannot guarantee what you asked for is on the roadmap. To anyone, any requests, I cannot.
Second, I still need to research the market. If our competitors do not have these or from the industrial perspective, there is no one doing that, the chance is also small.
Third, from what you asked, which is basically what the AGH or Pi-hole do, so I checked what they require for hardware parts. OFC, both Linux-based.
ER8411 specs:
Hmm, I am a little concerned, TBH. This hardware requirement varies a lot. I cannot say definitely. dnsmasq is super lightweight but does not support what you asked for.
Fourth, brief search for the stuff you asked. https://en.m.wikipedia.org/wiki/Comparison_of_DNS_server_software QUIC does not seem to be universal.
The DNS server would come at the V5.15 controller. But I am not sure if they will include some of the features.
- Copy Link
- Report Inappropriate Content
- Copy Link
- Report Inappropriate Content
Hi @pdu_
pdu_ wrote
Thanks for your valuable feedback and post here. This request has been forwarded to the developer team for further evaluation.
You can subscribe to the firmware release thread which is pinned on the related page. Or pay attention to our official website where most releases will show up there very soon.
As a reminder, any request will be evaluated by our developer team before it is officially added to the roadmap. That may take some time before you see a release with this feature. If your requested feature is not on high priority or not reported by many people, it may be delayed for more feedback.
(This is not a guarantee that your requested feature will be implemented. Only requests passed the evaluation can be added to the roadmap.)
- Copy Link
- Report Inappropriate Content
@Clive_A as for the memory requirements etc.. pi-hole and adguard-home are on the heavy side because they work with block lists/filtering.
There is also something like this, like 5MB storage requirement only: Control-D-Inc/ctrld: A highly configurable, multi-protocol DNS forwarding proxy (github.com)
MIT License btw.. and it has better caching it seems, since it supports cache_serve_stale option according to this ctrld/docs/config.md at main · Control-D-Inc/ctrld (github.com)
And it has client discovery too.
But yeah this isn't universal tool as well I guess..
Anyway however since it supports OpenWRT (which you use on the ER605) then maybe you could allow us to enable this as a service instead of using unbound (current DNS proxy) ?
- Copy Link
- Report Inappropriate Content
@Clive_A And I think I possibly found a bug in dns proxy
When following is met:
1. Using ad blocking upstream where response for blocked domains is 0.0.0.0
2. Overwriting TTL to max value
the DNS cache saves this entry, response returns correct TTL but then after original TTL has expired (10s) the router queries upstream again, even though the entry is already in the cache. It doesn't respond from cache, instead waits for upstream response.
this basically means the TTL override is useless for entries with 0.0.0.0 response.
EDIT: This only happens when querying AAAA as well as A entries, A entry is cached and works properly, so this probably isn't issue of the cache, since it clearly only caches A (ipv4) entries but not AAAA (ipv6)
- Copy Link
- Report Inappropriate Content
@Clive_A Also it seems you guys stopped people from using debug mode with newest firmware updates, now the passwords generated previously via md5 dont work anymore.
Can you provide a guide on how to access debug mode now ? How to generate password or simply how to get to the system via ssh ?
Seems this is breaking it:
Previously we were able to generate root and CLI debug mode passwords, now they dont work.
- Copy Link
- Report Inappropriate Content
Information
Helpful: 1
Views: 2461
Replies: 12
Voters 0
No one has voted for it yet.