Associate
No Idea never tried...
Do you change DNS?
- Thread starter danlightbulb
- Start date
Associate
But just sending a Query over an HTTPS port doesn't make any sense!
Edited to save confusion.
Edited to save confusion.
Last edited:
thanks for this posting, I asked something similar a while back but the answers I got from another board made it sound like an almost yes and no answer... I always felt there was something still popping up on the ISP side.
If you trust your VPN provider they usually offer a DNS server which is what I do anyhow, for rest of devices that require access to clear net I tend to use quad9/cloudflare but now at least I know even that is not safe for data leakage.
Think ill switch to Cloudflare for now and check into other DNS options later on, maybe quad9 is just minus one 9 and all data goes to City of London Police and the Manhattan District Attorney's Office.
Quad9 is a non-profit and sponsored by those agencies and more with a view to reducing cybercrime. That's why they ended up by far the best anti-malware/anti-botnet/anti-everything-bad DNS provider by far, even significantly in excess of Cloudflare's malware blocking service. They're not actually affiliated (in the sense you mean) with LEA.
If you're that concerned (and it's legitimate to be, I'm not deriding you), you might like Mullvad DNS. It's blazing fast, has unfiltered and ad/malware blocking variants, and is run by one of the most audited and trusted VPN companies. Run a proxying forwarder on your LAN and set it to forward all your traffic over DoH or DoT to whomever you choose. Then set your browsers to enable ECH and - short of using Tor or VPN - you've done all you can for now.
Soldato
been using Techitium since 28th Jan (in recursive mode) and I can already tell the difference in browsing speeds compared to AGH, it is blazing fast.
Usage:
I can highly recommend it!
Last edited:
I really like Technitium, and you're right - it's very fast. For my use case I'd want/need per client blocklists. There *is* a plugin for that, but the syntax is a little convoluted and it doesn't appear there's any quick way to do it, so it's on the pile for Future Me.
Associate
I would have to agree with what you both said, Technitium is very fast and easy to implement on various systems. the instructions are well written and clear.
You have to hand it to them though, it would take me quite a while to re-rebuild my current deployment with Unbound/Pihole vs Technitium in just a few minutes to deploy the same features more or less.
You have to hand it to them though, it would take me quite a while to re-rebuild my current deployment with Unbound/Pihole vs Technitium in just a few minutes to deploy the same features more or less.
My main issue is their syntax for the advanced blocking app. The regular blocking doesn't allow per-client list choices, and the advanced blocking app doesn't accept plain text IP ranges. I have no problem with manual config (see: Blocky), but for the Technitium advanced blocking app everything has to be done the 'long way'. My network is just a regular /24, but there's six of us - me, my wife, and four kids. We all have iPhones/iPads/laptops/PCs/smart watch etc, then there's smart devices and FireTV Sticks, plus CCTV cameras, plus IoT devices, plus multiple physical servers, and so on. Because of client config requirements in AGH, running DHCP was no good - I needed each client to stay recognisable over the long term. I ended up just basically dumping DHCP for resident devices, and assigning everyone 10 IP addresses:
Code:
--- Core networking equipment
10.100.0.1 - border router running VyOS 1.3 LTS, CLI only
10.100.0.2 - core managed/L3 switch
--- Personal device ranges
10.100.0.10 to 10.100.0.19 - My devices
10.100.0.20 to 10.100.0.29 - Wife's devices
10.100.0.30 to 10.100.0.39 - Eldest's devices
10.100.0.40 to 10.100.0.49 - Child 2's devices
10.100.0.50 to 10.100.0.59 - Child 3's devices
10.100.0.60 to 10.100.0.69 - Child 4's devices
10.100.0.70 to 10.100.0.79 - Old/random/inherited devices
----------
Legacy server IP assignments from before the re-segment, carried up 100 IPs out of the' family' range, but kept memorable.
That is, 10.100.0.5 became 10.100.0.150, 10.100.0.12 became 10.100.0.152 etc:
--- Printers ---
10.100.0.111 - HP LaserJet printer
10.100.0.112 - Epson sublimation printer (wife's projects)
10.100.0.115 - Ruckus R710 enterprise WiFi AP
--- CCTV and servers ---
10.100.0.142 - Hikvision 4K CCTV camera (front of house)
10.100.0.143 - Hikvision 4k CCTV camera (side of house)
10.100.0.144 - Hikvision 4k CCTV camera (rear of house)
10.100.0.150 - DiskStation NAS (CCTV surveillance station / NVR, primary Docker host fronting domain services, downloaders, *arrs. Vaultwarden etc)
10.100.0.152 - Raspberry Pi 3B (secondary LAN DNS, running DietPi)
10.100.0.153 - Radxa Rock 5 model B (primary LAN DNS, reverse proxy for my domain, Docker host etc)
--- Media devices ---
10.100.0.180 - TiVO v6 Virgin box (downstairs)
10.100.0.181 - TiVO v6 Virgin box (upstairs)
10.100.0.190 - FireTV Stick 4K (upstairs)
10.100.0.191 - FireTV Stick 4K (downstairs)
10.100.0.192 - Ring doorbell (front door)
10.100.0.193 - Echo Show 5 (freebie)
10.100.0.199 - Google Nest Mini (freebie)
--- DHCP range for visitors and guests, on segregated guest AP with captive portal
10.100.0.200 to 10.100.0.254As you can see it's a bit of a spread, but it made the most logical sense at the time versus completely gutting all my configs and years of muscle memory to completely rebase everything. It has an odd layout, but it makes sense to me. Everyone has their own small range with some room to grow, and although there's some 'wasted' space in the middle it can always be used in future if needs must. I'll certainly never need more than 50 DHCP addresses for guests, so all's well that ends well. You can see how it's a bit of a pain to set up DNS blocking per-client in an app that doesn't support explicit ranges, though!
In Blocky I can just say (paraphrased)
Eldest child: 10.100.0.30-10.100.0.39; ads/malware/gambling. However, Technitium's Advanced Blocking app demands explicit IPs or CIDR networks, not plain text IP ranges. The closest I can come to what is a few intuitive lines in Blocky is to either list every IP between 10.100.0.10 and 10.100.0.70 and name them repeatedly into 'network groups' (me, me, me, me, wife, wife, wife etc) or convert the ranges to awkward CIDR blocks... And yes, I got around to it today after all - because posting here that I was putting it off irked me enough to actually do it haha!
Code:
{
"enableBlocking": true,
"blockListUrlUpdateIntervalHours": 12,
"networkGroupMap": {
"0.0.0.0/0": "default",
"10.100.0.30/31": "eldest",
"10.100.0.32/29": "eldest",
"10.100.0.40/29": "kids",
"10.100.0.48/28": "kids",
"10.100.0.64/30": "kids",
"10.100.0.68/31": "kids"
},
"groups": [
{
"name": "default",
"enableBlocking": true,
"allowTxtBlockingReport": true,
"blockAsNxDomain": false,
"blockingAddresses": [
"0.0.0.0",
"::"
],
"allowed": [],
"blocked": ["dns.google", "dns.google.com", "dns.opendns.com", "dns.cloudflare-dns.com"],
"allowListUrls": [],
"blockListUrls": [],
"allowedRegex": [],
"blockedRegex": [],
"regexAllowListUrls": [],
"regexBlockListUrls": [],
"adblockListUrls": ["https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.plus.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif.txt"]
},
{
"name": "eldest",
"enableBlocking": true,
"allowTxtBlockingReport": true,
"blockAsNxDomain": false,
"blockingAddresses": [
"0.0.0.0",
"::"
],
"allowed": [],
"blocked": ["dns.google", "dns.google.com", "dns.opendns.com", "dns.cloudflare-dns.com"],
"allowListUrls": [],
"blockListUrls": [],
"allowedRegex": [],
"blockedRegex": [],
"regexAllowListUrls": [],
"regexBlockListUrls": [],
"adblockListUrls": ["https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.plus.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/anti.piracy.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/gambling.txt"]
},
{
"name": "kids",
"enableBlocking": true,
"allowTxtBlockingReport": true,
"blockAsNxDomain": false,
"blockingAddresses": [
"0.0.0.0",
"::"
],
"allowed": [],
"blocked": ["dns.google", "dns.google.com", "dns.opendns.com", "dns.cloudflare-dns.com"],
"allowListUrls": [],
"blockListUrls": [],
"allowedRegex": [],
"blockedRegex": [],
"regexAllowListUrls": [],
"regexBlockListUrls": [],
"adblockListUrls": ["https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.plus.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif.txt", "https://nsfw.oisd.nl", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/anti.piracy.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/gambling.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/nosafesearch.txt"]
}
]
}As you can see, that's a real mouthful compared to the short, snappy and easy to grasp way Blocky does it - and it's *still* less flexible and powerful. The rest of the package helps make up for it, though, with the raw speed and easy logging to database, webUI etc. I'll give it a spin on one of the LAN DNS and see how I get on with it.
Edit: Syntax (irony!), because Technitium/JSON requires all URLS in quotes or it won't work.
Last edited:
Associate
My needs are as fast as I can get vs power usage, it would appear Technitium wins in that context. Lets hope they add better functionality/features soon!
Cache wins everytime in this test at least vs pihole.
Cache wins everytime in this test at least vs pihole.
Associate
- Joined
- 28 Nov 2011
- Posts
- 1,665
Using ISP DNS. I'm sure KCOM have local cache. Whenever I've looked at the speed test for DNS and I've added in the IP's for KCOM's DNS they've always been on top!
Soldato
The Dev is open to requests/ideas, post here: https://github.com/TechnitiumSoftware/DnsServer/discussions/categories/ideasMy needs are as fast as I can get vs power usage, it would appear Technitium wins in that context. Lets hope they add better functionality/features soon!
Cache wins everytime in this test at least vs pihole.
Associate
I was more pointing for other people, I'm still testing. Bottom set pihole.
For context for people following along https://www.grc.com/dns/gallery.htm
For context for people following along https://www.grc.com/dns/gallery.htm
Currently checking out the alternative DNS services mentioned in this thread and thought I'd switch to Quad9 and spin up a pihole container on a spare Intel i3 NUC.
This might be a pihole question, but think it's a DNS related. With just the default master block list, and the four Quad9 DNS boxes ticked I get plenty of ‘DNS_PROBE_POSSIBLE’ browser messages and failed loading of pages. Refreshing or waiting then the page will eventually load. No blocked domains in pihole log.
The NUC doesn't seem to be choking, resource wise.
What's a common cause of pages not loading first attempt, then being allowed through?
This might be a pihole question, but think it's a DNS related. With just the default master block list, and the four Quad9 DNS boxes ticked I get plenty of ‘DNS_PROBE_POSSIBLE’ browser messages and failed loading of pages. Refreshing or waiting then the page will eventually load. No blocked domains in pihole log.
The NUC doesn't seem to be choking, resource wise.
What's a common cause of pages not loading first attempt, then being allowed through?
Some initial testing on a Beelink SER5 (Ryzen 5500u, 16GB RAM, 512GB NVMe) show that per 10,000 queries AdGuard Home is fastest at resolving at around 400 queries per second and 2ms response time, with 3% CPU usage. Blocky was much slower at 60qps (I suspect the number of goroutines needs tweaking up) and still 2ms response time with 7% CPU usage. Technitium managed the same 400qps as AGH, with 2ms response times but 25% CPU usage(!). I suspect a combination of dotnet rearing its head, advanced blocking app (three sets of custom filtering) and logging queries to SQL there.
All upstreams and filter lists were the same across tests. Overall I still prefer Technitium objectively, mostly because of the fact it can also be authoritative DNS for your domain(s) while staying recursive for regular DNS queries. AGH is ingrained in me now (I've used it since the first alpha launch), so it's hard to ditch it completely - especially with such good performance in recent versions. I figured some of you may find these limited results interesting.
All upstreams and filter lists were the same across tests. Overall I still prefer Technitium objectively, mostly because of the fact it can also be authoritative DNS for your domain(s) while staying recursive for regular DNS queries. AGH is ingrained in me now (I've used it since the first alpha launch), so it's hard to ditch it completely - especially with such good performance in recent versions. I figured some of you may find these limited results interesting.