Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Alex Atkin UK]

https://www.youtube.com/watch?v=cdb7M37o9sU

[meritez]

DNS-over-QUIC is so much faster than anything else I've ever used

[Alex Atkin UK]

Surely classic DNS will always be faster?  But DNS over QUIC should fix DNS over TLS/HTTPS being considerably slower.

Although since moving to FTTP everything loads quicker than I've ever experienced before, even though pfSense is doing DNS over TLS to Cloudflare.  My LAN is using classic DNS to pfSense as no point adding overhead on the LAN side.

Nice to see DNS-over-QUIC coming to Unbound, though with the speed Netgate move pfSense might have it in ten years. 

[Chrysalis]

Well because Netgate were been stubborn on keeping that stupid default on DNS records updating for dynamic DHCP they rolled back unbound to an older version to fix an issue with that setting and I believe its still stuck on that version.

DNS over QUIC I expect will be similar to DNS over HTTPS.  But without having to do TCP negotiation.

Ironically DNSCrypt itself which has been around ages is also quite fast compared to DNS over TLS,  but I think the complexity of setting it up prevented it from been taken on as the mainstream option.

Checking on OPNSense that doesnt seem to forcefully lock Unbound and even on an old build of OPNSense I can upgrade to a newer version of Unbound thats on the latest pfSense.

[Alex Atkin UK]

Well because Netgate were been stubborn on keeping that stupid default on DNS records updating for dynamic DHCP they rolled back unbound to an older version to fix an issue with that setting and I believe its still stuck on that version.

Yeah that's utterly stupid.  It takes Unbound way too long to reload as it is, having it happen every time a DHCP lease renews is moronic. I don't understand why anyone would want that and not just use static entries instead.

[Weaver]

A great video lecture. Really enjoyed it. So my Safari doesn’t have QUIC enabled, although the code is in there, or something.

I realise that no—one’s doing it, for firewall compatibility reasons, but I wonder if there’s an IP protocol number allocated and reserved for QUIC/IP as opposed to QUIC/UDP/IP. It would be nice to be able to at least consider dumping the UDP junk one day in the far future maybe.

When he was talking about link mobility - a really wonderful reason to get rid of TCP, and I think I posted something years ago about computer UIDs - that made me think and I had a whole load of questions. When I switch from the WLAN>DSL pipe over to 4G on my ipad, what is supposed to happen if the new MTU is crap? Which it certainly will be be in the case where my Firebrick router switches over from DSL to failover 3G via a USB ‘dongle’? To try and fix this, I currently run an IPv6 low MTU, and for IPv4 I just let it fragment, which might not be a clever idea, but it’s a bit hard to test it just now.

Worse than this, when I switch to 4G or 3G via AQL/A&A, even though it’s A&A, champions of IPv6 for 20 years or something, the networks are still too lazy to support IPv6. So I have to switch to AA’s tunnelling over IPv4, which works beautifully, but creates the MTU problem. And luckily I’m ducking it by having a very low MTU of 1408 bytes for IPv6.

MTUs for internetworking should now imho have a minimum MTU of 1600 bytes (yay for BT), then going to a preferred 9k or 4k depending on what future hardware can reasonably cope with.

[Chrysalis]

Yeah that's utterly stupid.  It takes Unbound way too long to reload as it is, having it happen every time a DHCP lease renews is moronic. I don't understand why anyone would want that and not just use static entries instead.

Just watched most of the video, thanks for posting it.  So its a bit better than I thought it was and interesting to learn the reasl reason the UDP protocol is been used.

Sadly Apache are dragging their feet, as far as I know they havent started work on implementing QUIC support yet.  Nginx I think have been working on it though.

We both agree on Netgate's stance.

[Alex Atkin UK]

MTUs for internetworking should now imho have a minimum MTU of 1600 bytes (yay for BT), then going to a preferred 9k or 4k depending on what future hardware can reasonably cope with.

For relatively short interconnects then sure, I believe its more problematic once you go long distance as you don't want large MTUs over high-latency links that are prone to packet loss.

I'd think that high MTUs is rather detrimental on a shared medium as you can serve less concurrent clients?  Even on a 10Gbit LAN I've found very little real-world benefit to large MTUs and in fact I got WORSE performance above a certain size.

[Weaver]

Alex, it might depend on what hardware support there is for 9k ? If all your TCP/IP operations are already handled in hardware, even in 9k, then you’re not gaining as much benefit from the CPU load reduction due to the greatly reduced number of io operations and therefore interrupts. And the interrupt reduction (mitigation ?) thing that some systems use to reduce the number of interrupts might come into it too? I’m thinking of the "large send" offload hardware support thing (especially in ipv6) where you just give the hardware say 35k of data and say "deal with it, send this with TCP".

There are two things we could be talking about there: speed of the transfer, and CPU use, important on servers and some other systems perhaps.

[Alex Atkin UK]

If all your TCP/IP operations are already handled in hardware, even in 9k, then you’re not gaining as much benefit from the CPU load reduction due to the greatly reduced number of io operations and therefore interrupts. And the interrupt reduction (mitigation ?) thing that some systems use to reduce the number of interrupts might come into it too?

If I recall correctly I had to disable interrupt moderation on my NAS and clients as I couldn't get close to line rate with it enabled.

Actually the strange thing was, if the NAS had it enabled, Windows clients performed poorly.  If I disabled it on the NAS, Windows clients performed fine. 
Linux clients were completely fine either way.

[Weaver]

Interrupt moderation is a really horrible idea. We have really fast CPUs now with lots of cores, interrupts can land on a core that’s not busy with anything critical, so who freaks out about the cost of interrupts now? Jumbo frames cut the number of interrupts by a factor of 6, so that’s there if you’re that worried about CPU load while you’re trying to compute flat out in parallel with doing io. Just get more threads, or, better, more megahertz, or a more execution units CPU such as the best AMD ones which can in optimum conditions execute 5 micro ops in parallel, not 4, so can sometimes manage more insns per megahertz.

[Chrysalis]

Cloudflare got themselves into a spot of bother with an obsession on maxing MTU size, A while back it was agreed for everyone to use 1280 for IPv6 as it would fit in all types of broadband and kill negotiation issues, but some companies like cloudflare broke ranks as they wanted that tiny resource saving going up to 1500, they started discovering black hole connectivity issues so dropped back to 1280 again.

The reason I prefer 1500 on my IPv4 is nothing to do with overhead but merely for compatibility.

My experience with interrupt moderation is it is a much less evil than stuff like TSO, LRO, GRO, and GSO. Interrupts are not necessarily spread out over multiple cores either, depends on the configuration and capability of the driver and kernel.

For reference my IPv6 MTU is 1280.

[Weaver]

As I recall the 1280 figure was arrived at a long long time ago, before ‘broadband’ ie DSL and it was arrived at by thinking about links that include those long forgotten now such as X25. I use 1408 because it’s faster than 1500, because it’s an exact number of completely filled ATM cells on my ADSL2 links with the overheads that I have with PPPoEoA. It needs to be so low because of the 1440 MTU in my stupid 3G USB NIC that the Firebrick uses for failover, then that minus 20 for IPv6 tunnelling in IPv4 and then it’s the largest ATM sweet-spot below that. But as Chrys says, there’s something to be said for having a reduced LAN MTU in IPv6, but I don’t see the need to go down quite as far as 1280, but then it matters little anyway. I would still recommend thinking about something like 1400 on IPv6.

I do still remain a big fan of 9k. Partly irrationally! I understand, but don’t accept Alex’s point about unreliable links dropping a packet that can either be 1500 bytes or 9k. We aren’t talking about corruption, because future networks are all perfect, and if you still have DSL for the next few days, get G.INP / PhyR as you need a per-link-hop L2 retx protocol which has very low RTT, just over the one single link. Without L2ReTX, DSL is inferior to dialup, seeing as all modems 32 years ago had L2 retx and very good it was too. That case makes Alex’s point about small MTUs and thus small PDUs perfectly; those 1990s dialup modem L2retx protocols used iirc 64 bytes as the DTU, that way they could cope with very unreliable links and the time cost of retransmitting a lost DTU was low. Also the probability of getting a DTU is really kept low if the DTU is corrupted in 1 bit and then same again when you retry, then seem again, so you never ever get anywhere.

Legitimate router drops I will talk about next. One packet’s cost is the time it takes transport protocols to ramp up again; it’s not the cost of the time to transmit one PDU, be it 9k or 1500 bytes, because networks are so ridiculously fast now compared to when the internet was around in the 1980s with 9600 bps dialup modem links, or 32k / 64kbps if you were lucky. In 1994 I had an X.25 link at work to another site, was put in by BT and it was 9600 bps even then. No dialup. My point is that as speeds go up, other design parameters should scale up to suit. And the number of PDUs that need to be sent, and number of io operations needed to be initiated in order to send a medium-large block of data is a bit silly now. Also routers can have GB of RAM in them if they wish, for buffers. Of course huge buffers per flow are evil as we know; bad queuing hell. The interplanetary network protocol or ‘bundle’ network assumes that routers will have huge amounts of non-volatile storage, so not just loads of RAM but gigantic hard disks too. (Because unlike the internet, a bundle protocol router can be charged with long-term custody over a bundle, holding on to it and ensuring it gets to its destination some day. I’ve forgotten what the correct term for this optional feature is; it’s negotiated if a sender asks for it.)

Anyway, if we were designing a network layer nowadays, no way would I even think of something as small as 1.5 kB; at least 4kB would cross my mind, then 16kB or 60kB (NOT 64*1024=65536 !). I would be thinking about current and future RAM architectures, page sizes and cache friendliness related size numbers.

Btw, I wonder what max L4 PDU size QUIC uses in IPv4 and IPv6?

[XGS_Is_On]

Btw, I wonder what max L4 PDU size QUIC uses in IPv4 and IPv6?

Whatever fits in the IP MTU. QUIC relies on the UDP and IP layers to guide payload size. It has a minimum requirement but can and will use PMTU information to make best use of the link.

[neil]

How to enable DNS over QUIC in openwrt router? I have dns over https.
And will it be able to bypass firewall filtering? At ISP or country level? First it was simple DNS filtering, you were able to bypass it using google dns but now you can't bypass unless you start using VPN.