<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=DE link=blue vlink="#954F72"><div class=WordSection1>
<p class=MsoNormal>Hi all,</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Recently I tried to set up my Unbound server to resolve queries via recursive DoT resolvers. This works pretty well with the following configuration:</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>forward-zone:<br> name: "."<br> forward-tls-upstream: yes<br> # Quad9<br> forward-addr: 9.9.9.9@853#dns.quad9.net<br> # Cloudflare DNS<br> forward-addr: 1.1.1.1@853#cloudflare-dns.com<br> forward-addr: 1.0.0.1@853#cloudflare-dns.com<br> # Google<br> forward-addr: 8.8.8.8@853#dns.google<br> forward-addr: 8.8.4.4@853#dns.google<br> # DNS Privacy<br> forward-addr: 94.130.110.185@853#ns1.dnsprivacy.at<br> forward-addr: 94.130.110.178@853#ns2.dnsprivacy.at<br> # Uncensored<br> forward-addr: 89.233.43.71@853#unicast.censurfridns.dk</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>But the problem arises when it comes to resolution times. With my initial configuration I have an average resolution time of &lt; 100ms. For that I am using this configuration:</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>auth-zone:<br> name: "."<br> master: b.root-servers.net<br> master: d.root-servers.net<br> master: i.root-servers.net<br> master: f.root-servers.net<br> master: j.root-servers.net<br> master: k.root-servers.net<br> url: https://www.internic.net/domain/root.zone<br> #fallback-enabled: yes<br> for-downstream: no<br> #for-upstream: yes<br> zonefile: /var/lib/unbound/root.zone</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>With the TLS way the resolution time increases to &gt; 200ms. When I query one of those TLS DNS servers directly via kdig, I get results in approx. 30-60ms.</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Is this something that one has to live with when using TLS, or do I have a configuration problem on my end?</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Thanks!<br><br></p>
<p class=MsoNormal>Bye</p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Sent from <a href="https://go.microsoft.com/fwlink/?LinkId=550986">Mail</a> for Windows 10</p>
<p class=MsoNormal><o:p> </o:p></p></div></body></html>