<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=DE link=blue vlink="#954F72"><div class=WordSection1><p class=MsoNormal>Hi Joe,</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>thanks for your answer!</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I am Aware that the „delay“ is only noticable when a host is actually not cached, but I was wondering why DoT (DNS over TLS) is bringing such a performance decrease.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I have tested both the configurations based on a few static Domains where I can clearly see, that using DoT is much slower.The strange Thing is that querying one particular resolver for one Domain with and without TLS (without unbound inbetween) give very similar Timings. So there must be something on Unbound side making the difference. My Question was whether this is a configuration issue or a given fact when using Unbound with TLS.</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Bye</p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>Gesendet von <a href="https://go.microsoft.com/fwlink/?LinkId=550986">Mail</a> für Windows 10</p><p class=MsoNormal><o:p> </o:p></p><div style='mso-element:para-border-div;border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal style='border:none;padding:0cm'><b>Von: </b><a href="mailto:jabley@hopcount.ca">Joe Abley</a><br><b>Gesendet: </b>Freitag, 20. März 2020 14:57<br><b>An: </b><a href="mailto:talk.about@gmx.de">Talkabout</a><br><b>Cc: </b><a href="mailto:unbound-users@nlnetlabs.nl">unbound-users@nlnetlabs.nl</a><br><b>Betreff: </b>Re: DoT resolvers - Slow results</p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>Hey,</p></div><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On Fri, 20 Mar 2020 at 09:45, Talkabout via Unbound-users <<a href="mailto:unbound-users@lists.nlnetlabs.nl">unbound-users@lists.nlnetlabs.nl</a>> wrote:</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><div><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>But the Problem arises when it Comes to Resolution times. With my initial configuration I have an average resolution time of < 100ms. [...]</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>With the TLS way the Resolution time increases to > 200ms. When I query one of those TLS DNS Servers directly via kdig, I get results in approx. 30-60ms.</p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'> </p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'>Is this something that one has to live with when using TLS or do I have a configuration Problem on my end?</p></div></div></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>This is very much a meta-answer (I have no suggestions for your unbound question) but it may be worth remembering that the performance that the clients of your resolver see generally has far more to do with the cache hit rate than the time taken to process a cache miss.</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>A difference of 100ms in resolution time looks like a 100% increase in processing time and I appreciate why that looks worrying.</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>However, if a particular upstream server sends responses with a TTL of 3600 seconds and your client traffic needs those responses once a second, though, then it's only 1/3600 of your queries that see the extra latency. This looks far less worrying.</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>A better test of resolver performance is to find some standard, repeatable tests that emulate what end-users are doing and run them regularly. Tests like "load the front page of <a href="http://amazon.com">amazon.com</a>" or "Load the front page of <a href="http://youtube.com">youtube.com</a>" still involve a lot of DNS traffic and are more reflective of what users actually do than "retrieve a particular RRSet from a particular server".</p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div></div><p class=MsoNormal>Joe</p><p class=MsoNormal><o:p> </o:p></p></div></body></html>