
Advanced Topics

netblue30 edited this page Dec 27, 2023 · 3 revisions

DNS Firewall

It goes without saying that encrypted DNS traffic is heavier than regular DNS traffic - a few times heavier! And why forward all of it, when most of it you don't need anyway?

The first one to go is IPv6. It accounts for half the DNS queries going out. Every browser and every networked program requests an IPv4 address (A record) and an IPv6 address (AAAA record). Whether or not you have IPv6 connectivity, the AAAA requests still go out. By default the proxy drops these requests. You can override this default with the --ipv6 command line option.

Next to go is the ad traffic. On regular web pages ads generate almost half the queries. We use our own anti-tracker and adblocker derived from various sources on the Internet. You can also add your own hosts list in /etc/fdns/hosts, or you can disable the ad filter with the --nofilter command line option.

We also filter the requests going out, and forward only A and AAAA queries. This stops most DNS tunneling attacks. Some attacks still go through, such as Iodine, but not without leaving an angry trace in /var/log/syslog. Disable this functionality with --allow-all-queries.

For more information, check out this article.


DNS Cache

FDNS has a simple DNS caching system to further reduce the traffic going out. By default we use a fixed time to live (TTL) of 40 minutes for our cache entries. You can change this value with --cache-ttl=seconds.

In regular browsing, the 40-minute default will resolve about one third of the requests from cache. Increasing the TTL increases this share. Here is a discussion about the ridiculously low TTL values passed down by the current DNS network.


Regular DNS Fallback

We switch to regular DNS over UDP in case the DoH/DoT service becomes unavailable. We use Quad9 (9.9.9.9) for fallback. The status of the service (encrypted/not encrypted) and the number of queries sent over regular DNS are reflected in the monitor. Fallback happens mostly because of an unstable Internet connection, or immediately after you bring the computer out of sleep mode. In the latter case it takes a few seconds for the SSL/TLS layer to detect the errors and re-initialize the connection.


Conditional Query Forwarding

A conditional forwarder is a DNS server that redirects DNS queries based on the DNS domain name to specific resolvers. You can use this feature to:

  • redirect queries for local domain names to a DNS server on your local network
  • forward OpenNIC domains to an OpenNIC server

Here is an example to redirect domain queries ending in .libre to an OpenNIC server:

$ sudo fdns --forwarder=libre@66.70.228.164

When you direct your browser to a URL such as http://blog.libre, the query is forwarded to the OpenNIC server at 66.70.228.164.

Note: you can also use the OpenNIC tag to connect to a DoH provider that already supports OpenNIC domains by starting the proxy with sudo fdns --server=OpenNIC.


Running Multiple Proxies on the Same Computer

It is possible to run multiple DoH/DoT proxies on the same computer, each with its own IP address in the 127.0.0.0/8 loopback space, or on a specific Ethernet interface, using the --proxy-addr command line option. Example:

$ sudo fdns --daemonize
$ sudo fdns --daemonize --proxy-addr=127.2.2.2
$ sudo fdns --daemonize --proxy-addr=127.3.3.3

List your running proxies:

$ fdns --proxies
pid 4900, address 127.3.3.3
pid 4893, address 127.2.2.2
pid 4883, address 127.1.1.1 (default)

The command to monitor a specific proxy is:

$ fdns --monitor=127.2.2.2

To shut down a specific proxy, use the PID displayed by the --proxies command, and allow up to 30 seconds for all processes started by the proxy to shut down:

$ sudo kill -9 4900

Installing a Custom Adblocker

Install your custom hosts file as /etc/fdns/hosts. This file is not overwritten when a new version of FDNS is installed. Currently only entries in the 127.0.0.1 hostname format are supported. Example:

$ cat /etc/fdns/hosts
127.0.0.1 wmasters.tk
127.0.0.1 ww.pr0gramm.com
127.0.0.1 ww1.netcodepool.org
127.0.0.1 ww8.ypool.ga
127.0.0.1 3322.net
127.0.0.1 blocphi-phi-pool.com
127.0.0.1 btcc.com.whecloud.com
127.0.0.1 chinaenter.cn.w.kunlunar.com
127.0.0.1 coinhiv.com
127.0.0.1 ezystorm.com
127.0.0.1 xerox300.000webhostapp.com
[...]
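As an added example (not FDNS code, a toy model only), the Python script below models the per-query decisions described under DNS Firewall, Conditional Query Forwarding and this section: AAAA queries dropped unless --ipv6, query types other than A/AAAA dropped unless --allow-all-queries, names listed in a 127.0.0.1-style hosts file blocked, and queries routed to a conditional forwarder given as domain@ip. Exact-match blocking, the order of the checks, and the names Policy and decide are assumptions of the example, not documented FDNS behaviour.

```python
"""Toy model of the per-query decisions described on this page (added example,
not FDNS code). The check order and exact-match blocking are assumptions."""
from dataclasses import dataclass, field

DEFAULT_RESOLVER = "doh"          # placeholder for the configured DoH/DoT server
FORWARD_TYPES = {"A", "AAAA"}     # the only query types forwarded by default

@dataclass
class Policy:
    ipv6: bool = False                # --ipv6: let AAAA queries through
    allow_all_queries: bool = False   # --allow-all-queries: forward any type
    blocked: set = field(default_factory=set)        # names from /etc/fdns/hosts
    forwarders: dict = field(default_factory=dict)   # domain suffix -> resolver

def parse_hosts(text):
    """Collect hostnames from '127.0.0.1 name' lines; ignore anything else."""
    names = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "127.0.0.1":
            names.add(parts[1].lower().rstrip("."))
    return names

def parse_forwarder(spec):
    """'libre@66.70.228.164' -> ('libre', '66.70.228.164')."""
    domain, _, addr = spec.partition("@")
    if not domain or not addr:
        raise ValueError(f"bad forwarder spec: {spec!r}")
    return domain.lower().strip("."), addr

def decide(policy, qname, qtype):
    """Return ('drop' | 'block' | 'forward', resolver-or-reason) for one query."""
    name = qname.lower().rstrip(".")
    if qtype == "AAAA" and not policy.ipv6:
        return ("drop", "AAAA disabled (use --ipv6)")
    if qtype not in FORWARD_TYPES and not policy.allow_all_queries:
        return ("drop", f"{qtype} not allowed (use --allow-all-queries)")
    if name in policy.blocked:
        return ("block", "listed in /etc/fdns/hosts")
    for suffix, addr in policy.forwarders.items():   # e.g. blog.libre -> OpenNIC
        if name == suffix or name.endswith("." + suffix):
            return ("forward", addr)
    return ("forward", DEFAULT_RESOLVER)

# constructed sample configuration mirroring the page's examples
HOSTS = "127.0.0.1 coinhiv.com\n127.0.0.1 3322.net\n# comment line\n"
POLICY = Policy(blocked=parse_hosts(HOSTS),
                forwarders=dict([parse_forwarder("libre@66.70.228.164")]))
```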
