
Use UDP instead of TLS for failover DNS servers #58

Closed
wants to merge 1 commit into from

Conversation

fenichelar

This will allow the requests to be redirected and will reduce the performance impact caused by Home Assistant losing connectivity to Cloudflare's DNS servers due to internet loss, blocking, etc.


@frenck
Member

frenck commented Sep 28, 2021

Originally it used UDP and was replaced by TLS because of enhanced privacy reasons (community-driven/requested for good reasons).

This is reducing security for a custom workaround, I don't think this is solving anything to be honest.

@fenichelar
Author

@frenck

> This is reducing security for a custom workaround, I don't think this is solving anything to be honest.

This isn't a custom workaround. The issue with TLS is that if connectivity to the internet is lost, HA constantly tries to open a TLS connection. By constantly, I mean many times a second. This overloads HA on low powered devices.

@frenck
Member

frenck commented Sep 28, 2021

I understand, however, this PR has a different side effect (privacy) which is more important.

This PR cannot be accepted in its current format for that reason. Please note, TLS here has been added because of the community (originally we didn't use it).

Nevertheless, thanks for being willing to contribute 👍

frenck closed this Sep 28, 2021

@fenichelar
Author

@frenck

> I understand, however, this PR has a different side effect (privacy) which is more important.

I don't understand this comment. TLS is only used for the fallback servers, not the primary servers. This only improves privacy when there is a DNS failure. If the focus was privacy, wouldn't you want to use TLS on the primary servers?

@frenck
Member

frenck commented Sep 28, 2021

> If the focus was privacy, wouldn't you want to use TLS on the primary servers?

Partly agree, yet, it would be external communication that would be encrypted instead of not (even in a fallback situation). However, that doesn't change the fact this was changed to what it is for the above-given reasoning; which we are not willing to revert again.

@bentasker

@frenck When DoT is used, coredns can cause packet storms, whilst with UDP it does not (see #64 for more info) - there are tangible side effects to the decision to use DoT rather than UDP.

I think you should revisit the decision to use DoT, at least until a better way to mitigate the issue can be identified.

I'm more than happy to create a PR for it, but having stumbled across this one figured better to flag up than to submit what'll essentially be a duplicate.
