Enhancement picking fastest proxy in the list -not only closest #65

Open
osevan opened this issue Jul 9, 2021 · 8 comments
Labels
enhancement New feature or request

Comments

osevan commented Jul 9, 2021

Dnscrypt does a response latency check on every start, and picks the fastest one in the server list - not the closest one.

Could you bring this function inside fdns?

Thanks and

Best regards

rusty-snake added the enhancement label Jul 9, 2021

netblue30 (Owner) commented Jul 15, 2021

We'll try to do something, but just be aware that what everybody measures is the access time from your computer to the server. How long it takes the server to bring in the response varies widely from server to server. So, you can have a 50ms server access time, and the server will take 2 more seconds to bring in the response.

In FDNS at startup we test the access time for two random servers and pick the fastest one. It usually stays under 80ms. Then, if you run "fdns --monitor", we keep a moving average of the last few responses, and this is usually under 1 second. Look at the first line in the monitor:

```
$ fdns --monitor
127.1.1.1 dnscrypt-ca2 ENCRYPTED (DoH 647.53 ms, 170 s)
requests 74, drop 18, cache 31, fwd 0, fallback 0
```

The 647.53 ms is your average number. 170 is how often we send a keepalive request to keep the TLS connection going.

The fastest server ever is probably Cloudflare. They do it by synchronizing DNS caches between various geographical locations in their network.
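As an added illustration of the distinction drawn above (access time to the server versus the time until the full answer arrives) and of the moving-average figure shown by the monitor; this is example code written for this page, not fdns code. Resolver names and probe values are constructed, and the monitor-line parser assumes every first line follows the shape of the single sample line quoted above.

```python
"""Added example (not fdns code): why access time and response time differ,
and how to read the first line of `fdns --monitor` into numbers."""
import re
from collections import deque
from statistics import mean

# Constructed probe results in milliseconds: (access_ms, response_ms).
# Resolver names are invented. "edge-fast" completes the connection quickly
# but takes about 2 s to bring in the answer; "steady" connects slower but answers fast.
PROBES = {
    "edge-fast": [(50.0, 2050.0), (48.0, 1900.0), (52.0, 2200.0)],
    "steady":    [(75.0, 180.0), (80.0, 210.0), (78.0, 170.0)],
    "far-away":  [(140.0, 300.0), (150.0, 310.0), (145.0, 290.0)],
}

def pick_by_access(probes, candidates):
    """Choose by mean access (connect) time only; this is what a plain probe measures."""
    return min(candidates, key=lambda n: mean(a for a, _ in probes[n]))

def pick_by_response(probes, candidates):
    """Choose by mean end-to-end response time, which is what the user actually waits for."""
    return min(candidates, key=lambda n: mean(r for _, r in probes[n]))

class MovingAverage:
    """Moving average over the last `window` responses, like the ms figure in --monitor."""
    def __init__(self, window=5):
        self.values = deque(maxlen=window)
    def add(self, ms):
        self.values.append(ms)
        return self.average()
    def average(self):
        return mean(self.values) if self.values else 0.0

# Assumed shape of the monitor's first line, generalised from the one sample above.
MONITOR_RE = re.compile(
    r"^(?P<ip>\S+)\s+(?P<server>\S+)\s+(?P<state>\S+)\s+\((?P<proto>\S+)\s+"
    r"(?P<avg_ms>\d+(?:\.\d+)?)\s+ms,\s+(?P<keepalive_s>\d+)\s+s\)$")

def parse_monitor_line(line):
    """Return a dict with avg_ms (float) and keepalive_s (int), or None if not matched."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["avg_ms"] = float(d["avg_ms"])
    d["keepalive_s"] = int(d["keepalive_s"])
    return d
```

With the constructed data, ranking by access time selects "edge-fast" while ranking by full response time selects "steady", which is the 50 ms versus 2 s case described in the comment.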

osevan (Author) commented Jul 21, 2021

Can I run fdns inside firejail?

And /etc/resolv.conf to nameserver 127.0.0.1: with a different port than the standard port?

rusty-snake (Collaborator) commented Jul 22, 2021

> Can I run fdns inside firejail?

https://github.com/netblue30/firejail/blob/master/etc/profile-a-l/fdns.profile

If you use systemd, it is suggested to use the systemd service.

> And /etc/resolv.conf to nameserver 127.0.0.1: with a different port than the standard port?

The format of /etc/resolv.conf is explained in man 5 resolv.conf. (spoiler: no)

For IPv4 IDC as you have a complete class A subnet. However for IPv6 you have only ::1; if you need to use IPv6 for any reason, it can be annoying that there is no option to use another port.

osevan (Author) commented Jul 22, 2021

I can't run fdns without the root user, because the port range is under 1024.

How can I run fdns as a different user than root?
I need it for user rights hardening.

rusty-snake (Collaborator) commented

> How can I run fdns as a different user than root?

You can't. fdns requires root privileges in order to sandbox its resolver processes.

fdns/src/fdns/main.c, lines 407 to 410 in dd69da4:

```c
if (getuid() != 0) {
	fprintf(stderr, "Error: you need to be root to run this program\n");
	exit(1);
}
```

So you need to become root first, see #51 and https://github.com/rusty-snake/fdns4users.

osevan (Author) commented Aug 5, 2021

> > How can I run fdns as a different user than root?
>
> You can't. fdns requires root privileges in order to sandbox its resolver processes.
>
> fdns/src/fdns/main.c, lines 407 to 410 in dd69da4:
>
> ```c
> if (getuid() != 0) {
> 	fprintf(stderr, "Error: you need to be root to run this program\n");
> 	exit(1);
> }
> ```
>
> So you need to become root first, see #51 and https://github.com/rusty-snake/fdns4users.

Could you remove this id 0 if and else?

Because dnscrypt-proxy runs well in firejail with a non-root user when your port range is above 1024.

You can redirect port 53 to another port like I do with iptables.

This is my workaround to avoid the root user with dnscrypt:

```
iptables -t nat -A OUTPUT -p tcp --dport domain -j DNAT --to-destination 127.0.0.1:8000
iptables -t nat -A OUTPUT -p udp --dport domain -j DNAT --to-destination 127.0.0.1:8000
```

Could you remove this ID 0 if and else too?

thanks and

best regards

osevan (Author) commented Aug 5, 2021

> We'll try to do something, but just be aware that what everybody measures is the access time from your computer to the server. How long it takes the server to bring in the response varies widely from server to server. So, you can have a 50ms server access time, and the server will take 2 more seconds to bring in the response.
>
> In FDNS at startup we test the access time for two random servers and pick the fastest one. It usually stays under 80ms. Then, if you run "fdns --monitor", we keep a moving average of the last few responses, and this is usually under 1 second. Look at the first line in the monitor:
>
> ```
> $ fdns --monitor
> 127.1.1.1 dnscrypt-ca2 ENCRYPTED (DoH 647.53 ms, 170 s)
> requests 74, drop 18, cache 31, fwd 0, fallback 0
> ```
>
> The 647.53 ms is your average number. 170 is how often we send a keepalive request to keep the TLS connection going.
>
> The fastest server ever is probably Cloudflare. They do it by synchronizing DNS caches between various geographical locations in their network.

Not in my case from Europe: for me libredns has the fastest response, a lower response rate than Cloudflare DoH.

rusty-snake (Collaborator) commented Aug 5, 2021

> Because dnscrypt-proxy runs well in firejail with a non-root user when your port range is above 1024.

This is not dnscrypt-proxy.

> You can redirect port 53 to another port like I do with iptables.

I think we should add something like a --port=5353 option.

> Could you remove this id 0 if and else?

Removing the check that displays an error message does not make things work because

> fdns requires root privileges
