Nebulo
Pipeline DNS over TLS queries over a single connection
When I initially created Nebulo I did just that. What I quickly noticed though is that DoT providers do not follow the specs and close the TLS connections regardless. I can check what the state is right now, though.
I can check what the state is right now, though
Btw, RethinkDNS supports pipelining of queries over DoT (connections are closed after 60s of inactivity, but keep-alive isn't considered "activity"... this is done to limit resource exhaustion), if you ever want to test. https://rethinkdns.com/configure?p=dot | code.
In our tests, DNS over TLS without pipelining is über expensive. Like 5x the latencies.
Indeed a keepalive would be welcome. Especially when the configured server has a higher RTT (think your own Pi-hole deployment at home, to be used from 4G while on travel), the TLS handshake for every single DNS query really hurts performance.
...the TLS handshake for every single DNS query really hurts performance.
TLS v1.2 has support for session resumption which the server needs to support, while TLS v1.3 bakes it in the protocol itself.
As for DoH3, the underlying transport (QUIC) supports faster handshakes, too.
TLS v1.2 has support for session resumption which the server needs to support, while TLS v1.3 bakes it in the protocol itself.
That's true, but if I'm not mistaken that's still a 2 RTT (1 RTT for TCP and 1 RTT for session resumption) penalty on every DNS lookup. Might not be a large issue when using anycasted public resolvers, but if you go to your private server it's adding up.
No, I'm with you. Pipelining is great. In our tests, we saw 5x improvements! Amith (OP) implemented pipelining for RethinkDNS servers for DoT just for this reason alone.
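The pipelining discussed in this thread relies on the framing rules of RFC 7766 (DNS over TCP, which DoT inherits): every message carries a two-byte length prefix, a client may write several queries on one connection without waiting, and the server may answer them out of order, so the client has to reassemble the byte stream and match replies to pending queries by ID. The following is an added, offline example of that client-side logic; it is not code from Nebulo or RethinkDNS, the class and function names are hypothetical, and the "responses" are constructed byte strings rather than anything received from a resolver.

```python
import struct
from typing import Dict, List, Tuple


def build_query(qname: str, qid: int, qtype: int = 1) -> bytes:
    """Build a minimal DNS wire-format query: 12-byte header (RD set) + one question."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def frame(msg: bytes) -> bytes:
    """Prefix a DNS message with its 16-bit length, as RFC 7766/7858 require on TCP/TLS."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for a 2-byte length prefix")
    return struct.pack("!H", len(msg)) + msg


def pipeline_queries(queries: List[bytes]) -> bytes:
    """Concatenate framed queries: a pipelining client writes all of this on one
    TLS connection before reading any response, instead of one handshake per query."""
    return b"".join(frame(q) for q in queries)


def fake_response(query: bytes) -> bytes:
    """Constructed reply for tests: same ID and question, QR/RD/RA flags set (0x8180)."""
    return query[:2] + b"\x81\x80" + query[4:]


class PipelineDemuxer:
    """Reassemble length-prefixed messages from a TLS byte stream and hand each
    one back to the query it answers. Handles partial reads and out-of-order replies."""

    def __init__(self) -> None:
        self._buf = b""
        self.pending: Dict[int, str] = {}  # query ID -> qname still awaiting an answer

    def expect(self, qid: int, qname: str) -> None:
        """Register a query that was written to the connection."""
        if qid in self.pending:
            raise ValueError("duplicate query ID in flight")  # IDs must be unique per connection
        self.pending[qid] = qname

    def feed(self, data: bytes) -> List[Tuple[int, str, bytes]]:
        """Consume bytes read from the socket; return (qid, qname, message) for every
        complete, expected response now available. Leftover bytes stay buffered."""
        self._buf += data
        completed: List[Tuple[int, str, bytes]] = []
        while len(self._buf) >= 2:
            (length,) = struct.unpack("!H", self._buf[:2])
            if len(self._buf) < 2 + length:
                break  # message not fully received yet; wait for more data
            msg, self._buf = self._buf[2:2 + length], self._buf[2 + length:]
            if length < 12:
                raise ValueError("DNS message shorter than its header")
            qid = struct.unpack("!H", msg[:2])[0]
            qname = self.pending.pop(qid, None)
            if qname is None:
                continue  # unsolicited or already-answered ID: drop it
            # A production client should also compare the question section, not just the ID.
            completed.append((qid, qname, msg))
        return completed


def demo() -> List[int]:
    """Two pipelined queries; the constructed server stream answers them in reverse
    order and arrives split across two reads. Returns the IDs in answer order."""
    q1 = build_query("example.com", 0x1111)
    q2 = build_query("example.net", 0x2222)
    wire_out = pipeline_queries([q1, q2])  # what the client would write once
    assert wire_out == frame(q1) + frame(q2)

    demux = PipelineDemuxer()
    demux.expect(0x1111, "example.com")
    demux.expect(0x2222, "example.net")
    stream = frame(fake_response(q2)) + frame(fake_response(q1))  # out of order
    answered = demux.feed(stream[:5])          # first read: not even one full message
    answered += demux.feed(stream[5:])         # second read: both complete
    return [qid for qid, _, _ in answered]


if __name__ == "__main__":
    print(demo())  # [8738, 4369], i.e. 0x2222 answered before 0x1111
```

The key points for a DoT client are visible in `feed`: never assume one `recv` yields exactly one message, and never assume replies arrive in the order queries were sent; both assumptions break once queries are pipelined.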