Great software

I really like this software, and would like to see in new versions the use of two DNS servers at the same time. Is it possible? The MTU for my local DNS is only 512, the speed is very low (0.02 Mbit/sec), and the provider gives two DNS addresses.

That’s an interesting idea. It’s conceptually possible, because the Turbo Tunnel reliability layer should permit multiplexing over multiple network paths. One way to do it might be to have NewDNSPacketConn accept a list of transport+addr pairs, and start up a recvLoop and sendLoop for each.

The user interface would need some thought. The Go flag package doesn’t make it easy to, for example, accept multiple -udp options with different values.

I think it would require a non-trivial amount of effort to implement, and I’m not likely to do it myself. Let me suggest a test that may tell us whether there’s a performance improvement that makes it worth the effort. Install dnsmasq or another local DNS forwarding proxy that supports multiple upstream resolvers. Run dnsmasq with --no-resolv and a --server option for each of the upstream resolvers. Then run dnstt-client with -udp pointing to the local dnsmasq port. The diagram would look like this:

       localhost       |     Internet      |    server
                       |                   |
                       |  .--upstream1--.  |
dnstt-client---dnsmasq---<               >---dnstt-server
                       |  '--upstream2--'  |

This way, distributing queries over multiple resolvers is done by dnsmasq, rather than being a feature built into dnstt-client. If you try this, please let us know if it affects performance in your case.
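The "list of transport+addr pairs, one recvLoop and sendLoop each" idea from the reply above, written out as an added Go example for this thread (not dnstt code, and not what dnstt-client does today). It assumes plain UDP paths only, and the names MultiPathConn, path and runDemo are chosen here; the two loopback echo servers are constructed stand-ins for the two upstream resolvers. It shows the part the reply calls conceptually easy, round-robin fan-out with merged receive, and leaves the reordering between paths to the reliability layer the reply mentions.

```go
package main

import (
	"fmt"
	"net"
	"sync/atomic"
	"time"
)

// path is one upstream resolver plus the local socket used to reach it: the
// "transport+addr pair" from the post (assumption: plain UDP only).
type path struct{ conn net.PacketConn; addr net.Addr }
// packet is a received datagram tagged with the index of the path it came in on.
type packet struct{ pathIdx int; data []byte }

// MultiPathConn spreads outgoing datagrams over its paths round-robin and
// merges whatever arrives on any of them into one receive queue. Reordering
// between paths is left to the reliability layer above, not modelled here.
type MultiPathConn struct {
	paths []path
	next  uint32
	recv  chan packet
}

// NewMultiPathConn starts one recvLoop per path, as the post sketches; each
// loop reads until its socket is closed.
func NewMultiPathConn(paths []path) *MultiPathConn {
	m := &MultiPathConn{paths: paths, recv: make(chan packet, 1024)}
	for i := range paths {
		go m.recvLoop(i)
	}
	return m
}
func (m *MultiPathConn) recvLoop(i int) {
	buf := make([]byte, 1500)
	for {
		n, _, err := m.paths[i].conn.ReadFrom(buf)
		if err != nil {
			return
		}
		m.recv <- packet{i, append([]byte(nil), buf[:n]...)}
	}
}

// Send writes b to the next path in round-robin order.
func (m *MultiPathConn) Send(b []byte) error {
	i := int(atomic.AddUint32(&m.next, 1)-1) % len(m.paths)
	_, err := m.paths[i].conn.WriteTo(b, m.paths[i].addr)
	return err
}

// echoServer is a loopback UDP echo service standing in for one upstream
// resolver (a constructed test double, not a real resolver).
func echoServer(srv net.PacketConn) {
	buf := make([]byte, 1500)
	for {
		n, from, err := srv.ReadFrom(buf)
		if err != nil {
			return
		}
		srv.WriteTo(buf[:n], from)
	}
}

// runDemo sends count datagrams through numPaths echo upstreams and returns
// how many replies came back over each path.
func runDemo(numPaths, count int) ([]int, error) {
	var paths []path
	for i := 0; i < numPaths; i++ {
		srv, err := net.ListenPacket("udp", "127.0.0.1:0")
		if err != nil {
			return nil, err
		}
		defer srv.Close()
		go echoServer(srv)
		c, err := net.ListenPacket("udp", "127.0.0.1:0")
		if err != nil {
			return nil, err
		}
		defer c.Close() // ends that path's recvLoop
		paths = append(paths, path{conn: c, addr: srv.LocalAddr()})
	}
	m := NewMultiPathConn(paths)
	for i := 0; i < count; i++ {
		if err := m.Send([]byte(fmt.Sprintf("query-%d", i))); err != nil {
			return nil, err
		}
	}
	perPath := make([]int, numPaths)
	for i := 0; i < count; i++ {
		select {
		case p := <-m.recv:
			perPath[p.pathIdx]++
		case <-time.After(2 * time.Second):
			return perPath, fmt.Errorf("only %d of %d replies arrived", i, count)
		}
	}
	return perPath, nil
}

func main() { fmt.Println(runDemo(2, 10)) }
```

Run with go run; with two paths and ten datagrams the split is exactly five and five, because each echo server answers the socket that asked, so a reply always comes back over the path its query left on. What this does not show is the hard part the reply alludes to: two real resolvers with different latency and rate limits will deliver replies out of order, and only a reliability layer above this fan-out can turn that into a usable stream.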

dnsmasq -p 8000 --no-resolv --server=10.153.3.196 --server=10.153.3.220
Sadly, no change :frowning:

Thanks for running the test :slight_smile: So either this multiplexing doesn’t help performance, or dnsmasq itself doesn’t distribute queries across its upstreams in a way that helps.

If you want, you might try alternative local DNS forwarders, like doh-proxy (I’m not sure if doh-proxy can accept non-DoH connections) or dnscache.

Could you analyze the operation of this DNS tunnel? It runs very fast.

No, I don’t have time to reverse engineer other VPNs.

Are you sure it’s really a DNS tunnel? It may only resemble DNS; i.e., send UDP packets encoded as DNS messages to UDP port 53. It may not actually work through a recursive resolver. If that’s the case, it can probably be blocked by blocking the IP addresses of the servers.

If you just need a fast tunnel that uses UDP/53, you can try kcptun. But you will have to install your own server.
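One defender-side way to start on the "it may only resemble DNS" question above is to check whether the port-53 payloads are even well-formed DNS queries of the kind a recursive resolver would accept. The Go check below is an added example written for this thread, not part of dnstt or of any tool mentioned here; the sample messages are constructed, and checkDNSQuery, skipName and buildQuery are names chosen here. It validates the header, the question count and the wire-format name limits, and stays within the classic 512-byte limit the thread mentions (no EDNS(0) or TCP).

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// maxUDPMessage is the classic DNS-over-UDP limit (the 512 the thread
// mentions); larger messages need EDNS(0) or TCP, not modelled here.
const maxUDPMessage = 512

// checkDNSQuery reports whether a UDP/53 payload has the shape a recursive
// resolver would accept as a query: a 12-byte header with QR=0 and opcode
// QUERY, at least one question, and syntactically valid wire-format names.
// nil means "plausible DNS", not "definitely not a tunnel".
func checkDNSQuery(msg []byte) error {
	if len(msg) > maxUDPMessage {
		return fmt.Errorf("%d bytes exceeds the %d-byte UDP limit", len(msg), maxUDPMessage)
	}
	if len(msg) < 12 {
		return errors.New("shorter than the 12-byte DNS header")
	}
	flags := binary.BigEndian.Uint16(msg[2:4])
	if flags&0x8000 != 0 {
		return errors.New("QR bit set: a response, not a query")
	}
	if opcode := (flags >> 11) & 0xF; opcode != 0 {
		return fmt.Errorf("opcode %d is not a standard QUERY", opcode)
	}
	qdcount := int(binary.BigEndian.Uint16(msg[4:6]))
	if qdcount == 0 {
		return errors.New("QDCOUNT is zero")
	}
	off := 12
	for q := 0; q < qdcount; q++ {
		next, err := skipName(msg, off)
		if err != nil {
			return err
		}
		if next+4 > len(msg) {
			return errors.New("question truncated before QTYPE/QCLASS")
		}
		off = next + 4
	}
	return nil
}

// skipName walks a wire-format name starting at off and returns the offset
// just past it, enforcing the 63-byte label and 255-byte name limits.
func skipName(msg []byte, off int) (int, error) {
	total := 0
	for {
		if off >= len(msg) {
			return 0, errors.New("name runs past end of message")
		}
		l := int(msg[off])
		switch {
		case l == 0:
			return off + 1, nil
		case l&0xC0 == 0xC0: // compression pointer ends the name
			if off+1 >= len(msg) {
				return 0, errors.New("truncated compression pointer")
			}
			return off + 2, nil
		case l > 63:
			return 0, fmt.Errorf("label length %d exceeds 63", l)
		}
		total += 1 + l
		if total+1 > 255 { // +1 for the terminating root label
			return 0, errors.New("name longer than 255 bytes")
		}
		off += 1 + l
	}
}

// buildQuery assembles a minimal RD=1 query for name/qtype. It produces the
// constructed sample inputs used below; none of them is captured traffic.
func buildQuery(id uint16, name string, qtype uint16) []byte {
	msg := make([]byte, 12)
	binary.BigEndian.PutUint16(msg[0:2], id)
	binary.BigEndian.PutUint16(msg[2:4], 0x0100) // RD=1, QR=0, opcode QUERY
	binary.BigEndian.PutUint16(msg[4:6], 1)      // one question
	for _, label := range strings.Split(strings.TrimSuffix(name, "."), ".") {
		msg = append(msg, byte(len(label)))
		msg = append(msg, label...)
	}
	msg = append(msg, 0)                           // root label
	msg = append(msg, byte(qtype>>8), byte(qtype)) // QTYPE
	return append(msg, 0, 1)                       // QCLASS IN
}

func main() {
	samples := map[string][]byte{
		"TXT query for a tunnel-style name": buildQuery(0x1234, "abc.t.example.com", 16),
		"raw bytes that merely use port 53": {0xde, 0xad, 0xbe, 0xef, 0, 1, 0, 0, 0, 0, 0, 0},
		"64-byte label":                     buildQuery(1, strings.Repeat("a", 64)+".example.com", 16),
	}
	for name, msg := range samples {
		fmt.Printf("%-36s -> %v\n", name, checkDNSQuery(msg))
	}
}
```

A payload that fails this check is not DNS in any sense a resolver would forward, which supports the "resembles DNS, blockable by server IP" reading. A payload that passes proves nothing on its own; the decisive test is the one the reply implies, pointing the client at a real recursive resolver instead of the server's address and seeing whether it still works.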

Thx! I’ll try.

I tested this tool on my ISP’s DNS and it worked great: 24/41 Mbps throughput. This ISP did not have any rate limit, and that’s the key to success.

Another ISP had some rate limit. It was possible to use SSH quite comfortably, but not to proxy websites.

Public DNS looks very ugly. I tested ~10 public DoH/DoT servers and only 2 of them even gave me an SSH banner from the tunnel’s end. Then the connection died.
The only public DoH that worked for me is he.net. It works fine and fast at the beginning but rate limits very soon.

Also, I used IPv6 only on the server side to avoid buying an IPv4 address with a free UDP port 53, with IPv4 on the client side. It works if the client’s DNS has access to the IPv6 network.

Thanks for testing. The most recent performance tests I did were on 2021-08-02. As you noted, it can be quite variable. Cloudflare DoH/DoT was among the fastest, while Cloudflare UDP was among the slowest. I would have expected most public DoH/DoT to work well enough for SSH, but it is possible things have changed since I last tested it.