starred/AdGuardHome
1
0
Fork 0
mirror of https://github.com/AdguardTeam/AdGuardHome.git synced 2026-03-04 00:01:12 -05:00
Code Issues 1.2k Projects Packages Wiki Activity

DoT much slower than DoH using the same servers #3070

New issue
Open
opened 2026-03-04 02:56:38 -05:00 by deekerman · 4 comments
deekerman commented 2026-03-04 02:56:38 -05:00
Owner
Copy link

Originally created by @timkgh on GitHub (Sep 23, 2021).

v0.106.3, using the default adguard filter with security and parental control filters.
Upstream DNS servers: 1.1.1.2, 9.9.9.9

Using DoH for both upstreams shows an average query time of about 28ms, but using DoT it is much slower at 81ms. All other settings are the same. Tests run over 24h for each.

Any ideas why that much slower? Are the TLS connections not kept alive or re-used a lot less than the https connections?

Originally created by @timkgh on GitHub (Sep 23, 2021). v0.106.3, using the default adguard filter with security and parental control filters. Upstream DNS servers: 1.1.1.2, 9.9.9.9 Using DoH for both upstreams shows an average query time of about 28ms, but using DoT it is much slower at 81ms. All other settings are the same. Tests run over 24h for each. Any ideas why that much slower? Are the TLS connections not kept alive or re-used a lot less than the https connections?
deekerman commented 2026-03-04 02:56:46 -05:00
Author
Owner
Copy link

@timkgh commented on GitHub (Sep 24, 2021):

Ran some tests, here are my observations:

DoT: responses are generally fast, 25-50ms range, but every 7-10 requests I see 1-2 requests that take 200-300ms which pushes the averages up and is not great for responsiveness.

DoH, DoQ: smooth responses for long periods of time, with just occasional high response times of 100-300ms.

I suspect that DoT connections are maybe cycled much faster and that's the price for the TLS handshake.

Could AGH log when it establishes a new connection to the upstream? e.g. nextdns cli prints something like this in the log:
Connected x.x.x.x:443 (con=8ms tls=9ms, TCP, TLS13)

@timkgh commented on GitHub (Sep 24, 2021): Ran some tests, here are my observations: DoT: responses are generally fast, 25-50ms range, **but** every 7-10 requests I see 1-2 requests that take 200-300ms which pushes the averages up and is not great for responsiveness. DoH, DoQ: smooth responses for long periods of time, with just occasional high response times of 100-300ms. I suspect that DoT connections are maybe cycled much faster and that's the price for the TLS handshake. Could AGH log when it establishes a new connection to the upstream? e.g. nextdns cli prints something like this in the log: `Connected x.x.x.x:443 (con=8ms tls=9ms, TCP, TLS13)`
deekerman commented 2026-03-04 02:56:54 -05:00
Author
Owner
Copy link

@bcookatpcsd commented on GitHub (Sep 24, 2021):

@timkgh

I found things were much faster in the beta release..

(and I wish the logging was better too)

image

I use an sdns stamp to also cut down on looking up the host..

I've not looked into if that actually does reduce time.. but

My 0.02

I have one stream forward to NextDNS.. 4ms avg

@bcookatpcsd commented on GitHub (Sep 24, 2021): @timkgh I found things were much faster in the beta release.. (and I wish the logging was better too) ![image](https://user-images.githubusercontent.com/55087301/134736872-997efb90-13e8-456d-b80e-5bc4507c455a.png) I use an sdns stamp to also cut down on looking up the host.. I've not looked into if that actually does reduce time.. but My 0.02 I have one stream forward to NextDNS.. 4ms avg
deekerman commented 2026-03-04 02:56:54 -05:00
Author
Owner
Copy link

@timkgh commented on GitHub (Sep 24, 2021):

4ms ... nice -- is that because of the new optimistic cache feature?

I just use IP addresses so there's no lookup and no need for bootstrap DNS, e.g. https://1.1.1.2/dns-query

I found that "load balancing" mode is problematic, it does quite the opposite of what it should do, based on empirical evidence.
https://github.com/AdguardTeam/AdGuardHome/discussions/3601#discussioncomment-1360429

AGH (and dnsproxy) might benefit from a look at performance, running some tests or at least collecting better stats so that users can report what they observe in practice.

@timkgh commented on GitHub (Sep 24, 2021): 4ms ... nice -- is that because of the new optimistic cache feature? I just use IP addresses so there's no lookup and no need for bootstrap DNS, e.g. https://1.1.1.2/dns-query I found that "load balancing" mode is problematic, it does quite the opposite of what it should do, based on empirical evidence. https://github.com/AdguardTeam/AdGuardHome/discussions/3601#discussioncomment-1360429 AGH (and dnsproxy) might benefit from a look at performance, running some tests or at least collecting better stats so that users can report what they observe in practice.
deekerman commented 2026-03-04 02:56:54 -05:00
Author
Owner
Copy link

@ameshkov commented on GitHub (Sep 27, 2021):

DOT upstream connections pool implementation is not ideal in general, we'll need to revisit it later at some point.

@ameshkov commented on GitHub (Sep 27, 2021): DOT upstream connections pool implementation is not ideal in general, we'll need to revisit it later at some point.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
AGDNS-3523-upd-dnsproxy-middlewares
ADG-11407-add-docker-release
AGDNS-3535-upd-urlfilter
AGDNS-3684-fix-tls-status
beta-v0.107
release-v0.107.72
ADG-10306
beta-v0.108
ADG-10291
upd-url-filter
release-v0.107.71
release-v0.107.70
ADG-10301
ADG-8560-react-update
ADG-8560-graph-fix
release-v0.107.69
release-v0.107.68
release-v0.107.67
release-v0.107.66
ADG-10295
release-v0.107.65
release-v0.107.64
release-v0.107.63
release-v0.107.62
release-v0.107.61
release-v0.107.60
release-v0.107.59
release-v0.107.58
ADG-9783
ADG-1-utils-bundle-update
ADG-9415
release-v0.107.57
ADG-9565
release-v0.107.56
release-v0.107.55
release-v0.107.54
release-v0.107.53
infra-fix
upd-locales
release-v0.107.52
release-v0.107.51
AGDNS-2184-adguard-home
AG-32410-upd-dnsproxy
release-v0.107.50
release-v0.107.49
release-v0.107.48
release-v0.107.47
release-v0.107.46
release-v0.107.45
release-v0.107.44
release-v0.107.43
release-v0.107.42
6263-custom-ups-cache
release-v0.107.41
6399-fix-ups-check
release-v0.107.40
release-v0.107.39
release-v0.107.38
release-v0.107.37
6099-check-port-install
release-v0.107.36
release-v0.107.35
6006-refactor-client-lookup
release-v0.107.34
AG-23822
release-v0.107.33
3389-querylog-export
release-v0.107.32
fix-templates
release-v0.107.31
release-v0.107.30
5799-allowed-clients
5347-wildcard-interference
release-v0.107.29
AG-21485
release-v0.107.28
release-v0.107.27
release-v0.107.26
release-v0.107.25
release-v0.107.24
4728-cap-check
release-v0.107.23
release-v0.107.22
2499-rewrites-3
release-v0.107.21
release-v0.107.20
release-v0.107.19
4927-refactor-tls
release-v0.107.18
release-v0.107.17
release-v0.107.16
release-v0.107.15
websvc-confin-manager
release-v0.107.14
2926-lla-ipv6
4926-scroll
release-v0.107.13
release-v0.107.12
release-v0.107.11
release-v0.107.10
release-v0.107.9
WIP-upd-urls
release-v0.107.8
release-v0.107.7
release-v0.107.6
release-v0.107.5
release-v0.107.4
release-v0.107.3
release-v0.107.2
release-v0.107.1
release-v0.107.0
fix-stats-layout
beta-v0.106
release-v0.106.3
release-v0.106.2
release-v0.106.1
fix-client2-generator
dsheets-ipset-subs
fix-context
2044-gc
1691-clear-leases-v2
v0.107.72
v0.108.0-b.82
v0.108.0-b.81
v0.107.71
v0.108.0-b.80
v0.107.70
v0.108.0-b.79
v0.107.69
v0.108.0-b.78
v0.107.68
v0.108.0-b.77
v0.107.67
v0.108.0-b.76
v0.107.66
v0.108.0-b.75
v0.107.65
v0.108.0-b.74
v0.108.0-b.73
v0.107.64
v0.108.0-b.72
v0.107.63
v0.108.0-b.71
v0.107.62
v0.108.0-b.70
v0.108.0-b.69
v0.107.61
v0.108.0-b.68
v0.108.0-b.67
v0.107.60
v0.108.0-b.66
v0.107.59
v0.108.0-b.65
v0.107.58
v0.108.0-b.64
v0.107.57
v0.108.0-b.63
v0.107.56
v0.108.0-b.62
v0.107.55
v0.108.0-b.61
v0.108.0-b.60
v0.107.54
v0.108.0-b.59
v0.107.53
v0.108.0-b.58
v0.107.52
v0.108.0-b.57
v0.107.51
v0.108.0-b.56
v0.107.50
v0.107.49
v0.108.0-b.55
v0.107.48
v0.107.47
v0.107.46
v0.108.0-b.54
v0.107.45
v0.108.0-b.53
v0.107.44
v0.108.0-b.52
v0.107.43
v0.108.0-b.51
v0.107.42
v0.108.0-b.50
v0.108.0-b.49
v0.107.41
v0.107.40
v0.108.0-b.48
v0.108.0-b.47
v0.107.39
v0.108.0-b.46
v0.107.38
v0.108.0-b.45
v0.107.37
v0.108.0-b.44
v0.108.0-b.43
v0.107.36
v0.107.35
v0.108.0-b.42
v0.108.0-b.41
v0.107.34
v0.108.0-b.40
v0.108.0-b.39
v0.107.33
v0.108.0-b.38
v0.108.0-b.37
v0.107.32
v0.108.0-b.36
v0.107.31
v0.108.0-b.35
v0.107.30
v0.108.0-b.34
v0.107.29
v0.108.0-b.33
v0.107.28
v0.108.0-b.32
v0.107.27
v0.108.0-b.31
v0.108.0-b.30
v0.107.26
v0.108.0-b.29
v0.108.0-b.28
v0.107.25
v0.108.0-b.27
v0.107.24
v0.108.0-b.26
v0.107.23
v0.108.0-b.25
v0.107.22
v0.108.0-b.24
v0.107.21
v0.108.0-b.23
v0.107.20
v0.108.0-b.22
v0.107.19
v0.108.0-b.21
v0.107.18
v0.108.0-b.20
v0.107.17
v0.108.0-b.19
v0.108.0-b.18
v0.107.16
v0.108.0-b.17
v0.107.15
v0.108.0-b.16
v0.107.14
v0.108.0-b.15
v0.107.13
v0.108.0-b.14
v0.107.12
v0.108.0-b.13
v0.107.11
v0.108.0-b.12
v0.107.10
v0.108.0-b.11
v0.107.9
v0.108.0-b.10
v0.107.8
v0.107.7
v0.108.0-b.9
v0.108.0-b.8
v0.108.0-b.7
v0.108.0-b.6
v0.107.6
v0.108.0-b.5
v0.108.0-b.4
v0.107.5
v0.107.4
v0.108.0-b.3
v0.107.3
v0.108.0-b.2
v0.108.0-b.1
v0.107.2
v0.107.1
v0.107.0
v0.107.0-b.17
v0.107.0-b.16
v0.107.0-b.15
v0.107.0-b.14
v0.107.0-b.13
v0.107.0-b.12
v0.107.0-b.11
v0.107.0-b.10
v0.107.0-b.9
v0.107.0-b.8
v0.107.0-b.7
v0.107.0-b.6
v0.107.0-b.5
v0.107.0-b.4
v0.107.0-b.3
v0.107.0-b.2
v0.107.0-b.1
v0.106.3
v0.106.3-b.1
v0.106.2
v0.106.2-b.1
v0.106.1
v0.106.1-b.1
v0.106.0
v0.106.0-b.5
v0.106.0-b.4
v0.106.0-b.3
v0.106.0-b.2
v0.106.0-b.1
v0.105.2
v0.105.2-beta.1
v0.105.1
v0.105.1-beta.1
v0.105.0
v0.105.0-beta.5
v0.105.0-beta.4
v0.105.0-beta.3
v0.105.0-beta.2
v0.105.0-beta.1
v0.104.3
v0.104.2
v0.104.1
v0.104.0
v0.104.0-beta3
v0.104.0-beta2
v0.104.0-beta1
v0.103.3
v0.103.2
v0.103.1
v0.103.0
v0.103.0-beta3
v0.103.0-beta2
v0.103.0-beta1
v0.102.0
v0.101.0
v0.100.9
v0.100.8
v0.100.7
v0.100.6
v0.100.5
v0.100.4
v0.100.3
v0.100.2
v0.100.1
v0.100.0
v0.99.3
v0.99.2
v0.99.1
v0.99.0
v0.98.1
v0.98.0
v0.97.1
v0.97.0
v0.96-hotfix
v0.96
v0.95-hotfix
v0.95
v0.94
v0.93
v0.92-hotfix2
v0.92-hotfix1
v0.92
v0.91
v0.9-hotfix1
v0.9
v0.1
Labels
Clear labels   
P1: Critical

   
P2: High

   
P3: Medium

   
P4: Low

   
UI

   
bug

   
cannot reproduce

   
compatibility

   
dependencies

   
docker

   
documentation

   
duplicate

   
enhancement

   
enhancement

   
external libs

   
feature request

   
good first issue

   
help wanted

   
infrastructure

   
invalid

   
localization

   
needs investigation

   
performance

   
potential-duplicate

   
question

   
recurrent

   
research

   
snap

   
waiting for data

   
wontfix
No labels
P1: Critical
P2: High
P3: Medium
P4: Low
UI
bug
cannot reproduce
compatibility
dependencies
docker
documentation
duplicate
enhancement
enhancement
external libs
feature request
good first issue
help wanted
infrastructure
invalid
localization
needs investigation
performance
potential-duplicate
question
recurrent
research
snap
waiting for data
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/AdGuardHome#3070
No description provided.