Monday, August 12, 2024

Pi-Hole vs Control D or NextDNS on a home router

Testing the performance of a Pi-Hole vs NextDNS or Control D on a home router.

The Pi-Hole was running on a Raspberry Pi 3 B+ and the router is a Synology RT2600ac.

The short summary (TLDR)

1) Fastest Performance: Pi-Hole

2) NextDNS and Control D are much easier to set up and maintain than a Pi-Hole.

3) If you are happy with base level functionality and ad blocking, Control D and NextDNS perform similarly.

4) If you want advanced features you need to install the Control D or NextDNS app (daemon or service) directly on your router. NextDNS’s app was MUCH faster than Control D’s in my setup. But we are still talking about small pieces of time, and that difference may not be noticeable.

5) The NextDNS daemon supports local caching, a big speed advantage. (edit: it has been brought to my attention that the Control D daemon can be configured to support caching. But I could not get the config file to work.)

6) Control D offers some “traffic redirection” features that may allow you to pretend you are in a different region of the world (possibly useful for foreign streaming websites and television).

7) The NextDNS web control panel is much easier to use than the current Control D web panel. Control D claims it is because of all the added features… and that is partially correct but I also think it’s an overly complicated design. I did see some hints that a new UI for Control D is coming.

The long story and testing

I’ve been happily using a Pi-Hole on our home network for the last 5 years. Pi-Hole is a DNS server application that blocks advertisements on your network. For us, that blocks ads on our phone, computers and even some of the ads in our TV’s menus. I ran the Pi-Hole on a Raspberry Pi and recently the SD card in the Pi failed. After I got the network back up and running I decided to investigate some other ways to block advertisements on our home network.

My first option was to just get a new SD card for the Raspberry Pi and set that up as a Pi-Hole again. However, the Pi-Hole does require occasional maintenance. You should keep the Raspberry Pi OS and Pi-Hole package updated. And of course, it is another box hooked up to the home network.

The second and third options, Control D and NextDNS, are DNS services that you can set up on your router in place of the default DNS servers suggested by your Internet Service Provider. Note that some ISPs do not allow you to change your DNS easily… I think this is because they want to watch your traffic! There are ways around this, like using your own router instead of the one provided by your ISP. I really recommend doing that.

Two ways to use Control D or NextDNS

1) Manually configure the router to use the Control D or NextDNS servers. That is done by entering the appropriate IP addresses into the router’s menus as your preferred and alternate DNS.

2) Install an app or daemon on the router that will automatically take over the DNS functions on the router*. This provides more features but requires a bit more expertise and maintenance.

*To use the Control D or NextDNS app you need a router that runs Linux, like one of the Synology routers or some Ubiquiti routers. (My home router is a Synology RT2600ac.) You can also use routers running “alternative” or open source firmware like Merlin, Fresh Tomato, pfSense, etc. Check the Control D or NextDNS sites to make sure you choose a compatible router!

Testing

Many people “ping” their DNS server to test its response time. In my opinion, this is a waste of time. “Ping” does not test the lookup time at all. Also, pinging the DNS server does not test the speed of any software installed to do DNS on your router! A better way is to use “dig”. However, even then you need a bunch of digs to get enough samples to average out the results. So instead:

I used Steve Gibson’s “DNS Benchmark” software to test how stuff worked. I also did some testing from the command line with “dig”. I am on AT&T’s fiber 1 Gbps service.
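The dig-based approach described above, as an added example (this is not code from the post, from Gibson's DNS Benchmark, or from any of the DNS providers): it runs dig repeatedly against each resolver, parses the "Query time" dig reports, and averages the results, split into the same three scenarios the charts use. The split is my approximation of how the benchmark tool distinguishes them: "cached" repeats one name so the resolver answers from its cache, "uncached" asks for a random label under a domain so no cache can hold it, and "dotcom" asks for a random .com name so the .com TLD lookup path is exercised. It assumes dig (BIND dnsutils) is on PATH; the resolver IPs are the ones from this post, and example.com and the round count are placeholders to replace with your own. The sample dig output used for the offline check is constructed.

```python
"""Average DNS lookup latency with repeated dig queries.

Added example, not from the original post. Assumes dig is installed.
Resolver IPs below are the ones from the post; the domain is a placeholder.
"""
import re
import shutil
import statistics
import subprocess
import uuid

# dig prints a line like ";; Query time: 23 msec" after every answer
QUERY_TIME_RE = re.compile(r";; Query time: (\d+) msec")

# Constructed sample of dig output, used for the offline self-check only.
SAMPLE_DIG_OUTPUT = """; <<>> DiG 9.18.0 <<>> @192.168.77.100 example.com
;; ANSWER SECTION:
example.com.\t3600\tIN\tA\t93.184.216.34

;; Query time: 23 msec
;; SERVER: 192.168.77.100#53(192.168.77.100) (UDP)
"""


def parse_query_time(dig_output):
    """Return the reported query time in milliseconds, or None on a failed lookup."""
    m = QUERY_TIME_RE.search(dig_output)
    return int(m.group(1)) if m else None


def summarize(times_ms):
    """Mean, median and max of a series, ignoring lookups that returned None."""
    valid = [t for t in times_ms if t is not None]
    if not valid:
        return {"n": 0, "mean": None, "median": None, "max": None}
    return {
        "n": len(valid),
        "mean": round(statistics.mean(valid), 1),
        "median": statistics.median(valid),
        "max": max(valid),
    }


def dig_once(server, name, timeout=2):
    """Run one dig query for `name` against `server`; return ms or None."""
    cmd = ["dig", f"@{server}", name, "+tries=1", f"+time={timeout}"]
    try:
        out = subprocess.run(
            cmd, capture_output=True, text=True, timeout=timeout + 1
        ).stdout
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return None
    return parse_query_time(out)


def benchmark(server, domain, rounds=10):
    """Three series per resolver, each averaged over `rounds` queries:
    cached   - the same name repeated, so the resolver answers from cache
    uncached - a random label under `domain`, which no cache can already hold
    dotcom   - a random .com name, exercising the .com TLD lookup path
    """
    dig_once(server, domain)  # warm the cache so 'cached' measures hits only
    random_label = lambda: uuid.uuid4().hex[:12]
    return {
        "cached": summarize([dig_once(server, domain) for _ in range(rounds)]),
        "uncached": summarize(
            [dig_once(server, f"{random_label()}.{domain}") for _ in range(rounds)]
        ),
        "dotcom": summarize(
            [dig_once(server, f"{random_label()}.com") for _ in range(rounds)]
        ),
    }


if __name__ == "__main__":
    if shutil.which("dig") is None:
        raise SystemExit("dig not found; install BIND's dnsutils first")
    # Router, Pi-Hole and Cloudflare, as in the post; substitute your own.
    for resolver in ("192.168.77.1", "192.168.77.100", "1.1.1.1"):
        print(resolver, benchmark(resolver, "example.com"))
```

Run it from a machine on the LAN rather than on the router itself, so the numbers include the same hop your clients see. Bumping `rounds` up smooths out one-off spikes like the Quad9 result mentioned later, and comparing the median against the mean shows whether a slow average is caused by a few outliers or by consistently slow lookups.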

About the charts

These are the three local DNS servers on my network:

192.168.77.1 < This is my home router, a Synology RT2600ac
192.168.77.100 < This is my Pi-Hole, configured to use google’s DNS (8.8.8.8) and Steven Black’s ad list.
192.168.1.254 < This is the “router” provided by my service provider AT&T.

Other servers I used in testing:

1.1.1.1 cloudflare
8.8.8.8 dns.google
9.9.9.9 dns9.quad9.net
12.127.16.67 rmtu.mt.rs.els-gms.att.net
12.127.17.71 dns-rs1.bgtmo.ip.att.net
76.76.2.0 p0.freedns.controld.com unfiltered
76.76.10.0 s0.freedns.controld.com unfiltered
76.76.2.2 p2.freedns.controld.com ads-tracking
76.76.10.2 s2.freedns.controld.com ads-tracking
76.76.2.35 controld x-stevenblack
76.76.10.35 controld x-stevenblack
45.90.28.0 dns1.nextdns.io
45.90.28.135 dns1.nextdns.io
45.90.30.0 dns2.nextdns.io
45.90.30.135 dns2.nextdns.io

The scale changes from chart to chart, but note that the vertical gray dashed lines are at every 20 milliseconds.

Red bar = cached
Green bar = uncached
Blue bar = dotcom

All the charts are sorted by cached performance (the red bars).

First, let's try a fairly normal configuration using Cloudflare for DNS as a baseline.

With 1.1.1.1 set directly in the router menus, look at my router, 192.168.77.1. Its performance using 1.1.1.1 is very similar to hitting 1.1.1.1 or any of the other servers directly. But note that the cached performance of the Pi-Hole (.100) and the AT&T router (.254) is far better because of their local caching.

I don’t know what happened to Quad 9 (9.9.9.9) above. Maybe just a bad moment for them.

Now let’s try with the Control D server set in the router menus.

The scale moved compared to the last chart, but Control D performed very well. I set Control D to use Steven Black’s ad list. You can see the performance (192.168.77.1) is very similar to hitting the external servers directly. But of course the local caching of the Pi-Hole (.100) remains far superior.

Then I tested Control D’s daemon, ctrld, installed on the router.

Again, it is set up to use Steven Black’s ad list. The ctrld daemon is not easily configured to do local caching*. And the performance of the router running ctrld (192.168.77.1) is significantly slower than hitting the servers directly. The vertical dashed lines are at 20 milliseconds, so you can see the cached performance is about 20ms, about double hitting the servers directly. The uncached (green) and dotcom (blue) responses are also significantly slower than any other option.

I discussed the poor performance of the ctrld daemon with Control D. The issue may be that the router is still running dnsmasq while ctrld runs on a different port. This started to get hard for me to debug any further, but maybe they will choose to fix this issue. You can see the details on the ctrld GitHub if you wish.

Comparing the daemons from NextDNS vs Control D

I did like the extra features that come with running a daemon directly on the router. So I decided to see whether NextDNS’s daemon performed better than the one from Control D. And the result was a very pleasant surprise!

First I ran the Control D daemon again. You can see its relatively poor performance again (192.168.77.1). Also Quad 9 (9.9.9.9) has a very poor showing.


But then I installed the daemon from NextDNS. During installation it asked if I wanted to turn on caching, and of course I selected yes! Running the test, of course the NextDNS cached performance was great (192.168.77.1). But the uncached (green) and dotcom (blue) responses are also good. The uncached was a bit longer than directly hitting some of the other DNS, but not excessively so.

So for me, the NextDNS daemon was the winner.

It does caching, which is a big advantage. And it is significantly faster.

From Gibson's DNS Benchmark tool:
(response times in seconds)

              ctrld daemon    nextdns daemon
cached        .022            .000             (obviously a locally cached response is much faster*)
uncached      .058            .050             (similar)
dotcom        .024            .010             (nextdns is way faster)

But, if you don't use the daemon... both Control D and NextDNS are good.

I will note that I did not test NextDNS configured manually in the router menus, as I wasn’t interested in that option. But I expect its performance would have been very similar to Control D configured the same way. If you are just using Control D or NextDNS servers manually configured in the router menus, speed is probably not a big factor in the choice.

* It has been brought to my attention that the Control D daemon can be configured to support caching. But I could not get the config file to work with my router.
