惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园_首页
Microsoft Security Blog
Microsoft Security Blog
云风的 BLOG
云风的 BLOG
B
Blog
The Register - Security
The Register - Security
L
LangChain Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
N
Netflix TechBlog - Medium
F
Full Disclosure
The GitHub Blog
The GitHub Blog
Recorded Future
Recorded Future
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
Blog — PlanetScale
Blog — PlanetScale
Jina AI
Jina AI
美团技术团队
宝玉的分享
宝玉的分享
Hugging Face - Blog
Hugging Face - Blog
阮一峰的网络日志
阮一峰的网络日志
G
Google Developers Blog
大猫的无限游戏
大猫的无限游戏
S
SegmentFault 最新的问题
D
DataBreaches.Net
Martin Fowler
Martin Fowler
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Google DeepMind News
Google DeepMind News
WordPress大学
WordPress大学
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - Franky
The Cloudflare Blog
博客园 - 【当耐特】
U
Unit 42
月光博客
月光博客
T
The Blog of Author Tim Ferriss
博客园 - 叶小钗
博客园 - 聂微东
I
InfoQ
B
Blog RSS Feed
Apple Machine Learning Research
Apple Machine Learning Research
Cyberwarzone
Cyberwarzone
V
V2EX
S
Securelist
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
S
Security @ Cisco Blogs
PCI Perspectives
PCI Perspectives
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
H
Heimdal Security Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Hacker News
The Hacker News
D
Darknet – Hacking Tools, Hacker News & Cyber Security
T
Tor Project blog

HN's home page

Rainbow Query Language | Hacker News Exec into Node via Kubectl An AI native hedge fund The Seven-Action Documentation Model | Hacker News Package Manager for Kubectl Plugins Tongan Castaways | Hacker News Tech overlords plan for conscious AI to conquer the cosmos. What could go wrong? Data Breach Disclosure Lag Is Getting Worse How LLMs Work | Hacker News I Dropped PRDs for Shape Up Go Experiments Explained | Hacker News FCA's Palantir deal could expose UK financial data to Trump's US, critics fear WebXR BCI for Neural-Adaptive Avatar Control in Mixed Reality The first murder conviction via DNA analysis Tom Interviews Theo de Raadt of the OpenBSD Project (2019) [video] Show HN: Replace shell commands with bun shell typescript scripts Quay.io Is Down | Hacker News AI driven analysis of brokerage account fees in the UK Bill Gates Spent Years Crafting His Image. Now It's Cracking Using LLMs to secure source code Wi-Fi 8 in the Lab [video] The household battery revolution that could change energy bills and the world Is Python Becoming Pinyin? | Hacker News Livia – Executive Assistant | Hacker News FindMyPipe – Query Apple Find My from Linux for AI Agents Show HN: Agent skill for creating product launch videos with Remotion RecruitMyself – AI job search copilot for resumes and applications AI coding agents and the erosion of system understanding The 'Resting' Generation and South Korea's Youth Recession AMD Computex 2026: 10 Years of AM4, AM5 Support Through 2029 Docker Networking Explained | Hacker News Textbooks in Tokenland | Hacker News Key Chemistry Question Answered, No Quantum Computer Required Gifts For Retrocomputing Fans – remix yesterday's tech with a modern spin Miscellany № 49: introducing the quasiquote – Shady Characters Amazon Thinks the Future of Data Centers Is a Technical Problem It Just Solved A brief history of the UUID (2017) Flying High Unpressurized (2016) | Hacker News Five Years of Trying to Add Recursion to Lychee How British comfort food won over the French Blorp Language | Hacker News Decache – you might have the internet's lost media in your PC's cache folders Criminal Activities and Migration | Hacker News A free, open-source library of DESIGN.md files for AI-generated UIs MiniMax M3 | Hacker News People are apparently farming citations on ResearchGate – Chuniversiteit Hacker News Basketeer – a typed TS SDK for your Tesco account, with nutrition data 'Penguin' decays from CERN's Large Hadron Collider experiment hint new physics Emergence World: A Laboratory for Evaluating Long-Horizon Agent Autonomy Homebrew lead Mike McQuaid: Sandboxes and Worktrees - My Secure Agentic AI Setup Lean, Not Backpressure | Hacker News AI Dangers Eclipse Nuclear Weapons at Singapore Defense Forum Open source analytics that answers backbase How turkey hacked the hair-transplant industry How GPT Image 2 Is Transforming Marketing Workflows in 2026 Improve Git monorepo performance with a file system monitor Strava for Claude Code MiniMax M3 on Qubrid AI There's Something Else We Should Be Worrying About Celebrity Profile of an A.I. Actress What Is Windows K2? | Hacker News AI is devoid of meaning and humanity. Its vapid voice suits the political moment Show HN: Interpreto – Live Translation for Travel Taxicab Geometry Sealed classes and interfaces in Java (2025) Show HNs | Hacker News My AI Skill Edited This Video That Explains My AI Skill – Arcturus Labs Amazon Pinpoint End of Support The Mystery of the Backward Index MP/M's Process Dispatcher SlimTide Reviews: A Modern Solution for Metabolism and Energy Learning Lustre: Type-safe front end development with gleam Thomas Mann: Goethe Heartened by Panama (As Suez for English, or Danube-Rhine) How to make Message Log of the Unreal Engine 100 times faster Sum-product, unit distances, and number fields Can Meta Buy Belief? | Hacker News Twenty Years of Bigtable | Hacker News Show HN: Combine WigglyPaint GIFs into Video Show HN: AgentThreatBench – Benchmark for AI Agent Memory Security Genius Spotted in the Wild Napkins: Where Ethernet, Compaq and Facebook’s cool data center got their starts (2011) Moderate caffein use alters sleep-related EEG Nvidia Announces RTX Spark | Hacker News Show HN: Ministry of Everything – CLI agent harness for a single operator CEOs blame AI for layoffs, MIT prof says it fits a pattern to find cover story Bugs I didn't expect while building a zsh cleanup script for macOS dev machines Nvidia jumps into PCs with new chip debuting in laptops from Microsoft, Dell, HP Nvidia unveils PC 'superchip' in challenge to Apple and Intel Show HN: Having fun making mini static site apps Synthea API: Create Synthetic Medical Records as a Service Berkshire Hathaway to buy Taylor Morrison for $6.8B in cash The most complex model we understand [video] SanDisk stock is +4,440.53% in the past year Driftwm: What if your window manager worked like a whiteboard? US Immigration enforcement looks into buying ad data AI Is Creating More Work for Australia's Workplace Tribunal Finding New Biblical Cross-References with Codex Glide: A tiling window manager for macOS Ultra-highly efficient enrichment of uranium from seawater via studtite nanodots (2024)
Choosing a Public DNS Resolver
pawal · 2026-06-28 · via HN's home page

Every time that this comes up, be it a general list like this or someone announcing a new service, my reaction, and that that I see of surprisingly many other people on Hacker News, is fairly unmoved. I've run my own proxy DNS service for about a quarter of a century at this point, using three different sets of softwares on six different operating systems, and every single point on the filter tab is something that I can (and do) just do for myself.

The list is not so much interesting for the options that it presents, as far as I am concerned, but for the things that it reveals. Every single entry that is explicitly marked 'China' also has 'operates under Chinese regulations'; which is, in 2026, something that is of concern for more than just the Chinese entries on the list, to people on my continent for starters.

'Run by one individual in Denmark.' is an interesting statement of bus factor, but I don't think that all of the other entries should be assumed to be better just because they are mute on the point. There's far less information about who is behind DNS.Watch than there is about Thomas Steen Rasmussen. And it appears that DNS.Watch went off the air at least once in recent years, so it is a legitimate concern.

Then there are all sorts of things not on this list that might matter to people, such as Quad101 looking like it has geographic restrictions on whom it is available to and Gcore being an AI company.


> 'Run by one individual in Denmark.' is an interesting statement of bus factor

I find it more interesting as a statement about organizational oversight. If there are multiple people involved in operations, they can keep an eye on each other and speak up if they see anything weird going on (e.g. a DNS resolver implementing selective logging or interfering with results). If there's only one person running the show, there's no one to call them out.

(And if you're thinking, "but so-and-so is a principled person, they would never do anything like that" - pressure from law enforcement can be a powerful thing.)


I set up my own resolver about 2 years ago, and it has just worked. Never once had an issue.


Does anyone have advice on how to use public wifi alongside DNS resolver?

Many public wifi network works need you to use their DNS, so they can redirect you to a gated "accept ToS" screen (and may even require re-approval every 30-60 minutes).

To resolve the issue is so frustrating:

1. realize the internet stopped working 2. ping google.com, wait for timeouts to show up. 3. try to guess if its a ISP issue, but then realize the wifi probably timed out. 4. Switch the dns. Flush DNS. 5. try to access a non-TLS domain 6. approve the gate 7. switch the DNS back

There has to be something that manages this


On macOS, you might be able to use /etc/resolver to fix this:

  sudo sh -c 'echo "nameserver 192.168.1.1" > /etc/resolver/captive.apple.com'

I did this for an internal website at my university that could only be resolved using the network name server. It just occurred to me that it might also work for the URL macOS uses to detect captive portals. We'll have to see if it works the next time I'm at a café.


prefer this form:

    echo "nameserver 192.168.1.1" | sudo tee /etc/resolver/captive.apple.com

For macOS and iOS, you can create a profile to configure which DNS server you want to use at all times (including across different Wi-Fi networks and mobile data). See:

https://doh.lvv.me/

That’s what I’ve been using for years and never had any issues with public hotspots.


This is something your OS should handle as part of the OS's support for captive portals. I'd recommend contacting your OS's creator about this and filing a bug.


Happy NextDNS user. Lots of configurability, including which filterlists to enable, configurable logging etc.

Plus it’s reliable and fast from basically anywhere (which is harder to achieve if I ran my own resolvers in the cloud, and anyway I don’t want to have to maintain that).


I use Unbound locally as a DoH server. The Alpine Linux Unbound package is compiled with libnghttp2, required for the built in DoH listener. That's more than enough to enable ECH [1].

I pre-cache all the domains I use hourly via cron. My ISP is not going to dork with my DNS requests and their employees are bigger deviants than I. If I ever started browsing the web from a phone I would just set up my own public DoH server. It only takes a few minutes and gives me my own query logs for debugging weird issues.

[1] - https://tls-ech.dev/


I use my own public powerdns dnsdist and recurser/authoritave instances for DoH, DoT, DoQ, TCP and UDP now for ~3 years. Setup took some time, because i used bind, unbound and dnsmasq before. It's super stable and i can also use it on my mobile or legacy devices and as resolver in unbound, adguard/dnsproxy or just in my local resolve.conf.


To be honest, there’s no way to prevent others from using my DNS server without putting it behind a VPN or in any other non-public network. Also you can do port-knocking or something, but that's not rely authentication. However, I'm not aware of any authentication mechanisms in DNS. That would also cause performance to plummet. If you use a VPN or something, in turn, would mean you'd have to rely on someone else's DNS infrastructure. So I don't have any of this and its public.

The good thing about dnsdist is that it acts as a sort of load balancer for DNS queries and offers features such as dynamic blocking (including via eBpf) at the IP level and rules and rate limits for query types you can combine. Therefore, there are no limits (or very open limits) for all query types from whitelisted IPs, and stricter rules for all others. IPset and GeoIP banning of known malicious IPs and regions (using block-lists) also keeps the footprint of "unwanted" use very, very small.


Why pre-cache? For speed... what is it, 30-50ms at most? If the authoritative server's TTL is <60minutes, do you force it to 3600? Do you audit all the connections that occur for every website you visit, collect all the domains hosting assets, and pre-cache those as well, or is the main site's domain the only critical one because that affects perceived latency the most?


I pre-cache for speed, verifying records that have expired since I retain the expired records for sites that have intermittent DNS issues and also to throw in domains that I do not use in the off chance someone is logging where I go and when. They will see the Cloudflare top 20K domains hourly. Myself and family members have been able to access sites when others around the internet can not due to infrastructure related DNS problems. In other words, when others will say "It's always DNS" for myself and family members that is rarely the case as DNS records do not change as often as people seem to think they do.


When all the authoritative servers support TLS I can enable TLS outbound but very few of them do at the moment. At some point someone is decrypting, turtles all the way down. I could of course just do DoT to another instance of Unbound somewhere else but I do not need to do that as my ISP does not care about my queries. I used to keep standby DoT Unbound servers around but I have never once seen a US ISP tinker with my traffic. If they did I would put up billboards saying they what they are doing.


There is a bunch of public dnscrypt servers to which your client can randomly fan out encrypted queries.


Unbound has "prefetch" which will refresh near-expired cached records, and various other cache/ttl knobs. "serve-expired" seemed to work well too


I was thinking that if you preload your 50k list and override the min-ttl, the prefetch would let you relax the cron schedule a little


I could but I like to run everything in cron hourly to force trigger the retry mechanisms on the expired records and make a bunch of noise so that my network always looks active.

It's just a "me" thing. Others can and should do whatever they think will work for them. If everyone does this a little different that is probably best.


> I pre-cache all the domains I use hourly via cron.

How does this look? Shell script querying a list of hostnames? What qualifies as a domain you use?


It would be nice if a site like this could offer a basic speed comparison test to your local network.

Imagine seeing response times at P90 for a series of random lookups and comparing the median response times.


I run an instance of smokeping locally for this purpose. It pings a variety of DNS servers (including my ISPs DNS) and several of the top websites. I periodically update my local DNS server’s upstream accordingly.

All the big DNS servers are in the 5-6ms range for me, but that hasn’t always been the case. My ISPs DNS is about the same but with crazy variance and spikes of up to 50ms, even though they should be able to be the fastest.


quad9 seems fine. Glad there are a bunch of alternatives though. We should never stop practicing decentralization in the net.


Be cautious with Quad9; their main address (9.9.9.9) has a "malware" blacklist that has misfired several times already: twice for a private torrent tracker, once for gist.github.com, issue was resolved within minutes to hours. They have a non-filtered address (9.9.9.10), but it doesn't do DNSSEC verification. IMO they're too unreliable to be worth the hassle.


Was about to comment this. I actually don't like advert or malware blocking on my public DNS resolvers. It sounds cool but annoying when it misfires.

Once Quad9 blocked Halo MCC XBOX Live -> Steam achievements, several fileshare services (probably used for malware somewhere but not my usage) etc...

1.1.1.1 blocked archive.is or got blocked by them or something...

Gone back to Google DNS (gasp) for now, yes as a European... no blocking, fast, never goes down.


I believe cloudflare only blocked archive.is on their "Families" filtered dns. I've been using their normal 1.1.1.1 and haven't encountered any blocks.


I always just set up root recursors at my home and other locations. I've never noticed any downside.


Same. I’ve been running my own caching DNS servers since my earliest home network, dating back almost 30 years.


The downside is obviously that uncached queries take much longer (adding >100ms) and more queries are uncached since you can't share the cache with a large user-base. Unless you just visit the same websites over and over again, this results in worse overall performance.


I've never felt this. Most large services run or delegate to anycast DNS services.

If you have knowledge of TCP, you know you will occasionally get stalls much greater than that beyond control.


Versus letting a singular entity snoop everything? If you actually open a connection to the result what is the difference? The only way to fully deal with all that is an overlay or mixnets.


the _one_ downside i've seen is on an airplane serviced by Starlink: UDP was extremely lossy to the point that whatever recursive resolver i was using at the time would mark half of all nameservers it saw as "unhealthy" and start returning NXDOMAINs to the clients before even trying to hit the authoritative NS.


Should add one more filter: EDNS client subnets.

Some like cloudflare doesn’t support that in the name of privacy.

EDNS lets the dns server of the site you are visiting know from where you are connecting and can give you the closest server. 1.1.1.1 does not do that. This breaks all sorts of ISP cache and peering arrangements.

Here’s an example: My ISP’s google global cache is broken every time I use cloudflare. With google dns, opendns, isp’s own dns I get my ISP’s own ip address for the domain “googlevideo.com” which is where youtube videos load from. With cloudflare dns I get an ip address of an actual google server which may or may not be in my country. Result: my downloads from google drive/youtube/play store all are faster with a dns server with proper EDNS support.

Now imagine this on a global scale for smaller websites, your request might go to a different continent.

I understand the product decision for cloudflare and I don’t want them to change but this is something people should know about. There are numerous reports on their forums which are always locked with no activity.

I am not saying it’s a conspiracy but this doesn’t affect sites on cloudflare btw due to their global anycast routing/infra setup which I don’t know enough to explain.


Shame there is no client subnet filter. I've had issues in the past with various websites when using resolvers that don't add that hint.


Most important and super privacy/security related topic: DNS. Instead of choosing a public one. Host your own infrastructure. You don't need public instances. Just run ADGUARD or unbound/dnsmasq/dnsdist in recursive mode on your router or machine. And you can set limits and block-lists to your needs.


Do you mean when communicating directly with a root DNS server over unencrypted UDP or TCP? You're right. There's currently no universal way to encrypt direct queries to root DNS servers. To work around this, the best approach is to host your own public DNS server outside your untrusted ISPs network and connect to it securely using DoH, DoQ, or DoT. Alternatively, you can rely on a trusted third-party public DNS provider that supports encrypted connections. In the end, there's no perfect solution. You have to choose who to trust. Personally, I trust my ISP more than external DNS providers. For anonymity you could route your DNS root queries throe tor or a VPN for the cost of performance.


Google's AI Mode was pretty effective at solving it. I'm impressed. I just copied and pasted the two lines.


Random, but I don't understand why anyone would choose a "block ads and trackers" DNS server as a default.

Even if it's configuring something for boomer family, that sounds like a recipe for "why is this website not working"?


Because it is very useful on mobile. App typically use an advertising SDK for their monetisation, which means we can BLOCK THEM ALLLLLLL


Because to me even as an IT person it sounds like a good idea on the surface. To have no connections to/form ads, malware, c2.

But yes, then you happen upon your first false positive.

And you switch back to a non filtered DNS OR one that you can whitelist or control, still annoying.


unfortunately many DNS resolvers are integrated with CDNs. I do want privacy of an independent non-tracking DNS but I also want my video streaming work fast. :(


What does it mean for a DNS resolver to be "integrated with CDNs"? And why does that affect streaming speed negatively?


Some CDNs (like Cloudflare) use solely BGP anycast steering for routing to the "nearest" server. Other CDNs (like Akamai, Fastly, Netflix, and YouTube) use a hybrid BGP-DNS steering because some ISPs have extremely questionable routing practices.

Unfortunately, if the CDN only rely on BGP steering (or conversely if you are a user who is stuck on an ISP monopoly), there are cases where this is not necessarily the nearest network-wise (or performant network-wise) if there are peering disputes. If the said ISP is a virtual monopoly or (worse) state-sanctioned to collect network "toll fees" (like in South Korea), non-preferred and international routes are (intentionally) congested.*

If you use a third-party DNS, you basically lose this DNS optimization, and ECS does not fully solve this (because sometimes the DNS override are placed only on the ISP's recursive DNS servers). You're basically in a lose-lose position: either use third-party servers and the IP addresses served to you on popular CDNs are in the congested path, or use the often-unreliable and heavily-logged ISP-provided DNS.

* Usually. There are exceptions, but this comment is just a simplification of the complexities of real-life networking (where RFCs and mutual cooperation die out without fanfare).

Edit for further reading: DNS is the new BGP by Geoff Huston of APNIC (https://ispcol.potaroo.net/2023-09/service-routing.html), How LinkedIn used PoPs and RUM to make dynamic content download 25% faster from the old LinkedIn engineering team (Archived at https://web.archive.org/web/20160310065302/https://engineeri...), Wikimedia's mapping of their CDNs (https://gerrit.wikimedia.org/r/plugins/gitiles/operations/dn...)


I would be curious if you could provide any examples for the issues you cite. They sound plausible to me, especially around peering disputes or in various Asia countries, but I wonder how in practice this looks in like a traceroute for the amount of added latency etc.

I would suspect some of non-optimized scenarios are eyeball network operator decisions on their networks that DNS providers and others do not have much control over. Like, Cloudflare resolves an IP that is closest to them, which is likely also the closest to the end user (and the eyeball ISP), but the eyeball ISP BGP path to that resolved IP takes a roundabout path because of their own BGP policy because $reasons.


I use 9.9.9.9 but it failed me a couple of times in the past two months. Cloudflare is very robust but I just don't like them. Falling back on them silently is not what I want. I am rather using them directly when quad9 fails.