TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

67% Positive

Analyzed from 688 words in the discussion.

Trending Topics

#dns#list#domains#cache#every#pre#own#unbound#server#records

Discussion (18 Comments)Read Original on HackerNews

JdeBP38 minutes ago
Every time that this comes up, be it a general list like this or someone announcing a new service, my reaction, and that that I see of surprisingly many other people on Hacker News, is fairly unmoved. I've run my own proxy DNS service for about a quarter of a century at this point, using three different sets of softwares on six different operating systems, and every single point on the filter tab is something that I can (and do) just do for myself.

The list is not so much interesting for the options that it presents, as far as I am concerned, but for the things that it reveals. Every single entry that is explicitly marked 'China' also has 'operates under Chinese regulations'; which is, in 2026, something that is of concern for more than just the Chinese entries on the list, to people on my continent for starters.

'Run by one individual in Denmark.' is an interesting statement of bus factor, but I don't think that all of the other entries should be assumed to be better just because they are mute on the point. There's far less information about who is behind DNS.Watch than there is about Thomas Steen Rasmussen. And it appears that DNS.Watch went off the air at least once in recent years, so it is a legitimate concern.

Then there are all sorts of things not on this list that might matter to people, such as Quad101 looking like it has geographic restrictions on whom it is available to and Gcore being an AI company.

Benderabout 2 hours ago
I use Unbound locally as a DoH server. The Alpine Linux Unbound package is compiled with libnghttp2, required for the built in DoH listener. That's more than enough to enable ECH [1].

I pre-cache all the domains I use hourly via cron. My ISP is not going to dork with my DNS requests and their employees are bigger deviants than I. If I ever started browsing the web from a phone I would just set up my own public DoH server. It only takes a few minutes and gives me my own query logs for debugging weird issues.

[1] - https://tls-ech.dev/

harshrealityabout 1 hour ago
Why pre-cache? For speed... what is it, 30-50ms at most? If the authoritative server's TTL is <60minutes, do you force it to 3600? Do you audit all the connections that occur for every website you visit, collect all the domains hosting assets, and pre-cache those as well, or is the main site's domain the only critical one because that affects perceived latency the most?
Benderabout 1 hour ago
I pre-cache for speed, verifying records that have expired since I retain the expired records for sites that have intermittent DNS issues and also to throw in domains that I do not use in the off chance someone is logging where I go and when. They will see the Cloudflare top 20K domains hourly. Myself and family members have been able to access sites when others around the internet can not due to infrastructure related DNS problems. In other words, when others will say "It's always DNS" for myself and family members that is rarely the case as DNS records do not change as often as people seem to think they do.
abcdefg12about 1 hour ago
Or you could use dnscrypt so ISP doesn’t see your lookups at all
peteeabout 1 hour ago
Unbound has "prefetch" which will refresh near-expired cached records, and various other cache/ttl knobs. "serve-expired" seemed to work well too
Benderabout 1 hour ago
I use both of those as well in Unbound.
petee38 minutes ago
I was thinking that if you preload your 50k list and override the min-ttl, the prefetch would let you relax the cron schedule a little
kingo55about 1 hour ago
> I pre-cache all the domains I use hourly via cron.

How does this look? Shell script querying a list of hostnames? What qualifies as a domain you use?

Benderabout 1 hour ago
It looks like this [1] I enable query logging to a tmpfs RAM disk and then every month I update a list of domains that I have queries more than {n} times. I mix that in with a list of the Cloudflare top 20K domains after removing the broken ones.

[1] - https://nochan.net/b/Internet-Crap/20260602-Set-Up-Your-Own-...

kingo55about 1 hour ago
It would be nice if a site like this could offer a basic speed comparison test to your local network.

Imagine seeing response times at P90 for a series of random lookups and comparing the median response times.

snailmailmanabout 1 hour ago
I run an instance of smokeping locally for this purpose. It pings a variety of DNS servers (including my ISPs DNS) and several of the top websites. I periodically update my local DNS server’s upstream accordingly.

All the big DNS servers are in the 5-6ms range for me, but that hasn’t always been the case. My ISPs DNS is about the same but with crazy variance and spikes of up to 50ms, even though they should be able to be the fastest.

_defabout 2 hours ago
quad9 seems fine. Glad there are a bunch of alternatives though. We should never stop practicing decentralization in the net.
mzajc19 minutes ago
Be cautious with Quad9; their main address (9.9.9.9) has a "malware" blacklist that has misfired several times already: twice for a private torrent tracker, once for gist.github.com, issue was resolved within minutes to hours. They have a non-filtered address (9.9.9.10), but it doesn't do DNSSEC verification. IMO they're too unreliable to be worth the hassle.
degenerateabout 2 hours ago
9.9.9.9 with 1.1.1.1 as secondary
denkmoonabout 2 hours ago
9.9.9.9 is all you need