Hacker Neue

Preferences
homebrewer parent
This is a good time to mention that dnsmasq lets you setup several DNS servers, and can race them. The first responder wins. You won't ever notice one of the services being down:

  all-servers
  server=8.8.8.8
  server=9.9.9.9
  server=1.1.1.1
anthonyryan1
Additionally, as long as you don't set strict-order, dnsmasq will automatically use all-servers for retries.

If you were using systemd-resolved however, it retries all servers in the order they were specified, so it's important to interleave upstreams.

Using the servers in the above example, and assuming IPv4 + IPv6:

    1.1.1.1
    2001:4860:4860::8888
    9.9.9.9
    2606:4700:4700::1111
    8.8.8.8
    2620:fe::fe
    1.0.0.1
    2001:4860:4860::8844
    149.112.112.112
    2606:4700:4700::1001
    8.8.4.4
    2620:fe::9
will failover faster and more successfully on systemd-resolved, than if you specify all Cloudflare IPs together, then all Google IPs, etc.

Also note that Quad9 is default filtering on this IP while the other two or not, so you could get intermittent differences in resolution behavior. If this is a problem, don't mix filtered and unfiltered resolvers. You definitely shouldn't mix DNSSEC validatng and not DNSSEC validating resolvers if you care about that (all of the above are DNSSEC validating).

matthewtse
wow good tip

I was handling an incident due to this outage. I ended up adding Google DNS resolvers using systemd-resolved, but I didn't think to interleave them!

whitehexagon
That sounds good in principle, but is there a more private configuration that doesnt send DNS resolutions to cloudfare, google et al. ie. avoid BigTech tracking, and not wanting DOH.

dnsmasq with a list of smaller trusted DNS providers sounds perfect, as long as it is not considered bad etiquette to spam multiple DNS providers for every resolution?

But where to find a trusted list of privacy focused DNS resolvers. The couple I tried from random internet advice seemed unstable.

agolliver
There are no good private DNS configurations, but if you don't trust the big caching recursive resolvers then I'd consider just running your own at home. Unbound is easy to set up and you'll probably never notice a speed difference.
hdgvhicv
I trust my isp far more than I trust cloudflare and google
bagels
Why? Some were injecting ads, blocking services, degrading video and other wrongdoings.
sanxiyn
Maybe their ISPs don't do that. There are many ISPs on the Earth.
hdgvhicv
Mine doesn’t do that, mine is very transparent about what they do, what they will support, what laws they have to follow, what guidelines they can ignore, what logging they do, and if I have issues I jump on IRC and talk to them.

If I have issues with cloudflare what do I do?

mcpherrinm
I've reviewed the privacy policy and performance of various DoH servers, and determined in my opinion that Cloudflare and Google both provide privacy-respecting policies.

I believe that they follow their published policies and have reasonable security teams. They're also both popular services, which mitigates many of the other types of DNS tracking possible.

https://developers.google.com/speed/public-dns/privacy https://developers.cloudflare.com/1.1.1.1/privacy/public-dns...

hamandcheese
NextDNS. Generous free tier, very affordable paid tier. Happy customer for several years and I've never noticed an outage.
malnourish
Likewise; they make it easy to use across my devices, each with bespoke configuration.
bsilvereagle
I haven’t had any problems with OpenNIC: https://opennic.org/

> OpenNIC (also referred to as the OpenNIC Project) is a user owned and controlled top-level Network Information Center offering a non-national alternative to traditional Top-Level Domain (TLD) registries; such as ICANN.

paradao
Using DNSCrypt with anonymized DNS could be an option: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-D...
Tmpod
Quad9 and NextDNS are usually thrown around.
sophacles
You can just run unbound or similar and do your own recursive resolving.
localtoast
dnsforge.de comes to mind.
karmakaze
I don't consider these interchangeable. They have different priorities and policies. If anything I'd choose one and use my ISP default as fallback.
outworlder
My ISP (one of the largest in the US) like to hijack DNS responses (specially NXDOMAIN) and serve crap. No thanks. Which is also why I have to use encryption to talk to public DNS servers otherwise they will hijack anyways.
eli
My ISP has already been caught selling personally identifiable customer data. I trust them less than any of those companies.
sumtechguy
My ISP one got kicked to the curb once they started returning results for anything including invalid sites. Basically to try to steer you towards their search.
nemonemo
Agreed in principle, but has anyone seen any practical difference between these DNS services? What would be a more detailed downside for using these in parallel instead of the ISP default as a fallback?
astrange
Some of them are so privacy-preserving they block sending your own location to the original DNS server, which makes anycast not work, so you get slower connections to the site.
mnordhoff
Even without "all-servers", DNSMasq will race servers frequently (after 20 seconds, unless it's changed), and when retrying. A sudden outage should only affect you for a few seconds, if at all.
karel-3d
dnsdist is AMAZINGLY easy to set up as a secure local resolver that forwards all queries to DoH (and checks SSL) and checks liveliness every second

I need to do a write-up one day

jzebedee
Please do. I'd be curious what a secure-by-default self hosted resolver would look like.
daneel_w
For what it may be worth, here's a most basic (but fully working) config for running Unbound as a DoT-only forwarder:

  server:
      logfile: ""
      log-queries: no
  
      # adjust as necessary
      interface: 127.0.0.1@53
      access-control: 127.0.0.0/8 allow
  
      infra-keep-probing: yes
  
      tls-system-cert: yes
  
  forward-zone:
      name: "."
      forward-tls-upstream: yes
      forward-addr: 9.9.9.9@853#dns.quad9.net
      forward-addr: 193.110.81.9@853#zero.dns0.eu
      forward-addr: 149.112.112.112@853#dns.quad9.net
      forward-addr: 185.253.5.9@853#zero.dns0.eu
heavyset_go
I think systemd-resolved does something similar if you use that. Does DoT and DNSSEC by default.

If you want to eschew centralized DNS altogether, if you run a Tor daemon, it has an option to expose a DNS resolver to your network. Multiple resolvers if you want them.

xyst
Probably great for users. Awful for trying to reproduce an issue. I prefer a more deterministic approach myself.
itscrush
Looks like AdGuard allows for same, thanks for mentioning dnsmasq support! I overlooked it on setup.

This item has no comments currently.