Issues with 1.1.1.1 public resolver and WARP (opens in new tab)

tomrod2y ago

> thus has a hardcoded exception to intentionally return bogus results to Cloudflare's resolvers.

This is a bad practice.

why in the world are they doing that I wonder.

eli2y ago

It prevents DNS-based CDN routing in the particular way Archive wants to do it.

handsclean2y ago

There are two missing facts here that change the story quite a bit:

- In addition to not supporting EDNS, Cloudflare sends DNS requests from effectively random PoPs, so the recipient doesn’t know even the visitor’s nationality.

- The reason archive.is doesn’t like this is it makes them vulnerable to DoS attack.

Source and details: https://news.ycombinator.com/item?id=36971650

andrewla2y ago

If I understand this correctly, that's hilarious -- Cloudflare is essentially saying that nobody can layer their own cloudflare-like offering on top of their DNS. Edge-routing is their bread and butter!

If you want to use the client's IP geolocation to resolve a CNAME to an edge server, this blocks you from doing so. You have to buy Cloudflare's products to get this benefit, and use their edge servers.

NicoJuicy2y ago

No, they don't, please read this before making unresearched guesses ( note: I had the same reaction at first a couple of years ago).

They forward every info that is required for cdn's to function, that's why no other cdn's are complaining.

See the statement of the CEO:

Tldr:

> We publish the geolocation information of the IPs that we query from. That allows any network with less density than we have to properly return DNS-targeted results. For a relatively small operator like archive.is, there would be no loss in geo load balancing fidelity relying on the location of the Cloudflare PoP in lieu of EDNS IP subnets.

We are working with the small number of networks with a higher network/ISP density than Cloudflare (e.g., Netflix, Facebook, Google/YouTube) to come up with an EDNS IP Subnet alternative that gets them the information they need for geolocation targeting without risking user privacy and security.

LinuxBender2y ago

Do you use something besides 8.8.8.8 or 1.1.1.1?

99% of the time I just talk directly to the root servers from my home network and pre-cache the most popular places I visit. Unbound also supports DoH but most distributions of Linux do not enable that compile time flag in their Unbound package build and I have long since stopped compiling things as most distributions finally started using the right security options in their builds. I also have DoT running at home which the cell phone figured out on it's own.

I keep DoT Unbound DNS running on several VPS providers that also talk directly to the root servers just in case. Useful for cell phones. My ISP is a tiny community ISP and would never filter any results and DNS privacy is just one tiny piece of browsing habits. Until encrypted SNI is fully adopted by all SSL libraries and applications they can still see where I browse unless I am using my own Tinc VPNs or SSH tunneling.

lxgr2y ago

> I just talk directly to the root servers from my home network and pre-cache the most popular places I visit.

Out of curiosity: Why, if you generally trust your ISP? Do you get worse performance using their DNS servers?

LinuxBender2y ago

I prefer to use my own server as I can optimize cache hit ratios for the things I request. This makes the internet perceptibly faster for me and others on my network. I can also pull statistics from my server whereas I would have to beg someone at the ISP for that data as a one-off request. This also gives me the option to block domain names used for dark patterns or outright malevolent behavior. I also have control over the upper and lower limits of cache and I can flush to cache if a website is still relying upon DNS failover vs BGP Anycast but I have not run into that for about a decade.

Speaking of stats, I can also see what IoT/Cell devices are requesting to keep an eye on their behavior and look for interesting patterns of DNS requests.

I have honestly never used the ISP DNS servers so I don't know what their performance is like. It's just muscle memory for me to set up my own home Linux router to be a DNS server. I highly doubt they could top the performance of Unbound and cron-jobs that request commonly used records on an hourly basis. I do know that my performance is better than talking to the DoH/DoT servers on the internet. The cached record response time is in microseconds vs 23ms for CF and non cached response time is generally between 50ms and 70ms vs 80ms to 160ms for CF not-cached.

Another nifty option in Unbound is to cache the "Infrastructure" records and to "Keep Probing" multiple nodes. This combines into a nice balance of speed and resilience especially if someones name server is having a moment but their status page is green.

    unbound-control dump_infra|wc -l
    1235

These numbers are thrown off a bit by my cron jobs that are requesting things that I am not visiting all the time and when the authoritative record is sub 3600 seconds. They are requested hourly. Some of the government domains in my cron job seem to be throwing off the curve, I will reach out to them.

    total.num.cachehits=20949
    total.num.cachemiss=8010
    total.num.prefetch=753
    total.recursion.time.median=0.0698958

hk13372y ago

Pihole is preconfigured to use multiple DNS. I use cloudflare and OpenDNS and exclude Google.

> exclude Google.

Their DNS? or all of their services?

iamdbtoo2y ago

The reason has been known for a while now.

and https://news.ycombinator.com/item?id=36971650

depr2y ago

sillysaurusx2y ago

Thank you (both)!

lxgr2y ago

The operators of archive.* have a peculiar problem with eDNS, or rather Cloudflare’s lack of support thereof. Some details here:

https://community.cloudflare.com/t/archive-today-works-again...

5424582y ago

Cloudflare supports EDNS, they just don't support the optional EDNS Client Subnet extension.

frankjr2y ago

> Note that if you use 1.1.1.1, you apparently can't visit archive.is links. I'm not sure why, but around a dozen people on HN have confirmed this. (At least as of a couple months ago.)

https://news.ycombinator.com/item?id=19828702

shasts2y ago

There is https://www.dns0.eu and https://nextdns.io.

I like the 300K requests per month free tier that nextdns.io has. Comes with plenty of filters.

peddling-brink2y ago

I’m a big fan of NextDNS, ad filters, logs (or not), block list, allow list, multiple profiles, parental-ish controls. They have binaries to add support for DoH to my router. I literally couldn’t be happier with a DNS provider.

basch2y ago

My one gripe is with the block / parental controls interface.

Let’s say you want to block Peacock, and there’s a bunch of urls you want to block, each is it’s own individual rule. If you accidentally delete one instead of disable it, it’s gone. If you can remember the url you accidentally deleted, now it’s placed at the top of the list, out of order. There appears to be no log of changes you make. It would be nice to be able to add custom parental controls with sets/bundles of urls.

Also you can’t toggle or package ad blocking rules, only delete and add. Sort of the same interface complaint as above. I have to go in and delete four ad blocking packages every time I want to watch Paramount+. Then go find them again when I am done.

kmlx2y ago

the marketing copy on dns0 is lol considering the many ISP data retention schemes across EU states.

> The European public DNS that makes your Internet safer.

> A free, sovereign and GDPR-compliant recursive DNS resolver with a strong focus on security to protect the citizens and organizations of the European Union.

for example france: https://www.patrick-breyer.de/en/data-retention-france-illeg...

> In a decree made public today, French Prime Minister Élisabeth Borne has extended the temporary retention of communications data of all citizens in France for another year. The blanket retention obligation concerns identity data (surname, first name, date and place of birth, postal address(es), e-mail address(es), telephone number(s)) as well as payment information, connection data (IP addresses, port numbers, identification numbers of users and their devices, date, time and duration of each communication, data on supplementary services and their providers)

they basically collect everything.

sambazi2y ago

like i ever wanted to care about the number of dns-requests originating from my systems.

ornornor2y ago

300k is a lot to be fair. And if that’s not enough it’s something like 20$ a year. It’s the only way I found to block ads (except in YouTube) on the iPhone.

bharathyes2y ago

even beyond that the DNS works fine but the filtering would be turned off.

re5i5tor2y ago

Switched off 1.1.1.1 for that reason a while back. Currently using OpenDNS which is now unfortunately owned by Cisco. Definitely a lack of actually open alternatives.

dano2y ago

Running your own resolver that points directly to root servers is also an option. https://nlnetlabs.nl/projects/unbound/about/

It isn't too complicated to set up and provides faster responses than external DNS servers, especially after the cache gets built up a bit.

xorcist2y ago

Not too complicated is an understatement. It's literally zero configuration unless you want to do something special.

mtsr2y ago

Indeed, this is my preferred solution too. Unfortunately this doesn’t protect one from snooping by network intermediaries, although that’s much less of an issue in the EU due to privacy regulations. At least in principle, but it’s hard to be sure.

https://news.ycombinator.com/item?id=27501867

re5i5tor2y ago

Thanks for this, really interesting.

johnklos2y ago

Quad9 seems decent. They're certainly not as shitty as Cloudflare or Cisco.

yakubin2y ago

I used to use OpenDNS, but then out of nowhere they decided to enable parental control by default[1] and without an account I don’t think I could disable it.

[1]: Maybe only in EU?

xist2y ago

208.67.222.222 / 208.67.220.220 do not have the functionality worldwide. The IPs ending in .123 do have parental control enabled worldwide

agloe_dreams2y ago

A Pihole will do what you want with a ton of control added.

re5i5tor2y ago

I run Pihole. How does it solve upstream DNS provider troubles; it still needs / uses them? I'll admit there's a lot of Pihole config I have not explored.

metabeard2y ago

It's not open, but I'm happy with https://nextdns.io/

ElongatedMusket2y ago

It works again, so you can go back to 1.1.1.1

re5i5tor2y ago

Thank you, switched back and so far archive.* seems to be working on 1.1.1.1

Jnr2y ago

How come archive.is works for me?

I have set up Cloudflare DoH in my router, I block other popular DoH servers on my network and I also redirect any other DNS queries (UDP 53) to my router's DNS (which in turn uses Cloudflare).

And at least in my region (EU) I did not notice any issues with 1.1.1.1.

yakubin2y ago

Maybe your computer ignores the DNS resolver address suggested by your router? You can check with dig what resolver you’re using, if you’re on a Unix-like system.

Jnr2y ago

No, I mean - it uses Cloudflare and it works. I did try with dig. :) Also tried it from other countries in EU, works fine.

NicoJuicy2y ago

Well. I used archive.is a lot. But Cloudflare has a point by not making a specific adjustment to fix the archive.is issue ( since it's on archive.is their end).

So, I don't go to archive.is anymore.

lgeorget2y ago

I use OpenDNS. 208.67.222.222 doesn't roll off the tongue (or fingers) as easily as 1.1.1.1 but if you use it frequently enough, you'll remember it.

1vuio0pswjnm72y ago

As a "collector of reliable DNS servers"^1 I can report there are DoH servers that will actually take a traditional DNS query that does not support EDNS0 and, perhaps using the client IP from the TCP connection, return a response that includes EDNS0 Client Subnet (ECS). Whether the DoH provider is sending the ECS to authoritative servers I do not know, but to me it is quite sad to see this being returned in the response given I did not request it. Anyway, ECS is supposedly the reason 1.1.1.1 does not include DNS data for archive.is

The site once used a tracking pixel as a poor mans ECS. The client IP address was inserted into the image name. Apparently the operator of the site explained this was used to achieve CDN-like functionality:

1. Perhaps we should be clear that "servers" here means open resolvers. These servers are of course not authoritative for any name, and generally recursion is slower than iteration, i.e., use of authoritative servers only (fee free to challenge me on this and I will share a citation, although I know this is true from own experiments). Thus "reliable" is perhaps ambiguous. Not all of them always return the same results. Some will return different answers, and not always for "load balancing" reasons. Some may be missing data entirely. Some will return wrong answers, e.g., pretending to be authoritative. Much DNS funny business on the internet today. I gather results from a variety of resolvers, from authoritative servers as well as other sources of DNS data, e.g., public zone files, scans and crawls, and I compare notes; I personally would not feel comfortable using one open resolver (third party DNS) as the source for all DNS data; I could not rely on it. As such, "reliable" is IMHO a loaded term if used to describe open resolvers.

Unfrozen06882y ago

ControlD

From the makers of Windscribe VPN (Canadian)

I use the filter that blocks ads and malware 76.76.2.2 76.76.10.2

https://controld.com/free-dns

https://docs.controld.com/docs

fragmede2y ago

Cloudflare is in the wrong here. Archive.is had to develop a unique CDN system to protect against illegal content being uploaded and immediately reported, which led to server seizures and downtime. Cloudflare's DNS disrupts this system, putting archive.is at risk. Archive.is even offered to proxy Cloudflare DNS users via their CDN, but Cloudflare rejected the proposal. This leaves archive.is in a vulnerable position, and it's unreasonable to expect them to register their own autonomous system just to fix this issue.

mhitza2y ago

I use https://www.dns0.eu/ but that doesn't have a fancy IP address

marban2y ago

Any benchmarks or experiences over CF from Europe?

soap-2y ago

dns0 claims to have 12ms latency, cloudflare claims to have 13.6ms.

anuraaga2y ago

I was using Cloudflare DNS for a while until learning it was the cause of archive brokenness, switched to Google DNS, and recently have started trying out Adguard DNS just out of curiosity of trying out DNS-over-QUIC (requires a VPN app that supports that). Can't say whether it's better or worse but always fun to try out a new tech.

beowa2y ago

> Do you use something besides 8.8.8.8 or 1.1.1.1?

NextDNS

jacooper2y ago

You can use quad9 without filters, and i use it because unlike CF it supports EDNS(9.9.9.11)

RamblingCTO2y ago

Duuuuuude, thank you so much! I was using 9.9.9.9 and it didn't work for me at all. Got stuck in a loop with the captcha for months now. Archive.is is essential for me. Using 9.9.9.11 fixed it for me.

ChrisArchitect2y ago

coincidentally archive.ph links started working for me today, so not sure this is true anymore

quesera2y ago

Just a reminder for anyone on the fence, or who has not considered it previously...

Running your own DNS resolver is super easy. It probably has the highest ROI of any self-hosted service, because it is so easy and inexpensive to do.

I recommend Unbound: https://nlnetlabs.nl/projects/unbound

lantry2y ago

Plus you can do fun things like block ads across your whole network with tools like pihole.

AnonC2y ago

Can you disable the blocking on each device as and when needed (for a little while) and enable it back again (on iOS)? That would be a killer feature for running a DNS server and pi-hole at home.

snailmailman2y ago

It has a pretty easy “toggle for 5 mins” button on the dashboard if I encounter issues. It has a few preset time options.

I think you can set rules per device in Pihole? I haven’t tried personally. I’ve only had set a few (3-4) sites manually allowed through the blocklists.

RockRobotRock2y ago

How slow is running your own recursive DNS?

quesera2y ago

Depends on a few factors:

My nameserver, 8.8.8.8, and 1.1.1.1 are all about 25ms away from me. Mine is actually a few ms closer, but that will vary.

Bigger nameservers will have warmer caches, so first lookup might be a bit slower on my nameserver.

I presume the big nameservers are managed well under capacity, so load should not be significant.

All told, I cannot perceive any performance difference at all.

I run my own resolver on my home network and I never notice anything. When loading a webpage or doing pretty much anything else online the DNS delay is negligible. And if the answer is already cached in my house it's definitely faster than having to leave my home network to get a response.

rubatuga2y ago

For my DNS resolver I run, it tends to take around twice as long for the initial request compared to other caching resolvers.

drexlspivey2y ago

It's actually a lot faster since unbound can prefetch and cache your most common queries. Most lookups in my pihole resolve in sub 1ms

RockRobotRock2y ago

Yeah but that's the same as a regular home DNS server that isn't recursive. Your devices also have their own cache.

dintech2y ago

I’ve just started using Warp+ and it has been excellent for my specific use case: better peering to my Plex server while in another continent. Plex was unusable and now it’s not. Overall very happy despite this brief outage.

zozos2y ago

I did not know you can use wrap+ like this. I will try it out as well. Plex has been unusable between continents.

jshier2y ago

You can't use Warp+ to control your egress point, unlike many other VPN services, so you can't use it to bypass geographic blocks. However, since Warp+ (not Warp) routes you within Cloudflare's network (using their Argo routing from participating datacenters), I'd guess GP gets a more stable and faster connection to their server than the public internet would provide.

lopkeny12ko2y ago

What's the point of having a secondary endpoint 1.0.0.1 if an outage breaks both that and 1.1.1.1? Are these two servers not running in physically isolated regions with independent code deploys?

SSLy2y ago

DNS servers are run anycast from each cloudflare POP. Why are the two addresses' fault domains not separated otherwise is the proper question.

silverwind2y ago

Will DNS clients actually try the other if one of them returns SERVFAIL?

ArchOversight2y ago

Yes.

https://www.cloudflare.com/network/

routing redundancy

jshier2y ago

They've posted their incident report: https://blog.cloudflare.com/1-1-1-1-lookup-failures-on-octob...

denysvitali2y ago

Duplicate: https://news.ycombinator.com/item?id=37762227

lucgagan2y ago

Crazy how many things a single thing breaking takes down with it

diggan2y ago

Not sure how crazy it is when that single thing's whole business objective is to be between what you're trying to reach and yourself.

ornornor2y ago

Wait until you learn about what happens when the electricity stops working

luuurker2y ago

And that's why we all use more than one DNS server. Right? :-P

T3OU-7362y ago

(Unaffected by this).

Found it the reverse chronological order (with timestamps being a smaller/lighter font, at least on mobile) to have caused extra thinking, which, for a status, seems undesireable.

I get wanting to expose the latest thing first, but the "top-posting" style seems intuitive. Perhaps, as a compromise, a status page would have a "Latest" block at the top, with the timestamp prominent, where the latest known status would be placed by whatever makes the updates, but the updates themselves are in the chronological order?

j / k navigate · click thread line to collapse

116 comments

sillysaurusx2y ago

Note that if you use 1.1.1.1, you apparently can't visit archive.is links. I'm not sure why, but around a dozen people on HN have confirmed this. (At least as of a couple months ago.)

I think the world could use more alternatives to 8.8.8.8. Hopefully 1.1.1.1 will become more reliable as the years tick by.

cmeacham982y ago

As neutrally as possible:

Archive.is doesn't like this (because it prevents DNS-based CDN routing), and thus has a hardcoded exception to intentionally return bogus results to Cloudflare's resolvers.

5424582y ago

I think it's also worth noting that Cloudflare's implementation is EDNS compliant. The EDNS extension for sending the client subnet is explicitly optional in the standard.

silotis2y ago

Cloudflare's lack of EDNS doesn't prevent DNS based routing. It can still be done based on the DNS request's source address. This will be the IP of the Cloudflare POP closest to the client.

Lack of EDNS only makes DNS based routing slightly worse if your CDN has a POP density similar-or-greater-than Cloudflare's.

Scaevolus2y ago

Correct. Cloudflare's POP routing is quite extensive, and I'd be shocked if archive.is had more than a handful of backends it's routing to.

Even so, why would an extra few dozen ms matter at all? Archive.is appears to be spindle-limited, is a client with marginally higher RTT an issue? The admin is silly.

tomrod2y ago

> thus has a hardcoded exception to intentionally return bogus results to Cloudflare's resolvers.

This is a bad practice.

why in the world are they doing that I wonder.

eli2y ago

It prevents DNS-based CDN routing in the particular way Archive wants to do it.

handsclean2y ago

There are two missing facts here that change the story quite a bit:

- In addition to not supporting EDNS, Cloudflare sends DNS requests from effectively random PoPs, so the recipient doesn’t know even the visitor’s nationality.

- The reason archive.is doesn’t like this is it makes them vulnerable to DoS attack.

Source and details: https://news.ycombinator.com/item?id=36971650

andrewla2y ago

NicoJuicy2y ago

No, they don't, please read this before making unresearched guesses ( note: I had the same reaction at first a couple of years ago).

They forward every info that is required for cdn's to function, that's why no other cdn's are complaining.

See the statement of the CEO:

Tldr:

LinuxBender2y ago

Do you use something besides 8.8.8.8 or 1.1.1.1?

lxgr2y ago

> I just talk directly to the root servers from my home network and pre-cache the most popular places I visit.

Out of curiosity: Why, if you generally trust your ISP? Do you get worse performance using their DNS servers?

LinuxBender2y ago

Speaking of stats, I can also see what IoT/Cell devices are requesting to keep an eye on their behavior and look for interesting patterns of DNS requests.

    unbound-control dump_infra|wc -l
    1235

    total.num.cachehits=20949
    total.num.cachemiss=8010
    total.num.prefetch=753
    total.recursion.time.median=0.0698958

hk13372y ago

Pihole is preconfigured to use multiple DNS. I use cloudflare and OpenDNS and exclude Google.

> exclude Google.

Their DNS? or all of their services?

iamdbtoo2y ago

The reason has been known for a while now.

and https://news.ycombinator.com/item?id=36971650

depr2y ago

sillysaurusx2y ago

Thank you (both)!

lxgr2y ago

The operators of archive.* have a peculiar problem with eDNS, or rather Cloudflare’s lack of support thereof. Some details here:

https://community.cloudflare.com/t/archive-today-works-again...

5424582y ago

Cloudflare supports EDNS, they just don't support the optional EDNS Client Subnet extension.

frankjr2y ago

> Note that if you use 1.1.1.1, you apparently can't visit archive.is links. I'm not sure why, but around a dozen people on HN have confirmed this. (At least as of a couple months ago.)

https://news.ycombinator.com/item?id=19828702

shasts2y ago

There is https://www.dns0.eu and https://nextdns.io.

I like the 300K requests per month free tier that nextdns.io has. Comes with plenty of filters.

peddling-brink2y ago

basch2y ago

My one gripe is with the block / parental controls interface.

kmlx2y ago

the marketing copy on dns0 is lol considering the many ISP data retention schemes across EU states.

> The European public DNS that makes your Internet safer.

> A free, sovereign and GDPR-compliant recursive DNS resolver with a strong focus on security to protect the citizens and organizations of the European Union.

for example france: https://www.patrick-breyer.de/en/data-retention-france-illeg...

they basically collect everything.

sambazi2y ago

like i ever wanted to care about the number of dns-requests originating from my systems.

ornornor2y ago

300k is a lot to be fair. And if that’s not enough it’s something like 20$ a year. It’s the only way I found to block ads (except in YouTube) on the iPhone.

bharathyes2y ago

even beyond that the DNS works fine but the filtering would be turned off.

re5i5tor2y ago

Switched off 1.1.1.1 for that reason a while back. Currently using OpenDNS which is now unfortunately owned by Cisco. Definitely a lack of actually open alternatives.

dano2y ago

Running your own resolver that points directly to root servers is also an option. https://nlnetlabs.nl/projects/unbound/about/

It isn't too complicated to set up and provides faster responses than external DNS servers, especially after the cache gets built up a bit.

xorcist2y ago

Not too complicated is an understatement. It's literally zero configuration unless you want to do something special.

mtsr2y ago

https://news.ycombinator.com/item?id=27501867

re5i5tor2y ago

Thanks for this, really interesting.

johnklos2y ago

Quad9 seems decent. They're certainly not as shitty as Cloudflare or Cisco.

yakubin2y ago

I used to use OpenDNS, but then out of nowhere they decided to enable parental control by default[1] and without an account I don’t think I could disable it.

[1]: Maybe only in EU?

xist2y ago

208.67.222.222 / 208.67.220.220 do not have the functionality worldwide. The IPs ending in .123 do have parental control enabled worldwide

agloe_dreams2y ago

A Pihole will do what you want with a ton of control added.

re5i5tor2y ago

I run Pihole. How does it solve upstream DNS provider troubles; it still needs / uses them? I'll admit there's a lot of Pihole config I have not explored.

metabeard2y ago

It's not open, but I'm happy with https://nextdns.io/

ElongatedMusket2y ago

It works again, so you can go back to 1.1.1.1

re5i5tor2y ago

Thank you, switched back and so far archive.* seems to be working on 1.1.1.1

Jnr2y ago

How come archive.is works for me?

I have set up Cloudflare DoH in my router, I block other popular DoH servers on my network and I also redirect any other DNS queries (UDP 53) to my router's DNS (which in turn uses Cloudflare).

And at least in my region (EU) I did not notice any issues with 1.1.1.1.

yakubin2y ago

Maybe your computer ignores the DNS resolver address suggested by your router? You can check with dig what resolver you’re using, if you’re on a Unix-like system.

Jnr2y ago

No, I mean - it uses Cloudflare and it works. I did try with dig. :) Also tried it from other countries in EU, works fine.

NicoJuicy2y ago

Well. I used archive.is a lot. But Cloudflare has a point by not making a specific adjustment to fix the archive.is issue ( since it's on archive.is their end).

So, I don't go to archive.is anymore.

lgeorget2y ago

I use OpenDNS. 208.67.222.222 doesn't roll off the tongue (or fingers) as easily as 1.1.1.1 but if you use it frequently enough, you'll remember it.

1vuio0pswjnm72y ago

Unfrozen06882y ago

ControlD

From the makers of Windscribe VPN (Canadian)

I use the filter that blocks ads and malware 76.76.2.2 76.76.10.2

https://controld.com/free-dns

https://docs.controld.com/docs

fragmede2y ago

mhitza2y ago

I use https://www.dns0.eu/ but that doesn't have a fancy IP address

marban2y ago

Any benchmarks or experiences over CF from Europe?

soap-2y ago

dns0 claims to have 12ms latency, cloudflare claims to have 13.6ms.

anuraaga2y ago

beowa2y ago

> Do you use something besides 8.8.8.8 or 1.1.1.1?

NextDNS

jacooper2y ago

You can use quad9 without filters, and i use it because unlike CF it supports EDNS(9.9.9.11)

RamblingCTO2y ago

ChrisArchitect2y ago

coincidentally archive.ph links started working for me today, so not sure this is true anymore

quesera2y ago

Just a reminder for anyone on the fence, or who has not considered it previously...

Running your own DNS resolver is super easy. It probably has the highest ROI of any self-hosted service, because it is so easy and inexpensive to do.

I recommend Unbound: https://nlnetlabs.nl/projects/unbound

lantry2y ago

Plus you can do fun things like block ads across your whole network with tools like pihole.

AnonC2y ago

Can you disable the blocking on each device as and when needed (for a little while) and enable it back again (on iOS)? That would be a killer feature for running a DNS server and pi-hole at home.

snailmailman2y ago

It has a pretty easy “toggle for 5 mins” button on the dashboard if I encounter issues. It has a few preset time options.

I think you can set rules per device in Pihole? I haven’t tried personally. I’ve only had set a few (3-4) sites manually allowed through the blocklists.

RockRobotRock2y ago

How slow is running your own recursive DNS?

quesera2y ago

Depends on a few factors:

My nameserver, 8.8.8.8, and 1.1.1.1 are all about 25ms away from me. Mine is actually a few ms closer, but that will vary.

Bigger nameservers will have warmer caches, so first lookup might be a bit slower on my nameserver.

I presume the big nameservers are managed well under capacity, so load should not be significant.

All told, I cannot perceive any performance difference at all.

rubatuga2y ago

For my DNS resolver I run, it tends to take around twice as long for the initial request compared to other caching resolvers.

drexlspivey2y ago

It's actually a lot faster since unbound can prefetch and cache your most common queries. Most lookups in my pihole resolve in sub 1ms

RockRobotRock2y ago

Yeah but that's the same as a regular home DNS server that isn't recursive. Your devices also have their own cache.

dintech2y ago

zozos2y ago

I did not know you can use wrap+ like this. I will try it out as well. Plex has been unusable between continents.

jshier2y ago

lopkeny12ko2y ago

What's the point of having a secondary endpoint 1.0.0.1 if an outage breaks both that and 1.1.1.1? Are these two servers not running in physically isolated regions with independent code deploys?

SSLy2y ago

DNS servers are run anycast from each cloudflare POP. Why are the two addresses' fault domains not separated otherwise is the proper question.

silverwind2y ago

Will DNS clients actually try the other if one of them returns SERVFAIL?

ArchOversight2y ago

Yes.