Rendered at 08:59:44 GMT+0000 (Coordinated Universal Time) with Cloudflare Workers.
JdeBP 7 hours ago [-]
Every time that this comes up, be it a general list like this or someone announcing a new service, my reaction, and that that I see of surprisingly many other people on Hacker News, is fairly unmoved. I've run my own proxy DNS service for about a quarter of a century at this point, using three different sets of softwares on six different operating systems, and every single point on the filter tab is something that I can (and do) just do for myself.
The list is not so much interesting for the options that it presents, as far as I am concerned, but for the things that it reveals. Every single entry that is explicitly marked 'China' also has 'operates under Chinese regulations'; which is, in 2026, something that is of concern for more than just the Chinese entries on the list, to people on my continent for starters.
'Run by one individual in Denmark.' is an interesting statement of bus factor, but I don't think that all of the other entries should be assumed to be better just because they are mute on the point. There's far less information about who is behind DNS.Watch than there is about Thomas Steen Rasmussen. And it appears that DNS.Watch went off the air at least once in recent years, so it is a legitimate concern.
Then there are all sorts of things not on this list that might matter to people, such as Quad101 looking like it has geographic restrictions on whom it is available to and Gcore being an AI company.
duskwuff 6 hours ago [-]
> 'Run by one individual in Denmark.' is an interesting statement of bus factor
I find it more interesting as a statement about organizational oversight. If there are multiple people involved in operations, they can keep an eye on each other and speak up if they see anything weird going on (e.g. a DNS resolver implementing selective logging or interfering with results). If there's only one person running the show, there's no one to call them out.
(And if you're thinking, "but so-and-so is a principled person, they would never do anything like that" - pressure from law enforcement can be a powerful thing.)
itake 4 hours ago [-]
Does anyone have advice on how to use public wifi alongside DNS resolver?
Many public wifi network works need you to use their DNS, so they can redirect you to a gated "accept ToS" screen (and may even require re-approval every 30-60 minutes).
To resolve the issue is so frustrating:
1. realize the internet stopped working
2. ping google.com, wait for timeouts to show up.
3. try to guess if its a ISP issue, but then realize the wifi probably timed out.
4. Switch the dns. Flush DNS.
5. try to access a non-TLS domain
6. approve the gate
7. switch the DNS back
There has to be something that manages this
jer0me 2 hours ago [-]
On macOS, you might be able to use /etc/resolver to fix this:
sudo sh -c 'echo "nameserver 192.168.1.1" > /etc/resolver/captive.apple.com'
I did this for an internal website at my university that could only be resolved using the network name server. It just occurred to me that it might also work for the URL macOS uses to detect captive portals. We'll have to see if it works the next time I'm at a café.
boramalper 2 hours ago [-]
For macOS and iOS, you can create a profile to configure which DNS server you want to use at all times (including across different Wi-Fi networks and mobile data). See:
That’s what I’ve been using for years and never had any issues with public hotspots.
charcircuit 2 hours ago [-]
This is something your OS should handle as part of the OS's support for captive portals. I'd recommend contacting your OS's creator about this and filing a bug.
sevg 4 hours ago [-]
Happy NextDNS user. Lots of configurability, including which filterlists to enable, configurable logging etc.
Plus it’s reliable and fast from basically anywhere (which is harder to achieve if I ran my own resolvers in the cloud, and anyway I don’t want to have to maintain that).
flyingzucchini 3 hours ago [-]
Yeah it’s been pretty good for me too.
Bender 9 hours ago [-]
I use Unbound locally as a DoH server. The Alpine Linux Unbound package is compiled with libnghttp2, required for the built in DoH listener. That's more than enough to enable ECH [1].
I pre-cache all the domains I use hourly via cron. My ISP is not going to dork with my DNS requests and their employees are bigger deviants than I. If I ever started browsing the web from a phone I would just set up my own public DoH server. It only takes a few minutes and gives me my own query logs for debugging weird issues.
Why pre-cache? For speed... what is it, 30-50ms at most? If the authoritative server's TTL is <60minutes, do you force it to 3600? Do you audit all the connections that occur for every website you visit, collect all the domains hosting assets, and pre-cache those as well, or is the main site's domain the only critical one because that affects perceived latency the most?
Bender 8 hours ago [-]
I pre-cache for speed, verifying records that have expired since I retain the expired records for sites that have intermittent DNS issues and also to throw in domains that I do not use in the off chance someone is logging where I go and when. They will see the Cloudflare top 20K domains hourly. Myself and family members have been able to access sites when others around the internet can not due to infrastructure related DNS problems. In other words, when others will say "It's always DNS" for myself and family members that is rarely the case as DNS records do not change as often as people seem to think they do.
abcdefg12 8 hours ago [-]
Or you could use dnscrypt so ISP doesn’t see your lookups at all
Bender 8 hours ago [-]
When all the authoritative servers support TLS I can enable TLS outbound but very few of them do at the moment. At some point someone is decrypting, turtles all the way down. I could of course just do DoT to another instance of Unbound somewhere else but I do not need to do that as my ISP does not care about my queries. I used to keep standby DoT Unbound servers around but I have never once seen a US ISP tinker with my traffic. If they did I would put up billboards saying they what they are doing.
exiguus 6 hours ago [-]
I use my own public powerdns dnsdist and recurser/authoritave instances for DoH, DoT, DoQ, TCP and UDP now for ~3 years. Setup took some time, because i used bind, unbound and dnsmasq before.
It's super stable and i can also use it on my mobile or legacy devices and as resolver in unbound, adguard/dnsproxy or just in my local resolve.conf.
nirav72 5 hours ago [-]
If its public , how do you prevent others from accessing it?
slow_typist 18 minutes ago [-]
They don’t, I guess
petee 8 hours ago [-]
Unbound has "prefetch" which will refresh near-expired cached records, and various other cache/ttl knobs. "serve-expired" seemed to work well too
Bender 8 hours ago [-]
I use both of those as well in Unbound.
petee 7 hours ago [-]
I was thinking that if you preload your 50k list and override the min-ttl, the prefetch would let you relax the cron schedule a little
Bender 7 hours ago [-]
I could but I like to run everything in cron hourly to force trigger the retry mechanisms on the expired records and make a bunch of noise so that my network always looks active.
It's just a "me" thing. Others can and should do whatever they think will work for them. If everyone does this a little different that is probably best.
kingo55 8 hours ago [-]
> I pre-cache all the domains I use hourly via cron.
How does this look? Shell script querying a list of hostnames? What qualifies as a domain you use?
Bender 8 hours ago [-]
It looks like this [1] I enable query logging to a tmpfs RAM disk and then every month I update a list of domains that I have queries more than {n} times. I mix that in with a list of the Cloudflare top 20K domains after removing the broken ones and some TLD's.
It would be nice if a site like this could offer a basic speed comparison test to your local network.
Imagine seeing response times at P90 for a series of random lookups and comparing the median response times.
snailmailman 8 hours ago [-]
I run an instance of smokeping locally for this purpose. It pings a variety of DNS servers (including my ISPs DNS) and several of the top websites. I periodically update my local DNS server’s upstream accordingly.
All the big DNS servers are in the 5-6ms range for me, but that hasn’t always been the case. My ISPs DNS is about the same but with crazy variance and spikes of up to 50ms, even though they should be able to be the fastest.
Bender 7 hours ago [-]
Clone this repo [1] and then edit the domain names and resolvers to your liking. It will be something close to what you might be looking for.
quad9 seems fine. Glad there are a bunch of alternatives though. We should never stop practicing decentralization in the net.
mzajc 7 hours ago [-]
Be cautious with Quad9; their main address (9.9.9.9) has a "malware" blacklist that has misfired several times already: twice for a private torrent tracker, once for gist.github.com, issue was resolved within minutes to hours. They have a non-filtered address (9.9.9.10), but it doesn't do DNSSEC verification. IMO they're too unreliable to be worth the hassle.
Some like cloudflare doesn’t support that in the name of privacy.
EDNS lets the dns server of the site you are visiting know from where you are connecting and can give you the closest server. 1.1.1.1 does not do that. This breaks all sorts of ISP cache and peering arrangements.
Here’s an example: My ISP’s google global cache is broken every time I use cloudflare. With google dns, opendns, isp’s own dns I get my ISP’s own ip address for the domain “googlevideo.com” which is where youtube videos load from. With cloudflare dns I get an ip address of an actual google server which may or may not be in my country.
Result: my downloads from google drive/youtube/play store all are faster with a dns server with proper EDNS support.
Now imagine this on a global scale for smaller websites, your request might go to a different continent.
I understand the product decision for cloudflare and I don’t want them to change but this is something people should know about. There are numerous reports on their forums which are always locked with no activity.
I am not saying it’s a conspiracy but this doesn’t affect sites on cloudflare btw due to their global anycast routing/infra setup which I don’t know enough to explain.
js2 7 hours ago [-]
CTRL-F "ECS: Yes"
kev009 6 hours ago [-]
I always just set up root recursors at my home and other locations. I've never noticed any downside.
themacguffinman 3 hours ago [-]
The downside is obviously that uncached queries take much longer (adding >100ms) and more queries are uncached since you can't share the cache with a large user-base. Unless you just visit the same websites over and over again, this results in worse overall performance.
icedchai 6 hours ago [-]
Same. I’ve been running my own caching DNS servers since my earliest home network, dating back almost 30 years.
colinsane 3 hours ago [-]
the _one_ downside i've seen is on an airplane serviced by Starlink: UDP was extremely lossy to the point that whatever recursive resolver i was using at the time would mark half of all nameservers it saw as "unhealthy" and start returning NXDOMAINs to the clients before even trying to hit the authoritative NS.
flyingzucchini 3 hours ago [-]
Interesting puzzle on the top level url… what’s that all about ?
gblargg 43 minutes ago [-]
Google's AI Mode was pretty effective at solving it. I'm impressed. I just copied and pasted the two lines.
exiguus 6 hours ago [-]
Most important and super privacy/security related topic: DNS.
Instead of choosing a public one. Host your own infrastructure.
You don't need public instances. Just run ADGUARD or unbound/dnsmasq/dnsdist in recursive mode on your router or machine.
And you can set limits and block-lists to your needs.
7 hours ago [-]
ValentineC 3 hours ago [-]
Random, but I don't understand why anyone would choose a "block ads and trackers" DNS server as a default.
Even if it's configuring something for boomer family, that sounds like a recipe for "why is this website not working"?
EbNar 2 hours ago [-]
ControlD is pretty cool.
vzaliva 7 hours ago [-]
unfortunately many DNS resolvers are integrated with CDNs. I do want privacy of an independent non-tracking DNS but I also want my video streaming work fast. :(
progval 3 hours ago [-]
What does it mean for a DNS resolver to be "integrated with CDNs"? And why does that affect streaming speed negatively?
The list is not so much interesting for the options that it presents, as far as I am concerned, but for the things that it reveals. Every single entry that is explicitly marked 'China' also has 'operates under Chinese regulations'; which is, in 2026, something that is of concern for more than just the Chinese entries on the list, to people on my continent for starters.
'Run by one individual in Denmark.' is an interesting statement of bus factor, but I don't think that all of the other entries should be assumed to be better just because they are mute on the point. There's far less information about who is behind DNS.Watch than there is about Thomas Steen Rasmussen. And it appears that DNS.Watch went off the air at least once in recent years, so it is a legitimate concern.
Then there are all sorts of things not on this list that might matter to people, such as Quad101 looking like it has geographic restrictions on whom it is available to and Gcore being an AI company.
I find it more interesting as a statement about organizational oversight. If there are multiple people involved in operations, they can keep an eye on each other and speak up if they see anything weird going on (e.g. a DNS resolver implementing selective logging or interfering with results). If there's only one person running the show, there's no one to call them out.
(And if you're thinking, "but so-and-so is a principled person, they would never do anything like that" - pressure from law enforcement can be a powerful thing.)
Many public wifi network works need you to use their DNS, so they can redirect you to a gated "accept ToS" screen (and may even require re-approval every 30-60 minutes).
To resolve the issue is so frustrating:
1. realize the internet stopped working 2. ping google.com, wait for timeouts to show up. 3. try to guess if its a ISP issue, but then realize the wifi probably timed out. 4. Switch the dns. Flush DNS. 5. try to access a non-TLS domain 6. approve the gate 7. switch the DNS back
There has to be something that manages this
https://doh.lvv.me/
That’s what I’ve been using for years and never had any issues with public hotspots.
Plus it’s reliable and fast from basically anywhere (which is harder to achieve if I ran my own resolvers in the cloud, and anyway I don’t want to have to maintain that).
I pre-cache all the domains I use hourly via cron. My ISP is not going to dork with my DNS requests and their employees are bigger deviants than I. If I ever started browsing the web from a phone I would just set up my own public DoH server. It only takes a few minutes and gives me my own query logs for debugging weird issues.
[1] - https://tls-ech.dev/
It's just a "me" thing. Others can and should do whatever they think will work for them. If everyone does this a little different that is probably best.
How does this look? Shell script querying a list of hostnames? What qualifies as a domain you use?
[1] - https://nochan.net/b/Internet-Crap/20260602-Set-Up-Your-Own-...
Imagine seeing response times at P90 for a series of random lookups and comparing the median response times.
All the big DNS servers are in the 5-6ms range for me, but that hasn’t always been the case. My ISPs DNS is about the same but with crazy variance and spikes of up to 50ms, even though they should be able to be the fastest.
[1] - https://github.com/cleanbrowsing/dnsperftest
Once Quad9 blocked Halo MCC XBOX Live -> Steam achievements, several fileshare services (probably used for malware somewhere but not my usage) etc...
1.1.1.1 blocked archive.is or got blocked by them or something...
Gone back to Google DNS (gasp) for now, yes as a European... no blocking, fast, never goes down.
https://download.dnscrypt.info/dnscrypt-resolvers/v3/public-...
Some like cloudflare doesn’t support that in the name of privacy.
EDNS lets the dns server of the site you are visiting know from where you are connecting and can give you the closest server. 1.1.1.1 does not do that. This breaks all sorts of ISP cache and peering arrangements.
Here’s an example: My ISP’s google global cache is broken every time I use cloudflare. With google dns, opendns, isp’s own dns I get my ISP’s own ip address for the domain “googlevideo.com” which is where youtube videos load from. With cloudflare dns I get an ip address of an actual google server which may or may not be in my country. Result: my downloads from google drive/youtube/play store all are faster with a dns server with proper EDNS support.
Now imagine this on a global scale for smaller websites, your request might go to a different continent.
I understand the product decision for cloudflare and I don’t want them to change but this is something people should know about. There are numerous reports on their forums which are always locked with no activity.
I am not saying it’s a conspiracy but this doesn’t affect sites on cloudflare btw due to their global anycast routing/infra setup which I don’t know enough to explain.
Even if it's configuring something for boomer family, that sounds like a recipe for "why is this website not working"?