
This is a good time to mention that dnsmasq lets you set up several DNS servers, and can race them. The first responder wins. You won't ever notice one of the services being down:

  all-servers
  server=8.8.8.8
  server=9.9.9.9
  server=1.1.1.1


Additionally, as long as you don't set strict-order, dnsmasq will automatically use all-servers for retries.

If you were using systemd-resolved however, it retries all servers in the order they were specified, so it's important to interleave upstreams.

Using the servers in the above example, and assuming IPv4 + IPv6:

    1.1.1.1
    2001:4860:4860::8888
    9.9.9.9
    2606:4700:4700::1111
    8.8.8.8
    2620:fe::fe
    1.0.0.1
    2001:4860:4860::8844
    149.112.112.112
    2606:4700:4700::1001
    8.8.4.4
    2620:fe::9
will fail over faster and more successfully on systemd-resolved than if you specify all Cloudflare IPs together, then all Google IPs, etc.

Also note that Quad9 is default filtering on this IP while the other two are not, so you could get intermittent differences in resolution behavior. If this is a problem, don't mix filtered and unfiltered resolvers. You definitely shouldn't mix DNSSEC validating and non-DNSSEC validating resolvers if you care about that (all of the above are DNSSEC validating).
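
The interleaving rule from the comment above, written out as an added example (not code from the thread): given each provider's IPv4/IPv6 primary and secondary addresses, produce a list in which consecutive entries never belong to the same provider and the address family alternates, then render it as the `DNS=` line for systemd-resolved. The provider table and the `resolved.conf` rendering are constructed for this example; the address values are the ones quoted in the comment.

```python
from collections import deque

# Constructed table of the public resolver addresses quoted in the thread
# (primary and secondary, IPv4 and IPv6, per provider).
PROVIDERS = {
    "cloudflare": {4: ["1.1.1.1", "1.0.0.1"],
                   6: ["2606:4700:4700::1111", "2606:4700:4700::1001"]},
    "google":     {4: ["8.8.8.8", "8.8.4.4"],
                   6: ["2001:4860:4860::8888", "2001:4860:4860::8844"]},
    "quad9":      {4: ["9.9.9.9", "149.112.112.112"],
                   6: ["2620:fe::fe", "2620:fe::9"]},
}


def grouped(providers):
    """The naive order: every address of one provider, then the next provider."""
    return [a for fams in providers.values() for fam in sorted(fams) for a in fams[fam]]


def interleave(providers, order=None, families=(4, 6)):
    """Flatten the provider table so that consecutive entries never come from
    the same provider, alternating address family as far as the pools allow.

    Entry i is drawn from provider order[i % len(order)], preferring address
    family families[i % len(families)] and falling back to another family of
    the same provider once the preferred pool is empty. With an odd number of
    providers (as in the thread) this alternates family on every step.
    """
    order = tuple(order or providers)
    missing = set(providers) - set(order)
    if missing:
        raise ValueError(f"providers absent from order: {sorted(missing)}")
    pools = {name: {fam: deque(addrs) for fam, addrs in fams.items()}
             for name, fams in providers.items()}
    total = sum(len(q) for fams in pools.values() for q in fams.values())
    result = []
    i = 0
    while len(result) < total:
        name = order[i % len(order)]
        preferred = families[i % len(families)]
        for fam in (preferred, *(f for f in families if f != preferred)):
            if pools[name].get(fam):          # non-empty deque for this family
                result.append(pools[name][fam].popleft())
                break
        i += 1
    return result


def longest_same_provider_run(addrs, providers):
    """Length of the longest run of consecutive addresses from one provider.
    systemd-resolved walks the list in order, so a run of N means N attempts
    go to the same (possibly down) provider before another one is tried."""
    owner = {a: name for name, fams in providers.items()
             for pool in fams.values() for a in pool}
    best = run = 0
    prev = None
    for a in addrs:
        run = run + 1 if owner[a] == prev else 1
        prev = owner[a]
        best = max(best, run)
    return best


def resolved_conf(addrs):
    """Render a [Resolve] section for /etc/systemd/resolved.conf (or a drop-in
    under resolved.conf.d/); DNS= takes a space-separated list of servers."""
    return "[Resolve]\nDNS=" + " ".join(addrs) + "\n"


if __name__ == "__main__":
    print(resolved_conf(interleave(PROVIDERS)))
    print("longest same-provider run, grouped:",
          longest_same_provider_run(grouped(PROVIDERS), PROVIDERS))
    print("longest same-provider run, interleaved:",
          longest_same_provider_run(interleave(PROVIDERS), PROVIDERS))
```

With the three providers from the comment, `interleave(PROVIDERS)` reproduces the twelve-entry order listed above exactly; `longest_same_provider_run` makes the difference measurable (a run of 4 for the grouped list versus 1 for the interleaved one).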


wow good tip

I was handling an incident due to this outage. I ended up adding Google DNS resolvers using systemd-resolved, but I didn't think to interleave them!


That sounds good in principle, but is there a more private configuration that doesn't send DNS resolutions to Cloudflare, Google et al., i.e. avoid BigTech tracking, and not wanting DoH.

dnsmasq with a list of smaller trusted DNS providers sounds perfect, as long as it is not considered bad etiquette to spam multiple DNS providers for every resolution?

But where to find a trusted list of privacy focused DNS resolvers. The couple I tried from random internet advice seemed unstable.


There are no good private DNS configurations, but if you don't trust the big caching recursive resolvers then I'd consider just running your own at home. Unbound is easy to set up and you'll probably never notice a speed difference.


I trust my ISP far more than I trust Cloudflare and Google


Why? Some were injecting ads, blocking services, degrading video and other wrongdoings.


Maybe their ISPs don't do that. There are many ISPs on the Earth.


Mine doesn’t do that, mine is very transparent about what they do, what they will support, what laws they have to follow, what guidelines they can ignore, what logging they do, and if I have issues I jump on IRC and talk to them.

If I have issues with cloudflare what do I do?


I've reviewed the privacy policy and performance of various DoH servers, and determined in my opinion that Cloudflare and Google both provide privacy-respecting policies.

I believe that they follow their published policies and have reasonable security teams. They're also both popular services, which mitigates many of the other types of DNS tracking possible.

https://developers.google.com/speed/public-dns/privacy https://developers.cloudflare.com/1.1.1.1/privacy/public-dns...


NextDNS. Generous free tier, very affordable paid tier. Happy customer for several years and I've never noticed an outage.


Likewise; they make it easy to use across my devices, each with bespoke configuration.


This



I haven’t had any problems with OpenNIC: https://opennic.org/

> OpenNIC (also referred to as the OpenNIC Project) is a user owned and controlled top-level Network Information Center offering a non-national alternative to traditional Top-Level Domain (TLD) registries; such as ICANN.


Using DNSCrypt with anonymized DNS could be an option: https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-D...


Quad9 and NextDNS are usually thrown around.


You can just run unbound or similar and do your own recursive resolving.


dnsforge.de comes to mind.


I don't consider these interchangeable. They have different priorities and policies. If anything I'd choose one and use my ISP default as fallback.


My ISP (one of the largest in the US) likes to hijack DNS responses (especially NXDOMAIN) and serve crap. No thanks. Which is also why I have to use encryption to talk to public DNS servers, otherwise they will hijack anyways.


My ISP has already been caught selling personally identifiable customer data. I trust them less than any of those companies.


My ISP got kicked to the curb once they started returning results for anything, including invalid sites. Basically to try to steer you towards their search.


Agreed in principle, but has anyone seen any practical difference between these DNS services? What would be a more detailed downside for using these in parallel instead of the ISP default as a fallback?


Some of them are so privacy-preserving they block sending your own location to the original DNS server, which makes anycast not work, so you get slower connections to the site.


Even without "all-servers", DNSMasq will race servers frequently (after 20 seconds, unless it's changed), and when retrying. A sudden outage should only affect you for a few seconds, if at all.


dnsdist is AMAZINGLY easy to set up as a secure local resolver that forwards all queries to DoH (and checks SSL) and checks liveliness every second

I need to do a write-up one day


Please do. I'd be curious what a secure-by-default self hosted resolver would look like.


For what it may be worth, here's a most basic (but fully working) config for running Unbound as a DoT-only forwarder:

  server:
      logfile: ""
      log-queries: no
  
      # adjust as necessary
      interface: 127.0.0.1@53
      access-control: 127.0.0.0/8 allow
  
      infra-keep-probing: yes
  
      tls-system-cert: yes
  
  forward-zone:
      name: "."
      forward-tls-upstream: yes
      forward-addr: 9.9.9.9@853#dns.quad9.net
      forward-addr: 193.110.81.9@853#zero.dns0.eu
      forward-addr: 149.112.112.112@853#dns.quad9.net
      forward-addr: 185.253.5.9@853#zero.dns0.eu


I think systemd-resolved does something similar if you use that. Does DoT and DNSSEC by default.

If you want to eschew centralized DNS altogether, if you run a Tor daemon, it has an option to expose a DNS resolver to your network. Multiple resolvers if you want them.


Probably great for users. Awful for trying to reproduce an issue. I prefer a more deterministic approach myself.


Looks like AdGuard allows for same, thanks for mentioning dnsmasq support! I overlooked it on setup.

