[Solved] Quad9/other upstream DNS vs running your own DNS resolver

So I've been running Unbound for a while as my DNSSEC capable DNS resolver, but I've noticed that (given the smaller 'audience' it has to serve) DNS lookups can take a while and of course not a lot of stuff is cached in the beginning. I read about Quad9 recently and have to say it looks very interesting. However, I'm wondering what's wiser. Running your own DNS of course means that people need to break into your box to mess with your DNS (at least, for DNSSEC enabled domains...), but if it breaks all by itself, you get to clean it up all by yourself as well. Quad9 does DNSSEC and seems to filter for malware domains etc as well, so it looks very enticing. So what's the smartest thing to do?

Also - I have set the dnsmasq DHCP option to feed both Quad9 and my local Unbound server to DHCP clients, but they only seem to pick the local DNS server. How do I fix this? Seems NetworkManager (Linux) likes to do its own thing :roll_eyes:.

# uci show dhcp|grep option
dhcp.lan.dhcp_option='3,' '6,' '6,'


Anyone? :slightly_smiling_face:

Well, as a follow-up to myself, the UCI add_list option takes multiple comma separated arguments. So for it to work it needs to be

uci add_list dhcp.lan.dhcp_option='6,,'

Or the other way around, of course, if you want your local DNS to be consulted first :).

1 Like