by johnklos 442 days ago
"Should you ever operate your recursive resolver on only one network? Specifically, should it be limited to the IPv4 or IPv6 network? The general answer for the year 2025 is: NO, you shouldn't."

I wholeheartedly disagree. When given the choice between our ISP's DNS, DNS served by a for-profit company that wants to be a monopoly (such as Cloudflare or Google), or running your own DNSSEC enabled, fully recursive DNS server, you should absolutely run your own, if you're even slightly technical.

If your network is only IPv6, then you already have plenty of issues with general Internet use and should know your caveats. If you're using only IPv4, then you know to run BIND with "-4".

Either way, if you only have one or the other, then you have much more control over what happens when you run your own recursive resolver, regardless of whether it's BIND, Unbound or something else.

The author may've made some money being slightly passive-aggressive about running BIND and pretending to not know about "-4", but that's more a self-own than a slight on BIND, in my opinion.

1 comment

I wholeheartedly disagree.

Same. There are plenty of example configurations for less technical people to stand up their own server. As a bonus they can learn from it with time and also help family members block some malicious sites.

My Unbound daemon talks to the root servers. I keep some DoT I also run on standby and various VPS and rental server providers just in case. Having my own daemon, I can log all the responses to a ramdisk and see when apps are doing something dodgy. Despite popular belief here on HN, it is trivial to block all the DoH servers despite their being on HTTPS 443. Another perk of running my own server is I have full control over caching and blocking of domains. For most sites my response time is sub 0ms.

Sending all the DNS traffic to the big corporate capture servers is bonkers in my view. That allows both the ISP via SNI and the big government-created sites to capture everything. ECH support is still very limited outside of Cloudflare. People claim that ISPs tamper with DNS, but very few do in first-world countries. I empathize with the people that have crap ISPs, but mine will behave properly. I also only use IPv4 on my ISP. Even on VPS and rental servers, the only role in which I also use IPv6 is my public authoritative DNS servers. Web and others are just IPv4. It's much easier to block bots when you only have to deal with one version.

For completeness' sake I should also add that Unbound has options to mimic the BIND 8, BIND 9 or Unbound prefetch and retry algorithms.
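As an added example (not the commenter's own configuration), here is an Unbound `server:` block that puts the points from both comments together: an IPv4-only, DNSSEC-validating resolver that recurses from the root, prefetches expiring records, logs replies to a ramdisk, blocks chosen names locally, and exposes the fetch-policy knob. File paths, the LAN prefix and the blocked names are assumptions for illustration.

```conf
# Added example, not from the thread. Paths, the LAN range and the
# blocked names below are placeholders; adjust them to your install.
server:
    interface: 0.0.0.0
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow    # assumed LAN prefix
    access-control: 0.0.0.0/0 refuse        # never an open resolver

    # Single-stack resolver: the Unbound equivalent of BIND's "-4".
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Full recursion from the root servers, with DNSSEC validation.
    root-hints: "/var/lib/unbound/root.hints"           # assumed path
    auto-trust-anchor-file: "/var/lib/unbound/root.key" # assumed path
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

    # Refresh popular records (and their DNSKEYs) before they expire,
    # which is what keeps cached answers near-instant.
    prefetch: yes
    prefetch-key: yes

    # Opportunistic fetching of nameserver addresses; the default is
    # "3 2 1 0 0", and the manual documents "0 0 0 0 0" as closer to
    # BIND 9 behaviour and "-1 0 0 0 0" as closer to BIND 8.
    target-fetch-policy: "3 2 1 0 0"

    # Log every query and reply to tmpfs instead of syslog
    # (assumes a ramdisk is mounted at /dev/shm).
    use-syslog: no
    log-queries: yes
    log-replies: yes
    logfile: "/dev/shm/unbound.log"

    # Local blocking: these names are answered here and never sent out.
    local-zone: "blocked.example" always_nxdomain   # placeholder name
    local-zone: "tracker.example" always_refuse     # placeholder name
```

Check the result with `unbound-checkconf` before reloading, and confirm validation works by querying a signed name and looking for the AD flag in the reply.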