[Bender]

I use Unbound locally as a DoH server. The Alpine Linux Unbound package is compiled with libnghttp2, required for the built in DoH listener. That's more than enough to enable ECH [1].

I pre-cache all the domains I use hourly via cron. My ISP is not going to dork with my DNS requests and their employees are bigger deviants than I. If I ever started browsing the web from a phone I would just set up my own public DoH server. It only takes a few minutes and gives me my own query logs for debugging weird issues.

[1] - https://tls-ech.dev/

[harshreality]

Why pre-cache? For speed... what is it, 30-50ms at most? If the authoritative server's TTL is <60minutes, do you force it to 3600? Do you audit all the connections that occur for every website you visit, collect all the domains hosting assets, and pre-cache those as well, or is the main site's domain the only critical one because that affects perceived latency the most?

[Bender]

I pre-cache for speed, verifying records that have expired since I retain the expired records for sites that have intermittent DNS issues and also to throw in domains that I do not use in the off chance someone is logging where I go and when. They will see the Cloudflare top 20K domains hourly. Myself and family members have been able to access sites when others around the internet can not due to infrastructure related DNS problems. In other words, when others will say "It's always DNS" for myself and family members that is rarely the case as DNS records do not change as often as people seem to think they do.

[abcdefg12]

Or you could use dnscrypt so ISP doesn’t see your lookups at all

[Bender]

When all the authoritative servers support TLS I can enable TLS outbound but very few of them do at the moment. At some point someone is decrypting, turtles all the way down. I could of course just do DoT to another instance of Unbound somewhere else but I do not need to do that as my ISP does not care about my queries. I used to keep standby DoT Unbound servers around but I have never once seen a US ISP tinker with my traffic. If they did I would put up billboards saying they what they are doing.

[petee]

Unbound has "prefetch" which will refresh near-expired cached records, and various other cache/ttl knobs. "serve-expired" seemed to work well too

[Bender]

I use both of those as well in Unbound.

[petee]

I was thinking that if you preload your 50k list and override the min-ttl, the prefetch would let you relax the cron schedule a little

[Bender]

I could but I like to run everything in cron hourly to force trigger the retry mechanisms on the expired records and make a bunch of noise so that my network always looks active.

It's just a "me" thing. Others can and should do whatever they think will work for them. If everyone does this a little different that is probably best.

[kingo55]

> I pre-cache all the domains I use hourly via cron.

How does this look? Shell script querying a list of hostnames? What qualifies as a domain you use?

[Bender]

It looks like this [1] I enable query logging to a tmpfs RAM disk and then every month I update a list of domains that I have queries more than {n} times. I mix that in with a list of the Cloudflare top 20K domains after removing the broken ones and some TLD's.

[1] - https://nochan.net/b/Internet-Crap/20260602-Set-Up-Your-Own-...