‘DNS’ articles from Ctrl blog

DNS

I value the Domain Name System’d independence from the major tech companies. I blog about the evolving DNS standards and features that make the internet work.

Follow by feed or email.

Common mistakes in BIMI early-adopter implementations

The Brand Indicators for Message Identification (BIMI) standard has strict requirements for an email sender’s logo to show up in your inbox. 65,1% gets it wrong.

What domain name to use for your home network

Always use the ‘.home.arpa’ top-level domain (RFC 8375), and don’t use the special-purpose ‘.local,’ or made-up undelegated domain names like ‘.lan’ or ‘.home.’

.blog vs .com TLD performance

Traditional and established top-level domain resolves faster than the newfangled .blog top-level domain. Unsurprising, but worrisome.

What to `<link rel=dns-prefetch>` and when to use `preconnect`

Learn the difference between dns-prefecth vs preconnect, how to work around browser bugs, and when to use which? iOS and Safari requires special attention.

How to disable outgoing mDNS broadcasts on Linux

Tutorial for quieting Multicast DNS using various firewall front-ends for Linux’s iptables firewall such as FirewallD and Ubuntu’s UFW.

Hurricane Electric secondary DNS adds support for TSIG authentication

I asked HE DNS if they had plans to support TSIG authenticated AXFR requests. Weeks later they rolled out support for the feature.

Well-Known URI vs DNS-SD for distributed web service-discovery

I compare the resilience of DNS Service-Discovery vs HTTPS Well-Known URIs when routing distributed internet traffic around censorship.

Secondary authoritative DNS service providers compared

A comparison of the security features and other features offerings (AXFR, DNSSEC, TSIG, IPv6) at 14 different secondary/slave DNS providers.

Compared DNS caching/TTL of different CDNs

Short DNS TTL times are great for failover but can be detrimental to DNS performance. Here’s a comparison of the DNS TTL caching durations of popular CDNs.

A survey of DNS caching and TTL in end-user client software

Web browsers and other clients vary greatly in their handling of DNS TTL caching hints. Some follow TTL hints, limit it at 2 seconds, or apply their own logic.

Embrace `systemd-resolved`

systemd-resolved improves DNS performance with query-caching. Learn how to configure it to increase system privacy and security with DNS over TLS and DNSSEC.

Turkey blocks BunnyCDN; Ctrl blog and 14 000 websites inaccessible

Ctrl blog was inaccessible in Turkey for five days as the country inadvertently blocked the BunnyCDN content delivery network.

How I blocked myself from obtaining a Let’s Encrypt TLS certificates

A misapplied DNS CAA record blocked Certbot from obtaining a Let’s Encrypt certificate for my domain name. Ouch. Have a fallback strategy!

DNSLink and IPNS availability survey

I surveyed millions of websites to discover which domains were set up with an DNSLink address for the IPFS peer-to-peer alternative to the internet.

Actually secure DNS over TLS in Unbound

Resolve a common DNS over TLS configuration mistake in the Unbound DNS server that makes you vulnerable to attacker-in-the-middle resolver interceptions.

How to randomize DNS resolver selection in Knot Resolver

Improve your privacy by spreading DNS resolution requests out among many recursive DNS resolvers. No single provider will know all you do online.