Home    All Articles    About    carlos@bueno.org    RSS

Install a DNS resolver on your laptop

26 February 2009
  1. I have since been lectured sternly (and correctly) that running your own resolver is a rude thing to do. If you want an alternative, try using as your DNS servers instead.
  2. a Meraki employee pointed out that they are at the mercy of whatever resolvers the ISPs of their volunteers use. I remain unconvinced as they seem to add an extra layer of indirection. Also, they run their own hardware and software. There is no reason why they couldn't use alternate DNS servers or even run their own.

Free hotspot internet providers (eg Meraki) can have pretty good bandwidth but still feel slow because their DNS resolvers suck and they don't know it. You'll have great response from an SSH session or webmail but clicking a link to a new site will pause or fail.

Even large ISPs get this wrong. I tried for several years to convince BellSouth that one of their DNS resolvers was down:

"No, my internet is not down. The DNS server is down. I can ping. DNS. Dee Enn Ess. Pee Eye Enn Gee. Do you understand I'm trying to tell you about a bad problem with your system? One of your DNS servers is down. It's been down since 2003 but it's still in rotation. Yes, I restarted my router. Yes, my connection is now working but that's not the poi--". Click. Good times.

Solution: install your own damned resolver. I recommend Dr Berstein's excellent dnscache, part of daemontools djbdns (which itself runs under daemontools). Incidentally, this is also a good idea for your servers if you do any crawling, image fetching, etc. You'd be surprised how much it can help.

Excellent installation instructions here:



Credit to tlack, who taught me this trick back when I was still figuring out bash.

I had a similar problem with my charter internet. (For no apparent reason they would resolve everything except youtube at one point)

I just started using OpenDNS (https://www.opendns.com/start/)

No offense intended, but it seems like a simpler solution to just set your DNS server than to install/configure a DNS resolver.
I use both: dnsmasq AND OpenDSN.

dnsmasq is fast and easy to setup, in Ubuntu at least:


OpenDNS protects you from typos in the urls, phishing and sites that install badware.
Yep, I configure my routers to use OpenDNS (initially to block pr0n) and have seen a pretty good improvement in lookup speeds. Have been very pleased with their other services (keyword mapping, misspelling catcher, reporting) too. Ended up installing at a couple organizations I help with and haven't had to think twice since then.

I certainly understanding wanting to manage the whole thing yourself, and do so locally as much as possible. But OpenDNS is a good solution for a less technical crowd.
I've been running my own DNS cache for years. Almost always it works better than the ISP-supplied resolvers.

I used to run DJB's software before, but now there's no point in doing that. Bind has cleaned up their act and it's usable nowadays.
...(by the way dnscache is part of djbdns, not daemontools)...

running a good local smart resolver is a good idea if you have a little DNS knowlegde to troubleshoot it if you need to.

Don't forget to change your OS resolver configuration so that you make use of the local smart resolver (/etc/resolv.conf or TCP/IP Settings).

I can recommend "unbound", which is a very fast and secure resolving/caching only DNS Server (a smart resolver, not an authoritative DNS Server like BIND).

It is fast as BIND in most instances, has a more modern design as djbdns and is from the feature set probably the most secure resolving DNS Server today (supports DNSSEC). Give it a try!
Forget the link: Unbound can be found at http://unbound.net

"Unbound is a validating, recursive, and caching DNS resolver.

The C implementation of Unbound is developed and maintained by NLnet Labs. It is based on ideas and algorithms taken from a java prototype developed by Verisign labs, Nominet, Kirei and ep.net.

Unbound is designed as a set of modular components, so that also DNSSEC (secure DNS) validation and stub-resolvers (that do not run as a server, but are linked into an application) are easily possible.

The source code is under a BSD License."
"You'll have great response from an SSH session"
If that's the case already, just forward everything over a dynamic SOCKS proxy on your SSH connection and use remote DNS. Much safer, too. (Provided you own/trust the remote SSH.)