gerdesj 4 days ago

You can't go too far wrong with unbound and it is seriously fast and light.

Real men cry into their text editors with BIND and PowerDNS but you do get the whole toy box with these beasties. I've whizzed up many BIND daemons. I once ran a pair of PDNS servers with a MySQL replicated back end.

I currently have an internet exposed and rather locked down PDNS for ACME DNS-01 (Let's Encrypt). The CA consortium are insisting on SSL certs going down to 40 odd day lifetimes within about three years. I look after quite a few SSL certs for my customers. Anyway.

For home labbers, you might consider a Pi Hole (doesn't have to run on a Pi - a VM will do) or, a bit more hard core: https://technitium.com/dns/ (web GUI - yay!). pfSense has Unbound built in and I think OPNSense does too - both are fine choices of router. OpenWRT probably has unbound in it.

When I say, you can't go too far wrong with unbound, I mean it. If it works then it is almost certainly configured correctly.
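As an added illustration of what "configured correctly" looks like for a home-lab unbound (example config, not the commenter's own), assuming a resolver listening on 192.168.1.2 for the 192.168.1.0/24 subnet, a trust-anchor path of /var/lib/unbound/root.key and a constructed lab zone lab.example:

```conf
server:
    # Listen only on the LAN address; nothing on the WAN side.
    interface: 192.168.1.2
    port: 53

    # Answer the lab subnet and loopback, refuse everyone else.
    # This is the line that stops the box becoming an open resolver.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    access-control: ::0/0 refuse

    # Do not advertise which software or version is running.
    hide-identity: yes
    hide-version: yes

    # Cache-poisoning hardening and DNSSEC validation.
    harden-glue: yes
    harden-dnssec-stripped: yes
    use-caps-for-id: yes
    qname-minimisation: yes
    # Path is an assumption; check your distribution's default.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Drop upstream answers that point public names at RFC1918 space
    # (DNS rebinding protection), except for the lab's own domain.
    private-address: 192.168.0.0/16
    private-address: 10.0.0.0/8
    private-domain: "lab.example"

    # Lab names served straight from config (constructed example data).
    local-zone: "lab.example." static
    local-data: "nas.lab.example. IN A 192.168.1.10"
    local-data-ptr: "192.168.1.10 nas.lab.example"

    # Refresh popular cache entries before they expire.
    prefetch: yes
```

`unbound-checkconf` validates the file before a restart; a query sent from any address outside 192.168.1.0/24 should come back REFUSED, which is the quick check that the access-control lines did their job.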

sgc 4 days ago

I am just using adguard home as my dns server (installed as a plugin in opnsense). Am I naively doing something wrong, or is that a relatively decent choice as well?

gerdesj 2 days ago

Great choice mate.

I really must get around to looking into opnsense again. I look after 50 odd pfSense boxes (about half on Netgate gear) across the UK but I am a believer in choice and I remember when opnsense sort of split from pfSense. It's great to see the project thriving.

When you deploy a well respected alternative to your ISP provided equipment and get it to work, you generally get it right. They (pfSense, opnsense, openwrt and all the rest) will not do an insecure config out of the box. You do have to try quite hard to get it wrong!

Adguard, pfBlocker, pi-hole and co. all largely do a similar job and that is keeping your devices away from the seamier parts of the internet and the seamier sides of the internet away from your network. They are not perfect but are really good at it.

Think steel bound three inch thick front door, with really good hinges and a lock that would give a professional a hard time, rather than PVC or wooden panel with a mortice lock. Do keep an eye on the windows though ... 8)

Keep it and everything else reasonably up to date and you are probably golden.

sgc 19 hours ago

That sounds like it would be a fun challenge - with the occasional extremely hairy day. Do you manage people's home networks, or small business, etc? I understand if that is not info for hn of course.

LilBytes 3 days ago

Not doing anything wrong, different flavours for different folks. I tried Adguard Home but found myself liking PiHole a little more. They're both excellent, and both are open source. I'd suggest anyone that says AdGuard Home or PiHole is better is as objective as saying "strawberry is the most superior flavour of ice cream". :)

That said! I haven't used AdGuard Home in a very long time, might be time for me to revisit.

joshbetz 4 days ago

I prefer AdGuard Home as well.

humanfromearth9 3 days ago

"Real men..." Really? It's 2025, shouldn't we be past such misogynist expressions?

gerdesj 2 days ago

It's a silly old meme from the days before Mr Dawkins invented the word meme.

We were sadly not past expressions like that in say the 70s or 80s but by the 90s, that phrase was definitely considered ironic (in the modern sense). Back then irony was merely one metallic mouth feel, along with steely, coppery and brassic.