Gentoo: Easy way to ditch your ISP nameserver

My Linode is now my personal DNS resolver. Now that I have found unbound, I have officially ditched the ISP nameservers from this point forward. Unbound is a lightweight, recursive resolver that is perfect for your LAN, your co-located host, or even a single host.

For a single host, emerge unbound, start the service, and add 127.0.0.1 as the first nameserver in /etc/resolv.conf. Unbound is set up (by default) to accept connections from localhost and refuse anything else. If you are using DHCP at home (likely), also emerge openresolv and uncomment name_servers=127.0.0.1 in /etc/resolvconf.conf; openresolv then “intercepts” dhcpcd when it tries to write to /etc/resolv.conf and adds 127.0.0.1 as your first nameserver :) For your LAN, just configure your router to point to the host that you set unbound up on, with some additional configuration on that host so it listens on the LAN interface and accepts queries from it.

Finally, you can also run unbound on your co-located host. Just edit /etc/unbound/unbound.conf to a) listen on an outside interface and b) allow your other host to query it. This is left as an exercise for the reader; it is easy to figure out.
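An unbound.conf covering the LAN and co-located cases above, as an added example that is not from the original post; 192.0.2.10 (this host's outside address), 192.168.1.0/24 (the home LAN) and 203.0.113.5 (the other host) are placeholder addresses to replace with your own:

```yaml
# /etc/unbound/unbound.conf: added example, not from the original post.
# 192.0.2.10, 192.168.1.0/24 and 203.0.113.5 are placeholders.
server:
    # Listen on loopback plus the one outside interface that should serve
    # queries. Avoid "interface: 0.0.0.0" unless every address that can
    # reach the box is covered by the access-control rules below.
    interface: 127.0.0.1
    interface: 192.0.2.10

    # Unbound applies the most specific matching netblock, so the /0 refuse
    # acts as the default and the narrower allow lines punch holes in it.
    # Without the refuse line, a resolver reachable from the Internet is an
    # open resolver that third parties can abuse for reflection attacks.
    access-control: 0.0.0.0/0 refuse
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 203.0.113.5/32 allow

    # Do not answer id.server / version.bind CHAOS-class queries.
    hide-identity: yes
    hide-version: yes

    # Sanity checks on what upstream servers hand back.
    harden-glue: yes
    harden-dnssec-stripped: yes

    # The "prefetching of RRs" discussed in the comments: refresh cached
    # records that are about to expire, so the first-lookup penalty for a
    # popular name is rarely visible to clients.
    prefetch: yes

    # Raising the minimum TTL (also mentioned in the comments) trades
    # freshness for speed and overrides what the record owner chose, so
    # leave it at 0 unless you have measured a real gain.
    cache-min-ttl: 0
```

Run unbound-checkconf after editing and, from the allowed remote host, confirm that a query against 192.0.2.10 is answered while a host outside the allow list gets REFUSED.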

Lastly, a shout-out to Linux Gazette for an excellent write-up on GoogleDNS (and why you should use something like unbound) and DNS/LAN metaphors. Suggested reading if you feel out of your league with DNS internals, like me. :)

A quote from the above linked article: “Why outsource to anyone, when you can do a better job locally, at basically no cost in effort?” And really, that is the truth. Have fun.


14 Comments.

  1. Thank you. It’s a good idea.
    I didn’t install openresolv. I modified the line
    dhcp_eth0="nodns nosendhost"
    in /etc/conf.d/net so dhcp doesn’t modify my resolv.conf

  2. Another way is to use net-misc/dhcpcd and customize /etc/resolv.conf.{head,tail} files.

  3. Thank you, very enlightening content and links.

    I’d be interested to learn if you have noticed a performance increase (either with your own eyes or with a tool to measure network/DNS performance).

  4. Personally I use tinydns’ dnscache – works very fast! Very reliable! Installed in minutes as well.
    I don’t get why use Google’s DNS on different continent when you can use your own one near you? :)

  5. I have been using dnsmasq which also provides DHCP to LAN clients along with DNS

    • Well, dnsmasq is just a forwarder. So, it is not the one that is doing any lookups. dnsmasq is running on my router as well; it gets its data from a resolver (unbound in my case).

  6. Thanks for this, Jeremy. I’m now using unbound locally as well. Those linked articles went a long way in helping me understand DNS better. There has always been a bit of a mystery there for me.

  7. All well and good, but remember that caching DNS servers are there in your ISP’s network for a good reason. If everyone started doing this the extra load on the root servers (see http://www.root-servers.org/) would go up and could adversely impact the service they provide. Granted it would take a fair few networks to do it, but the root servers really shouldn’t be requested against directly unless need demands it (or you are, for example, a major ISP).

    It’s all about spreading the load properly around the networks.

    Note also that while lookups after the first request will be quicker (that’s a given; it’s cached and on your network, sub 1ms from your machine in most cases), the first request can, and does at times, take a long time compared to hitting the ISP DNS cache. Something that isn’t mentioned above.

    Don’t forget that many ISPs will also not provide support if you have “non-standard” network setups, so you may want to note the old settings for testing if something goes wrong…

    • Convince ISPs to get their act together then. Until that happens, I’m going to use something that works…

    • This is not exactly true. We query the root servers for the TLDs. They redirect our request to the appropriate TLD operator. This happens whether we use our local DNS caching servers, the ISP owned, or an open DNS service.

      What matters however is the way we treat and maintain the cache, and the amount of time it takes for the first response. With so many web services relying on DNS round-robin selection for some sort of load balancing, the TTLs for the records are extremely low (5mins or less). This is a serious problem for you AND your ISP.

      I have tweaked unbound a bit and I have tested it side by side with BIND. It seems that the prefetching of RRs (in order to keep the TTL counters high) and the capability to tweak minimum TTLs can give very big gains to your web experience.

  8. dnsmasq is not just a forwarder; it caches as many external lookups as you configure it to, and it maintains local records (e.g., for local use behind NAT). So it does do its own lookups, both from cache and from local records; it forwards requests for whatever it doesn’t have a record of.

    Also, if you do some benchmarking, you’ll find that using GoogleDNS is almost never the fastest option, and that using local ISP nameservers is almost always the fastest option. Google’s benchmarking app only pays attention to the actual transaction time (the lookup time), and while their centralized servers (and the centralized servers of similar providers, such as OpenDNS) do perform faster lookups, this time reduction is more than offset by the increase in the time it takes for packets to get back and forth between you and their servers. Try it by comparing a few ‘time nslookup xxx.xxx.xxx.xxx’ operations (being sure to avoid caching artificialities).

  9. Thanks for the article, it’s exactly what I needed. I had something set up like this previously with djbdns but got lost in a system upgrade and never found the time to do it again. These instructions were nice and easy.

    To the people who say to use the ISP nameserver: my ISP nameservers are horribly slow and often time out, they resolve invalid hostnames (to point to their ad-infested error page), sometimes resolve valid hostnames to their ad page as well, and they sell customers’ DNS lookup history to companies for targeted advertising. No thanks!

  10. John Chronister

    Another good thing to do to make sure that your “/etc/resolv.conf” is not modified is to do the following:

    chattr +i /etc/resolv.conf

    This will make it immutable so that it cannot be modified, deleted, moved, whatever. :O)
