r/dns

Using Incognito and thinking you’re anonymous is wild.
▲ 6 r/dns+3 crossposts

u/No-Hat-2797 — 1 day ago
▲ 11 r/dns+4 crossposts

European Union really thinking about regulating VPNs now?

So apparently the EU launched this new age verification system to “protect minors online,” but people quickly figured out you can literally bypass it with a VPN. Now there’s talk about tighter VPN regulations and honestly this feels kinda wild. I travel a lot for work and public Wi-Fi is straight up sus sometimes. VPN is basically the only thing keeping my accounts from getting yoinked at airports and cafés. What’s annoying is that governments keep treating VPNs like they’re only used for bypassing restrictions, when a lot of normal people use them for privacy, security, streaming, remote work, etc. Imagine paying for a legit VPN subscription then suddenly needing ID verification just to use it. That kinda defeats the whole privacy point ngl. Anybody else think this is getting outta hand or am I trippin’?

reddit.com
u/Chance_Drink3100 — 1 day ago
▲ 1 r/dns

Transfer Domain HELP - From Bigrock to Shopify

Hi,

I have my domain with Bigrock - but it's stored in Shopify.

I want to migrate even the "domain name" from Bigrock to Shopify (don't know its benefits but I guess a single platform will be less clutter) - BUT the expiration date with Bigrock is just 12 days away.

Is it too risky to transfer? Or should I renew with Bigrock and transfer later, or not transfer at all?

Please guide
Thanks

reddit.com
u/Known_Sprinkles5195 — 2 days ago
▲ 67 r/dns

Mullvad dns

Been using the default address for ages, (wrongly) thought I got "all" the protections. Anyone else?

u/1plusAce — 3 days ago
▲ 6 r/dns

How do you currently document why a DNS record exists?

For people managing DNS zones across multiple providers: how do you currently document why a DNS record exists?

Do you keep notes in your DNS provider, an internal wiki, Git, tickets, or not at all?

I'm building a DNS management tool and trying to understand how teams deal with stale records, SPF/DKIM/DMARC records, and provider-specific workflows.

reddit.com
u/rschaaphuizen — 4 days ago
▲ 7 r/dns+2 crossposts

DNS leak : the vulnerability 90% of VPN users don't know they have

using a vpn doesn't automatically protect your dns queries. if your provider doesn't route dns through the tunnel, your isp sees every domain you visit. vpn or not.

this is called a dns leak. most people have no idea it's happening. most vpn apps don't tell you either.

test yours at dnsleaktest.com before assuming you're protected. the results might surprise you.

which providers handle dns correctly by default is in the sidebar.

reddit.com
u/sudo_overcoffee — 3 days ago
▲ 3 r/dns

PowerDNS unexpected behavior

Heyo!

I'd need some help with an issue I'm facing, and I'm not sure if I'm not just overlooking something.

I have 3 PowerDNS Servers, one Master (Supermaster) and two Secondaries (Autosecondary).
The sync between them works fine and records are being resolved as expected.

But when the Master is offline for maintenance or whatever, no records at all are getting resolved, not even by the Secondaries.

All zones have the 3 servers as NS records and also as Nameservers for the Domain itself at the Registrar.

Does anyone have an idea what could be the issue here?
Many thanks in advance!

reddit.com
u/Ponkhy — 4 days ago
▲ 3 r/dns+1 crossposts

Free & Easy Ad-Block on iOS using DNS (No subscription required) using DNSecure

Hey everyone,

I wanted to share a quick guide and open up a discussion on how to get completely free, system-wide ad and tracker blocking on iOS without needing to keep a battery-draining VPN active 24/7.

If you want to block ads inside Safari and native iOS apps/games while using an elite, privacy-respecting DNS, this setup pairs DNSecure (an open-source native iOS profile configuration utility) with Mullvad’s Public Encrypted DNS.

Why this combination?

  1. Zero Logs: Mullvad runs their public DNS servers entirely in RAM and keeps absolute zero logs or metadata.
  2. Native Performance: Unlike apps that run a local loopback "fake VPN" to filter traffic (which drains battery), DNSecure leverages Apple’s native encrypted DNS framework. Once configured, iOS handles it natively.
  3. App-Wide Blocking: It doesn't just block ads in Safari; it blocks tracking and commercial banners inside third-party apps and mobile games.

How to Set It Up

Step 1: Decide on your filtering level
Mullvad provides specific endpoints depending on how aggressive you want the filtering to be. Choose one of these DNS-over-HTTPS (DoH) URLs:
Ads Only:
IP: 194.242.2.3
URL: https://adblock.dns.mullvad.net/dns-query

Extended (Ads + Trackers + Malware):
IP: 194.242.2.4
URL: https://extended.dns.mullvad.net/dns-query

Step 2: Configure DNSecure

  1. Download DNSecure from the App Store.
    https://apps.apple.com/us/app/dnsecure/id1533413232
  2. Open the app and select Custom (or tap the + icon).
  3. Set the Protocol to DNS-over-HTTPS.
  4. Paste your chosen Mullvad URL from Step 1 into the Server URL field.
  5. Tap Save and select your new profile.

Step 3: Activate in iOS Settings

  1. Open your iPhone's native Settings app.
  2. Go to General > VPN & Device Management > DNS.
  3. Change the checkmark from "Automatic" to DNSecure.

Critical Limitations to Know

First-Party Ads: This will not block ads inside YouTube, Instagram, or Facebook. Because those platforms serve ads from the exact same domains as their actual content, DNS filtering cannot separate them.

Carrier Blocks: Some strict mobile carriers block non-standard DNS endpoints. If you apply the profile and your cellular data completely stops working, it means your carrier is blocking Mullvad’s IP blocks.

Alternative Note: If Mullvad fails due to a carrier block, AdGuard is an incredibly reliable fallback that uses heavily whitelisted infrastructure. And it’s already available in DNSecure's predefined list.

I would suggest doing some research on the best private DNS filtering based on your region.

Curious to hear if anyone else is running this setup, or if you've run into any specific carrier blocks with Mullvad's endpoints on mobile data!

https://github.com/kkebo/DNSecure

reddit.com
u/MotherNatureLaws — 4 days ago
▲ 21 r/dns+17 crossposts

New Academic Research: “Zombies in Alternate Realities: The Afterlife of Domain Names in DNS Integrations”

Interesting paper on a fairly under-discussed issue in DNS: what happens to expired or repurposed domain names that remain embedded in DNS dependencies across systems. The core finding is that these “orphaned” or changed domains can persist in resolution paths and integrations long after their original context is gone, creating real security and reliability implications.

My take: this becomes even more relevant in modern AI systems, where agents, tools, plugins, and third-party APIs are rapidly stitched together. In that environment, domain names and DNS-level dependencies can quietly extend the AI supply chain attack surface in ways that are easy to overlook.

Paper: https://arxiv.org/abs/2605.06880

reddit.com
u/VincentADAngelo — 4 days ago
▲ 4 r/dns+2 crossposts

Found the holy grail mobile privacy setup. RethinkDNS + Cloudflare WARP + NextDNS is insane.

Yo what’s up everyone,

Just wanted to share a quick appreciation post for the mobile setup I finally got dialed in on my phone. I used to bounce around between different premium paid VPNs, but I was getting tired of the random slowdowns and clunky apps.

I decided to piece together a custom stack using three free tools, and honestly, the performance is blowing me away. Here’s what’s under the hood:

## How it actually works:

I tap a link ➔ NextDNS strips out the ads and tracking junk ➔ RethinkDNS processes it ➔ Cloudflare WARP wraps it all up in a super fast WireGuard tunnel.

## Why this setup goes so hard:

* Literally $0: Getting enterprise-grade privacy and global infrastructure for free feels like a total cheat code.

* Stupidly Fast: Traditional VPNs always add a bit of lag when servers get crowded. WARP connects straight to Cloudflare's massive edge network. My traffic routes through Atlanta but pins me locally to Jacksonville—the ping is basically nonexistent. Web pages load way snappier than they ever did on premium VPNs.

* Ghosting my ISP: My real mobile carrier/ISP sees absolutely zero browsing data. Websites just see a generic Cloudflare data center IP instead of my actual location.

* Battery Saver: WireGuard is super lightweight on Android, and because NextDNS is stopping heavy ad scripts from downloading, my phone isn't cooking itself or wasting data.

You get a rock-solid firewall and full traffic encryption; you should definitely look into this combo.

Disclaimer: I wrote the actual content and tech breakdown, but ran it through AI to clean up the formatting/markdown so it doesn't look like a wall of text. Let's talk about the DNS setup, not the grammar.

reddit.com
u/Crypto-Coin-King — 5 days ago
▲ 6 r/dns

Free DDI and DNS Security Webinar Series

Wanted to share a great learning opportunity! From May 19 - June 11, Infoblox is hosting two free webinar series on DDI and DNS Security, open to everyone. The sessions are led by Joshua Kuo, co-author of The Hidden Potential of DNS In Security.

Register here: https://linktr.ee/InfobloxEducation


reddit.com
u/SadOnion33 — 4 days ago
▲ 3 r/dns+1 crossposts

DNS .local leftover after migration to .de

I have migrated a domain from domain.local to domain.de. I cleaned sites and DNS but still get an error message like this:

Anyone here who can tell me where I can find these leftovers?

Die dynamische Registrierung oder das Löschen einer oder mehrerer DNS-Einträge, die mit der DNS-Domäne "domain.local." verknüpft sind, ist gescheitert. Diese Einträge werden von anderen Computern verwendet, damit diese Server entweder als Domänencontroller (wenn die angegebene Domäne eine Active Directory-Domäne ist) oder als LDAP-Server (wenn die angegebene Domäne eine Anwendungspartition ist) ermittelt werden können

Mögliche Ursachen für den Fehler:

- TCP/IP-Eigenschaften der Netzwerkverbindungen des Computers enthalten falsche IP-Adressen der bevorzugten und alternativen DNS-Server.

- Die angegebenen bevorzugte und alternative DNS-Server werden nicht ausgeführt.

- DNS-Server, die primär für die zu registrierenden Einträge vorgesehen sind, werden nicht ausgeführt.

- Bevorzugte oder alternative DNS-Server sind mit falschen Stammhinweisen konfiguriert.

- Übergeordnete DNS-Zone enthält falsche Delegierung auf die untergeordnete autorisierende Zone für die DNS-Einträge, bei deren Registrierung ein Fehler aufgetreten ist.

BENUTZERAKTION

Beheben Sie die oben angegebenen Fehlkonfigurationen

--------------------------------------------------------------------------------

Verzeichnisserverdiagnose

Anfangssetup wird ausgeführt:

* Die Verbindung mit dem Verzeichnisdienst auf Server DC wird hergestellt.

Auf dem Server DC ist bei der Attributsuche der LDAP-Suchfunktion ein Fehler aufgetreten. Rückgabewert = 81

Der Host DC konnte nicht zu einer IP-Adresse aufgelöst werden. Überprüfen Sie DNS-Server, DHCP, Servername, usw.

Edit:
After a long time of not finding a solution, I solved it today by simply rerunning rendom /clean.

reddit.com
u/USarpe — 5 days ago
▲ 18 r/dns

Pre-announcement of BIND 9 security issues scheduled for disclosure 20 May 2026

I might also update this after the announcement is out.

Anyway, once it's out, also expect updated/patched versions of BIND 9 to shortly follow for various operating systems, "appliances", devices, etc.

https://lists.isc.org/pipermail/bind-announce/2026-May/001294.html

From: Victoria Risk <vicky@isc.org>
Subject: Pre-announcement of BIND 9 security issues scheduled for disclosure 20 May 2026
Date: Wed, 13 May 2026 09:34:22 -0400
To: bind-announce@lists.isc.org

BIND users

As part of ISC's policy of pre-notification of upcoming security releases, we are writing to inform you that the May 2026 BIND 9 maintenance release(s) that will be published on Wednesday, 20 May, will contain fixes for security vulnerabilities affecting stable BIND 9 release branch(es).

Further details about those vulnerabilities will be publicly disclosed at the time the release(s) are published. It is our hope that this pre-announcement will aid BIND 9 administrators in preparing for that disclosure when it occurs. If you have feedback or questions concerning this policy, please open a confidential GitLab issue at https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issue[confidential]=true (preferred) or send an email to bind-security@isc.org.
--
bind-announce mailing list
bind-announce@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-announce

reddit.com
u/michaelpaoli — 4 days ago
▲ 1 r/dns+2 crossposts

Europe might crack down on VPNs now and ngl I’m lowkey cooked

Just saw some news saying Europe might start tightening rules on VPNs because people are using them to get around online age verification stuff. Ever since the UK’s Online Safety Act dropped, VPN downloads apparently went crazy. Ngl this lowkey affects me a lot. I use a VPN almost daily whenever I’m connected to public WiFi because ain’t no way I’m trusting random café, airport, or mall networks with my accounts. I’m literally just trying to stay safe online and avoid shady tracking, not out here doing criminal mastermind activities lmao. Sometimes I even need it because my ISP routing is straight-up trash. Without a VPN my ping goes full potato mode while gaming and everything starts lagging like crazy.

reddit.com
u/Economy-Rip5676 — 6 days ago
▲ 1 r/dns+2 crossposts

when you realize your isp has been watching everything you do on public wifi

u/CatAppropriate351 — 7 days ago
▲ 5 r/dns

DNS and Entra Join Devices

Hi Team,

We have a hybrid environment and are not planning to remove our on-prem DNS at this stage because we still have dependencies with on-premise.

We have Fortinet firewalls across all branch offices. Would it be a good approach to use FortiGate as the DNS server for Entra-joined endpoints?

My main question is:

What is the best way to reduce or remove on-prem dependency for Entra-joined endpoints while still maintaining access to these on-prem resources?

reddit.com
u/EducationAlert5209 — 6 days ago
▲ 7 r/dns

Question on TTLs

I have run into some shenanigans where vendors are using load balancers or split-brain DNS to provide an A record response sometimes and a CNAME response at other times for the same hostname.

Doing this is against the "CNAME and other data" rule, but it functions because it's not being done on the same DNS servers.

The issue becomes that sometimes my DNS server asks for the CNAME instead of the A record, and if that happens against the servers providing the A record, I get NOERROR/NODATA, as would be expected.

As I try to determine what the trigger is for BIND specifically requesting the CNAME rather than the A, I am looking toward cache timers and need to understand which TTL is used on a NOERROR/NODATA response. Is it the "positive" TTL like on a successful query with an answer section, is it the ncache TTL used on NXDOMAIN, or something else entirely?

I ask because when this occurs, the client on my network that wants the name can take a while to recover.

reddit.com
u/sabek — 8 days ago
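A worked example of the negative-caching rule the question above is asking about: per RFC 2308, a NOERROR/NODATA reply has no answer records to take a TTL from, so the resolver caches the "no data" result for the smaller of the authority-section SOA's own TTL and that SOA's MINIMUM field. This is added example code, not from the post or from BIND; the zone name, SOA values and message bytes are constructed.

```python
import struct

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def build_nodata_response(qname, qtype, soa_ttl, soa_minimum):
    """Constructed NOERROR/NODATA reply: empty answer section, one SOA in authority."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 0, 1, 0)  # QR|RD|RA, rcode 0
    question = encode_name(qname) + struct.pack(">HH", qtype, 1)
    mname = encode_name("ns1.vendor.example")          # constructed zone data
    rname = encode_name("hostmaster.vendor.example")
    rdata = mname + rname + struct.pack(">IIIII", 2024051501, 7200, 900, 1209600, soa_minimum)
    authority = encode_name("vendor.example") + struct.pack(">HHIH", 6, 1, soa_ttl, len(rdata)) + rdata
    return header + question + authority

def skip_name(msg, off):
    """Advance past a wire-format name (plain labels or a compression pointer)."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + ln

def negative_cache_ttl(msg):
    """Return (rcode, answer_count, ttl): how long a NODATA may be cached (RFC 2308 section 5)."""
    _, flags, qd, an, ns, _ = struct.unpack(">HHHHHH", msg[:12])
    rcode = flags & 0xF
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # QTYPE + QCLASS
    for _ in range(an):                        # answers (none in a NODATA reply)
        off = skip_name(msg, off)
        off += 10 + struct.unpack(">H", msg[off + 8:off + 10])[0]
    for _ in range(ns):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 6:                         # SOA: MINIMUM is the last 32-bit RDATA field
            minimum = struct.unpack(">I", msg[off + rdlen - 4:off + rdlen])[0]
            return rcode, an, min(ttl, minimum)
        off += rdlen
    return rcode, an, None                     # no SOA: nothing to derive a negative TTL from

if __name__ == "__main__":
    reply = build_nodata_response("app.vendor.example", 5, 3600, 300)  # CNAME query, SOA TTL 3600, MINIMUM 300
    print(negative_cache_ttl(reply))
```

BIND additionally caps the result with its max-ncache-ttl option, so the cached lifetime can be shorter than the value this computes but never longer.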