Power outages as soon as I head to bed, nice

This is fine

the good part about power outages is it told me that my NUC's re-done network configuration was actually broken and didn't work correctly on reboot (missing v4 connectivity)

for some reason it was adding the statically configured IPv4 address to the eno1 interface instead of the bridge interface even though it was under the br0 interface

DHCP works fine though so 🤷🏾‍♂️

the correct config:

auto br0
iface br0 inet dhcp
bridge_ports eno1

iface br0 inet6 auto

It is important that my NUC's network connectivity works correctly after it comes back from a power outage since it's the primary DNS resolver handed out by DHCP in my LAN.

I have my router's forwarder as the secondary, but I'd rather not have the home network be in a degraded state.

my home LAN's resolver situation is as follows:

Primary - unbound recursor running on my NUC

Secondary - forwarder running on my router, forwarding to my ISP's PPPoE provided resolvers

I don't really like using the common public resolvers like Google Public DNS/OpenDNS/Cloudflare as a secondary, especially when my ISP's resolvers don't NXDOMAIN hijack.

I have said it before but I consider NXDOMAIN hijacking a violation of the trust between an ISP and its customers.

These ISPs are taking advantage of their customer base to make a few more bucks from them.

A customer base where the majority doesn't know how to run their own recursor or how to change to a different DNS provider, and I argue they don't have to, that's what they are paying you for.

Let me explain NXDOMAIN hijacking:

Say, for example, you mistype a domain in your browser's URL bar. Normally it would give you a 'name not found' or similar error message or, depending on how smart your browser is, redirect to a user-configured search engine.

With NXDOMAIN hijacking, that typo would result in you landing on a search page provided by your ISP with ads on it which they make money from.

on a technical level it means that instead of the DNS query returning an NXDOMAIN like it should, your ISP's resolver software modifies it to return a server run by the ISP.
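As an added example (not part of staticsafe's thread), here is a small Python check for the behaviour just described: it sends an A query for a constructed, almost certainly nonexistent name and reports "honest" when the resolver answers with RCODE 3 (NXDOMAIN) and "hijacked" when it answers NOERROR with an A record instead. The resolver address, the probe name and the sample addresses are assumptions; `build_response` only synthesises replies so the parser can be exercised offline.

```python
"""Probe a DNS resolver for NXDOMAIN hijacking (added example, not from the thread).

An honest resolver answers a query for a nonexistent name with RCODE 3 (NXDOMAIN).
A hijacking resolver rewrites that into RCODE 0 (NOERROR) plus an A record pointing
at a server the ISP runs.  We build the query by hand so the raw RCODE is visible.
"""
import os
import socket
import struct

NOERROR = 0
NXDOMAIN = 3


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A/IN query (RD=1) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Extract transaction id, RCODE and any A record addresses in the answer section."""
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": rcode, "answers": addrs}


def classify(parsed: dict) -> str:
    """Honest: NXDOMAIN.  Hijacked: NOERROR with an address for a name that does not exist."""
    if parsed["rcode"] == NXDOMAIN:
        return "honest"
    if parsed["rcode"] == NOERROR and parsed["answers"]:
        return "hijacked"
    return "inconclusive"


def random_nonexistent_name() -> str:
    """Constructed probe: a random 16-hex label under .com mimics a real typo."""
    return os.urandom(8).hex() + ".com"


def build_response(query: bytes, rcode: int, addrs) -> bytes:
    """Constructed helper: synthesise the reply a resolver would send to `query`.

    rcode=3 with no addresses models an honest resolver; rcode=0 with an address
    models a hijacking one.  Answers use a compression pointer (0xC00C) to the qname.
    """
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(a) for a in addrs
    )
    return header + query[12:] + answers


def probe_resolver(resolver_ip: str, name: str = "", timeout: float = 3.0) -> str:
    """Send one live UDP query to `resolver_ip` and classify its reply."""
    name = name or random_nonexistent_name()
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        data, _ = sock.recvfrom(4096)
    parsed = parse_response(data)
    if parsed["txid"] != struct.unpack("!H", query[:2])[0]:
        return "inconclusive"  # reply does not match our query; do not trust it
    return classify(parsed)


if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed resolver address
    print(resolver, probe_resolver(resolver))
```

Run it against the resolver your DHCP lease hands out (or the secondary forwarder) and against your own recursor; the two should both print "honest". The transaction-id check is there because any stray UDP datagram arriving on that socket would otherwise be parsed as the answer.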

okay I'm gonna go out to get some lunch but when I come back, I'm going to offer some solutions if you are in a network with resolvers that hijack NXDOMAINs

okay so while Zelda downloads let's talk about getting around your ISP's NXDOMAIN hijacking

there are two basic ways:

1) using a public resolver service that does not NXDOMAIN hijack (example - Google Public DNS)

2) running your own recursor (example - unbound on your own machine or serving your network if you control the network)

using a public resolver service is the easier choice but comes with the cost of giving your DNS queries to a third party (Google/OpenDNS/Cloudflare)

decide for yourself if this is something you are okay with

How to change DNS settings on Windows 10:

if you control the router and the network, look up your router's documentation on how to change it there

setting up your own recursor is slightly more involved, I recommend unbound:

(ignore the part about compiling it)

you can get unbound in your Linux distro's repositories, so if you have a Raspberry Pi, you can install it there and use DHCP to have your whole LAN use it

if you only need it on a single machine, it can be as simple as

apt install unbound resolvconf

unbound listens and recurses for localhost by default

if you are on Windows, Unbound has an installer that you can use that comes with a Windows service so you can easily stop/start it:

Install it, make sure the service is started, change your resolver to and you should be good to go

that's pretty much it, this thread is long enough already and I should probably put it in a blog post

@staticsafe So many ISPs do this...

It makes me hate them immediately and irreparably.

@staticsafe Even a good "optional" DNS like Norton does this. It's one of the few that uses DNSSEC, and I refuse to use Google's DNS anymore, so I'm stuck with the NXDOMAIN hijacking. Honestly just thinking about forgetting about the DNSSEC so I can get back to a normal "name not found" result.

@staticsafe How much trouble is running your own recursor? I do have an always-online unix machine and it does seem more clean than relying on Google

@elomatreb @staticsafe really easy, especially with Unbound. I used to use dnsmasq but now I use Unbound.

@staticsafe that would be cool. Definitely interested in more of this.

@staticsafe I'm a fan of PowerDNS. Would be interesting to do a compare and contrast.

@nivex I've never actually used pdns' recursor functionality, it's worth a look I guess

@staticsafe fun fact!!!! my ISP does this, but there are times where the DNS of their own site doesn't resolve.
it forms a loop until you get an http request too long error and the URL is thousands of characters long

@staticsafe returning a page of search results (with some ads) is more user friendly for nontechnical folks

The ads are my primary concern...

@staticsafe here's a fun thing: around the same time the UK's biggest cable provider started doing NXDOMAIN hijacks (which can at least be opted out, though they are opt *out* rather than opt *in*) they also started rolling out firmware updates to their routers to remove the option to set a custom DNS rather than the ISP's own

@theoutrider @staticsafe honestly screw them so much. i wanted to set up a pi-hole on my network to direct DNS requests to, but i can't do a simple network-wide implementation without setting up an entirely new router! yay!

@007 @staticsafe it's a bit annoying that their router is otherwise quite serviceable, it's *just* enough to not have pushed me into buying my own router

staticsafe's personal Mastodon instance.