UnveilTech

UnveilDNS Blog

DNS security, filtering and privacy — guides, deep-dives, field notes

DNS and compliance: DNSSEC, ANSSI, NIS2 and GDPR for resolver operators

2026-06-09 · 9 min · compliance
Security frameworks ask you to see more; privacy law asks you to keep less. How DNSSEC, ANSSI, NIS2 and GDPR each touch your resolver — and the concrete controls that satisfy them.

🔒DoH, DoT, DoQ, DNSCrypt: which encrypted DNS should you actually run?

2026-06-09 · 9 min · encrypted DNS
Four protocols, two ports, one shared goal. The real trade-offs between DNS-over-TLS, HTTPS, QUIC and DNSCrypt — what each costs, what each leaks, and what we ship by default.

🧬How DGA and fast-flux malware hide in DNS — and how we catch them

2026-06-09 · 8 min · threat detection
Botnets mint thousands of throwaway domains a day and rotate IPs every 60 seconds. Entropy scoring, curated threat feeds and out-of-band reputation checks close the gap.

🛡Content filtering that holds up: categories, parental control, and what NIS2 expects

2026-06-09 · 8 min · filtering
Category filters, SafeSearch and parental control are easy to switch on and easy to get wrong. The filter-chain order that decides who wins a conflict, plus the compliance angle.

🕶The SNI leak encrypted DNS doesn't fix — and what ECH does about it

2026-06-09 · 7 min · privacy
You encrypted your DNS, but the site you visit still leaks through the TLS SNI and the destination IP. What Encrypted Client Hello fixes in 2026 — and what it doesn't.

🕳DNS tunneling: exfiltrating data through lookups

2026-06-09 · 8 min · threat detection
Malware can smuggle data out through the DNS queries themselves, encoded in subdomain labels. How tunneling works, why it persists, and the signals that give it away.

🎭CNAME cloaking: the first-party tracking trick

2026-06-09 · 7 min · tracking
Trackers dodge browser blockers by hiding behind a first-party subdomain that CNAMEs to a third-party host. How the trick works and how DNS follows the chain to unmask it.

📜RPZ explained: Response Policy Zones without the BIND headache

2026-06-09 · 7 min · filtering
Response Policy Zones turn DNS into a policy enforcement point. What RPZ is, its action types, and how to use RPZ feeds as blocklists without the classic BIND headache.

🧹Ad and tracker blocking at DNS level: what it can and can't do

2026-06-09 · 7 min · filtering
DNS-level ad and tracker blocking is network-wide and agent-free — but it can't do everything a browser blocker can. An honest map of what it blocks and what it misses.

🧱DDoS protection for a resolver: rate-limiting, RRL, auto-blacklist

2026-06-09 · 7 min · DDoS
A resolver is both a target and a potential amplifier. Response rate limiting, NXDOMAIN protection, auto-blacklisting and query filtering — the defences that keep it serving.

🕵Why your ISP's default DNS is a privacy problem

2026-06-09 · 6 min · privacy
Your ISP's default resolver sees every domain every device looks up — and can log, monetise or hand it over. Why default DNS is a privacy problem, and what actually fixes it.

🔑DNSCrypt stamps decoded: what's really inside sdns://

2026-06-09 · 6 min · DNSCrypt
An sdns:// stamp packs a server address, public key and provider name into one string. Anatomy of a DNSCrypt stamp and why embedded key-pinning beats the public PKI.

TTL, caching and prefetch: the three levers behind fast DNS

2026-06-09 · 7 min · performance
DNS feels instant because of three levers: TTL, caching and prefetch. How they interact, where they bite, and how to tune them without serving stale answers.

🆕Newly-registered domains are a threat signal

2026-06-09 · 6 min · threat detection
A domain registered three days ago and already sending you links deserves suspicion. Why newly-registered domains are a strong threat signal, and how to use age as a filter.

🔤Typosquatting and IDN homographs: when gооgle.com isn't Google

2026-06-09 · 7 min · brand
Attackers register your domain misspelled, or in a lookalike script, to phish your users. The mutation strategies, IDN homograph attacks, and how to detect the impostors.

🌊Random-subdomain and NXDOMAIN floods: DDoS aimed at DNS

2026-06-09 · 7 min · DDoS
Random-subdomain and NXDOMAIN floods weaponise the resolver itself, and the cache can't absorb them. How the attack saturates DNS, and the defences that work.

🚫Blocking TikTok and YouTube at the DNS layer — and where it stops

2026-06-09 · 7 min · filtering
Blocking TikTok or YouTube at the resolver is one toggle — but apps fight back with hard-coded IPs and fallback domains. What DNS service-blocking does, and where it stops.

🌍Geo-blocking DNS by client country

2026-06-09 · 6 min · filtering
Geo-blocking by client country lets a resolver refuse queries from regions you never serve. How GeoIP-based DNS geo-blocking works, sensible use cases, and its limits.

📋A sane personal allow / deny-list strategy

2026-06-09 · 7 min · filtering
Whitelist, blacklist or rewrite? Each has a precedence, and getting the order wrong is why 'I blocked it and it still resolves' happens. A sane strategy for personal DNS lists.

🧠Threat intelligence 101: how domain reputation actually works

2026-06-09 · 7 min · threat detection
Domain and IP reputation drives a lot of DNS blocking — but 'reputation' is a fuzzy word. How scoring really works, where the data comes from, and why false positives happen.

📈Running DNS at ISP scale: what breaks first

2026-06-09 · 8 min · performance
Tens of thousands of queries a second change what matters: stats leave SQL, dashboards stop running heavy joins, and the cache becomes everything. Lessons from DNS at scale.

🔀Redirecting all network DNS to your resolver (router / NAT)

2026-06-09 · 6 min · operations
A DNS policy only works if every device actually uses your resolver. Forcing all network DNS through it with router/NAT redirection — and closing the bypass routes.

🗄DNS log retention done right: a GDPR-friendly policy

2026-06-09 · 7 min · compliance
DNS logs are personal data and unusually revealing. A GDPR-friendly retention policy: lawful basis, minimisation, aggregation, and the window that keeps you useful and compliant.

👪DNS filtering for schools and families

2026-06-09 · 7 min · parental
A practical guide to DNS filtering for schools and homes: category and adult filtering, SafeSearch enforcement, the two YouTube-restriction gotchas, and closing the bypasses.