UnveilDNS Blog

UnveilDNS Blog https://www.unveildns.com/blog/ DNS security, filtering and privacy — guides, deep-dives and field notes from the UnveilDNS team. en-us Copyright 2026, Unveiltech support@unveiltech.com (UnveilDNS team) support@unveiltech.com (UnveilDNS team) Tue, 09 Jun 2026 13:00:00 +0000 https://www.unveiltech.com/ut32x32.png UnveilDNS Blog https://www.unveildns.com/blog/ DNS and compliance: DNSSEC, ANSSI, NIS2 and GDPR for resolver operators https://www.unveildns.com/blog/dns-compliance-frameworks.html https://www.unveildns.com/blog/dns-compliance-frameworks.html Tue, 09 Jun 2026 13:00:00 +0000 compliance Security frameworks ask you to see more; privacy law asks you to keep less. How DNSSEC, ANSSI, NIS2 and GDPR each touch your resolver — and the concrete controls that satisfy them. DoH, DoT, DoQ, DNSCrypt: which encrypted DNS should you actually run? https://www.unveildns.com/blog/encrypted-dns-protocols.html https://www.unveildns.com/blog/encrypted-dns-protocols.html Tue, 09 Jun 2026 12:55:00 +0000 encrypted DNS Four protocols, two ports, one shared goal. The real trade-offs between DNS-over-TLS, HTTPS, QUIC and DNSCrypt — what each costs, what each leaks, and what we ship by default. How DGA and fast-flux malware hide in DNS — and how we catch them https://www.unveildns.com/blog/dga-fastflux-detection.html https://www.unveildns.com/blog/dga-fastflux-detection.html Tue, 09 Jun 2026 12:50:00 +0000 threat detection Botnets mint thousands of throwaway domains a day and rotate IPs every 60 seconds. Entropy scoring, curated threat feeds and out-of-band reputation checks close the gap. Content filtering that holds up: categories, parental control, and what NIS2 expects https://www.unveildns.com/blog/content-filtering-compliance.html https://www.unveildns.com/blog/content-filtering-compliance.html Tue, 09 Jun 2026 12:45:00 +0000 filtering Category filters, SafeSearch and parental control are easy to switch on and easy to get wrong. The filter-chain order that decides who wins a conflict, plus the compliance angle. The SNI leak encrypted DNS doesn't fix — and what ECH does about it https://www.unveildns.com/blog/ech-sni-leak.html https://www.unveildns.com/blog/ech-sni-leak.html Tue, 09 Jun 2026 12:40:00 +0000 privacy You encrypted your DNS, but the site you visit still leaks through the TLS SNI and the destination IP. What Encrypted Client Hello fixes in 2026 — and what it doesn't. DNS tunneling: exfiltrating data through lookups https://www.unveildns.com/blog/dns-tunneling.html https://www.unveildns.com/blog/dns-tunneling.html Tue, 09 Jun 2026 12:35:00 +0000 threat detection Malware can smuggle data out through the DNS queries themselves, encoded in subdomain labels. How tunneling works, why it persists, and the signals that give it away. CNAME cloaking: the first-party tracking trick https://www.unveildns.com/blog/cname-cloaking.html https://www.unveildns.com/blog/cname-cloaking.html Tue, 09 Jun 2026 12:30:00 +0000 tracking Trackers dodge browser blockers by hiding behind a first-party subdomain that CNAMEs to a third-party host. How the trick works and how DNS follows the chain to unmask it. RPZ explained: Response Policy Zones without the BIND headache https://www.unveildns.com/blog/rpz-explained.html https://www.unveildns.com/blog/rpz-explained.html Tue, 09 Jun 2026 12:25:00 +0000 filtering Response Policy Zones turn DNS into a policy enforcement point. What RPZ is, its action types, and how to use RPZ feeds as blocklists without the classic BIND headache. Ad and tracker blocking at DNS level: what it can and can't do https://www.unveildns.com/blog/ad-tracker-blocking-dns.html https://www.unveildns.com/blog/ad-tracker-blocking-dns.html Tue, 09 Jun 2026 12:20:00 +0000 filtering DNS-level ad and tracker blocking is network-wide and agent-free — but it can't do everything a browser blocker can. An honest map of what it blocks and what it misses. DDoS protection for a resolver: rate-limiting, RRL, auto-blacklist https://www.unveildns.com/blog/ddos-protection-resolver.html https://www.unveildns.com/blog/ddos-protection-resolver.html Tue, 09 Jun 2026 12:15:00 +0000 DDoS A resolver is both a target and a potential amplifier. Response rate limiting, NXDOMAIN protection, auto-blacklisting and query filtering — the defences that keep it serving. Why your ISP's default DNS is a privacy problem https://www.unveildns.com/blog/isp-dns-privacy.html https://www.unveildns.com/blog/isp-dns-privacy.html Tue, 09 Jun 2026 12:10:00 +0000 privacy Your ISP's default resolver sees every domain every device looks up — and can log, monetise or hand it over. Why default DNS is a privacy problem, and what actually fixes it. DNSCrypt stamps decoded: what's really inside sdns:// https://www.unveildns.com/blog/dnscrypt-stamps-decoded.html https://www.unveildns.com/blog/dnscrypt-stamps-decoded.html Tue, 09 Jun 2026 12:05:00 +0000 DNSCrypt An sdns:// stamp packs a server address, public key and provider name into one string. Anatomy of a DNSCrypt stamp and why embedded key-pinning beats the public PKI. TTL, caching and prefetch: the three levers behind fast DNS https://www.unveildns.com/blog/ttl-caching-prefetch.html https://www.unveildns.com/blog/ttl-caching-prefetch.html Tue, 09 Jun 2026 12:00:00 +0000 performance DNS feels instant because of three levers: TTL, caching and prefetch. How they interact, where they bite, and how to tune them without serving stale answers. Newly-registered domains are a threat signal https://www.unveildns.com/blog/newly-registered-domains.html https://www.unveildns.com/blog/newly-registered-domains.html Tue, 09 Jun 2026 11:55:00 +0000 threat detection A domain registered three days ago and already sending you links deserves suspicion. Why newly-registered domains are a strong threat signal, and how to use age as a filter. Typosquatting and IDN homographs: when gооgle.com isn't Google https://www.unveildns.com/blog/typosquatting-homographs.html https://www.unveildns.com/blog/typosquatting-homographs.html Tue, 09 Jun 2026 11:50:00 +0000 brand Attackers register your domain misspelled, or in a lookalike script, to phish your users. The mutation strategies, IDN homograph attacks, and how to detect the impostors. Random-subdomain and NXDOMAIN floods: DDoS aimed at DNS https://www.unveildns.com/blog/nxdomain-flood-ddos.html https://www.unveildns.com/blog/nxdomain-flood-ddos.html Tue, 09 Jun 2026 11:45:00 +0000 DDoS Random-subdomain and NXDOMAIN floods weaponise the resolver itself, and the cache can't absorb them. How the attack saturates DNS, and the defences that work. Blocking TikTok and YouTube at the DNS layer — and where it stops https://www.unveildns.com/blog/blocking-services-dns.html https://www.unveildns.com/blog/blocking-services-dns.html Tue, 09 Jun 2026 11:40:00 +0000 filtering Blocking TikTok or YouTube at the resolver is one toggle — but apps fight back with hard-coded IPs and fallback domains. What DNS service-blocking does, and where it stops. Geo-blocking DNS by client country https://www.unveildns.com/blog/geo-blocking-dns.html https://www.unveildns.com/blog/geo-blocking-dns.html Tue, 09 Jun 2026 11:35:00 +0000 filtering Geo-blocking by client country lets a resolver refuse queries from regions you never serve. How GeoIP-based DNS geo-blocking works, sensible use cases, and its limits. A sane personal allow / deny-list strategy https://www.unveildns.com/blog/allow-deny-list-strategy.html https://www.unveildns.com/blog/allow-deny-list-strategy.html Tue, 09 Jun 2026 11:30:00 +0000 filtering Whitelist, blacklist or rewrite? Each has a precedence, and getting the order wrong is why 'I blocked it and it still resolves' happens. A sane strategy for personal DNS lists. Threat intelligence 101: how domain reputation actually works https://www.unveildns.com/blog/threat-intelligence-101.html https://www.unveildns.com/blog/threat-intelligence-101.html Tue, 09 Jun 2026 11:25:00 +0000 threat detection Domain and IP reputation drives a lot of DNS blocking — but 'reputation' is a fuzzy word. How scoring really works, where the data comes from, and why false positives happen. Running DNS at ISP scale: what breaks first https://www.unveildns.com/blog/dns-at-isp-scale.html https://www.unveildns.com/blog/dns-at-isp-scale.html Tue, 09 Jun 2026 11:20:00 +0000 performance Tens of thousands of queries a second change what matters: stats leave SQL, dashboards stop running heavy joins, and the cache becomes everything. Lessons from DNS at scale. Redirecting all network DNS to your resolver (router / NAT) https://www.unveildns.com/blog/redirect-network-dns.html https://www.unveildns.com/blog/redirect-network-dns.html Tue, 09 Jun 2026 11:15:00 +0000 operations A DNS policy only works if every device actually uses your resolver. Forcing all network DNS through it with router/NAT redirection — and closing the bypass routes. DNS log retention done right: a GDPR-friendly policy https://www.unveildns.com/blog/dns-log-retention-gdpr.html https://www.unveildns.com/blog/dns-log-retention-gdpr.html Tue, 09 Jun 2026 11:10:00 +0000 compliance DNS logs are personal data and unusually revealing. A GDPR-friendly retention policy: lawful basis, minimisation, aggregation, and the window that keeps you useful and compliant. DNS filtering for schools and families https://www.unveildns.com/blog/dns-filtering-schools-families.html https://www.unveildns.com/blog/dns-filtering-schools-families.html Tue, 09 Jun 2026 11:05:00 +0000 parental A practical guide to DNS filtering for schools and homes: category and adult filtering, SafeSearch enforcement, the two YouTube-restriction gotchas, and closing the bypasses.