Technical Guides

Hands-on guides and how-tos on whatever is worth writing down. Kept current as references, unlike the dated changelog.

Reference

Anatomy of a Hardened DNS Zone

A record-by-record tour of the real dnsdoh.art zone, grouped by what each record defends: DNSSEC identity (ECDSA P-256), DANE pins on four transports, an HTTPS record with monthly-rotated ECH, DDR discovery, mail lockdown and CAA. Every record is public, so every claim comes with the dig command that proves it.

Read guide 16 min read
Runbook

The Missing NSEC: When a Signed Zone Loses Its Delegation

Our signed zone delegates one subdomain, and on one provider every validating resolver refused it: SERVFAIL, EDE 22. The parent was serving the delegation without proving DS absence. The diagnosis across six providers, the report that got a platform-wide fix, the July re-test verifying it, and the five-minute audit to run against your own provider.

Read guide 14 min read
Runbook

When Your Blocklist Bans Googlebot

We import public IP blocklists to shed abusive traffic. One had crowd-listed real Googlebot addresses, our firewall dropped them before nginx, and the site slid out of search. How we saw it (a crawler-only nginx log), how we verified bots (forward-confirmed rDNS), and the exempt-not-whitelist fix that lets crawlers through without opening a spoofing hole.

Read guide 10 min read
Runbook

Verified DDR End to End

Running verified discovery in production: the SVCB answer, why the certificate must carry the resolver IP, Let's Encrypt short-lived IP certificates, a first design with a dedicated discovery name, and the unified certificate that replaced it. Every claim reproducible with three commands.

Read guide 9 min read
Concept

How Devices Discover Encrypted DNS

A network hands your device a resolver as a bare IP address, which says nothing about encryption. DDR lets the device ask that resolver for its encrypted equivalents with one SVCB query; DNR lets the network announce them in DHCP itself. How both routes work, the certificate check that keeps them honest, and a real discovery answer from this site's resolver to read.

Read guide 7 min read
Basics

Does DNS Use TCP or UDP?

Both, on port 53, and the split is deliberate: UDP keeps a lookup to one packet each way, TCP carries the answers that will not fit. The original 512-byte ceiling, how EDNS0 raised it, what the truncation flag does, why operators settled on 1232 bytes, and how encrypted transports rewrote the whole bargain.

Read guide 7 min read
Security

What Is DNS Hijacking?

Hijacking does not forge a packet in a race; it takes over a control point your lookups already pass through: malware on the device, the home router, an ISP that intercepts port 53, or a resolver someone else handed you. The name in the address bar stays right while the destination goes wrong. Where each redirect lives, how to spot one, and why encrypting the link to a resolver you chose removes most of the places it can stand.

Read guide 7 min read
Reference

DNS Record Types Explained

A domain is not a single fact but a small set of records, each answering a different question: where the site lives, how to connect to it, where email goes, which certificates are legitimate. A plain-English reference to A, AAAA, CNAME, MX, TXT, NS, and CAA, plus the modern records that changed DNS: HTTPS and SVCB for HTTP/3 and Encrypted Client Hello, and TLSA (DANE). With worked examples and current best practice.

Read guide 10 min read
Concept

What Is Anycast DNS?

A large public resolver hands out one IP address, yet that single address lives in dozens of cities at once. Anycast lets the network deliver your query to the nearest copy, which is most of why a public resolver feels instant worldwide and stays up while under attack. How one address ends up in many places, and what it does and does not protect.

Read guide 6 min read
How-to

Why Encrypted DNS Breaks on Hotel Wi-Fi

Public Wi-Fi forces you through a sign-in page by hijacking your DNS. Encrypted DNS refuses to be hijacked, so the login never appears and the network looks dead until you authenticate. Why the standoff happens, what your device is doing in the background, and how to get online in seconds without giving up encryption.

Read guide 6 min read
Privacy

What Is QNAME Minimisation?

By default a resolver hands your full domain name to every server it asks, including the root and the TLD that only need the next label. QNAME minimisation trims each question to the minimum, so far fewer operators ever learn the whole name you looked up.

Read guide 6 min read
Privacy

What Is EDNS Client Subnet?

To help content networks send you to a nearby server, your resolver can staple a slice of your IP address onto the queries it forwards, handing a piece of your location to every server behind every name you look up. Why it exists, how precise the leak is, and why encrypting your DNS does not close it on its own.

Read guide 7 min read
Concept

Can DNS Be Blocked or Censored?

Because every connection starts with a lookup, the resolver is the cheapest place to block a site. How ISPs and regulators filter by returning a wrong or empty answer, why the same name resolves differently depending on where you ask, and exactly what encrypted DNS does and does not get around.

Read guide 8 min read
Basics

How DNS Actually Works

Every connection starts with a name-to-number lookup you never see. How a domain name is built as a hierarchy ending in a hidden root dot, the cascade of caches a lookup falls through, what record comes back, and the two things the original design forgot.

Read guide 8 min read
Concept

DNS Spoofing and Cache Poisoning

Plain DNS accepts the first matching reply it gets. If an attacker's forged answer arrives before the real one, the resolver caches it and serves the same lie to everyone, while the address bar still shows the right name. How the race works, and the layers that stop it.

Read guide 7 min read
Privacy

Encrypted DNS vs VPN

They get pitched as rivals, but they work in different places. Encrypted DNS seals one signal on the wire; a VPN moves your whole view to a new provider. What each hides, who you end up trusting, and why running both is a reasonable answer.

Read guide 7 min read
Privacy

Can Your ISP See the Sites You Visit?

With plain DNS your provider can name every site you open without breaking any encryption. What encrypted DNS actually seals, what still leaks through the SNI and the destination IP, and what timing alone gives away.

Read guide 6 min read
Concept

How DNS Ad-Blocking Works

DNS-level blocking refuses to look up known ad, tracker and malware domains, so the request dies before any connection is made. Why one resolver setting covers every app and device, the lists doing the work, and the ads it cannot stop.

Read guide 6 min read
Privacy

What Incognito Mode Actually Hides

Private browsing wipes traces from your own device, but your ISP, your DNS resolver, the sites you visit and your network admin still see the same thing. What incognito does, what it does not, and what actually helps.

Read guide 6 min read
Concept

Harvest Now, Decrypt Later

An attacker can record your encrypted traffic today and decrypt it years from now once quantum computers mature. How post-quantum key exchange (ML-KEM, X25519MLKEM768) closes that window, why it runs as a hybrid, and what it does and does not protect.

Read guide 7 min read
Privacy

Encrypted DNS Still Leaks the Site Name

You encrypted your DNS, but the TLS handshake still names the site you visit in plaintext (SNI). What Encrypted Client Hello fixes, why it depends on encrypted DNS, and what it still cannot hide.

Read guide 7 min read
Privacy

What Your Browser Tells About You

Without cookies or your IP, a site can still recognise you from dozens of small browser details that combine into a near-unique signature. How fingerprinting works, why it survives cookie-clearing, and what actually helps.

Read guide 8 min read
Privacy

What Your IP Address Reveals

An IP shows your rough location, your provider, and your connection type, but not your home address or your identity. What can be read from an IP, how, and what cannot.

Read guide 7 min read
Basics

DNS Caching & TTL Explained

What a DNS cache is, what TTL means, and why a record's TTL might be 0, 300, or 3600. How caching makes DNS fast, and why changes take time to spread.

Read guide 6 min read
Runbook

Build a Validating, Hardened Resolver

A runbook for running your own DNS resolver: Unbound for DNSSEC validation, caching and hardening, with dnscrypt-proxy encrypting the upstream. The directives that matter and how to verify them.

Read guide 8 min read
Concept

What Is DNSSEC?

DNSSEC does not encrypt your DNS, it proves the answer is authentic. What it is, why it is needed, the chain of trust, and how it differs from encrypted DNS.

Read guide 7 min read
Basics

What Is a DNS Resolver?

The component that turns the names you type into addresses, and the one thing that sees every site you visit by name. What it does, what it can and cannot see, and why which one you use matters.

Read guide 6 min read
Comparison

DoH vs DoT vs DNSCrypt vs DoQ

A detailed comparison of the ways to encrypt DNS, DoH, DoT, DoH3, DoQ, and DNSCrypt: how each works, the trade-offs, and which to choose.

Read guide 9 min read
Verification

Does Your VPN Leak DNS?

A VPN encrypts your traffic, but your DNS lookups can take a different path. What a leak is, how to check for one, and how to read the result.

Read guide 5 min read
How-to

You Found a DNS Leak: How to Fix It

A leak is almost always one layer letting lookups out, an app or OS setting. How to pin the layer, fix it app-side or OS-side, and confirm it is closed.

Read guide 6 min read
Concept

How the DNS Leak Test Works

A plain-language look at how our DNS leak test measures which resolver actually handles your lookups, by watching where the query really comes out.

Read guide 4 min read