This is the multi-page printable view of this section. Click here to print.
Home Services
1 - Getting Started with DNS: The Internet's Address Book
What is DNS?
Welcome to our DNS series! Before diving into the technical details, let’s start with a simple question: What is DNS?
Imagine your phone’s contact list. You don’t need to memorize every friend’s phone number—just their names. When you want to call “Zhang San,” you find the name in your contacts and tap to dial. Your phone automatically looks up Zhang San’s phone number and places the call.
DNS (Domain Name System) plays a similar role as the “contact list of the Internet.” It takes the human-friendly domain names we remember—like www.google.com—and translates them into the IP addresses computers understand, such as 172.217.160.78. Without DNS, we’d have to memorize long, random strings of numbers to visit websites, which would be nearly impossible.
How Does DNS Work?
This “translation” happens behind the scenes in the blink of an eye. When you type a web address in your browser, the process roughly follows these steps:
- Request: Your computer or phone sends a request to a DNS resolver: “What’s the IP address of
www.example.com?” - Query: Like a detective, the resolver performs a series of lookups—from the root servers, to the top-level-domain servers, to the authoritative name servers—to find the answer.
- Response: Once it has the answer, the resolver returns the IP address to your computer.
- Connection: Your browser uses this IP address to connect to the website’s server and display the web page in front of you.
What Will We Cover in This Series?
The world of DNS is far richer and more complex than this simple analogy suggests. In this series we’ll take you through everything DNS has to offer:
- Core Concepts: Understand in depth what domain names, IP addresses, and the relationship between them truly are.
- Record Types: Learn the purpose of different DNS records—A, CNAME, MX, and more.
- Server Types: Discover the distinct roles played by recursive servers, authoritative servers, and others.
- DNS Lookup Process: Break down every step of a full DNS query in detail.
- DNS Caching: See how DNS caching speeds up website access.
- Private DNS: How to set up and use a private DNS service to enhance security and privacy on your network.
Whether you’re brand-new to networking or a developer who wants to solidify the fundamentals, this series will provide clear, easy-to-follow guidance.
Let’s begin our journey into DNS!
1.1 - DoT vs DoH vs DoQ
DoT
DNS over TLS (DoT) is a DNS encryption protocol based on TLS. TLS 1.2 requires at least four round-trips, TLS 1.3 requires at least three round-trips, while DNS requests only need one round-trip.
Timeline
↓
┌───────────────────────────────────────────────────────────────────────┐
│ Client Server
│ │
│ Client sends SYN segment │
│ ────────────────────────────────────────────────────────────────────▶│
│ SYN = 1, Seq = x │
│ │
│ ←─────────────────────────────────────────────────────────────────────│
│ Server responds with SYN-ACK segment │
│ SYN = 1, ACK = 1, Seq = y, Ack = x + 1 │
│ │
│ Client sends ACK segment │
│ ────────────────────────────────────────────────────────────────────▶│
│ ACK = 1, Seq = x + 1, Ack = y + 1 │
│ │
│ TCP connection established │
│ Client sends ClientHello │
│ ────────────────────────────────────────────────────────────────────▶│
│ │
│ ←─────────────────────────────────────────────────────────────────────│
│ Server responds with ServerHello │
│ Server sends certificate chain │
│ │
│ Client sends key exchange message │
│ ────────────────────────────────────────────────────────────────────▶│
│ │
│ Server sends key exchange message │
│ ←─────────────────────────────────────────────────────────────────────│
│ │
│ Client sends Finished │
│ ────────────────────────────────────────────────────────────────────▶│
│ │
│ Server sends Finished │
│ ←─────────────────────────────────────────────────────────────────────│
│ │
│ TLS handshake completed │
│ Client sends DNS query │
│ ────────────────────────────────────────────────────────────────────▶│
│ │
│ ←─────────────────────────────────────────────────────────────────────│
│ Server responds with DNS query │
│ │
└───────────────────────────────────────────────────────────────────────┘
TLS 1.2 handshake requires at least two round-trip times (RTT): client sends ClientHello, server replies with ServerHello and certificates, then client sends ClientKeyExchange and ChangeCipherSpec, finally server sends Finished. TLS 1.3 simplifies the handshake to one round-trip (1-RTT). When sending ClientHello, client can include key share information (ClientKeyShare), server also includes key share information in ServerHello response, completing key negotiation and handshake within the first round-trip.
DoH
DNS over HTTPS (DoH) is a DNS encryption protocol based on HTTPS. HTTPS, being TCP-based, requires at least three round-trips to establish a connection while DNS requests only need one round-trip. Therefore, DoH is the slowest among the three encrypted DNS protocols.
Compared to DoT, DoH has higher protocol overhead due to additional HTTP protocol headers, making it slightly slower than DoT. Other aspects are similar to DoT.
DoQ
DNS over QUIC (DoQ) is a DNS encryption protocol based on QUIC. QUIC, being UDP-based, requires two round-trips to establish a connection while DNS requests only need one round-trip. Therefore, DoQ is the fastest among the three encrypted DNS protocols.
Timeline
↓
┌───────────────────────────────────────────────────────────────────────┐
│ Client Server
│ │
│ Client sends Initial Packet │
│ Contains: QUIC version, Connection ID, encrypted handshake message │
│ (ClientHello), possibly application-layer data │
│ ────────────────────────────────────────────────────────────────────▶│
│ │
│ │
│ ←─────────────────────────────────────────────────────────────────────│
│ Server responds with Initial Packet │
│ Contains: encrypted handshake message (ServerHello, Certificate, │
│ ServerKeyExchange etc.) │
│ May contain confirmation or rejection of client's 0-RTT data │
│ │
│ Client sends encrypted handshake message (EndOfEarlyData, Finished) │
│ ────────────────────────────────────────────────────────────────────▶│
│ │
│ Server sends encrypted handshake message (Finished) │
│ ←─────────────────────────────────────────────────────────────────────│
│ │
│ Handshake completed │
│ Connection established │
│ Data transmission begins │
│ ────────────────────────────────────────────────────────────────────▶│
│ ←─────────────────────────────────────────────────────────────────────│
│ Data transmission │
│ Data transmission │
│ Data transmission │
└───────────────────────────────────────────────────────────────────────┘
QUIC uses TLS 1.3 or higher to secure connections. The encrypted handshake process resembles traditional TLS handshake but is conducted through QUIC’s packet format, allowing data transmission to start simultaneously with handshake. If a client has previously established a QUIC connection with the server, it can immediately send application-layer data in new connection attempts without waiting for server response. This mechanism, called 0-RTT, can significantly reduce interaction latency. However, 0-RTT data might be rejected by servers due to replay attack risks.
QUIC’s design objectives include faster connection establishment and better congestion control compared to TCP, while maintaining compatibility with existing network infrastructure. Through these mechanisms, QUIC achieves fast handshake during first connection and utilizes 0-RTT for reduced latency in subsequent connections.
Conclusion
In stable network environments, DoQ theoretically offers the fastest speed thanks to its UDP and TLS 1.3 foundation. However, in actual networks, UDP’s connectionless nature may lead to random packet drops by ISPs during heavy traffic, causing connection instability. DoT is slightly slower than DoQ but offers more stable TCP-based connections. DoH is slower due to its HTTP-based protocol, but provides richer backend functionality. Choose the appropriate encrypted DNS protocol based on your network environment and requirements.
Reference
1.2 - Fastest DNS
Ordinary users typically measure ping response speed of plaintext DNS IP addresses, but this rarely reflects actual server connection performance. Modern DNS requires encrypted DNS protocols to ensure service integrity against hijacking.
From client to destination, traffic usually passes through 5-8 network devices. Any of these can hijack UDP:53 requests through simple commands. Never rely on plaintext DNS, especially in enterprise environments where hijacking is nearly inevitable.
Example hijacking command:
sudo iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to-destination 1.1.1.1:53
Hijacking setup is trivial. Enterprise internal DNS speeds often stay under single-digit milliseconds while home networks typically see sub-1ms latency. Whatever plaintext DNS you configure, responses ultimately come from local DNS services.
Now discussing encrypted DNS speeds. Three common protocols: DNS over TLS (DoT), DNS over HTTP (DoH), and DNS over QUIC (DoQ).
Theoretical comparison:
- Fastest: DoQ. QUIC (UDP-based) requires 1 round-trip (RTT) for connection + 1 RTT for DNS request
- DoT: TLS 1.2 needs 4 RTT, TLS 1.3 needs 3 RTT connection + 1 RTT DNS request
- DoH: HTTPS requires ≥4 RTT connection + HTTP overhead makes it slower than DoT
- Traditional UDP:53: 0 RTT connection + 1 RTT
Encrypted DNS requires 2-4x longer for initial requests, but matches plaintext DNS speed once connected (ignoring connection timeouts).
Network reality: ISPs randomly drop UDP packets during congestion. TCP’s retransmission mechanism prevents this, making TCP DNS more stable during peak hours.
Connection time alone won’t significantly improve browsing experience. Proper DNS parameter configuration often yields better results than server selection.
Internet access involves two steps: domain IP lookup followed by direct IP communication. Local DNS cache checks happen first - cache queries take nanoseconds. TTL (Time to Live) controls cache duration. For example, TTL=600 keeps records valid 10 minutes. Many enterprises set TTL=10 (10 seconds).
Self-hosted DNS servers can modify TTL values. Services like www.adguardprivate.com allow DNS customization with extended TTL to reduce queries and improve browsing.
This article only discusses connection speed - DNS services offer many other performance-affecting features.
2 - Devices
This section discusses suitable devices for hosting home services.
Hardware Platforms
There are many options for home-use devices: retired laptops,闲置 desktops, development boards, NAS devices, soft routers, Macs, etc., all of which can host services.
Hardware choices in 2024 no longer need to be limited to x86 platforms. ARM platforms have matured with advantages including low cost, sufficient performance, low power consumption, and rich ecosystems suitable for home use. Unless you must run legacy software, ARM platforms are excellent choices.
Installing Windows/Linux on Apple devices or running Hackintosh on non-Apple hardware requires technical expertise, suitable for users comfortable with system modifications.
Device Selection Criteria
- CPU: Prioritize power efficiency/performance ratio
- Memory: Minimum 4GB baseline
- Storage: Consider redundancy and expandability
- Network: Gigabit Ethernet essential
- Cooling: Reliable thermal management for 24/7 operation
- Noise: Acoustic requirements depend on placement location
Operating Systems
Linux offers the best ecosystem with abundant tools. Command-line operations suit users with technical backgrounds. Non-professional users might consider Ubuntu Desktop. Black NAS systems are viable but require self-troubleshooting.
Windows has the broadest user base. Most requirements can be met through IIS (Internet Information Services) with simple mouse operations.
Windows installation reference: massgrave.dev
Apple’s ARM CPUs make Mac Mini a cost-effective hardware option. However, macOS requires alternating between GUI and command-line interfaces, suitable for technically proficient users.
System Selection Recommendations
- Beginners: Windows + Docker Desktop
- Advanced Users: Ubuntu Server/Debian
- Stability-Centric: RHEL/Rocky Linux
- Specialized Needs:
- Media Server: unRAID
- Storage-Focused: TrueNAS
- Full-Featured NAS: Synology DSM
Recommended Devices & Systems
Professional users have diverse requirements, while non-professionals primarily need NAS devices. Simply search for “NAS” on e-commerce platforms and purchase according to needs.
For budget-conscious users: repurpose闲置 devices or purchase discounted hardware from second-hand markets. Windows Server 2022/2025 or Black NAS systems can be installed with technical effort.
Data Security
Hard Drive Failure
Initial drive failures often manifest as intermittent read errors. Waiting until complete failure risks expensive recovery costs and potential irrecoverable data.
Recommend purchasing a RAID enclosure. With 5-year drive failure rate at 10%, dual-drive RAID reduces effective failure risk to 1%. As long as drives don’t fail simultaneously, data remains recoverable through replacement.
Data Theft
Unencrypted data on stolen drives creates significant risks, especially for sensitive materials like confidential documents and password backups. Enable drive encryption to mitigate losses from theft.
Encryption incurs system resource overhead. Performance-sensitive users might disable encryption but must prioritize physical drive security.
Multiple Backups
Local storage isn’t foolproof - risks include theft, natural disasters, and ransomware attacks. Implement multi-location backups using reliable cloud services for critical data.
Network Security
Avoid Exposing Public IPs
Some network configurations assign public IPv6 addresses to devices, making them vulnerable to port scanning and potential exploits.
Unless specifically required, configure IPv6 in NAT6 mode for address translation to prevent direct IP exposure. For external services, use DMZ hosts. For personal use, consider WireGuard/Tailscale/ZeroTier VPN solutions for secure home network access.
Software Installation Caution
All software (mainstream or niche) may contain vulnerabilities. Regularly update software, remove unused applications, and avoid granting unnecessary privileges.
Firewall Usage
Disabling firewalls creates immediate convenience at the cost of security risks. Invest time in configuring firewall rules rather than leaving them disabled.
Security Software
Free security solutions offer basic protection better than nothing. Consider tools like Huorong Security or 360 Security.
Security Recommendations Summary
- Network Segregation: VLAN Partitioning
- Access Control: Reverse Proxy + Authentication
- Monitoring: Hardware Status Alerts
- Backup Strategy: 3-2-1 Principle
- 3 Copies
- 2 Media Types
- 1 Offsite Copy
2.1 - Device
Here we discuss which devices can be used to host home services.
Hardware Platforms
There are plenty of choices for home-use devices: you can repurpose a retired laptop, an idle desktop, or search online for development boards, NAS devices, soft-routers, Macs, etc.—all of them can run services.
When selecting hardware, don’t obsess over the x86 platform; the ARM platform is already mature, inexpensive, adequately powerful, energy-efficient, and has a rich ecosystem, making it ideal for home use. Unless you must run legacy software, ARM is a solid choice.
Running Windows/Linux on Apple hardware, or installing Hackintosh/Hackintosh-based systems like BlackSynology on non-Apple machines, requires some research and suits technically inclined users who enjoy tinkering. Frankly, though, it’s usually unnecessary.
Reference Specs for Choosing a Device
- CPU: prioritize power-to-performance ratio
- RAM: start with at least 4 GB
- Storage: consider redundancy and expandability
- Network: gigabit NIC is the baseline
- Cooling: 24/7 operation demands reliable cooling
- Noise: placement determines the noise tolerance
Operating System
The richest ecosystem and widest selection of tools is Linux. For certain users the command line is simpler than a GUI, and automating tasks on Linux is straightforward—ideal for users with some experience.
Among the many Linux distributions, non-experts might start with Ubuntu Desktop. You could also choose a BlackSynology system, but you’ll need to solve problems on your own.
Windows has the largest user base; most needs can be met within its IIS (Internet Information Services), and countless features are just a few mouse clicks away.
For Windows installation, refer to massgrave.dev.
Apple’s ARM CPUs perform very well, making the Mac Mini a cost-effective hardware option. macOS, however, requires alternating between GUI and command line—neither can be fully discarded—so it suits users with some technical background.
OS Recommendations
- Beginners: Windows + Docker Desktop
- Intermediate users: Ubuntu Server / Debian
- High stability requirements: RHEL / Rocky Linux
- Specific needs:
- Media server: unRAID
- Storage-focused: TrueNAS
- All-in-one NAS: Synology DSM
Recommended Devices & Systems
Professional users have varied requirements; what non-professionals typically need boils down to a NAS. Just search online for NAS and buy the one that fits your needs.
To save money, repurpose idle hardware at home or pick up inexpensive hosts on second-hand marketplaces and install Windows Server 2022/2025 or try your hand at BlackSynology.
Data Security
Disk Failure
Disk failure usually starts with occasional read errors; waiting until it becomes completely unreadable will make data recovery expensive—if it’s even possible, since some manufacturers can’t recover it.
Purchasing a disk array enclosure and setting up a RAID is recommended. If the five-year failure rate for a single disk is 10 %, the failure rate for a two-disk RAID drops to 1 %; as long as the disks don’t fail simultaneously, you can just replace the failed one and keep your data.
Data Theft
If the disks are stolen and all data is unencrypted, the consequences can be catastrophic—especially for private data like confidential documents or password backups. Enable full-disk encryption to minimize damage if disks are stolen.
Encryption incurs a small overhead; resource-constrained users can skip it, but extra attention to physical security is then required.
Off-site Backups
Home storage isn’t 100 % safe—thieves, children, earthquakes, floods, or ransomware could destroy it. Implement off-site backups by finding a reliable cloud service to back up critical data.
Network Security
Don’t Expose Direct IPs Lightly
Some router configurations hand out public IPv6 addresses that can be scanned. Once ports are found, services with vulnerabilities may be exploited.
Unless there is a clear need, configure your home network to use NAT6 (address translation) to avoid direct IPv6 exposure. If you must expose services, designate a DMZ host.
For self-use only, consider setting up a VPN with WireGuard, Tailscale, ZeroTier, or Cloudflare to reach your services securely.
Don’t Install Software Randomly
Both popular and obscure software can have vulnerabilities. Stay on top of updates, patch promptly, and uninstall unused software. Never grant elevated privileges casually.
Use a Firewall
Disabling the firewall feels convenient—until the day you’re breached. Spend a little time learning the rule set instead of simply turning it off.
Use Security Software
Some security products are free and offer at least basic protection—better than running nothing at all.
Security Checklist
- Network segmentation: VLAN zoning
- Access control: reverse proxy + authentication
- Monitoring & alerts: hardware health monitoring
- Backup strategy: 3-2-1 rule
- 3 copies
- 2 different media types
- 1 off-site
2.2 - Device Classification
- Device Classification
Popular network devices such as NAS, soft routers, Mac minis, and traditional routers are unified as “devices”. Users don’t need to focus on their naming or physical forms, but should primarily consider four aspects: processor, storage, networking, and application ecosystem.
The most important consideration for processors is architecture, with x86 and ARM being the most commonly used. Other architectures are not recommended for non-professionals due to their limited ecosystems which increase learning and usage difficulties.
You might hear people saying ARM is typically used in low-power devices suitable for home use, while x86 is used in high-performance devices suitable for enterprises. However, by 2024 this view is outdated. We should base our decisions on ecosystem considerations. Currently, the ARM ecosystem has become very rich with better cost-performance ratios, making it worth considering. For non-professionals, we recommend choosing ARM architecture devices - taking Alibaba Cloud as an example, ARM devices cost only half as much as x86 devices while providing sufficient performance for home use. Professionals can choose x86 architecture devices based on their specific needs.