1. Improve Privacy by Running a DNS Server Without Forwarder

    Wed 25 March 2026

    Disclaimer: no AI was used to write this article.

    If you run a DNS server at home or for an organisation, it is likely that you configured a public DNS server as a forwarder[1].

    This is not required!

    Imagine we want to resolve the address 'wikipedia.org'.

    If no forwarder is configured, a DNS server will behave like this:

    1. Query the root server[3] for an IP address of the .org top-level domain authoritative DNS server
    2. Query the .org DNS server for an IP address of the wikipedia.org authoritative DNS server
    3. Query the wikipedia.org DNS server for the IP address of 'wikipedia.org'

    This is what the forwarder does when you query a domain that is not cached by said forwarder.

    A forwarder responds faster?!

    Yes, that's probably true, but I think it doesn't matter.

    As a DNS forwarder caches DNS lookups, it will respond directly with the appropriate IP address. Only a single DNS query is required.

    Without a forwarder, a domain lookup that is not cached will require at least two or three DNS queries the first time the domain is resolved. After this first set of queries, the domain is cached for the duration of its TTL.

    I've performed a few manual lookups with 'dig' for domains that aren't cached, and most responses are <50ms. Depending on where you live and the quality of the network connection (in terms of latency), it may or may not be noticeable; that's up to you to explore.

    So what is the privacy angle?

    You are exposing privacy-sensitive information to Google or other large companies.

    If a DNS forwarder is configured, the forwarder will 'see' all your DNS queries and will be able to build a nice profile about you as a person or organisation.

    It's up to you if you care about this 'risk'.

    Running Pi-hole and BIND9 together

    Pi-hole only supports forwarders?

    Because Pi-hole requires a DNS forwarder to be configured, I'm also running BIND as the actual DNS server that performs the outbound DNS queries.

    Both Pi-hole and BIND want to listen on UDP port 53, which won't work[2]. In my case, I've configured BIND9 to listen on UDP port 5353 and configured Pi-hole to use 'BIND listen ip address#5353' as a forwarder.

    This setup means that I benefit from the ad blocking by Pi-hole and won't send all my DNS requests to Google.

    Help, my local DNS authoritative '.internal' zone isn't working anymore!

    I'm running a local DNS domain 'xyz.internal' for servers and services in my network. I've also configured my DHCP server to tell clients the search domain is 'xyz.internal', so when I issue 'ssh server01' this will automatically resolve to server01.xyz.internal.

    So to summarise, my BIND DNS server is both the DNS server that responds to client DNS lookups (via Pi-hole) for public domains and the authoritative server for the 'xyz.internal' domain.

    However, there's a problem with this setup.

    Pi-hole does not forward queries for the '.internal' domain because it treats upstream DNS servers as potentially hostile: forwarding queries for '.internal' domains would expose potentially sensitive information about the internal network.

    This behaviour can be circumvented with the 'Conditional forwarding' option within Pi-hole. This allows DNS clients contacting the Pi-hole server to still query '.internal' domains. This is an example configuration line:

    true,10.10.10.0/24,10.10.10.1#5353,xyz.internal

    In this example, Pi-hole will forward DNS queries for the xyz.internal domain towards 10.10.10.1#5353 and everything will work as expected.

    Q & A

    How does the DNS server know how to contact the root servers (and from there the .org servers)?

    The DNS server is accompanied by a 'root zone file' (root hints) containing the IP addresses of the root servers. As these IP addresses can change, the file needs to be updated periodically. In Debian Linux (for example), this file is automatically updated through APT with the 'dns-root-data' package.
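    The BIND9 side of the setup described above (port 5353, no forwarders, authoritative for 'xyz.internal', root hints from dns-root-data), written out as an added example; these are not the author's actual files. The BIND address 10.10.10.1 and the LAN 10.10.10.0/24 are taken from the Pi-hole conditional-forwarding line above; the zone file names and the reverse zone are assumptions.

```conf
// /etc/bind/named.conf.options  (added example, not the author's configuration)
options {
    directory "/var/cache/bind";

    // Pi-hole owns UDP/TCP 53, so named listens on 5353 on loopback and the LAN address.
    listen-on    port 5353 { 127.0.0.1; 10.10.10.1; };
    listen-on-v6 port 5353 { ::1; };

    // Deliberately NO forwarders block. The setting this replaces would look like:
    //   forwarders { 8.8.8.8; 8.8.4.4; };
    //   forward only;
    // Without it, named resolves iteratively: root -> .org -> wikipedia.org.
    recursion yes;
    allow-recursion { 127.0.0.0/8; 10.10.10.0/24; };
    allow-query     { 127.0.0.0/8; 10.10.10.0/24; };

    // Validate answers with the root trust anchor; there is no forwarder to rely on.
    dnssec-validation auto;

    // Send each authoritative server only the labels it needs (BIND 9.14+).
    qname-minimization strict;
};

// /etc/bind/named.conf.local
// Authoritative zone that Pi-hole reaches via
// "true,10.10.10.0/24,10.10.10.1#5353,xyz.internal".
zone "xyz.internal" {
    type master;
    file "/etc/bind/db.xyz.internal";   // assumed file name; zone data not shown
};

// The 10.10.10.0/24 field in the Pi-hole line also sends PTR lookups for that
// range here, so a matching reverse zone is needed (assumed file name).
zone "10.10.10.in-addr.arpa" {
    type master;
    file "/etc/bind/db.10.10.10";
};

// Root hints. On Debian, named.conf.default-zones already declares this zone,
// pointing at the file maintained by the dns-root-data package.
zone "." {
    type hint;
    file "/usr/share/dns/root.hints";
};
```

    Run 'named-checkconf' before restarting named; the commented-out forwarders lines are shown only as the setting this configuration avoids.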


    [1] Probably an address from Google, Cloudflare or OpenDNS.

    [2] It's possible to make Pi-hole and BIND listen on different interfaces, thus allowing both of them to use port 53, but that's another story and may not be that handy.

    [3] A root server is not a single physical server but a group of physical servers, but I consider this an implementation detail.

    If you have any comments email me, see the About page for contact details.
  2. What Will You Do When AI Runs Out of Money and Disappears?

    Fri 23 January 2026

    All major AI services like ChatGPT or Claude are heavily subsidised by investors. It's not just the initial investment — it's the running costs of these major AI services that are also astronomical.[1]

    At some point the money will run out. Assuming that Ed Zitron is right about his assessment of the AI market (and he's not alone in his assessment), the current big AI services are not sustainable. And there seems to be no realistic path to profitability.

    How are the big AI providers going to make $2 Trillion in the next 4 years?

    So what happens when money runs out? When the music stops, will there be any chairs at all?

    I see two major scenarios:

    1. The AI services are just shut down overnight
    2. The AI services are priced according to actual cost + profit

    In the first scenario, those who have built their entire workflow on AI support have a serious problem. AI services are a massive single point of failure. Quite a few very optimistic roadmaps will have to be adjusted, I guess.

    The second scenario may be effectively identical to the first, as AI services may become so expensive that their usage can't be justified. For no reason I can think of, the company "VMWare" comes to mind, strange isn't it?

    As there are open-source models available, it may be possible for some smaller players to jump into this market vacuum, but they'll face exactly the same problems: operating AI at scale is stupidly expensive. They can't be as 'cheap' as current AI services. As they can't afford to subsidise their AI service, they may still be too costly. I can see that smaller players can provide 'one-trick pony' AI services, like 'just for programming', as opposed to the generic AI services provided by the large players. But due to market demand they may become priced at: "if you have to ask, you can't afford it."

    Self-hosting an AI with your own hardware is probably just as cost-prohibitive, even if you don't value your time. In part because a ton of people will get this idea at the same time, impacting hardware prices even more. And the operating costs of AI seem significant. Would it even be possible to set up your own AI and achieve the same productivity level?

    Given current circumstances, I can see a scenario where the USA government will step in and subsidise these services. If the AI investors buy some specific crypto coins obviously.

    Quid pro quo, Clarice.[2]

    Hacker News thread


    [1] — You saw what I did there 😘

    [2] If justice were still a thing, Anthrax island would become quite crowded.

    Tagged as : KVM
