Limitations of Technitium, Pi-hole, and AdGuardHome in Modern DNS Infrastructure: Analysis and Real-World Solutions

1. Introduction: Why DNS Is Changing

The DNS ecosystem has evolved rapidly with HTTP/3, QUIC, and the SVCB (type 64) and HTTPS (type 65) resource records.
These mechanisms change what browsers and operating systems ask the resolver for,
increasing both the complexity and the volume of queries.
The consequence is clear: traditional home resolvers are no longer enough.

As I explain in
“Optimization of DNS Resolvers in the HTTP/3 Era: Mitigating the Impact of HTTPS (SVCB) Queries on Cache Performance”,
most domains still do not publish HTTPS/SVCB records, yet browsers request them for almost every origin anyway.
This generates a huge number of negative responses (mostly NODATA, a NOERROR answer with an empty answer section, since the name itself exists; NXDOMAIN only when it does not)
that degrade cache efficiency and increase resolution load.

In this context, tools like Technitium, AdGuardHome, and Pi-hole are beginning to show limitations.
On the other hand, full recursive resolvers such as Unbound, Knot Resolver, and PowerDNS Recursor
expose the caching controls this traffic pattern needs.

2. What SVCB/HTTPS Records Are and Why They Transform DNS

SVCB and HTTPS records (RFC 9460) let a client learn how to reach a service
before it opens a connection: which ALPN protocols it speaks (for example h3, which signals HTTP/3 over QUIC),
an alternative endpoint and port, address hints, and the ECH configuration needed to encrypt the TLS ClientHello.

Example query (for the default port 443 the HTTPS record lives at the origin name itself):

example.com. IN HTTPS

For a non-default port the client prefixes the name, e.g. _8443._https.example.com. IN HTTPS.

A published record reduces latency, lets the client choose the right protocol before connecting, and improves security.
However, since most domains still don’t publish these records, most of these queries come back as NODATA
(NOERROR with an empty answer section), and the resolver must cache that negative answer or it will ask again on the next visit.
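To make the record concrete, here is an added example (written for this article, not code from any resolver or browser) that builds the owner name a client queries for an https:// origin and parses HTTPS/SVCB RDATA from DNS wire format as RFC 9460 lays it out: SvcPriority, TargetName, then SvcParams in strictly increasing key order. The RDATA byte strings at the bottom are constructed by hand; the ech value in particular is placeholder bytes, not a real ECHConfigList.

```python
"""
Build the owner name a client queries for an https:// origin and parse
SVCB/HTTPS RDATA from DNS wire format, following RFC 9460.  Added example
for this article, not code from any resolver; the RDATA byte strings at the
bottom are constructed by hand, not captured from a real zone.
"""
import ipaddress
import struct

TYPE_SVCB, TYPE_HTTPS = 64, 65

# SvcParamKey registry (RFC 9460 section 14.3)
SVCPARAM_NAMES = {0: "mandatory", 1: "alpn", 2: "no-default-alpn", 3: "port",
                  4: "ipv4hint", 5: "ech", 6: "ipv6hint"}


def https_query_name(host: str, port: int = 443) -> str:
    """Owner name queried for https://host:port (RFC 9460 section 3).
    Default port: the host itself.  Other ports: _<port>._https.<host>."""
    host = host.rstrip(".")
    return f"{host}." if port == 443 else f"_{port}._https.{host}."


def _read_name(buf: bytes, off: int):
    """Decode an uncompressed wire-format name at buf[off]; returns (name, new_off).
    Compression pointers are forbidden in TargetName (RFC 9460 section 2.2)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer not permitted in TargetName")
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", off


def _decode_param(key: int, value: bytes):
    if key == 0:                       # mandatory: list of u16 keys
        keys = struct.unpack(f"!{len(value) // 2}H", value)
        return [SVCPARAM_NAMES.get(k, f"key{k}") for k in keys]
    if key == 1:                       # alpn: 1-byte length-prefixed protocol ids
        ids, i = [], 0
        while i < len(value):
            n = value[i]
            ids.append(value[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        return ids
    if key == 2:                       # no-default-alpn: presence only
        return True
    if key == 3:                       # port: u16
        return struct.unpack("!H", value)[0]
    if key == 4:                       # ipv4hint: packed IPv4 addresses
        return [str(ipaddress.IPv4Address(value[i:i + 4])) for i in range(0, len(value), 4)]
    if key == 6:                       # ipv6hint: packed IPv6 addresses
        return [str(ipaddress.IPv6Address(value[i:i + 16])) for i in range(0, len(value), 16)]
    return value.hex()                 # ech (ECHConfigList) and unknown keys stay opaque


def parse_svcb_rdata(rdata: bytes) -> dict:
    """Parse SVCB/HTTPS RDATA: SvcPriority, TargetName, then SvcParams.
    Enforces the RFC 9460 rules a client must apply: keys strictly
    increasing (no duplicates) and no SvcParams in AliasMode (priority 0)."""
    (priority,) = struct.unpack("!H", rdata[:2])
    target, off = _read_name(rdata, 2)
    params, last_key = {}, -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        value = rdata[off:off + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        off += length
        if key <= last_key:
            raise ValueError("SvcParamKeys must be strictly increasing")
        last_key = key
        params[SVCPARAM_NAMES.get(key, f"key{key}")] = _decode_param(key, value)
    if priority == 0 and params:
        raise ValueError("AliasMode record must not carry SvcParams")
    return {"mode": "alias" if priority == 0 else "service",
            "priority": priority, "target": target, "params": params}


# Constructed ServiceMode RDATA:  1 . alpn="h3,h2" ipv4hint=192.0.2.1 ech=<3 opaque bytes>
SAMPLE_SERVICE_RDATA = bytes.fromhex(
    "0001"                              # SvcPriority 1 (ServiceMode)
    "00"                                # TargetName "." = use the owner name
    "0001" "0006" "026833" "026832"     # alpn: "h3", "h2"
    "0004" "0004" "c0000201"            # ipv4hint: 192.0.2.1
    "0005" "0003" "aabbcc"              # ech: placeholder bytes, not a real ECHConfigList
)
# Constructed AliasMode RDATA:  0 svc.example.net.
SAMPLE_ALIAS_RDATA = bytes.fromhex("0000" "03737663" "076578616d706c65" "036e6574" "00")

if __name__ == "__main__":
    print(https_query_name("example.com"), "IN HTTPS")          # example.com.
    print(https_query_name("example.com", 8443), "IN HTTPS")    # _8443._https.example.com.
    print(parse_svcb_rdata(SAMPLE_SERVICE_RDATA))
    print(parse_svcb_rdata(SAMPLE_ALIAS_RDATA))
```

The ordering check matters in practice: RFC 9460 tells clients to treat a record with duplicate or out-of-order keys as malformed, so a resolver or client that skips the check will happily act on a record a validating client would reject.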

3. Why Browsers Query HTTPS/SVCB Alongside A/AAAA

Modern browsers follow this sequence:

  1. Send the HTTPS query, and in parallel the A/AAAA queries (RFC 9460 recommends issuing them together rather than waiting for the HTTPS answer).
  2. If an HTTPS record arrives, use its parameters (alpn, port, address hints, ECH config) to decide whether to open HTTP/3 over QUIC and to which endpoint.
  3. If the HTTPS answer is negative, fall back to the A/AAAA results and a conventional TCP/TLS connection.

They do this because:

  • It removes an extra connection attempt: the client learns about HTTP/3 from DNS instead of from an Alt-Svc header on a first HTTP/2 connection.
  • It enables HTTP/3 from the first connection.
  • It lets the server steer clients to alternative endpoints.
  • It improves privacy through ECH, whose configuration is delivered in the record.

While this behavior is ideal for users, every origin now costs the resolver one more lookup,
and in the common case that lookup ends in a negative answer.

4. Technical Limitations of Technitium, Pi-hole, and AdGuardHome

These solutions are excellent for ad blocking and simple DNS management.
However, they were not designed around the steady stream of NODATA/NXDOMAIN answers that HTTPS/SVCB lookups produce in modern networks.
Pi-hole and AdGuardHome are forwarders, so whatever caching knobs they expose act on answers an upstream recursor already produced;
the upstream still decides how much traffic leaves the network.

Depending on the product, they lack or only partially expose:

  • Explicit negative cache limits (Unbound's cache-max-negative-ttl).
  • Aggressive NSEC/NSEC3 use (RFC 8198) to synthesize negative responses from cached proofs.
  • Prefetching of entries that are still being asked for as their TTL runs out.
  • Controlled serve-expired (answering from a stale entry while it is refreshed in the background).
  • Configurable minimum/maximum TTLs.
  • Type-specific policies (HTTPS vs A/AAAA).

The result is higher latency, bandwidth waste, unnecessary recursions,
and lower overall DNS performance.

5. Negative Caching and the TTL Problem in TLDs

A negative answer carries the zone's SOA record in its authority section, and RFC 2308 allows it to be cached
for the smaller of that SOA's TTL and its MINIMUM field.
For a NODATA answer on an existing name (the HTTPS case) that SOA comes from the domain's own zone;
the TLD's SOA only governs NXDOMAIN for names that do not exist at all.
Either way, negative TTLs of 1800–3600 seconds are common in practice, and lightweight resolvers honor them without adjustment, causing two problems:

  • Changes in HTTPS/SVCB records may not be visible for an hour.
  • Negative queries are repeated if the cache is cold or poorly optimized.

Dagorret’s analysis shows real examples where these negative responses saturate infrastructure
and degrade resolver efficiency.

6. Why Unbound and Advanced Resolvers Handle This Scenario Correctly

Resolvers like Unbound, Knot Resolver, and PowerDNS Recursor are built for the new DNS reality.
They incorporate:

  • Configurable negative cache limits (cache-max-negative-ttl).
  • Aggressive NSEC/NSEC3 use (RFC 8198) to synthesize NXDOMAIN and NODATA for DNSSEC-signed zones without querying upstream.
  • Prefetch of entries that are still being requested as their TTL expires, so popular names never go cold.
  • Serve-expired to hide refresh latency under load.
  • Configurable minimum and maximum TTLs.
  • Mature, full DNSSEC validation (which aggressive NSEC depends on).
  • QNAME minimisation, so the TLD only sees the labels it needs.

In short: these resolvers can absorb the query pattern that HTTP/3, QUIC, and HTTPS records create.
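The interaction between the SOA-derived negative TTL (section 5) and the resolver knobs listed in sections 4 and 6 is easier to see with numbers. The following is an added simulation written for this article, not code from Unbound or any of the products named: the knob names mirror Unbound's cache-max-negative-ttl, cache-min-ttl and serve-expired, the behaviour is deliberately simplified, and the SOA values and query stream are constructed.

```python
"""
Toy model of a resolver's negative cache for HTTPS (type 65) lookups,
added to illustrate sections 4-6 of this article.  It is a simulation, not
code from Unbound or any product named here: the knob names mirror Unbound's
cache-max-negative-ttl / cache-min-ttl / serve-expired, but the behaviour is
deliberately simplified.  The SOA values and the query stream are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Soa:
    ttl: int        # TTL of the SOA RR in the authority section
    minimum: int    # SOA MINIMUM field


def negative_ttl(soa: Soa) -> int:
    """RFC 2308 section 3: a negative answer may be cached for min(SOA TTL, SOA MINIMUM)."""
    return min(soa.ttl, soa.minimum)


@dataclass
class Resolver:
    cache_max_negative_ttl: int = 3600   # Unbound's default cap on negative answers
    cache_min_ttl: int = 0               # floor applied to every cached TTL
    serve_expired: bool = False          # answer from stale entries while refreshing
    upstream_queries: int = 0
    neg_cache: dict = field(default_factory=dict)   # qname -> expiry time (seconds)

    def lookup(self, qname: str, now: int, upstream: dict) -> str:
        """Resolve an HTTPS query at time `now`; returns how it was answered."""
        expiry = self.neg_cache.get(qname)
        if expiry is not None and now < expiry:
            return "cache-hit"
        if expiry is not None and self.serve_expired:
            # The client gets the stale negative answer immediately; the refresh
            # still costs an upstream query (Unbound does it in the background).
            self._refresh(qname, now, upstream)
            return "stale-hit"
        self._refresh(qname, now, upstream)
        return "upstream"

    def _refresh(self, qname: str, now: int, upstream: dict) -> None:
        self.upstream_queries += 1
        _rcode, soa = upstream[qname]         # NODATA or NXDOMAIN plus authority SOA
        ttl = negative_ttl(soa)
        ttl = max(self.cache_min_ttl, min(ttl, self.cache_max_negative_ttl))
        self.neg_cache[qname] = now + ttl


# Constructed upstream answers for three names that publish no HTTPS record.
# The NODATA cases carry the domain's own SOA; the NXDOMAIN case a parent's.
SAMPLE_UPSTREAM = {
    "example.com.": ("NODATA", Soa(ttl=3600, minimum=300)),
    "cdn.example.net.": ("NODATA", Soa(ttl=60, minimum=86400)),
    "nope.example.org.": ("NXDOMAIN", Soa(ttl=3600, minimum=3600)),
}


def simulate(resolver: Resolver, upstream: dict, duration: int = 3600, interval: int = 30) -> dict:
    """Replay a constructed client stream: every name asked every `interval`
    seconds for `duration` seconds (the pattern a busy LAN produces as browsers
    ask for HTTPS records on each visit).  Returns outcome counts."""
    outcomes = {"cache-hit": 0, "stale-hit": 0, "upstream": 0}
    for now in range(0, duration, interval):
        for qname in upstream:
            outcomes[resolver.lookup(qname, now, upstream)] += 1
    outcomes["upstream_queries"] = resolver.upstream_queries
    return outcomes


if __name__ == "__main__":
    for label, r in [("no negative cache", Resolver(cache_max_negative_ttl=0)),
                     ("Unbound defaults", Resolver()),
                     ("cache-min-ttl 300", Resolver(cache_min_ttl=300)),
                     ("max-negative-ttl 900", Resolver(cache_max_negative_ttl=900)),
                     ("serve-expired", Resolver(serve_expired=True))]:
        print(f"{label:22s} {simulate(r, SAMPLE_UPSTREAM)}")
```

Two things the model makes visible: a 60-second negative TTL from a zone with a short SOA turns one name into sixty upstream round trips an hour until cache-min-ttl lifts the floor, and serve-expired improves what the client sees (no wait on refresh) without reducing upstream traffic at all, so it is a latency tool, not a bandwidth tool. Lowering cache-max-negative-ttl makes newly published HTTPS records visible sooner at the price of a few extra upstream queries per name.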

7. Recommended Architectures (Educational + Practical)

7.1 Filtering Layer (Pi-hole / Technitium / AGH) + Unbound as Recursor

Clients → Pi-hole / Technitium / AdGuardHome → Unbound → Root/TLD

Advantages:

  • Convenient admin interface.
  • Centralized filtering.
  • Modern and efficient recursion.
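A minimal Unbound configuration for the recursor in this layout, added here as an illustration rather than taken from the article or from any product's documentation. It listens only on localhost port 5335 so the filtering layer can use it as its sole upstream (in Pi-hole's notation, 127.0.0.1#5335), and it turns on the caching controls discussed in sections 4 to 6. The root-hints and trust-anchor paths are the ones the Debian/Ubuntu package uses and are assumptions; Unbound falls back to its built-in root hints if the root-hints line is omitted.

```conf
server:
    # Listen only for the filtering layer running on this host
    interface: 127.0.0.1
    port: 5335
    access-control: 127.0.0.0/8 allow
    do-ip6: yes

    # Full recursion from the root with DNSSEC validation done here,
    # not in the forwarder in front of it
    root-hints: "/var/lib/unbound/root.hints"        # assumed path
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path
    qname-minimisation: yes
    harden-glue: yes
    harden-dnssec-stripped: yes

    # Negative caching: cap how long a NODATA/NXDOMAIN for an HTTPS query is kept,
    # floor very short TTLs, and synthesize negatives from cached NSEC/NSEC3
    cache-max-negative-ttl: 900
    cache-min-ttl: 60
    cache-max-ttl: 86400
    aggressive-nsec: yes
    neg-cache-size: 4m

    # Keep names that are still being asked for warm, and answer stale
    # entries while the refresh happens in the background
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    serve-expired-ttl: 86400
    serve-expired-client-timeout: 1800

    msg-cache-size: 64m
    rrset-cache-size: 128m
    num-threads: 2
```

Point the filtering layer at 127.0.0.1#5335 as its only upstream and leave DNSSEC validation to Unbound; aggressive-nsec only helps for signed zones and only when the recursor itself validates. Check the file with unbound-checkconf before reloading.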

7.2 Unbound as the Sole Resolver

Ideal for technical networks, servers, homelabs, and critical infrastructure.

8. Conclusion

The shift toward HTTP/3, QUIC, and SVCB/HTTPS records requires DNS resolvers capable of handling
mass negative queries, flexible TTLs, and modern caching techniques.
Lightweight resolvers were not built for this new load,
while Unbound and equivalent resolvers do provide the necessary tools.

Dagorret’s work highlights the importance of updating DNS architecture to maintain
performance, stability, and compatibility with the modern web infrastructure.
