Looking for some good private DNS servers to use. Any suggestions?
Checkout Quad9 and NextDNS. I use NextDNS. The free tier NextDNS account is more than ample; I’ve never come close to exceeding it.
AdGuardDNS
Almost the same as NextDNS feature-wise.
Limit is also 300k per month. Plus additional device and server limitation.
Added benefit is they send you weekly status mail.
A word of advice, don’t leave their dashboard open for too long. The page makes thousands of DNS requests within minutes (to check the connectivity status).
I use Quad9 on everything that has uBlock Origin as an available extension, otherwise NextDNS with OISD and/or Hagezi Normal. (Hagezi Pro broke some images for me which were not ads or trackers.)
For a quick and easy set-and-forget ad and tracker blocking DNS, definitely AdGuard. I set this DNS on my parents’ devices like phones and Fire Sticks. I set the router DNS to Quad9 to serve as a phishing and malware blocker for anyone on the network.
There is a Roku in my household which can’t have its DNS specifically changed, so I have to use NextDNS for my router (AdGuard would work too), though ideally I just want Quad9 in most places due to the Swiss-law-enforced privacy policy which promises no personally identifiable logging.
All of the suggestions here are good but I would not put too much stock in where you get your DNS from if your reasons are for privacy. If anything, using anything beyond your ISP’s DNS could decrease your privacy, because now you are giving info to 2 providers (DNS and ISP)
No matter what DNS server you use, your ISP can see every single IP you connect to and doing reverse lookups is extremely trivial for them of course.
My advice is to use a good VPN provider. Any reputable one will also provide its own DNS servers as well.
Mullvad DNS.
In combination with Mullvad VPN, it is amazing.
Depends on how you want to use it. For home use, I’d say setup a Pi-Hole with Unbound. You can add your own blocklists and it cuts out the middle man.
The question still remains because what upstream DNS server in Pi-hole will you use? You’ll always need to use a DNS server on the internet unless you use hyperlocal.
With Unbound, you can set it up as a recursive DNS server. Hence, cutting out the middle man. https://docs.pi-hole.net/guides/dns/unbound/
You don’t cut the middle man, you create the middle man with Unbound. And Unbound needs to ask other DNS servers on the internet to resolve DNS queries. Your local DNS server can’t just magically know which IP is behind a domain like, for example, google.com. It needs to ask other DNS servers that know the answer. So unless you’re using hyperlocal you will always need a DNS server on the internet to browse the web.
tl;dr: Cut out Cloudflare’s recursive resolver (or anyone else’s) and run your own via PiHole and Unbound.
You don’t cut the middle man, you create the middle man with Unbound.
Umm, Unbound is on your machine. So you’re saying you are your own middle man lol…which is the same as cutting out the middle man as you (rather, your server) are you.
And Unbound needs to ask other DNS servers on the internet to resolve DNS queries.
It asks the authoritative nameservers, which is who external DNS servers ask. By using Unbound, you are cutting out those external DNS servers, because you/Unbound is the DNS server. You are asking the authoritative name server directly instead of inserting someone else to ask on your behalf.
Here’s an explanation by Cloudflare: A recursive resolver (also known as a DNS recursor) is the first stop in a DNS query. The recursive resolver acts as a middleman between a client and a DNS nameserver…Most Internet users use a recursive resolver provided by their ISP, but there are other options available; for example Cloudflare’s 1.1.1.1.
I copy/pasted the above quote from the article you linked. Again, Unbound (your machine) is asking the DNS nameserver. You’re saying you are your own middleman lol. I’m saying cut out Cloudflare’s recursive resolver and run your own via PiHole and Unbound. Did you read the article I linked?
tl;dr: Cut out Cloudflare’s recursive resolver (or anyone else’s) and run your own via PiHole and Unbound.
Tell me you didn’t read the article without telling me you didn’t read the article. Let me point out the relevant part for you:
“A recursive resolver (also known as a DNS recursor) is the first stop in a DNS query. The recursive resolver acts as a middleman between a client and a DNS nameserver. After receiving a DNS query from a web client, a recursive resolver will either respond with cached data, or send a request to a root nameserver, […]”
See that last part with “or send a request to a root nameserver”? That is the DNS server on the internet your Unbound DNS server will ask if it doesn’t have the answer cached for you already.
Umm, Unbound is on your machine. So you’re saying you are your own middle man lol…
Exactly! Since the Unbound DNS server is your server you created your middle man server yourself. “middle man” has a very negative taste but in this case it really isn’t bad at all.
It asks the authoritative nameservers, which is who external DNS servers ask. By using Unbound, you are cutting out those external DNS servers, because you/Unbound is the DNS server. You are asking the authoritative name server directly instead of inserting someone else to ask on your behalf.
Okay, so you get it but you don’t get it fully. Again: Your Unbound DNS server can’t magically know which IPs are behind a domain name. So what does it do? It asks a DNS server on the internet because they know the answer. When your Unbound DNS server gets the answer it then tells your computer.
Unbound (your machine) is asking the DNS nameserver.
YES! And where do you think is the DNS server Unbound asks if it doesn’t know the answer because it’s not cached yet? It’s some server on the internet.
You’re saying you are your own middleman lol.
I said you create your own middle man. Unbound is your middle man in this case because you make it look up the IPs behind the domains and it tells your computer these IPs then.
Instead of:
\ –> asks –> \ –> answers –> \
You do:
\ –> asks –> \ –> asks –> \ –> answers –> \ –> answers –> \
Let me say it again: Your Unbound DNS server being the middle man isn’t a bad thing, so please don’t think “middle man” is always a negative term.
I’m saying cut out Cloudflare’s recursive resolver and run your own via PiHole and Unbound.
I just linked Cloudflare’s article about it because they explain it well. Doesn’t mean one must use Cloudflare’s DNS servers.
Did you read the article I linked?
Yes, I did. But I knew what a recursive resolver is before I checked the link because I’m a professional IT administrator and I know how DNS works. It’s part of my job.
Trust me, I fully get it. You are trying to be pedantic and “technically correct,” Um Actually style. I am speaking from the perspective of this sub (privacy and enhancing it). You are your network. You are not a middleman in the context of yourself or your network. You are not losing privacy in relation to yourself. That’s being ridiculous. It’s like saying “I didn’t cook this steak at my house, um actually, my stove and pan did. Well, they (and I and the butter/oil) were the middleman. Let’s not forget the fire. Etc.” Again, ridiculous.
Also, you’re right in that you have to ask a DNS server to resolve a name to an IP. But in this context, DNS servers ask the root name server. Those DNS servers are the middlemen, the root name server is not. With Unbound and recursive, you are asking the authoritative root name server. They are not a middleman to themselves…they are the authority in DNS (it’s in the name). Also, Unbound as recursive does answer the question of OP, which was “what DNS to use?” When you configure a recursive resolver, you don’t (shouldn’t) change it away from the root nameservers and insert a middleman (someone/something you don’t control), and it doesn’t do it by default. OP was clearly asking about non-authoritative DNS servers to use, aka “should I use Quad9, Cloudflare, etc?” And my answer was…none. Cut out those middlemen that don’t need to be there/asked (which takes away some privacy as you’re asking a party that doesn’t need to be asked), and ask the root nameservers yourself via Unbound recursively.
You seem to be stuck talking from the perspective of the client/PC. Next, are you gonna say “you’re not actually going to the site. You’re going to the switch, then the router, and a firewall, maybe traversing a DMZ, could be a proxy in there, then going through the core backbone routers of the internet, down into their network. Of course, if there’s a VPN in there, that changes things. Let’s not forget the middleman of your own NIC and CPU, not to mention the keyboard, motherboard, mouse, etc. Oh, of course fiber and cabling. Those are all middlemen.” Do you see how fundamentally ridiculous that is?
Looks like my answer wasn’t saved, great…
Anyway, sorry for not reading all of that, but I’ll make it short and stop discussing because I feel like this is leading nowhere.
Unless you’re using hyperlocal and cover all TLDs and wanna browse the internet there’s technically no way around but to use an online DNS server. So coming back to the privacy aspect of this topic the question is: Which one do you trust?
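The two resolution paths argued over in this sub-thread (client → public recursive resolver → authoritative servers, versus client → your own Unbound → authoritative servers) can be modelled offline. The script below is an added example, not code from the thread, from Unbound or from Pi-hole: it builds a constructed three-level name-server tree (root, .com, an example.com authoritative server, with RFC 5737 documentation addresses) and records which party sees which query name together with which source IP under each arrangement. It also goes one step beyond the thread by modelling QNAME minimisation (RFC 7816), which Unbound supports, so you can see why "asking the root yourself" exposes less of the name than forwarding everything to one resolver, while still exposing your own IP to every server it walks. Server names, addresses and zone data are constructed for the example.

```python
"""Toy model of two DNS resolution paths and who observes what.

Added example for this thread, not code from Unbound or Pi-hole.
Zone data, server names and IP addresses are constructed (RFC 5737
documentation ranges) so the script runs offline.
"""
from typing import Dict, List, Optional, Tuple

Observation = Tuple[str, str, str]  # (server, query name it saw, source IP it saw)

# Constructed name-server tree: each server serves one zone and holds either
# final records or referrals to the server for a child zone.
SERVERS: Dict[str, dict] = {
    "root":         {"zone": ".",            "referrals": {"com.": "tld-com"}},
    "tld-com":      {"zone": "com.",         "referrals": {"example.com.": "auth-example"}},
    "auth-example": {"zone": "example.com.", "records":   {"www.example.com.": "192.0.2.10"}},
}

CLIENT_IP = "198.51.100.7"            # constructed: your home network
PUBLIC_RESOLVER_IP = "203.0.113.53"   # constructed: a third-party recursive resolver


def labels(name: str) -> List[str]:
    """Split a dotted FQDN into labels; the root '.' has none."""
    return [label for label in name.rstrip(".").split(".") if label]


def minimised_name(zone: str, qname: str) -> str:
    """QNAME minimisation (RFC 7816): send a server only one label more than the
    zone it serves, e.g. ask the root for 'com.' rather than 'www.example.com.'."""
    keep = len(labels(zone)) + 1
    return ".".join(labels(qname)[-keep:]) + "."


def ask(server: str, qname: str) -> Tuple[str, Optional[str]]:
    """One query to one server: ('answer', ip), ('referral', next_server) or ('nxdomain', None)."""
    s = SERVERS[server]
    if qname in s.get("records", {}):
        return "answer", s["records"][qname]
    for child_zone, child_server in s.get("referrals", {}).items():
        if qname == child_zone or qname.endswith("." + child_zone):
            return "referral", child_server
    return "nxdomain", None


def iterative_resolve(qname: str, source_ip: str, minimise: bool) -> Tuple[Optional[str], List[Observation]]:
    """Walk root -> TLD -> authoritative the way a recursive resolver does,
    recording what each server on the path observes."""
    seen: List[Observation] = []
    server = "root"
    while True:
        asked = minimised_name(SERVERS[server]["zone"], qname) if minimise else qname
        seen.append((server, asked, source_ip))
        kind, value = ask(server, asked)
        if kind == "answer":
            return value, seen
        if kind == "nxdomain":
            return None, seen
        server = value  # follow the referral down one level


def forwarding_path(qname: str) -> Tuple[Optional[str], List[Observation]]:
    """Client -> public recursive resolver -> authoritative tree.
    The public resolver sees (your IP, full name); upstream servers see its IP, not yours."""
    seen: List[Observation] = [("public-resolver", qname, CLIENT_IP)]
    answer, upstream = iterative_resolve(qname, PUBLIC_RESOLVER_IP, minimise=False)
    return answer, seen + upstream


def local_recursive_path(qname: str, minimise: bool = True) -> Tuple[Optional[str], List[Observation]]:
    """Client -> Unbound on your own network -> authoritative tree.
    No third-party resolver in the path, but every server walked sees your own IP."""
    return iterative_resolve(qname, CLIENT_IP, minimise)


def parties_seeing(observations: List[Observation], full_name: str) -> List[str]:
    """External parties that saw the complete query name (paired with some source IP)."""
    return [srv for srv, q, _ in observations if q == full_name]


if __name__ == "__main__":
    name = "www.example.com."
    for title, (answer, obs) in (
        ("forward to public resolver", forwarding_path(name)),
        ("own Unbound, qname minimisation on", local_recursive_path(name, minimise=True)),
        ("own Unbound, qname minimisation off", local_recursive_path(name, minimise=False)),
    ):
        print(f"== {title}: answer {answer}")
        for srv, q, ip in obs:
            print(f"   {srv:<16} saw {q:<18} from {ip}")
        print("   full name seen by:", ", ".join(parties_seeing(obs, name)))
```

Run it and compare the three tables: forwarding puts a single third party in possession of every (your IP, full name) pair; your own recursive resolver removes that party but hands your IP to the root, TLD and authoritative servers, and only with minimisation do the root and TLD see less than the full name. Neither path hides anything from the ISP carrying the packets, which is the point made earlier in the thread.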
Seconding this, especially if you enjoy homelab/DIY tech projects. It’s super simple with tons of guides around. Plus you get the added benefit of fewer ads and junk.
https://rethinkdns.com/ pick from a set list, Tracking, Malware etc. or pick individual lists i.e. just Facebook.
‘Rethink DNS supports over 190+ blocklists, some of which power popular adblockers like uBlockOrigin.’
/etc/hosts
AdGuard DNS; at least they are good at ad blocking.
AdGuard DNS is super easy to set up, too. Basically ad blocking with zero tradeoff.
Quad9, controld and nextdns
Perhaps these:
I’ve used Aha and ControlD for the longest time, and just recently switched to Mullvad’s new DoH service.
There’s a guide for exactly this on the privacy guides website