Looking for some good private DNS servers to use. Any suggestions?

  • Karcinogen@discuss.tchncs.de (24 points, 1 year ago)

    Check out Quad9 and NextDNS. I use NextDNS. The free tier NextDNS account is more than ample; I’ve never come close to exceeding it.

    • tun@lemm.ee (6 points, 1 year ago)

      AdGuardDNS

      almost the same as NextDNS feature wise

      Limit is also 300k per month. Plus additional device and server limitation.

      Added benefit is they send you weekly status mail.

      A word of advice: don’t leave their dashboard open for too long. The page makes thousands of DNS requests within minutes (to check the connectivity status).

    • neonspool@lemmy.world (1 point, 1 year ago, edited)

      I use Quad9 in everything which has uBlock Origin as an available extension, otherwise NextDNS with OISD and/or Hagezi Normal. (Hagezi Pro broke some images for me which were not ads or trackers.)

      For a quick and easy set-and-forget ad and tracker blocking DNS, definitely AdGuard. I set this DNS on my parents’ devices like phone and Fire Sticks. I set the router DNS to Quad9 to serve as a phishing and malware blocker for anyone on the network.

      There is a Roku in my household which can’t have its DNS specifically changed, so I have to use NextDNS for my router (AdGuard would work too), though ideally I just want Quad9 in most places due to the Swiss-law-enforced privacy policy which promises no personally identifiable logging.

  • privacybro@lemmy.ninja (14 points, 1 year ago)

    All of the suggestions here are good, but I would not put too much stock in where you get your DNS from if your reasons are privacy. If anything, using anything beyond your ISP’s DNS could decrease your privacy, because now you are giving info to 2 providers (DNS and ISP).

    No matter what DNS server you use, your ISP can see every single IP you connect to and doing reverse lookups is extremely trivial for them of course.

    My advice is to use a good VPN provider. Any reputable one will also provide its own DNS servers as well.

  • FutileRecipe@lemmy.world (6 points, 1 year ago)

    Depends on how you want to use it. For home use, I’d say set up a Pi-hole with Unbound. You can add your own blocklists and it cuts out the middleman.

    • Vexz@kbin.social (2 points, 1 year ago)

      The question still remains because what upstream DNS server in Pi-hole will you use? You’ll always need to use a DNS server on the internet unless you use hyperlocal.

        • Vexz@kbin.social (3 points, 1 year ago, edited)

          You don’t cut out the middleman, you create the middleman with Unbound. And Unbound needs to ask other DNS servers on the internet to resolve DNS queries. Your local DNS server can’t just magically know which IP is behind a domain like, for example, google.com. It needs to ask other DNS servers that know the answer. So unless you’re using hyperlocal you will always need a DNS server on the internet to browse the web.

          Here’s an explanation by Cloudflare.

          • FutileRecipe@lemmy.world (2 points, 1 year ago)

            tl;dr: Cut out Cloudflare’s recursive resolver (or anyone else’s) and run your own via Pi-hole and Unbound.

            You don’t cut the middle man, you create the middle man with Unbound.

            Umm, Unbound is on your machine. So you’re saying you are your own middleman lol… which is the same as cutting out the middleman, as you (rather, your server) are you.

            And Unbound needs to ask other DNS servers on the internet to resolve DNS queries.

            It asks the authoritative nameservers, which is who external DNS servers ask. By using Unbound, you are cutting out those external DNS servers, because you/Unbound is the DNS server. You are asking the authoritative name server directly instead of inserting someone else to ask on your behalf.

            Here’s an explanation by Cloudflare: A recursive resolver (also known as a DNS recursor) is the first stop in a DNS query. The recursive resolver acts as a middleman between a client and a DNS nameserver…Most Internet users use a recursive resolver provided by their ISP, but there are other options available; for example Cloudflare’s 1.1.1.1.

            I copy/pasted the above quote from the article you linked. Again, Unbound (your machine) is asking the DNS nameserver. You’re saying you are your own middleman lol. I’m saying cut out Cloudflare’s recursive resolver and run your own via Pi-hole and Unbound. Did you read the article I linked?

            • Vexz@kbin.social (1 point, 1 year ago)

              tl;dr: Cut out Cloudflare’s recursive resolver (or anyone else’s) and run your own via Pi-hole and Unbound.

              Tell me you didn’t read the article without telling me you didn’t read the article. Let me point out the relevant part for you:
              “A recursive resolver (also known as a DNS recursor) is the first stop in a DNS query. The recursive resolver acts as a middleman between a client and a DNS nameserver. After receiving a DNS query from a web client, a recursive resolver will either respond with cached data, or send a request to a root nameserver, […]”

              See that last part with “or send a request to a root nameserver”? That is the DNS server on the internet your Unbound DNS server will ask if it doesn’t have the answer cached for you already.

              Umm, Unbound is on your machine. So you’re saying you are your own middle man lol…

              Exactly! Since the Unbound DNS server is your server you created your middle man server yourself. “middle man” has a very negative taste but in this case it really isn’t bad at all.

              It asks the authoritative nameservers, which is who external DNS servers ask. By using Unbound, you are cutting out those external DNS servers, because you/Unbound is the DNS server. You are asking the authoritative name server directly instead of inserting someone else to ask on your behalf.

              Okay, so you get it, but you don’t get it fully. Again: your Unbound DNS server can’t magically know which IPs are behind a domain name. So what does it do? It asks a DNS server on the internet, because they know the answer. When your Unbound DNS server gets the answer, it then tells your computer.

              Unbound (your machine) is asking the DNS nameserver.

              YES! And where do you think the DNS server that Unbound asks is, if it doesn’t know the answer because it’s not cached yet? It’s some server on the internet.

              You’re saying you are your own middleman lol.

              I said you create your own middleman. Unbound is your middleman in this case, because you make it look up the IPs behind the domains and it then tells your computer these IPs.

              Instead of:
              \ –> asks –> \ –> answers –> \
              You do:
              \ –> asks –> \ –> asks –> \ –> answers –> \ –> answers –> \
              Let me say it again: your Unbound DNS server being the middleman isn’t a bad thing, so please don’t think “middleman” is always a negative term.

              I’m saying cut out Cloudflare’s recursive resolver and run your own via Pi-hole and Unbound.

              I just linked Cloudflare’s article about it because they explain it well. Doesn’t mean one must use Cloudflare’s DNS servers.

              Did you read the article I linked?

              Yes, I did. But I knew what a recursive resolver is before I checked the link because I’m a professional IT administrator and I know how DNS works. It’s part of my job.

              • FutileRecipe@lemmy.world (1 point, 1 year ago)

                Trust me, I fully get it. You are trying to be pedantic and “technically correct,” Um Actually style. I am speaking from the perspective of this sub (privacy and enhancing it). You are your network. You are not a middleman in the context of yourself or your network. You are not losing privacy in relation to yourself. That’s being ridiculous. It’s like saying “I didn’t cook this steak at my house, um actually, my stove and pan did. Well, they (and I and the butter/oil) were the middleman. Let’s not forget the fire. Etc.” Again, ridiculous.

                Also, you’re right in that you have to ask a DNS server to resolve a name to an IP. But in this context, DNS servers ask the root name server. Those DNS servers are the middlemen; the root name server is not. With Unbound and recursion, you are asking the authoritative root name server. They are not a middleman to themselves… they are the authority in DNS (it’s in the name). Also, Unbound as a recursive resolver does answer the question of OP, which was “what DNS to use?” When you configure a recursive resolver, you don’t (shouldn’t) change it away from the root nameservers and insert a middleman (someone/something you don’t control), and it doesn’t do that by default. OP was clearly asking about non-authoritative DNS servers to use, aka “should I use Quad9, Cloudflare, etc?” And my answer was… none. Cut out those middlemen that don’t need to be there/asked (which takes away some privacy, as you’re asking a party that doesn’t need to be asked), and ask the root nameservers yourself via Unbound recursively.

                You seem to be stuck talking from the perspective of the client/PC. Next, are you gonna say “you’re not actually going to the site. You’re going to the switch, then the router, and a firewall, maybe traversing a DMZ, could be a proxy in there, then going through the core backbone routers of the internet, down into their network. Of course, if there’s a VPN in there, that changes things. Let’s not forget the middleman of your own NIC and CPU, not to mention the keyboard, motherboard, mouse, etc. Oh, of course fiber and cabling. Those are all middlemen.” Do you see how fundamentally ridiculous that is?

                • Vexz@kbin.social (1 point, 1 year ago)

                  Looks like my answer wasn’t saved, great…

                  Anyway, sorry for not reading all of that, but I’ll make it short and stop discussing because I feel like this is leading nowhere.

                  Unless you’re using hyperlocal, cover all TLDs and want to browse the internet, there’s technically no way around using an online DNS server. So, coming back to the privacy aspect of this topic, the question is: which one do you trust?

    • jecht360@lemmy.world (1 point, 1 year ago)

      Seconding this, especially if you enjoy homelab/DIY tech projects. It’s super simple with tons of guides around. Plus you get the added benefit of fewer ads and junk.
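The root -> TLD -> authoritative walk argued over in the Pi-hole/Unbound subthread above, as an added example that is not part of the thread and is not code from Pi-hole or Unbound: a toy iterative resolver over constructed delegation data (made-up zones, RFC 5737 documentation addresses) that records which server was asked for which name, in recursive mode with and without QNAME minimisation and in forwarding mode. The trace shows both posters' points at once: the resolver still talks to servers on the Internet (root, TLD, authoritative), but with minimisation on only the authoritative server for the name sees the full name, a forwarder such as Quad9 or NextDNS sees every full name, and a cache hit asks nobody. The server addresses, zone contents and the "quad9" label are all assumptions of the example.

```python
"""Toy iterative resolver walk: what Unbound does instead of forwarding.

Added example for this thread; it is not code from Pi-hole, Unbound or any
poster. The delegation data and addresses are constructed (RFC 5737 ranges)
and mirror the real hierarchy: root hints -> TLD -> authoritative server.
"""

# Constructed stand-ins for the servers a resolver contacts. Each one answers
# names in its own zone and hands out referrals (NS glue) for child zones.
SERVERS = {
    "198.51.100.1": {  # a root server: only knows TLD delegations
        "zone": ".",
        "delegations": {"com.": ["203.0.113.10"], "org.": ["203.0.113.20"]},
        "records": {},
    },
    "203.0.113.10": {  # a .com TLD server
        "zone": "com.",
        "delegations": {"example.com.": ["192.0.2.53"]},
        "records": {},
    },
    "203.0.113.20": {"zone": "org.", "delegations": {}, "records": {}},
    "192.0.2.53": {  # authoritative for example.com.
        "zone": "example.com.",
        "delegations": {},
        "records": {"example.com.": "192.0.2.80", "www.example.com.": "192.0.2.80"},
    },
}
ROOT_HINTS = ["198.51.100.1"]  # Unbound ships a real root.hints; this is a stub


def _ancestors(name):
    """Yield name and every parent zone up to the root: a.b.com. -> b.com. -> com. -> ."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def ask(server_ip, qname):
    """One query to one server: ('answer', ip), ('referral', [ips]) or ('nxdomain', None)."""
    server = SERVERS[server_ip]
    if qname in server["records"]:
        return "answer", server["records"][qname]
    for zone in _ancestors(qname):
        if zone in server["delegations"]:
            return "referral", server["delegations"][zone]
    return "nxdomain", None  # no such name here and no delegation to follow


def _minimised(qname, zone):
    """QNAME minimisation (RFC 7816; Unbound's 'qname-minimisation: yes'):
    send each server only one label more than the zone it serves."""
    labels = qname.rstrip(".").split(".")
    keep = 1 if zone == "." else len(zone.rstrip(".").split(".")) + 1
    return ".".join(labels[-keep:]) + "."


def resolve(qname, minimise=True, cache=None):
    """Recursive mode: walk from the root hints down to the authoritative
    server yourself. Returns (answer, trace); trace is [(server, name_asked)].
    A cache hit returns an empty trace: nobody on the Internet is asked."""
    if cache is not None and qname in cache:
        return cache[qname], []
    trace, candidates = [], list(ROOT_HINTS)
    for _ in range(16):  # bound the walk so a bad referral can't loop forever
        server = candidates[0]
        asked = _minimised(qname, SERVERS[server]["zone"]) if minimise else qname
        trace.append((server, asked))
        kind, data = ask(server, asked)
        if kind == "referral":
            candidates = data
            continue
        if kind == "answer" and cache is not None:
            cache[qname] = data
        return data, trace  # the address, or None for NXDOMAIN
    raise RuntimeError("referral loop for %s" % qname)


def forward(qname, forwarder):
    """Forwarding mode (Pi-hole pointed at Quad9/NextDNS/AdGuard): one query
    to the forwarder, which does the walk above on your behalf and therefore
    sees every full name you look up. 'forwarder' is just a label here."""
    answer, _ = resolve(qname)
    return answer, [(forwarder, qname)]


def names_seen_by(trace):
    """Which upstream saw which names: the privacy-relevant difference."""
    seen = {}
    for server, name in trace:
        seen.setdefault(server, []).append(name)
    return seen


if __name__ == "__main__":
    for mode, result in (("recursive", resolve("www.example.com.")),
                         ("forwarding", forward("www.example.com.", "quad9"))):
        print(mode, result[0], names_seen_by(result[1]))
```

Running it prints one line per mode: recursive resolution touches three constructed servers, each seeing only the labels it needs, while forwarding touches one server that sees the whole name. The real-world caveat the toy skips is that a resolver also needs to resolve the nameservers' own names when glue is missing, and that the ISP still sees the IP you connect to afterwards, which is the point privacybro makes above.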

  • edric@lemm.ee (1 point, 1 year ago)

    I’ve used Aha and ControlD for the longest time, and just recently switched to Mullvad’s new DoH service.