a.x61.sh

Some DNS questions
from GolfNovemberUniform@lemmy.ml to privacy@lemmy.ml on 31 Aug 12:59
https://lemmy.ml/post/19772261

I already know that private DNS is important for privacy. I’m using Quad9 btw.

But recently I hear a lot about NextDNS and similar providers that give more advanced features such as custom filters and domain blocking. I’m getting interested in that topic now as I have to use some proprietary apps with a lot of trackers in them.

However I’m really struggling to find useful information about what domains to block, what settings to use in one or another use case etc. I don’t have much experience with firewalls and server stuff either which makes it even harder.

So, could anyone share some good resources on this so I can get started? Or should I just not worry about it and use a whole other system such as firewall?

#privacy

threaded - newest

hackerwacker@lemmy.ml on 31 Aug 13:54 next collapse

There are host lists out there you can use, eg github.com/StevenBlack/hosts

tl;dr you append it to your OS hosts file. On Linux it’s /etc/hosts

shortwavesurfer@lemmy.zip on 31 Aug 13:56 next collapse

I suggest ControlD.com p2 server as its free and kills known malware, trackers, and ads with no work other than adding it. They have a p3 that blocks big social and p0 blocks nothing.

Cheradenine@sh.itjust.works on 31 Aug 15:16 collapse

ControlD is good, I have it setup at work. Their paid plans allow more fine control.

They can also be used to unlock geoblocking both on free and paid plans.

Coworkers need TikTok, YouTube, and Twitter, otherwise I would block that crap too.

shortwavesurfer@lemmy.zip on 31 Aug 21:08 collapse

I added ControlD p2 server for blocking ads, trackers, and malwRe to my familys’ phones, my phone, and my router. The fact that it blocks known malware by default is a big selling point for me.

MrCamel999@programming.dev on 31 Aug 14:26 next collapse

Here’s a video covering basically all of NextDNS’ settings! www.youtube.com/watch?v=WUG57ynLb8I

Cornflake_Dog@lemmy.wtf on 31 Aug 14:45 collapse

This is the video that convinced me to get NextDNS and I don’t regret having made that decision

geography082@lemm.ee on 31 Aug 14:26 next collapse

Been using Nexdns and is great . It adds the part of adblocking and maybe more agresive and granular filtering . Tried controlid but looks like a fancy version and less customized of it.

Cheradenine@sh.itjust.works on 31 Aug 15:10 next collapse

Have a look at RethinkDNS, docs.rethinkdns.com/dns/ their wiki is pretty good. They have recommended block lists, and also have a feature that let’s you search inside block lists to see what they actually cover.

If you are on Android they have a companion app, you do not need to use it though. The app adds a good firewall (capture and redirect port 53 for example) and detailed logs if you want. You can block domains and specific IP addresses.

It’s all FOSS too

N0x0n@lemmy.ml on 31 Aug 15:21 next collapse

+1 for the android app ! If you’re “paranoid” you can block all apps by default and only allow apps you trust to connect to the internet. You can even for each app allow certain domains or IP’s, even wildcard domains for exemple to allow googles video chain like r3—sn-25glene6.googlevideo.com for only certain apps and not others… Like it’s fully customizable !!!

You can even hook your personal wireguard connection with DNS server like pihole…

RethinkDNS is awsome !

Cheradenine@sh.itjust.works on 31 Aug 15:27 collapse

I really like the block all apps by default. I read release notes, download something, scan with App Manager. If that’s all good then it can connect to the internet.

And I use the Wikipedia app so I can block intake-analytics.wikimedia.org and the app still works.

f4f4f4f4f4f4f4f4@sopuli.xyz on 02 Sep 20:36 collapse

I was recommended by a well-known privacy guide to use Rethink with AhaDNS Blitz, but it seems to fail often; nothing resolves until the VPN is stopped and restarted. Any ideas or advice?

Cheradenine@sh.itjust.works on 03 Sep 07:36 collapse

I don’t have any experience with AhaDNS Blitz.

With RethinkDNS I have had occasional failures on their Max resolver, changing to Sky then works. That has only happened two times though, and was fixed with a few hours.

Sorry I can’t be more help.

user224@lemmy.sdf.org on 31 Aug 15:20 next collapse

Well, why don’t you just try NextDNS? Don’t like signing up to try a service? You don’t have to. Go to nextdns.io, click “Try it now” and there you go. No account required for 7 days.

You don’t need to add domains yourself, you just choose from existing blocklists they provide. Each have some description, just like all the settings.

Alternatively, Mullvad freely provides DNS with some blocking too, but you can’t edit anything.

bokherif@lemmy.world on 31 Aug 16:40 next collapse

Look into DNS over HTTPS. Otherwise no matter what provider you use, DNS is just unencrypted.

masterofn001@lemmy.ca on 31 Aug 18:38 next collapse

Dnscrypt-proxy supports DNS over https (doh), oblivious DNS over https (odoh), DNS over TLS (dot), and dnscrypt (encrypted and anonymous DNS).

IP and domain blacklist. IP whitelist.

End to end encrypted.

You can use quad9, cloudflare, etc, or any provider you like.

I use dnscrypt.ca/about.shtml for my doh and as one of my dnscrypt servers.

Depending on your os it’s pretty simple to setup.

zer0bitz@lemmy.world on 31 Aug 22:22 collapse

This is the way.

Upstream7564@discuss.tchncs.de on 01 Sep 01:32 next collapse

This might be useful:

github.com/yokoffing/NextDNS-Config

neat.tube/w/19r4YnE6fpce6e2B9MepnB

Importmant if you seen the video: github.com/techlore/channel-content/issues/43

Disclaimer: I do not fully agree with what the authors say and disagree with some parts, but overall it’s useful information.

JameUwU@lemmy.ml on 01 Sep 04:04 next collapse

IMHO An old PC or Raspberry Pi + Pi-Hole or AdGuard Home is the way to go. Set up Wireguard if you need to use it outside of home, or if Youre adventurous you could buy a domain and expose DoH over port 443. Both softwares provide you with built in block lists. Then you can use quad9, adguard, nextdns, mullvad, really any provider with a good privacy policy you trust for that DNS server you set up. Hell you could even do your own with unbound

seaotter113@lemmy.world on 02 Sep 18:32 next collapse

+1 for RethinkDNS with DNSCrypt and anon relays

yak@lmy.brx.io on 03 Sep 09:51 collapse

I’ve used this list generating package for years now with great results: github.com/opencoff/unbound-adblock/tree/master

It is designed to generate blocking lists that can be used with unbound, the DNS resolver. There are even instructions for how to configure unbound so if you are new to it all you can follow along.

I use the resulting lists in my two local DNS name servers, running unbound.

The way it works is that if a query for a blocked address comes in to one of thenlocal DNS servers it returns a domain not found result. If the address is not on the block list then it forwards the query on to an internet DNS resolver securely using DoT.

You can gain further control over your DNS results by choosing those upstream resolvers carefully. Quad9 and Cloudflare etc all offer DoT resolving, along with some further filtering (eg. for malware), or completely unfiltered DNS if that’s what you want.

Services like cleanbrowsing.org offer more fine grained filtering, useful if you want a family-friendly set of DNS results, based off categorify.org. You can pay for really fine tuned results, or there is a free layer which provides still very useful basic categories.

Combining the two forms of filtering, local advert and tracking blocking, along with open internet content categorisation, seems to be very effective.

I get complaints about too many adverts when my kids are on WiFi away from home. I take it as a compliment.