What, if any, Public DNS is preferred?
from splintertank@lemmy.world to privacy@lemmy.ml on 04 Feb 2025 18:50
https://lemmy.world/post/25125720

My ISP is AT&T (located in the U.S.) and I have issues loading random websites. Currently have Google DNS set in my router, which works great. But I’m guessing there’s a better, more private, option?

#privacy


carl_dungeon@lemmy.world on 04 Feb 2025 19:00

I use the cloudflare dns, but there are all kinds of adguard ones too. The Adguard app itself has a big list of options for the fallback.

If you’ve never used adguard, check it out. It can run as a container or on a Pi; you just point your router DNS at it.

umami_wasbi@lemmy.ml on 04 Feb 2025 19:04

I recently switched to NextDNS. I used to run my own AdGuard Home with multiple DNS provider as upstream.

shreddy_scientist@lemmy.ml on 04 Feb 2025 19:18

NextDNS is the move, the clients are open-sourced and they encrypt everything. Plus their free option covers all my devices, no problem. Highly recommended!

ISOmorph@feddit.org on 04 Feb 2025 19:08

I use Mullvad DNS when I’m mobile and unbound on my pi when I’m at home

Darkassassin07@lemmy.ca on 04 Feb 2025 19:21

Regular DNS can be monitored, intercepted, and modified however your ISP decides, even with you specifying custom DNS servers.

I run pihole on my LAN, with cloudflared as its upstream DNS. Cloudflared translates regular DNS into DOH using cloudflare and quad9 as the upstream DOH providers (configurable).

Pihole DOH with cloudflared

Finally I block all port 53 (dns) traffic at the router so it cannot leave my LAN. All LAN devices that want regular DNS are forced to use the LAN DNS server which wraps their requests in DOH for them. (as well as blocking ads, tracking/telemetry, and known malware sites)
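As an added illustration of the port-53 lockdown described above (not the poster's own configuration): an nftables ruleset for a Linux router that redirects stray plain-DNS queries from LAN clients to the local resolver and rejects any that would still leave via the WAN. The interface names, LAN subnet and resolver address are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Constructed example. Assumed names: LAN interface "lan0", WAN interface "wan0",
# LAN subnet 192.168.1.0/24, Pi-hole (or any local resolver) at 192.168.1.53.
define LAN_IF  = "lan0"
define WAN_IF  = "wan0"
define LAN_NET = 192.168.1.0/24
define LAN_DNS = 192.168.1.53

table inet dnsgate {
    # 1. Devices with a hard-coded public resolver (e.g. 8.8.8.8) still get
    #    answered by the LAN resolver: rewrite the destination of any plain
    #    DNS packet from a LAN client. The resolver itself is exempt so its
    #    own upstream traffic (DoH on 443 via cloudflared) is untouched.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname $LAN_IF ip saddr $LAN_NET ip saddr != $LAN_DNS \
            udp dport 53 dnat ip to $LAN_DNS
        iifname $LAN_IF ip saddr $LAN_NET ip saddr != $LAN_DNS \
            tcp dport 53 dnat ip to $LAN_DNS
    }

    # 2. Belt and braces: no port-53 traffic is forwarded out of the WAN
    #    interface at all. Hits here are logged so bypass attempts by
    #    devices on the LAN show up in the router log.
    chain forward {
        type filter hook forward priority filter; policy accept;
        oifname $WAN_IF udp dport 53 counter log prefix "DNS-EGRESS-BLOCKED " reject
        oifname $WAN_IF tcp dport 53 counter log prefix "DNS-EGRESS-BLOCKED " reject
    }
}
```

From a LAN client, `dig @8.8.8.8 example.com` should now return the local resolver's answer (and any blocked domain the resolver sinkholes), while the forward-chain counters stay at zero; a non-zero counter means some device is trying to reach a public resolver directly. Note that this only captures plain DNS: clients speaking DoT (853) or DoH (443) to a public provider bypass the local resolver, which is the trade-off the thread discusses.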

MangoPenguin@lemmy.blahaj.zone on 04 Feb 2025 22:11

Adguard Home supports TLS, HTTPs, QUIC and other stuff natively, in case anyone reading wants to set up a pihole equivalent with less work for encrypted DNS.

github.com/AdguardTeam/…/Configuration#upstreams

drspod@lemmy.ml on 04 Feb 2025 23:05

What ISP do you use that makes you trust Cloudflare more than your ISP? You must really be between a rock and a hard place.

Darkassassin07@lemmy.ca on 05 Feb 2025 10:43

I’m not all that concerned about either tbh; I was just already capturing DNS traffic and funneling it through pihole for the customizable blocking, and figured I may as well add DOH while I’m at it.

Just sharing the knowledge for those that are interested. You can use any DOH provider you like.

fmstrat@lemmy.nowsci.com on 06 Feb 2025 13:56

You can run Unbound with PiHole, that way its upstream is root servers instead of a single site.

Ooops@feddit.org on 06 Feb 2025 16:01

But at that point pihole is just a fancy web interface with some nice looking but for most purposes useless graphs. I just let Unbound filter stuff with the same filter lists pihole would use.

fmstrat@lemmy.nowsci.com on 06 Feb 2025 20:33

True, but there’s use in the UI, i.e. manual blocking/unblocking is simplified. Some use it for DHCP, too.

Lemmchen@feddit.org on 05 Feb 2025 10:31

Why would you need cloudflared? Can’t you just set DoH/DoT servers as a backend in Pi-Hole?

Darkassassin07@lemmy.ca on 05 Feb 2025 10:36

Pihole doesn’t directly support DOH. What I linked is their official guide for implementing it: using cloudflared.

There are other ways you can do this. This is just what I’ve been using.

sic_semper_tyrannis@lemmy.today on 04 Feb 2025 19:27

A simple solution is Quad9 aka 9.9.9.9. NextDNS is fairly simple but allows customization.

some_guy@lemmy.sdf.org on 04 Feb 2025 19:32

Cloudflare 1.1.1.1 Google 8.8.8.8 or 8.8.4.4

sunzu2@thebrainbin.org on 04 Feb 2025 20:04

Don't use these unless you properly configure them, but even then... they are used for tracking.

Mullvad and quad9 are better for privacy people

There are others tho

Stomata@sh.itjust.works on 06 Feb 2025 19:30

You are suggesting trackers

shortwavesurfer@lemmy.zip on 04 Feb 2025 20:40

Controld.com. I use their free version that blocks ads and online tracking and malware.

Psythik@lemmy.world on 04 Feb 2025 20:47

Adguard DNS, so I can block ads in my entire house without having to invest in a PiHole. dns.adguard-dns.com More IPs

vk6flab@lemmy.radio on 04 Feb 2025 21:51

I’ve been using Adguard public DNS for over a year across my LAN and it works great, with much less hassle than a pihole, which I previously used for years.

I miss the ability to add random hosts to either black or white lists, but in reality I only used it sporadically.

abominable_panda@lemmy.world on 04 Feb 2025 21:47

Check out PrivacyGuides. They have recommendations for DNS including what others have commented

irotsoma@lemmy.blahaj.zone on 04 Feb 2025 22:23

I use a local unbound DNS server on my router with Quad9 as upstream. I actually have google DNS entirely blocked/rerouted on my router because google uses it for advertising tracking, but I get creeped out by targeted ads showing up in random places when I do something on a totally unrelated site. Most important thing, though, is to use DNSSEC DNS over TLS or DNS over HTTPS to reduce middlemen from using your DNS info to track what sites you visit and sell that data. Of course ISPs still see the destination of all of your data for tracking what sites you visit unless you use a VPN or similar tools, so you can’t hide it from them that way.

Edit: DNS over TLS not DNSSEC, totally different thing…

calamityjanitor@lemmy.world on 05 Feb 2025 00:24

Do you have the local unbound server respond to DoH so that the browser also uses encrypted client hello?

irotsoma@lemmy.blahaj.zone on 05 Feb 2025 22:30

No. I don’t use DoH inside my network because I redirect DNS traffic on my primary VLAN to a pihole for ad and malware reducing. But I also control what has access to that VLAN pretty strictly. I have another VLAN for guests and untrusted devices that doesn’t use the redirecting, but does use the Unbound server as the default DNS, just doesn’t enforce it. And I have an even more locked down VLAN for self-hosted servers that also doesn’t use the pihole, but does use Unbound.

calamityjanitor@lemmy.world on 06 Feb 2025 04:55

Yeah fair. I tried setting it up, but honestly probably not worth the effort in home networks. Problem is browsers don’t know that the other end of the unbound DNS server is DoH, so it won’t use ECH. Even once set up, most browsers need to be manually configured to use the local DoH server. Once there’s better OS support and auto config via DDR and/or DNR it’ll be more worth bothering with.

ITeeTechMonkey@lemmy.world on 05 Feb 2025 10:28

DNSSEC is a means of authenticating that the data received was not tampered with, such as by MITM attacks, thus ensuring data integrity. It uses PKI but it’s not an alternative to DoH or DoT which encrypt the DNS traffic, either over HTTPS or TLS, providing confidentiality.

DNSSEC can be used in conjunction with DoH or DoT to achieve the Security CIA triad - Confidentiality, Integrity, Authenticity.

irotsoma@lemmy.blahaj.zone on 05 Feb 2025 22:32

Thanks for the correction, that was a typo based on a long work day screwing with my brain processing acronyms. I meant to say DNS over TLS or DNS over HTTPS.

drspod@lemmy.ml on 04 Feb 2025 23:07

In regards to all the answers in this thread, consider: If you’re not paying for it with money, then what are you paying for it with?

The most private DNS is a recursive resolver.

Andromxda@lemmy.dbzer0.com on 04 Feb 2025 23:19

If you need a traditional, unencrypted DNS service, check out Quad9 and AdGuard’s Public DNS. If you can use DoT or DoH, use LibreDNS or Mullvad DNS. If you want more customization, check out NextDNS.

dahpu@feddit.org on 05 Feb 2025 10:25

Quad9 does also offer DoT and DoH.

Lemmchen@feddit.org on 05 Feb 2025 10:26

Even DNSCrypt, but I think nobody really uses that.

yuki@programming.dev on 05 Feb 2025 10:01

nextdns or mullvad?

kekmacska@lemmy.zip on 05 Feb 2025 16:30

quad9, blahdns, dnscry.pt, ibksturm, koki, litepay.ch serbica

Xanza@lemm.ee on 06 Feb 2025 05:09

Light + TIF       https://sky.rethinkdns.com/1:AAkACAQA
Normal + TIF      https://sky.rethinkdns.com/1:AAkACAgA
Pro + TIF         https://sky.rethinkdns.com/1:AAoACBAA
Pro plus + TIF    https://sky.rethinkdns.com/1:AAoACAgA
Ultimate + TIF    https://sky.rethinkdns.com/1:gAgACABA

Light + TIF       https://dns.dnswarden.com/00000000000000000000048
Normal + TIF      https://dns.dnswarden.com/00000000000000000000028
Pro + TIF         https://dns.dnswarden.com/00000000000000000000018
Pro plus + TIF    https://dns.dnswarden.com/0000000000000000000000o
Ultimate + TIF    https://dns.dnswarden.com/0000000000000000000000804

Light             https://freedns.controld.com/x-hagezi-light
Normal            https://freedns.controld.com/x-hagezi-normal
Pro               https://freedns.controld.com/x-hagezi-pro
Pro plus          https://freedns.controld.com/x-hagezi-proplus
Ultimate          https://freedns.controld.com/x-hagezi-ultimate
TIF               https://freedns.controld.com/x-hagezi-tif

Rethink DNS, DNS Warden, and ControlD with Hagezi blocklists via DoH/3. I highly recommend the ‘+ TIF’ as they are threat intelligence feeds which are up to date lists of bad actors/malware.

nonentity@sh.itjust.works on 06 Feb 2025 14:11

Go directly to the root.

const_void@lemmy.ml on 06 Feb 2025 17:03

NextDNS has the ability to change the logging region to one that’s outside your government’s jurisdiction.

ComicSads@lemmy.blahaj.zone on 06 Feb 2025 20:17

I use 1.1.1.1 as my dns because I don’t forget it. Should I not be?

truthfultemporarily@feddit.org on 08 Feb 2025 21:59

The question to ask yourself is why is cloudflare offering that service for free? Probably because they get something out of it, like analysing the data.

datavoid@lemmy.ml on 06 Feb 2025 20:21

Quad9 (9.9.9.9) is my go to.

This tool is great for figuring out which one is the fastest for you: www.grc.com/dns/benchmark.htm