@smeg@feddit.uk
3 points · 10M

There’s a guide for exactly this on the privacy guides website

@privacybro@lemmy.ninja
14 points · 10M

All of the suggestions here are good, but I would not put too much stock in where you get your DNS from if your reasons are privacy. If anything, using anything beyond your ISP’s DNS could decrease your privacy, because now you are giving info to 2 providers (DNS and ISP).

No matter what DNS server you use, your ISP can see every single IP you connect to and doing reverse lookups is extremely trivial for them of course.

My advice is to use a good VPN provider. Any reputable one will also provide its own DNS servers as well.

https://rethinkdns.com/ pick from a set list (Tracking, Malware, etc.) or pick individual lists, e.g. just Facebook.

‘Rethink DNS supports over 190+ blocklists, some of which power popular adblockers like uBlockOrigin.’

war
4 points · 10M

deleted by creator

edric
1 point · 10M

I’ve used Aha and ControlD for the longest time, and just recently switched to Mullvad’s new DoH service.

Depends on how you want to use it. For home use, I’d say set up a Pi-Hole with Unbound. You can add your own blocklists and it cuts out the middle man.

Vexz
2 points · 10M

The question still remains because what upstream DNS server in Pi-hole will you use? You’ll always need to use a DNS server on the internet unless you use hyperlocal.

With Unbound, you can set it up as a recursive DNS server. Hence, cutting out the middle man. https://docs.pi-hole.net/guides/dns/unbound/

Vexz
3 points · 10M · edited

You don’t cut the middle man, you create the middle man with Unbound. And Unbound needs to ask other DNS servers on the internet to resolve DNS queries. Your local DNS server can’t just magically know which IP is behind a domain like, for example, google.com. It needs to ask other DNS servers that know the answer. So unless you’re using hyperlocal, you will always need a DNS server on the internet to browse the web.

Here’s an explanation by Cloudflare.

tl;dr: Cut out Cloudflare’s recursive resolver (or anyone else’s) and run your own via PiHole and Unbound.

You don’t cut the middle man, you create the middle man with Unbound.

Umm, Unbound is on your machine. So you’re saying you are your own middle man lol…which is the same as cutting out the middle man as you (rather, your server) are you.

And Unbound needs to ask other DNS servers on the internet to resolve DNS queries.

It asks the authoritative nameservers, which is who external DNS servers ask. By using Unbound, you are cutting out those external DNS servers, because you/Unbound is the DNS server. You are asking the authoritative name server directly instead of inserting someone else to ask on your behalf.

Here’s an explanation by Cloudflare: A recursive resolver (also known as a DNS recursor) is the first stop in a DNS query. The recursive resolver acts as a middleman between a client and a DNS nameserver…Most Internet users use a recursive resolver provided by their ISP, but there are other options available; for example Cloudflare’s 1.1.1.1.

I copy/pasted the above quote from the article you linked. Again, Unbound (your machine) is asking the DNS nameserver. You’re saying you are your own middleman lol. I’m saying cut out Cloudflare’s recursive resolver and run your own via PiHole and Unbound. Did you read the article I linked?

Vexz
1 point · 10M

tl;dr: Cut out Cloudflare’s recursive resolver (or anyone else’s) and run your own via PiHole and Unbound.

Tell me you didn’t read the article without telling me you didn’t read the article. Let me point out the relevant part for you:
“A recursive resolver (also known as a DNS recursor) is the first stop in a DNS query. The recursive resolver acts as a middleman between a client and a DNS nameserver. After receiving a DNS query from a web client, a recursive resolver will either respond with cached data, or send a request to a root nameserver, […]”

See that last part with “or send a request to a root nameserver”? That is the DNS server on the internet your Unbound DNS server will ask if it doesn’t have the answer cached for you already.

Umm, Unbound is on your machine. So you’re saying you are your own middle man lol…

Exactly! Since the Unbound DNS server is your server you created your middle man server yourself. “middle man” has a very negative taste but in this case it really isn’t bad at all.

It asks the authoritative nameservers, which is who external DNS servers ask. By using Unbound, you are cutting out those external DNS servers, because you/Unbound is the DNS server. You are asking the authoritative name server directly instead of inserting someone else to ask on your behalf.

Okay, so you get it but you don’t get it fully. Again: Your Unbound DNS server can’t magically know which IPs are behind a domain name. So what does it do? It asks a DNS server on the internet because they know the answer. When your Unbound DNS server gets the answer, it then tells your computer.

Unbound (your machine) is asking the DNS nameserver.

YES! And where do you think the DNS server is that Unbound asks if it doesn’t know the answer because it’s not cached yet? It’s some server on the internet.

You’re saying you are your own middleman lol.

I said you create your own middle man. Unbound is your middle man in this case because you make it look up the IPs behind the domains, and it then tells your computer these IPs.

Instead of:
<Client> --> asks --> <DNS server on the internet> --> answers --> <Client>
You do:
<Client> --> asks --> <Unbound DNS (the middle man)> --> asks --> <DNS server on the internet> --> answers --> <Unbound DNS (the middle man)> --> answers --> <Client>
Let me say it again: Your Unbound DNS server being the middle man isn’t a bad thing so please don’t think “middle man” is always a negative term.

I’m saying cut out Cloudfare’s recursive resolver and run your own via PiHole and Unbound.

I just linked Cloudflare’s article about it because they explain it well. Doesn’t mean one must use Cloudflare’s DNS servers.

Did you read the article I linked?

Yes, I did. But I knew what a recursive resolver is before I checked the link because I’m a professional IT administrator and I know how DNS works. It’s part of my job.

Trust me, I fully get it. You are trying to be pedantic and “technically correct,” Um Actually style. I am speaking from the perspective of this sub (privacy and enhancing it). You are your network. You are not a middleman in the context of yourself or your network. You are not losing privacy in relation to yourself. That’s being ridiculous. It’s like saying “I didn’t cook this steak at my house, um actually, my stove and pan did. Well, they (and I and the butter/oil) were the middleman. Let’s not forget the fire. Etc.” Again, ridiculous.

Also, you’re right in that you have to ask a DNS server to resolve a name to an IP. But in this context, DNS servers ask the root name server. Those DNS servers are the middlemen, the root nameserver is not. With Unbound and recursive, you are asking the authoritative root name server. They are not a middleman to themselves…they are the authority in DNS (it’s in the name). Also, Unbound as Recursive does answer the question of OP, which was “what DNS to use?” When you configure a recursive resolver, you don’t (shouldn’t) change it away from the root nameservers and insert a middleman (someone/something you don’t control), and it doesn’t do it by default. OP was clearly asking about non-authoritative DNS servers to use, aka “should I use Quad9, CloudFlare, etc?” And my answer was…none. Cut out those middlemen that don’t need to be there/asked (which takes away some privacy, as you’re asking a party who doesn’t need to be asked), and ask the root nameservers yourself via Unbound recursively.

You seem to be stuck talking from the perspective of the client/PC. Next, are you gonna say “you’re not actually going to the site. You’re going to the switch, then the router, and a firewall, maybe traversing a DMZ, could be a proxy in there, then going through the core backbone routers of the internet, down into their network. Of course, if there’s a VPN in there, that changes things. Let’s not forget the middleman of your own NIC and CPU, not to mention the keyboard, motherboard, mouse, etc. Oh, of course fiber and cabling. Those are all middlemen.” Do you see how fundamentally ridiculous that is?
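Added example (not code from the thread, Pi-hole or Unbound): a small Python model of the two paths in the diagram above, a resolver that forwards every query to one public resolver versus one that walks the DNS tree itself from the root. It records which server is sent which name, which is the privacy question the exchange is really about. It goes one step beyond the thread by also modelling QNAME minimisation (RFC 7816), the behaviour that decides how much of a name the root and TLD servers actually see. Server names, zone data and addresses are constructed; nothing touches the network.

```python
"""Toy model of forwarding vs. recursive resolution.

Constructed example: the zone data, server names and addresses are made up,
and lookups happen in memory only.  What the model records is the list of
(server, name_sent) pairs a single client lookup causes.
"""
from __future__ import annotations

# Constructed authoritative data.  Each server holds either delegations (NS)
# to the servers below it or final addresses (A).  Addresses come from the
# documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
AUTHORITATIVE: dict[str, dict[str, dict[str, str]]] = {
    "root-servers":   {"NS": {"com.": "tld-com", "uk.": "tld-uk"}},
    "tld-com":        {"NS": {"example.com.": "ns.example.com"}},
    "tld-uk":         {"NS": {"feddit.uk.": "ns.feddit.uk"}},
    "ns.example.com": {"A": {"www.example.com.": "203.0.113.10"}},
    "ns.feddit.uk":   {"A": {"feddit.uk.": "198.51.100.7"}},
}
# Stand-in for a third-party recursive resolver like the ones named in the
# thread (Quad9, Cloudflare, NextDNS ...).  Constructed label.
PUBLIC_RESOLVER = "public-resolver"


def name_suffixes(name: str) -> list[str]:
    """'www.example.com.' -> ['com.', 'example.com.', 'www.example.com.']"""
    parts = name.rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]


def walk_tree(target: str, minimise: bool, trace: list[tuple[str, str]]) -> str | None:
    """Iterate from the root down to the authoritative server for `target`.

    Appends (server, name_sent) to `trace`.  With `minimise`, each server is
    only sent the shortest suffix it can delegate (QNAME minimisation,
    RFC 7816); without it, every server on the path sees the full name.
    """
    server = "root-servers"
    while True:
        data = AUTHORITATIVE[server]
        if target in data.get("A", {}):
            trace.append((server, target))  # the final server always sees the full name
            return data["A"][target]
        delegation = next((s for s in name_suffixes(target) if s in data.get("NS", {})), None)
        if delegation is None:
            trace.append((server, target))  # nowhere further to go: no such name
            return None
        trace.append((server, delegation if minimise else target))
        server = data["NS"][delegation]


class Resolver:
    """Either forwards to PUBLIC_RESOLVER or recurses from the root itself."""

    def __init__(self, mode: str, qname_minimisation: bool = True) -> None:
        assert mode in ("forward", "recursive")
        self.mode = mode
        self.minimise = qname_minimisation
        self.cache: dict[str, str | None] = {}  # no TTLs in this toy model

    def resolve(self, name: str) -> tuple[str | None, list[tuple[str, str]]]:
        """Return (answer, trace).  `trace` lists every external server that
        received a query for this lookup, in order; a cache hit sends nothing."""
        trace: list[tuple[str, str]] = []
        if name in self.cache:
            return self.cache[name], trace
        if self.mode == "forward":
            # Exactly one third party sees the full name and walks the tree for us.
            trace.append((PUBLIC_RESOLVER, name))
            answer = walk_tree(name, minimise=True, trace=[])
        else:
            answer = walk_tree(name, self.minimise, trace)
        self.cache[name] = answer
        return answer, trace


def who_saw(trace: list[tuple[str, str]]) -> dict[str, str]:
    """Map each server that was queried to the name it was sent."""
    return dict(trace)


if __name__ == "__main__":
    modes = [("forwarding", Resolver("forward")),
             ("recursive, minimised", Resolver("recursive")),
             ("recursive, full qname", Resolver("recursive", qname_minimisation=False))]
    for label, resolver in modes:
        answer, trace = resolver.resolve("www.example.com.")
        print(f"{label}: {answer}")
        for server, sent in trace:
            print(f"  {server:16} was asked for {sent}")
```

In the forwarding case one party sees the whole name for every lookup; in the recursive case the root and TLD servers each see only the label they delegate when minimisation is on, and only the authoritative server for the zone sees the full name. Unbound ships this behaviour as its qname-minimisation option. A cached answer produces an empty trace, which is the point Vexz makes about cached data above.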

Vexz
1 point · 10M

Looks like my answer wasn’t saved, great…

Anyway, sorry for not reading all of that, but I’ll make it short and stop discussing because I feel like this is leading nowhere.

Unless you’re using hyperlocal and cover all TLDs and wanna browse the internet there’s technically no way around but to use an online DNS server. So coming back to the privacy aspect of this topic the question is: Which one do you trust?

@jecht360@lemmy.world
1 point · 10M

Seconding this, especially if you enjoy homelab/DIY tech projects. It’s super simple with tons of guides around. Plus you get the added benefit of fewer ads and junk.

AdGuard DNS, at least they are good at adblocking.

@Cwilliams@beehaw.org
1 point · 10M

AdGuard DNS is super easy to set up, too. Basically ad blocking with zero tradeoff.

Albin Jose
2 points · 10M

Quad9, controld and nextdns

@beefpeach@infosec.pub
12 points · 10M

Mullvad DNS.

Yinchie
1 point · 10M

In combination with Mullvad VPN, it is amazing.

/etc/hosts

Check out Quad9 and NextDNS. I use NextDNS. The free tier NextDNS account is more than ample; I’ve never come close to exceeding it.

@neonspool@lemmy.world
1 point · 10M · edited

I use Quad9 in everything which has uBlock Origin as an available extension, otherwise NextDNS with OISD and/or Hagezi Normal. (Hagezi Pro broke some images for me which were not ads or trackers.)

For a quick and easy set-and-forget ad and tracker blocking DNS, definitely AdGuard. I set this DNS on my parents’ devices like phones and Fire Sticks. I set the router DNS to Quad9 to serve as a phishing and malware blocker for anyone on the network.

There is a Roku in my household which can’t have DNS specifically changed, so I have to use NextDNS for my router (AdGuard would work too), though ideally I just want Quad9 in most places due to the Swiss law enforced privacy policy which promises no personally identifiable logging.

@tun@lemm.ee
6 points · 10M

AdGuardDNS

Almost the same as NextDNS feature-wise.

Limit is also 300k per month. Plus additional device and server limitations.

Added benefit is they send you weekly status mail.

A word of advice, don’t leave their dashboard open for too long. The page makes thousands of DNS requests within minutes (to check for the connectivity status).

@Larnicone@jlai.lu
2 points · 10M