I read a bit about using a different DNS for Privacy and I think the best one should be quad9? Or is there anything better except self hosting a DNS?
Check out this guide on How to configure NextDNS
The one from your ISP. Your ISP can see your traffic anyway, so you gain nothing by using a third-party DNS server.
Even if you use DOH for upstream servers?
In the end it comes down to what your goals is. DOH indeed hides DNS queries from sniffers and your ISP, but the traffic between you and your destination is still visible for the ISP (unless you use a VPN or TOR).
If you only care about the content blocking aspect a third party resolver may make sense as @CrazyClown@lemmy.ca explained below.
Yes, my question was just referred to DNS queries. Thank you for your reply.
That’s not true at all. If you’re after the fastest DNS for loading / response times then the ISP DNS would be ideal. For privacy you’d want one that can offer ad and tracking protection like NextDNS.
Okay, maybe I got the question wrong. If you care about content blocking, then you are right (though I’d prefer self-hosted resolvers like pi-hole or AdGuard Home over third party resolvers).
You can use pihole as your main resolver and NextDNS as your down stream resolver as well for layered protection. That’s what I do. Works well. NextDNS is free protection up to 300,000 queries a month. If you go over it just acts like any regular resolver. The paid plan is inexpensive too.
If you use the same or similar blocklist it does not provide additional protection though.
That’s true yes.
As far as I read (I’m no expert!) they could check the SNI of the TLS handshake if they want. But using the DNS of the ISP is handing them the data right in a way they can analyze/use them very easily afaik?
Still learning about this topic!
They route your traffic, hence they can see all IP addresses you communicate with. With a reverse lookup you can then usually find out the address too.
deleted by creator
glowing hard
Use your own. I use unbound.
Yes, but what does it use?
Authoritative name servers.
Good enough write-up about it here: https://docs.pi-hole.net/guides/dns/unbound/
Thanks! Good write-up indeed.
The only problem there is that if you are going for privacy all of the traffic between your unbound and the authoritative servers is unencrypted. It us certainly a trade-off involving trusting a 3rd party, but with a busier public DNS server there can be a level of plausible deniability due to the aggregation and shared caching involved.
Kinda. You can always route your traffic over a VPN. Further, from the unbound page:
To help increase online privacy, Unbound supports DNS-over-TLS and DNS-over-HTTPS which allows clients to encrypt their communication. In addition, it supports various modern standards that limit the amount of data exchanged with authoritative servers. These standards do not only improve privacy but also help making the DNS more robust. The most important are Query Name Minimisation, the Aggressive Use of DNSSEC-Validated Cache and support for authority zones, which can be used to load a copy of the root zone.
Edit: to be clear, I run unbound but I don’t recall how much I hardened it. The config file is fairly large and I was mostly focusing on speed and efficiency since it’s running on an already busy raspberry pi.
Sure, which at least increases the burden from observing just your traffic to your ISP to observing your ISP and your VPN provider. That traffic is still unencrypted upon egress from your VPN. If you’re going through the effort of using a VPN I think using a public DNS server could make more sense as they can’t tie your query to your actual IP. (Also this is all thinking about an upstream for PiHole or similar, so always some sort of local server for your clients to use)
The question was about privacy. Routing your DNS traffic through a VPN puts your unencrypted traffic out of an endpoint with all sorts of other connections. That’s a privacy gain.
Further, using DNS-over-TLS or DNS-over-Https encrypts your query end-to-end.
Using both in concert prevents the DNS servers from knowing your IP and anyone along the route from knowing your query.
Sure, but we were talking about using Unbound, or some other recursive resolver, locally. Unbound doesn’t use DoH or DoT for its queries, and most/all authoritative servers don’t offer DoT/DoH.
You would have to use some local stub resolver, route its traffic over a VPN, and then use public resolver(s) that provide DoH/DoT (and those still use plaintext DNS to do their resolution, the benefit you get there is the shared cache and semi-anonymization due to aggregation). Whether that is good enough is up to you.
You run a local resolver for your household and enable DNS encryption where supported. Using a VPN for everything removes your ISP from the loop. It’s a matter of privacy layers and your threat model. If you want to play with TLAs you’ll need to try way harder.
If my threat model realistically involved TLAs or other state-sponsored actors I would not be advertising what I do or do not know on a public forum such as Lemmy, haha.
This conversation was in the conext of running Unbound, which is a recursive resolver and AFAIK DNS “encryption” isn’t a thing in a way that helps in this scenario… DoH, DoT, and DNSCrypt are all only concerned/deployed by recursive servers, meaning unbound isn’t using those. DNSSEC only provides authentication (preventing tampering) of the response, not any sort of encryption/hiding.
There’s OpenNIC, which is run by a community.
Using NextDNS for quite long time
I’m not an expert on what makes a “good DNS”, but I have been using a pi-hole for about 5 years and it has been super stable the whole time, despite my best efforts.
I use Quad9 for my upstream.
Removed by mod
I use cloudflare dns
I use DNS from Applied Privacy i don’t know if it good or not and Intra app for android.
I’m using dnscrypt combined with a firewall app. RethinkDNS on android and postmaster on pc.
