Standard User trolleybus
(fountain of knowledge) Thu 08-May-25 15:09:02
DNS Servers

I was just wondering what readers here use as their DNS Servers and their reasons for doing so.
Standard User 2E0VEB
(newbie) Thu 08-May-25 22:26:58
Re: DNS Servers
[re: trolleybus]

In reply to a post by trolleybus:
I was just wondering what readers here use as their DNS Servers and their reasons for doing so.


Recommend using pihole as it filters trackers and malware etc.

Upstream, whatever. Personally use AdGuard. Not fond of ISP-provided DNS and wouldn't be giving more data than necessary to the likes of Google.

https://adguard-dns.io/en/blog/adguard-dns-new-addre...

Reasons? Too much needless data flows all over the place, prefer to cut it off at source.

Keep meaning to set up unbound to do my own recursive but never quite get around to it!
Standard User richi
(committed) Fri 09-May-25 07:41:06
Re: DNS Servers
[re: trolleybus]

Quad9 with ECS (the '11 variant):
https://quad9.net/service/service-addresses-and-feat...

250/35 Three 5G/NR, replacing 3 km ADSL line.
Previously: BT ISDN, Nildram, Plusnet, 186k, EFH, Be*, Plusnet (again), Pulse8, Sky, Plusnet Business, TalkTalk Retail, Three 4G/LTE.


Standard User zzing123
(member) Fri 09-May-25 11:55:10
Re: DNS Servers
[re: trolleybus]

I use AdGuard and unbound. AdGuard is like pi-hole, the best ad filtering DNS software and it queries a local Unbound DNS server which is a fully recursive DNSSEC-enabled DNS server. They both just run in a small docker container on my Mikrotik router.

What does fully recursive DNS mean? unbound isn't a service provided by Google/Cloudflare or Quad9, it does their job for you instead. It finds the authoritative DNS from the root DNS servers, so it gets the DNS record directly from the person who owns the domain, rather than a middle man. So it has to do more work, but you can be sure (because of DNSSEC, a bit like SSL for DNS that authenticates - not encrypts) that the IP it resolves is authentic. pfSense and OPNsense have unbound built-in as their default DNS servers too.

Why do I use it? Speed and Control. While snoopers could monitor my udp/53 traffic, DNSSEC will simply disallow any tampered DNS, and only I get to filter what I don't want (e.g. ads). It even blocks ads in apps on my phone. If, as a parent for example, you want other blocklists and filters, AdGuard and pi-hole both have full support of these. If you're paranoid, unbound can also support DNS-over-HTTPS and DNS-over-TLS for full encryption, but I don't as by design they are at least twice as slow, and DNS should be as fast as possible.

How fast? It's a little slower at the beginning as it has to do considerably more work to find all the authoritative DNS servers to query, but once the cache has filled up, it's faster than anything Google/Cloudflare/Quad9 can provide simply due to proximity by being on your LAN. Even though Google's 8.8.8.8 resolves at 1.8ms from my ISP which is seriously (and impressively) fast, unbound resolves at <0.1ms because it's on my LAN.

The downside is you need a device to run it on and you have to configure it. Like I said, I run it in a container in a Mikrotik router, but how you run it is up to you. A Raspberry Pi, a NAS or a little PC running Linux will all be more than capable.

Here's an article on how to set it up if you're interested: https://medium.com/@life-is-short-so-enjoy-it/homela...

You can use pi-hole instead of AdGuard as well. Here's how to use pi-hole with unbound: https://docs.pi-hole.net/guides/dns/unbound/
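
An added example, not part of the thread or of any poster's setup, illustrating the DNSSEC point in the post above: a resolver that validates sets the AD (Authenticated Data) flag on answers it has verified and returns SERVFAIL for data whose signatures do not check out. The function names, the sample packets and the commented-out resolver address are constructed for this example.

```python
import socket
import struct

DO_BIT, AD_BIT, RCODE_SERVFAIL = 0x8000, 0x0020, 2

def build_query(name, qtype=1, txid=0x1234):
    """DNS query with RD set plus an EDNS0 OPT record whose DO bit requests DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)          # class IN
    # OPT pseudo-RR: root name, type 41, UDP size 1232, ext-rcode 0, version 0, flags, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, DO_BIT, 0)
    return header + question + opt

def classify(response, txid=0x1234):
    """Read only the 12-byte header: was the answer validated, unvalidated, or refused?"""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != txid:
        raise ValueError("transaction ID mismatch")
    rcode = flags & 0x000F
    if rcode == RCODE_SERVFAIL:
        return "servfail"      # validating resolvers answer bogus signatures (and other failures) this way
    if rcode == 0:
        return "validated" if flags & AD_BIT else "unvalidated"
    return "rcode-%d" % rcode

def ask(resolver, name, port=53, timeout=3.0):
    """Live check against your own resolver; the AD bit is only meaningful over a trusted path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, port))
        return classify(s.recvfrom(4096)[0])

def sample_header(flags):
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)

# Constructed header-only samples (not captured traffic): QR|RD|RA, with AD, without AD, and SERVFAIL.
SAMPLES = {"signed zone": sample_header(0x81A0), "unsigned zone": sample_header(0x8180),
           "broken signature": sample_header(0x8182)}

if __name__ == "__main__":
    for label, packet in SAMPLES.items():
        print(label, "->", classify(packet))
    # ask("192.0.2.53", "example.com")  # placeholder address: substitute your own resolver
```

The AD flag is an unauthenticated header bit, so it only tells you something when the path to the resolver is one you trust, such as a resolver on your own LAN.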
Standard User zzing123
(member) Fri 09-May-25 12:13:38
Re: DNS Servers
[re: zzing123]

If you can't set up a local DNS and have to choose the best public DNS server, my recommendation is to benchmark them - different ISPs will have different speeds and routes to upstream DNS, so while we can recommend, the only way to know the 'ideal' DNS for you is to benchmark from your location. In all honesty there's no difference between Google, Cloudflare, Hurricane Electric or Quad9 or any of the others.

Simply download and run Steve Gibson's free DNS Benchmark here and follow instructions to find out yours: https://www.grc.com/dns/benchmark.htm
Standard User candlerb
(knowledge is power) Fri 09-May-25 14:44:54
Re: DNS Servers
[re: zzing123]

In reply to a post by zzing123:
In all honesty there's no difference between Google, Cloudflare, Hurricane Electric or Quad9 or any of the others.

I believe you're only referring to *performance* there.

When it comes to *privacy* - i.e. what they do with all that information about which domain names you have been looking up - then there are big differences. Best way is to go read what they each say about it.

The other is around filtering features. For example, Quad9 does malware filtering by default. With Cloudflare, 1.1.1.2 blocks malware, and 1.1.1.3 blocks malware and "adult" sites (for whatever their definition of "adult" content is).
Standard User jchamier
(eat-sleep-adslguide) Fri 09-May-25 17:40:13
Re: DNS Servers
[re: trolleybus]

In reply to a post by trolleybus:
I was just wondering what readers here use as their DNS Servers and their reasons for doing so.

9.9.9.9 because:
1) it has simple malware blocking
2) it is not Google or Cloudflare
3) it is in Switzerland
4) it was faster than my ISP

GRC.COM has a DNS Bench tool that is interesting if you are looking for fastest. Running a local DNS cache on your network using something like pihole is worth investigating too.

25 years of broadband connectivity since Sep 1999 trial - Live BQM
Standard User jchamier
(eat-sleep-adslguide) Fri 09-May-25 17:41:30
Re: DNS Servers
[re: richi]

In reply to a post by richi:
Quad9 with ECS (the '11 variant):
https://quad9.net/service/service-addresses-and-feat...


That I hadn't seen, thanks for link!

25 years of broadband connectivity since Sep 1999 trial - Live BQM
Standard User SomeRandomBloke
(newbie) Fri 09-May-25 22:05:38
Re: DNS Servers
[re: trolleybus]

Pihole and unbound here too
Standard User zzing123
(member) Sat 10-May-25 10:57:12
Re: DNS Servers
[re: candlerb]

Yes of course. Like I said in the original post, my #1 concern is performance. If you snooped my DNS it's pretty normal consumer with a bit of techie stuff, so I feel quite safe hiding in plain sight. There is one *ahem* device that's both completely isolated from my LAN and on its own VPN.

Really good list of public DNS servers and their various filtering capabilities and whether they have DoH and DoT capability, all on one page in AdGuard's docs: https://adguard-dns.io/kb/general/dns-providers/