HACKER Q&A
📣 tikkun

Which DNS service do you use for your computer's network settings?


And, do you recommend it?

I saw a comment recommending Mullvad's. I currently use the default DNS (my ISP's default).


  👤 samvimes Accepted Answer ✓
Devices -> Pi-Hole -> Unbound -> DnsCrypt

Some additional details:

- Outbound internet access over port 53 is blocked for everything on the network, other than the Pi-Hole/Unbound server

- IpTables rule in place to force all outbound traffic over port 53 to go through the Pi-Hole. This prevents devices from circumventing the Pi-Hole filtering by hard-coding public DNS servers

- Cronjob that polls http://public-dns.info/nameservers-all.txt regularly, and updates an IpTables rule to block all outbound internet traffic over any port/protocol to servers in that list. This is my attempt to block things that try to circumvent DNS filtering by doing DNS over HTTPS

- Unbound makes it possible to bypass DnsCrypt for specific zones, as needed. It also is configured to prefetch records before expiration, which generally eliminates the latency introduced by DnsCrypt

---

This is overkill, but I tried to address privacy concerns as well as ad-blocking with this setup, and it's also been fun to tinker with
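
As an added example (not samvimes's own script) of the two controls this answer describes, the port-53 redirect and the any-port block of known public resolvers, assuming a LAN interface `br0`, a Pi-hole at 192.168.1.2, and `ipset`/`iptables` on the router; `DRY_RUN=1` prints the commands instead of applying them:

```shell
#!/bin/sh
# Added example, not the poster's own script. Assumed values: LAN interface br0,
# Pi-hole at 192.168.1.2. DRY_RUN=1 prints each command instead of running it.
set -eu

PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"
LAN_IF="${LAN_IF:-br0}"
LIST_URL="${LIST_URL:-http://public-dns.info/nameservers-all.txt}"
SET_NAME="public_resolvers"

# Execute a command, or just print it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

# Keep only well-formed IPv4 addresses from stdin: the list mixes IPv4 and IPv6,
# and a truncated or garbled download must never become bogus "ipset add" lines.
# The Pi-hole itself is removed so its own upstream traffic is never blocked.
filter_ipv4() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
    | awk -F. '$1<256 && $2<256 && $3<256 && $4<256' \
    | grep -vxF "$PIHOLE_IP" || true
}

# Rebuild the set from stdin into a temporary set and swap it in atomically,
# so the DROP rule never matches against a half-filled set mid-refresh.
refresh_set() {
  run ipset create "$SET_NAME" hash:ip -exist
  run ipset create "${SET_NAME}_tmp" hash:ip -exist
  run ipset flush "${SET_NAME}_tmp"
  filter_ipv4 | while read -r ip; do run ipset add "${SET_NAME}_tmp" "$ip" -exist; done
  run ipset swap "${SET_NAME}_tmp" "$SET_NAME"
  run ipset destroy "${SET_NAME}_tmp"
}

# Install the rules once. Only LAN hosts other than the Pi-hole are affected.
install_rules() {
  for proto in udp tcp; do
    # Plain DNS to any other server is rewritten to the Pi-hole (hard-coded resolvers).
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -p "$proto" --dport 53 \
      ! -s "$PIHOLE_IP" ! -d "$PIHOLE_IP" -j DNAT --to-destination "$PIHOLE_IP:53"
  done
  # Any port/protocol to a known public resolver (covers DoH and DoT) is dropped.
  run iptables -A FORWARD -i "$LAN_IF" ! -s "$PIHOLE_IP" \
    -m set --match-set "$SET_NAME" dst -j DROP
}

case "${1:-}" in
  install) install_rules ;;
  refresh) curl -fsSL "$LIST_URL" | refresh_set ;;   # what the cron job runs
esac
```

Run `install` once at boot and `refresh` from the cron job; IPv6 entries in the list are ignored here, so a dual-stack LAN would need matching ip6tables rules.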


👤 StillBored
I use unbound on a local machine to serve my entire LAN, but there is one giant thing to understand about it. It will massively speed up cached queries in a way you won't get with any internet accessible resolver.

BUT, it will slow down everything else simply because it's another layer in the lookup cake. Which doesn't sound bad since everything will end up cached, until you notice all the cool people have decided that DNS forms part of their load/failover scheme and have set the TTL to just a few seconds, which effectively either keeps unbound constantly fetching those addresses to keep them fresh, or you pay the unbound overhead penalty all the time on your local machines. And yes, unbound can be configured to ignore TTLs below a certain value, but that has its own problems.

So, yes, run your own resolver, just be aware that it has tradeoffs. One of the big pluses is that you can configure it to do DoH/etc and then serve everything on your network unencrypted DNS that has been previously validated/etc.


👤 coreyh14444
~Once a year, I run DNS Benchmark by Gibson Research https://www.grc.com/dns/benchmark.htm and do a local performance benchmark and use the results to pick a top 3, which usually ends up being a mix of my upstream Internet provider, Cloudflare and/or OpenDNS

👤 justusthane
Devices -> Pi-Hole -> Unbound (running on Pi). My phone is connected to Pi-Hole via Wireguard, so it gets to take advantage of the ad-blocking as well.

Yes, I would recommend it. Running Unbound means you don't have to trust anyone's upstream DNS servers. Disadvantage is maybe slightly slower resolution, as you don't get to take advantage of the upstream server's caching.


👤 LinuxBender
Unbound DNS on my firewall in one of two modes. 99% of the time Unbound talks directly to the root servers and has multiple caches for records and infrastructure information. Defcon 4 or 5. I also keep several of my own DoT servers on the internet commented out in my configuration if I need to switch to local defense condition level 3. Those DoT servers then talk directly to the root servers and also cache all the things. Becomes redundant at dc1/2 as Tinc VPNs are used. I also have scripts to build Unbound zone overrides to act as /etc/hosts for some domains.

👤 brightball
Been really happy with NextDNS for my family.

👤 clwg
I run an overkill system - a dnsdist instance provides clients on my network with DoH and standard port 53 resolution. Dnsdist forwards to a PowerDNS recursor for resolving internet hosts with root hints. Additionally, the recursor uses a custom Lua script with a Redis backend for firewalling against requests, responses, and nameservers encountered during iteration, and then all traffic is logged through protobuf interfaces with automated analysis that tells me nothing I don't know since I live alone and baseline everything.

All outbound port 53 TCP/UDP is also forwarded at the firewall through this setup.


👤 herghost
My PiHole resolves off to Quad9 and Cloudflare.

Never had any problems with either - I have both selected in case one has issues so that I don't need to immediately deal with "Daaaad the internet's not working!"


👤 xnx
Google: 8.8.8.8 and 8.8.4.4. Fast. Problem free. Would recommend to anyone.

👤 iggldiggl
One problem I've unfortunately run into with alternative DNS providers is that Akamai apparently also uses DNS to steer you to the right part of their CDN, and that the "default" set of servers returned by alternative DNS providers apparently has abysmal peering with my ISP (not just slightly slower, but positively unusable during peak hours in the evening).

In theory EDNS Client Subnet (ECS) is supposed to work around this problem, but a) according to https://www.cdnplanet.com/blog/which-cdns-support-edns-clien... Akamai only supports this with Google and OpenDNS and b) alternative DNS providers might not support ECS anyway, whether explicitly for privacy reasons or otherwise…

Which means I'd basically have to set up a custom DNS resolver in order to special-case queries for anything hosted on Akamai's CDN…


👤 tmottabr
Both static addressed devices and DHCP devices point to my internal AdGuard home server.

Both my AdGuard server and the unbound in my Opnsense router use Quad9 over DoT

AdGuard Home Server also points to Opnsense unbound to resolve local addresses

All port 53 traffic not directed at my AdGuard is redirected to it. All port 53 traffic not to or from my adguard or opnsense is blocked.

All DoT and DoH traffic not to or from my AdGuard or Opnsense is blocked.

I also have a second AdGuard Home instance hosted in a VPS that I use for my mobile devices when outside my home network. I use a whitelist of ClientIDs so only my devices can use this server, weak authentication but it has worked so far.

My home network is configured so that my devices will be redirected to my internal AdGuard server when at my home network and so they will use my public AdGuard server automatically when they are anywhere else.

My firefox, edge and chrome at my laptops have a similar configuration using their own DoT/DoH resolver. For the OS I let it use whatever DNS the local network provides.

In the near future I plan on replacing the Quad9 with my own recursive server hosted in the same VPS.


👤 solardev
Cloudflare 1.1.1.1 backed up by Google's 8.8.8.8.

This way, if I ever forget my browsing history, I can ask either company to remind me ;)

Seriously though, they're both fast (especially Cloudflare) and reliable, and won't do DNS injection attacks like local ISPs do. Not really concerned about the privacy angle since I already use Chrome and Google Search logged in.


👤 samcat116
NextDNS with either their app to set a DoH profile on devices or DHCP giving out their specific IPs for my config.

👤 iamdbtoo
I use PowerDNS's dnsdist[1] which forwards to a blocky[2] server which then resolves from a local PowerDNS recursor. dnsdist is there mainly to provide a fallback if the local server is unavailable so I don't lose complete functionality.

I would generally recommend using anything other than your ISP's DNS servers.

AdGuard has a pretty good list of available providers: https://adguard-dns.io/kb/general/dns-providers/

[1] https://dnsdist.org/

[2] https://0xerr0r.github.io/blocky/


👤 bewaretheirs
Coming in a bit late, I'm surprised I haven't seen anyone mention that if you run your own recursive dns server you can now have it download a copy of the DNS root zone (following RFC8806) if you are so inclined.

See https://localroot.isi.edu/about/ for one site that will let you register to receive a DNS Notify when the root zone changes.


👤 KaiserPro
I think the answer might depend on your ISP and where you are based in the world

In the EU/aligned countries, selling your data and injecting shit into DNS is very much a frowned on thing. Moreover, as there is competition, you can migrate away to some other ISP that isn't shit.

I currently use my ISP's DNS as an upstream, as they are reliable, fast and not shit. I'm tempted by adding a pi-hole. But I've not fully tested it yet, and I'm reluctant to migrate away from pfsense's DNS, as I have lots of local hosts that need resolving.


👤 good8675309
I'm using NextDNS, it's like having a cloud based PiHole with no hassle, more reliable, plus parental controls, network tracking, etc.

👤 donkeyd
I use the one from my ISP, unless they're having issues (hardly ever happens). The reason for this, is that in my country, my ISP is tied to strict regulations on (for example) resale of data. Switching to another DNS provider opens me up to all kinds of shenanigans that my ISP would be held responsible for.

This is the same reason I don't use a VPN by default at home.


👤 brycewray
In this order...

- Google 8.8.8.8

- Cloudflare 1.1.1.1


👤 voisin
I use PrivateInternetAccess as an always-on VPN and use their DNS servers. I also use AdGuard which is working great (a lot of people here are commenting on Pi-hole which you don't specifically ask about, so thought I'd share this as well).

Anyone have issues with PIA's dns?


👤 mannyv
Pihole to 1.1.1.1 and 9.9.9.9.

I'm in the process of taking control of my network again, after having a more laissez-faire attitude towards network access. I'll probably install something like OPNsense on top of my edgerouter.


👤 warrenm
What is "default DNS"?

I use Quad9 (9.9.9.9) and Freenom (80.80.80.80)


👤 m-p-3
NextDNS on the router, and DNS-over-HTTPS for all the devices that support it so that the configuration applies to them even outside of the home network.

👤 radicality
Unbound locally and forwarding to NextDNS for filtering

👤 comprev
NextDNS on all devices and the router (Draytek) too.

👤 governmentdude
I use level3, since it seems very fast:

4.2.2.2

4.2.2.3


👤 drcongo
NextDNS

👤 zzyzxd
devices -> AdGuard Home -> NextDNS,

And devices -> NextDNS as a fallback.

I see a lot of mentions for Pi-Hole, which is more or less the same thing as AdGuard Home. I just like AdGuard Home a little bit more:

- single binary go app

- easy to run in nonroot container (Pi-Hole only started supporting this last year)

- Native support for DoH upstream resolver

- YAML as configuration language with good versioning scheme and skew practices.


👤 jedisct1
I use dnscrypt-proxy in the default configuration and let it choose what's best for my current network.

👤 howeyc
I use unbound, with a bunch of local IP/hostnames, then forward to Mullvad dns for adblock.

👤 kup0
NextDNS (and Quad9 and Cloudflare often as backups). I run NextDNS on my phone as well.

👤 JohnFen
I proxy my ISP's DNS on my main server and all of my other machines use my proxy.

👤 someotherperson
I use a DNS (over HTTPS) that allows me to spoof my geolocation for specific services.

👤 vsviridov
Running my own doh-proxy, so I use it for my android phone, and firefox browser.

👤 PrimeMcFly
I use DNSCrypt which alternates between a list of anonymous DNS servers.

👤 justsomehnguy
127.0.0.1

Really, installing Unbound is a piece of cake both on Windows and Linux.


👤 vhcr
The one my DHCP gives me, that is my ISP's

👤 jruohonen
Full recursive DNS, that is, unbound.

👤 UI_at_80x24
Run your own.

It's not hard. It uses minimal resources. It can be enhanced with ad-block lists similar to pi-hole so your whole network benefits.


👤 hackeraccount
I run Bind at home.

👤 red-iron-pine
quad9 -- 9.9.9.9