What is the best free DNS server that is (secure / private / no analytics / no tracking)?

IAmForum

I have been using Quad9 (9.9.9.9).
I was wondering what is the best DNS server that is:
secure
private
does not track me or keep a log of my DNS requests
 
You will never truly know if they log or not; they will claim they do not, but can you prove they do not?

Maybe move to using Tor Browser?
 
If best is defined as secure and private then the answer is roll your own. Then you control the logging or lack thereof. Understand that there will still be DNS servers above you, as that is simply how DNS works. There is no single database that resolves everything. The DNS server takes your request, checks its cache for a current record and returns it if found, otherwise tries to resolve it using the root hints. You will need to take that into consideration when deciding where to host. It would be pretty trivial to stand up a DNS server in one of the public clouds. At the end of the day you will eventually realize that once a packet leaves your network there is little (read: nothing) you can do to control what happens to it. You'd be better off worrying about whether or not a DNS provider returns proper values and messages that match your queries and does not alter the results. Your real worry when it comes to privacy should be the content providers. Once they get sorted out, then worry about DNS.
 
Grab yourself a Raspberry Pi and slap Pi-hole with Unbound on it.

You could set up Unbound as a recursive resolver that goes directly to the root/authoritative servers. Only issue there is that any communication between your server and theirs must be unencrypted. There is currently no supported protocol for encrypting this communication, and DoT/DoH do not work here. This means that your ISP and/or anyone else can see your queries (and possibly MitM them and change results).

Right now, the only way I can think of to reduce tracking of DNS queries is to set up Stubby/Unbound/etc. as a caching stub resolver, and point it at as many different providers as possible to spread everything around. But then, given enough time, it's theoretically possible that multiple providers will have a picture of your commonly accessed sites. So... yeah, maybe not really any better off.

If/when Authoritative DoT or similar becomes a thing, I'm all over it.
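Added example (not from this post, and not the Unbound project's own sample config) showing the two setups the post describes side by side: Unbound recursing from the root hints with DNSSEC validation and validation-failure logging turned on, and, commented out, the alternative of forwarding everything over DNS-over-TLS to several public providers. The file path, the trust-anchor and root-hints locations, the listening port (127.0.0.1#5335 is what Pi-hole is usually pointed at) and the two upstream addresses are assumptions for a Debian/Raspberry Pi OS style install:

```conf
# /etc/unbound/unbound.conf.d/pi-hole.conf   (assumed path)
server:
    verbosity: 0
    interface: 127.0.0.1
    port: 5335                       # Pi-hole's upstream is then 127.0.0.1#5335
    do-ip4: yes
    do-ip6: no
    do-udp: yes
    do-tcp: yes

    # Recursive mode: walk from the root hints yourself.  Everything from here
    # to root / TLD / authoritative servers is plain UDP/TCP 53, as the post says.
    root-hints: "/var/lib/unbound/root.hints"          # https://www.internic.net/domain/named.root

    # DNSSEC validation.  Answers that fail validation become SERVFAIL and
    # are written to the log, which is the only "alert" you get by default.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"  # maintained by unbound-anchor
    val-log-level: 2                 # log each validation failure with details
    log-servfail: yes                # log why a query was answered SERVFAIL
    harden-dnssec-stripped: yes      # reject answers whose DNSSEC data was removed
    harden-glue: yes
    use-caps-for-id: yes             # 0x20 randomisation against spoofed replies
    qname-minimisation: yes          # each server only sees the labels it needs
    edns-buffer-size: 1232
    prefetch: yes                    # refresh popular records before they expire
    num-threads: 1

    # Never accept private addresses in answers from the public internet.
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16

# Alternative: forward everything over DNS-over-TLS instead of recursing.
# With a forward-zone for "." Unbound stops recursing, but it still validates
# DNSSEC itself using the trust anchor above.  Uncomment to use.
#    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
#forward-zone:
#    name: "."
#    forward-tls-upstream: yes
#    forward-addr: 9.9.9.9@853#dns.quad9.net
#    forward-addr: 1.1.1.1@853#cloudflare-dns.com
```

Two caveats on the forwarding variant: the `#hostname` after each address is what Unbound checks the upstream's TLS certificate against, so leave it in; and Unbound chooses among several `forward-addr` entries by measured round-trip time rather than evenly, so listing many providers does not spread your query history across them the way the post hopes. Run `unbound-checkconf` after editing and `unbound-host -v -D` against a signed name to confirm validation is on.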
 

Using Unbound with Pi-hole makes you your own DNS server. Not much can make it more secure. DoH and DoT are great, but your ISP can still see where you go by IP address if they so desire. You also have to trust the DNS provider you use to some degree, even if using DoH. At some point that DNS query becomes plain text, and who knows what somebody may be doing with that information.

You could also setup Pi-hole with cloudflared and go DoH but I prefer Unbound with Pi-Hole:
  1. No upstream DNS provider has my DNS history.
  2. The results are unfiltered.
  3. I have equal assurance that the DNS traffic has not been altered in transit.
  4. There is no less privacy from the ISP. They can still see my final destination IP address.
  5. Much faster.
  6. I have complete control over my DNS resolver.
 

  1. But your ISP can, FWIW.
  2. Hopefully. If the query/response is unencrypted there's little stopping someone from filtering results.
  3. Assuming everyone sets up DNSSEC properly. I'm guessing you don't receive any kind of real-time alert if the DNSSEC check fails?
  4. Given hosting providers, shared servers, CDNs, etc. host IP address is mostly irrelevant to privacy. I'd be more worried about the SNI.
  5. Maybe, maybe not. Using a provider potentially adds a fraction of a second. If asking for a site they've already cached, then the total query time could be faster. Once you've cached the query result locally it's irrelevant.
  6. Fair enough. Though FWIW, using a provider can get you additional services, such as Cloudflare's or Quad9's malware site blocking.
There's no perfect solution right now. If running your own recursive resolver works best for you, cool. Just be aware of the limitations and trade-offs.
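Added example, not from the thread, for the question in point 3 above: a small script that tells you whether the resolver you point at actually validates DNSSEC, and that you could cron as the "real-time alert" nobody gets by default. It works on the shape of dig's output only, so the parsers run offline against constructed samples; the live probe assumes dig is installed and uses two assumed test names, internetsociety.org (a signed zone) and dnssec-failed.org (a zone with deliberately broken signatures):

```shell
#!/bin/sh
# A validating resolver sets the "ad" (authenticated data) flag on answers for
# a correctly signed name and returns SERVFAIL for a zone whose signatures are
# broken.  A resolver that does not validate returns NOERROR with a normal
# answer for the broken zone: that is the silent failure to watch for.

# Return 0 (true) when the dig output in $1 carries the "ad" flag.
has_ad_flag() {
    printf '%s\n' "$1" | grep -E '^;; flags:.* ad[ ;]' >/dev/null
}

# Print the rcode (NOERROR, SERVFAIL, NXDOMAIN, ...) from the dig output in $1.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p'
}

# One verdict from both probes.
#   $1 = dig output for a correctly signed name
#   $2 = dig output for the deliberately broken zone
dnssec_verdict() {
    if has_ad_flag "$1" && [ "$(dig_status "$2")" = SERVFAIL ]; then
        echo validating
    elif ! has_ad_flag "$1" && [ "$(dig_status "$2")" = NOERROR ]; then
        echo not-validating
    else
        echo inconclusive      # network trouble, or "ad" set yet the broken zone resolved
    fi
}

# Live probe.  $1 = resolver to ask (default: the system resolver).
# Assumed test names; +dnssec sets the DO bit so DNSSEC data is requested.
dnssec_check_live() {
    r="${1:+@$1}"
    good="$(dig $r +dnssec internetsociety.org A)"
    bad="$(dig $r +dnssec dnssec-failed.org A)"
    dnssec_verdict "$good" "$bad"
}

# Constructed dig fragments; only the header lines matter to the parsers.
SAMPLE_GOOD="$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
)"
SAMPLE_GOOD_NO_AD="$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4714
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
EOF
)"
SAMPLE_BAD_VALIDATING="$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4712
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
)"
SAMPLE_BAD_NOT_VALIDATING="$(cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
EOF
)"

# Offline demonstration on the samples; "sh dnssec_check.sh live 192.168.1.31"
# probes a real resolver instead.
if [ "${1:-}" = live ]; then
    dnssec_check_live "${2:-}"
else
    echo "validating resolver sample:     $(dnssec_verdict "$SAMPLE_GOOD" "$SAMPLE_BAD_VALIDATING")"
    echo "non-validating resolver sample: $(dnssec_verdict "$SAMPLE_GOOD_NO_AD" "$SAMPLE_BAD_NOT_VALIDATING")"
fi
```

If the live verdict is "validating" for Unbound but you still want to know when it happens, `val-log-level` and `log-servfail` in unbound.conf put each failure in the log where a log watcher can pick it up.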
 

1. And that's no different than any other DNS out there. DoH/DoT, it doesn't matter. If your ISP wants to know where you go it can see that, period. At least with Pi-hole with Unbound my DNS queries don't leave my LAN except in very rare cases where Unbound may have to reach out to the authoritative nameservers for the answer. To date I've never seen it do that.
2. My query/response is all internal to my network. The only way anything would get filtered is if the prime authoritative nameservers have been compromised/filtered.
3. Why do I need a DNSSEC check if I run my own DNS server? I don't. My DNS queries never leave my LAN except in very rare cases where Unbound may have to reach out to the authoritative nameservers for the answer. To date I've never seen it do that.
4. Agreed but unsure what that has to do with DNS queries and privacy by hiding those from your ISP which you can't really do (which is what I said).
5. My DNS queries are much faster since it's all local. Latency to my DNS server? 4ms or less. Latency to Google/Quad9/Cloudflare? 20+ms easy. So I see faster lookups, but I will concede that YMMV.
6. I'm using Pi-hole...that crap is all filtered on the default lists as well. There's also more that you can add and block even more crap. I guarantee my Pi-hole blocks more shit than Quad9 or Cloudflare ever will.
7. I use Wireguard via my OPNsense firewall and send all my devices (including all children's devices like their iPads) back through my home network when not at the house. My family and I get my safe, secure DNS filtering everywhere we go and have the added bonus of a secure VPN back into a network I trust. Hotels, open WiFi and the rest can piss off. :)
 
1. And that's no different than any other DNS out there. DoH/DoT, it doesn't matter. If your ISP wants to know where you go it can see that, period. At least with Pi-hole with Unbound my DNS queries don't leave my LAN except in very rare cases where Unbound may have to reach out to the authoritative nameservers for the answer. To date I've never seen it do that.

Huh? How do you explain your DNS resolver actually resolving anything/everything outside your LAN if it's not going to the outside world? Either root/authoritative servers, or a DNS service, at some point your resolver has to be hitting up someone on the outside for answers.

An exercise: Restart Unbound/Pi-Hole and verify they've both dumped their caches. Fire up tcpdump on your resolver and have it listen on udp/53, it'll show a bunch of queries going to the outside world. It'll slow down some once queries are cached again. I'm guessing Unbound has some kind of logging that'll show the same.

DoT/DoH is one mechanism for obfuscating to the ISP what sites you're hitting. When HTTPS/TLS encrypted SNI becomes widespread, combined with 3rd-party encrypted DNS it'll be very difficult to impossible for an ISP to track where you're going. But yeah, currently, it's imperfect.


2. My query/response is all internal to my network. The only way anything would get filtered is if the prime authoritative nameservers have been compromised/filtered.

Or, as I mentioned, potentially anyone in between because the connection between your resolver and the root/authoritative is unencrypted. DNSSEC is supposed to help here, but it only validates responses and isn't perfect, and it's often not set up on one/both ends and no one is watching for DNSSEC failures in real-time.

Same could happen to a DNS provider's queries in theory. Though given their resources I'd expect they'd find such a compromise far faster than you or I acting alone could.

This is one thing Authoritative DoT looks to resolve.


3. Why do I need a DNSSEC check if I run my own DNS server? I don't. My DNS queries never leave my LAN except in very rare cases where Unbound may have to reach out to the authoritative nameservers for the answer. To date I've never seen it do that.

As mentioned, your resolver is talking to root/authoritative resolvers All. The. Time. DNSSEC provides a layer of validation (admittedly imperfect) that the answers your resolver gets are from the proper source and correct. DNSSEC has nothing to do with the communication between a local host and your resolver.


4. Agreed, but unsure what that has to do with DNS queries and privacy by hiding those from your ISP, which you can't really do (which is what I said).

You tied host IP addresses to accessed sites and privacy. My point was that's an improper connection due to the way internet services are offered today.


5. My DNS queries are much faster since it's all local. Latency to my DNS server? 4ms or less. Latency to Google/Quad9/Cloudflare? 20+ms easy. So I see faster lookups, but I will concede that YMMV.

Assuming it stays local because the local resolver has already cached the answer from a prior query.

Another exercise: With the resolver caches cleared, time the query against your resolver using dig. This can be done at the same time as the one above. A couple of queries against a FQDN will probably look similar to the following:

This is from my laptop -> Pi-Hole -> Stubby -> Cloudflare. In the first, the answer is uncached locally (but almost certainly is by Cloudflare); in the second it is cached by Pi-Hole (Stubby has no caching mechanism). FWIW, I couldn't feel a difference between the two.

Code:
$ dig @192.168.1.31 www.apple.com

<snip>

;; Query time: 83 msec
;; SERVER: 192.168.1.31#53(192.168.1.31)
;; WHEN: Thu Jun 17 22:06:26 PDT 2021
;; MSG SIZE  rcvd: 309


$ dig @192.168.1.31 www.apple.com

<snip>

;; Query time: 3 msec
;; SERVER: 192.168.1.31#53(192.168.1.31)
;; WHEN: Thu Jun 17 22:06:28 PDT 2021
;; MSG SIZE  rcvd: 198


6. I'm using Pi-hole...that crap is all filtered on the default lists as well. There's also more that you can add and block even more crap. I guarantee my Pi-hole blocks more shit than Quad9 or Cloudflare ever will.

Oh, almost certainly. I run Pi-Hole (plus Stubby for DoT to a DNS provider) for the same reason (plus the ad-blocking of course). Pointing the local resolver (be it Pi-Hole direct, Unbound, a typical consumer router, etc.) at those is just another layer of protection.

And there are a lot of people who are not capable of setting up their own local resolver/Pi-Hole/etc. (beyond that contained in their router), so DNS services that provide such filtering are useful.


7. I use Wireguard via my OPNsense firewall and send all my devices (including all children's devices like their iPads) back through my home network when not at the house. My family and I get my safe, secure DNS filtering everywhere we go and have the added bonus of a secure VPN back into a network I trust. Hotels, open WiFi and the rest can piss off. :)

Wireguard is great, isn't it? I have a similar setup going.
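Added example, not from the thread, that turns the two exercises in the post above (watch udp/53 leave the resolver after a cache flush, and time dig with a cold versus a warm cache) into something checkable rather than eyeballed. The live helpers assume tcpdump, dig, `pihole` and `unbound-control` are on the resolver; the parsers run offline on a constructed capture and on dig fragments carrying the timings posted above. The addresses in the sample capture are illustrative (198.41.0.4 is a.root-servers.net, 192.5.6.30 a .com server, 203.0.113.53 a TEST-NET-3 stand-in for Apple's authoritative):

```shell
#!/bin/sh
# Drop both caches before capturing.  "pihole restartdns" restarts pihole-FTL;
# "unbound-control reload" re-reads the config and flushes Unbound's cache.
flush_caches() {
    pihole restartdns
    unbound-control reload
}

# Live capture on the resolver (root needed): one line per DNS packet, -n so
# the capture itself adds no lookups, -l so lines appear as they happen.
capture_live() {
    tcpdump -n -l -c "${1:-200}" 'udp port 53 or tcp port 53'
}

# Read tcpdump text on stdin and print the destination IP of every query sent
# to port 53 on an address outside RFC 1918 space.  Queries are the lines
# tcpdump prints with a "TYPE?" question (A?, AAAA?, ...); replies come back
# to a high port, so they never pass the port test.
upstream_query_dests() {
    awk '
        $2 == "IP" && $4 == ">" && / [A-Z]+\? / {
            dst = $5; sub(/:$/, "", dst)          # "198.41.0.4.53:" -> "198.41.0.4.53"
            port = dst; sub(/.*\./, "", port)     # -> "53"
            ip = dst; sub(/\.[0-9]+$/, "", ip)    # -> "198.41.0.4"
            if (port == "53" && ip !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/)
                print ip
        }'
}

upstream_query_count() { upstream_query_dests | wc -l | tr -d ' '; }

# Queries per upstream, busiest first.  With a cold cache this is the trail of
# root, TLD and authoritative servers that every recursive resolver walks.
upstream_summary() { upstream_query_dests | sort | uniq -c | sort -rn; }

# Milliseconds from dig's ";; Query time:" line (dig output passed in $1).
dig_query_ms() {
    printf '%s\n' "$1" | sed -n 's/^;; Query time: \([0-9]*\) msec.*/\1/p'
}

# Cold-minus-warm difference in ms for two dig runs of the same name.
cache_saving_ms() { echo $(( $(dig_query_ms "$1") - $(dig_query_ms "$2") )); }

# Constructed capture modelled on a cold lookup of www.apple.com through a
# resolver at 192.168.1.31: client query in, one query each to a root server,
# a .com server and the authoritative, the reply out, then a warm repeat that
# never leaves the LAN.
SAMPLE_CAPTURE="$(cat <<'EOF'
22:06:26.010 IP 192.168.1.20.52311 > 192.168.1.31.53: 21547+ A? www.apple.com. (31)
22:06:26.012 IP 192.168.1.31.40001 > 198.41.0.4.53: 5001% [1au] A? www.apple.com. (42)
22:06:26.030 IP 198.41.0.4.53 > 192.168.1.31.40001: 5001 0/13/27 (1097)
22:06:26.031 IP 192.168.1.31.40002 > 192.5.6.30.53: 5002% [1au] A? www.apple.com. (42)
22:06:26.050 IP 192.5.6.30.53 > 192.168.1.31.40002: 5002 0/8/17 (620)
22:06:26.051 IP 192.168.1.31.40003 > 203.0.113.53.53: 5003% [1au] A? www.apple.com. (42)
22:06:26.070 IP 203.0.113.53.53 > 192.168.1.31.40003: 5003 2/0/1 CNAME www.apple.com.edgekey.net., A 17.253.144.10 (309)
22:06:26.071 IP 192.168.1.31.53 > 192.168.1.20.52311: 21547 2/0/0 CNAME www.apple.com.edgekey.net., A 17.253.144.10 (198)
22:06:28.000 IP 192.168.1.20.52312 > 192.168.1.31.53: 21548+ A? www.apple.com. (31)
22:06:28.003 IP 192.168.1.31.53 > 192.168.1.20.52312: 21548 2/0/0 CNAME www.apple.com.edgekey.net., A 17.253.144.10 (198)
EOF
)"

# Constructed dig fragments using the timings posted above.
SAMPLE_DIG_COLD="$(cat <<'EOF'
;; Query time: 83 msec
;; SERVER: 192.168.1.31#53(192.168.1.31)
EOF
)"
SAMPLE_DIG_WARM="$(cat <<'EOF'
;; Query time: 3 msec
;; SERVER: 192.168.1.31#53(192.168.1.31)
EOF
)"

echo "queries that left the LAN in the sample capture, per upstream:"
printf '%s\n' "$SAMPLE_CAPTURE" | upstream_summary
echo "warm cache saved $(cache_saving_ms "$SAMPLE_DIG_COLD" "$SAMPLE_DIG_WARM") ms on the repeat lookup"
```

On a real box: `flush_caches`, then `capture_live 500 | upstream_query_dests | sort | uniq -c | sort -rn` while browsing, and the root and TLD servers show up at the top of the list within seconds of a cold start.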
 
Why hasn't anyone mentioned AdGuard DNS? AdGuard DNS is just everything you'd want: secure, private, no logs, minimal metadata for DNS-over-HTTPS, stable, DNSSEC support, blocks ads and analytics domains, located in Cyprus, works with VPNs. The AdGuard team scans the internet for CNAME ad domains to also block them. AdGuard Home is similar to Pi-Hole, but has built-in DNS-over-HTTPS, DNS-over-QUIC, DHCP capabilities, and some other cool features.
 
AdGuard Home = $72 a year
pi-hole = free

How is AdGuard worth the cost, compared to pi-hole?
 
AdGuard Home you can install on Linux for free. It can be installed as a Snap, manually, or as a Docker container. Hell, you can build it from source if you want.

In the end they both do the same thing. They just do certain things differently. I find that the community backing Pi-hole is larger and far more active so I stick with Pi-hole.
 
The AdGuard app for Android and whichever OS is not free, but AdGuard Home is free. The AdGuard app is not open source and it does more than AdGuard Home and/or Pi-Hole. AdGuard Home and Pi-Hole filter based on domain resolution. It is a very brute method. The AdGuard app filters not only based on domains, but on other factors for a neater experience.
 