Grab yourself a Raspberry Pi and slap Pi-hole with Unbound on it.
You could set up Unbound as a recursive resolver that goes directly to the root/authoritative servers. Only issue there is that any communication between your server and theirs must be unencrypted. There is currently no supported protocol for encrypting this communication, and DoT/DoH do not work here. This means that your ISP and/or anyone else can see your queries (and possibly MitM them and change results).
Right now, the only way I can think of to reduce tracking of DNS queries is to set up Stubby/Unbound/etc. as a caching stub resolver, and point it at as many different providers as possible to spread everything around. But then, given enough time, it's theoretically possible that multiple providers will have a picture of your commonly accessed sites. So... yeah, maybe not really any better off.
If/when Authoritative DoT or similar becomes a thing, I'm all over it.
- No upstream DNS provider has my DNS history.
- The results are unfiltered.
- I have equal assurance that the DNS traffic has not been altered in transit.
- There is no less privacy from the ISP. They can still see my final destination IP address.
- Much faster.
- I have complete control over my DNS resolver.
There's no perfect solution right now. If running your own recursive resolver works best for you, cool. Just be aware of the limitations and trade-offs.
- But your ISP can, FWIW.
- Hopefully. If the query/response is unencrypted there's little stopping someone from filtering results.
- Assuming everyone sets up DNSSEC properly. I'm guessing you don't receive any kind of real-time alert if the DNSSEC check fails?
- Given hosting providers, shared servers, CDNs, etc., host IP address is mostly irrelevant to privacy. I'd be more worried about the SNI.
- Maybe, maybe not. Using a provider potentially adds a fraction of a second. If asking for a site they've already cached, then the total query time could be faster. Once you've cached the query result locally it's irrelevant.
- Fair enough. Though FWIW, using a provider can get you additional services, such as Cloudflare's or Quad9's malware site blocking.
1. And that's no different than any other DNS out there. DoH/DoT. It doesn't matter. If your ISP wants to know where you go it can see that, period. At least with Pi-hole with Unbound my DNS queries don't leave my LAN except in very rare cases where Unbound may have to reach out to the authoritative nameservers for the answer. To date I've never seen it do that.
Run tcpdump on your resolver and have it listen on udp/53; it'll show a bunch of queries going to the outside world. It'll slow down some once queries are cached again. I'm guessing Unbound has some kind of logging that'll show the same.
2. My query/response is all internal to my network. The only way anything would get filtered is if the prime authoritative nameservers have been compromised/filtered.
3. Why do I need a DNSSEC check if I run my own DNS server? I don't. My DNS queries never leave my LAN except in very rare cases where Unbound may have to reach out to the authoritative nameservers for the answer. To date I've never seen it do that.
4. Agreed but unsure what that has to do with DNS queries and privacy by hiding those from your ISP which you can't really do (which is what I said).
5. My DNS queries are much faster since it's all local. Latency to my DNS server? 4ms or less. Latency to Google/Quad9/Cloudflare? 20+ easy. So I see faster lookups but I will concede that YMMV.
Run dig. This can be done at the same time as the one above. A couple queries against a FQDN will probably look similar to the following:
$ dig @192.168.1.31 www.apple.com
<snip>
;; Query time: 83 msec
;; SERVER: 192.168.1.31#53(192.168.1.31)
;; WHEN: Thu Jun 17 22:06:26 PDT 2021
;; MSG SIZE rcvd: 309
$ dig @192.168.1.31 www.apple.com
<snip>
;; Query time: 3 msec
;; SERVER: 192.168.1.31#53(192.168.1.31)
;; WHEN: Thu Jun 17 22:06:28 PDT 2021
;; MSG SIZE rcvd: 198
6. I'm using Pi-hole...that crap is all filtered on the default lists as well. There's also more that you can add and block even more crap. I guarantee my Pi-hole blocks more shit than Quad9 or Cloudflare ever will.
7. I use Wireguard via my OPNsense firewall and send all my devices (including all children devices like their iPads) back through my home network when not at the house. My family and I get my safe, secure DNS filtering everywhere we go and have the added bonus of a secure VPN back into a network I trust. Hotels, open WiFi and the rest can piss off.
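The tcpdump check suggested above (and the earlier point that a recursive resolver talks to root/TLD/authoritative servers in the clear) can be turned into a quick script. This is an added example, not code from either poster: it parses the text output of `tcpdump -n udp port 53` run on the resolver box, separates client-to-resolver packets (which stay on the LAN) from resolver-to-upstream packets (which cross the ISP link unencrypted), and lists which names an on-path observer would see. The capture is constructed; 198.41.0.4 (a.root-servers.net) and 192.5.6.30 (a.gtld-servers.net) are real addresses, 17.253.200.1 is an assumed stand-in for an apple.com nameserver, and the packet IDs, sizes and timestamps are made up.

```python
"""Summarise which DNS queries a recursive resolver actually sends off the LAN.

Added example: parses `tcpdump -n udp port 53` output captured on the resolver
itself and separates client<->resolver traffic (stays on the LAN) from
resolver->authoritative traffic (leaves the LAN in cleartext). The capture
below is constructed, not a real packet trace.
"""
import ipaddress
import re
from collections import Counter

# Constructed sample: client 192.168.1.50 asks resolver 192.168.1.31 for
# www.apple.com twice. The first lookup walks root -> .com -> apple.com with
# Unbound-style qname minimisation (the full name only reaches the last hop);
# the second is served from cache and generates no upstream packets.
# 198.41.0.4 (a.root-servers.net) and 192.5.6.30 (a.gtld-servers.net) are real
# addresses; 17.253.200.1 is an assumed stand-in for an apple.com nameserver.
# IDs, sizes and timestamps are made up.
SAMPLE_CAPTURE = """\
22:06:26.101 IP 192.168.1.50.52113 > 192.168.1.31.53: 3121+ A? www.apple.com. (31)
22:06:26.102 IP 192.168.1.31.40001 > 198.41.0.4.53: 41876% [1au] A? com. (32)
22:06:26.118 IP 198.41.0.4.53 > 192.168.1.31.40001: 41876- 0/13/27 (1187)
22:06:26.119 IP 192.168.1.31.40002 > 192.5.6.30.53: 18209% [1au] A? apple.com. (38)
22:06:26.151 IP 192.5.6.30.53 > 192.168.1.31.40002: 18209- 0/4/9 (600)
22:06:26.152 IP 192.168.1.31.40003 > 17.253.200.1.53: 9042% [1au] A? www.apple.com. (42)
22:06:26.183 IP 17.253.200.1.53 > 192.168.1.31.40003: 9042*- 1/0/1 A 17.253.144.10 (74)
22:06:26.184 IP 192.168.1.31.53 > 192.168.1.50.52113: 3121 1/0/0 A 17.253.144.10 (47)
22:06:28.010 IP 192.168.1.50.52114 > 192.168.1.31.53: 3122+ A? www.apple.com. (31)
22:06:28.011 IP 192.168.1.31.53 > 192.168.1.50.52114: 3122 1/0/0 A 17.253.144.10 (47)
"""

# "<time> IP <src>.<sport> > <dst>.<dport>: <rest>" as printed by tcpdump -n
PACKET_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# Query packets carry "<QTYPE>? <qname>"; responses carry answer counts instead.
QUERY_RE = re.compile(r"\b(?P<qtype>[A-Z]+)\? (?P<qname>\S+) \(\d+\)$")


def parse_queries(capture):
    """Return one record per DNS *query* packet (responses are skipped)."""
    queries = []
    for line in capture.splitlines():
        pkt = PACKET_RE.match(line)
        if not pkt or pkt["dport"] != "53":
            continue
        q = QUERY_RE.search(pkt["rest"])
        if not q:
            continue
        queries.append({"ts": pkt["ts"], "src": pkt["src"], "dst": pkt["dst"],
                        "qtype": q["qtype"], "qname": q["qname"]})
    return queries


def leaves_lan(dst):
    """A query to a globally routable address crosses the ISP link unencrypted."""
    return ipaddress.ip_address(dst).is_global


def summarise(capture):
    """Split queries into LAN-only and off-LAN, and list what an on-path observer sees."""
    queries = parse_queries(capture)
    outbound = [q for q in queries if leaves_lan(q["dst"])]
    return {
        "total_queries": len(queries),
        "lan_only": len(queries) - len(outbound),
        "off_lan": len(outbound),
        "per_upstream": Counter(q["dst"] for q in outbound),
        "names_visible_upstream": sorted({q["qname"] for q in outbound}),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_CAPTURE)
    print(f"{report['off_lan']} of {report['total_queries']} queries left the LAN")
    for upstream, count in report["per_upstream"].items():
        print(f"  {upstream}: {count} query(ies)")
    print("names visible to an on-path observer:", ", ".join(report["names_visible_upstream"]))
```

On a real box, pipe `sudo tcpdump -n -l udp port 53` into a file for a few minutes of normal browsing and feed that file to `summarise`. With qname minimisation the root and TLD servers see only the trailing labels, but the full name still goes to the authoritative server in cleartext, which is the point made above about recursion not being hidden from the ISP.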
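Two posts above touch on DNSSEC: one asks whether you get any real-time alert when validation fails, the other says a self-hosted resolver does not need a DNSSEC check. A validating resolver (Unbound can be one) answers that question itself: a validated answer comes back with the AD flag, an unsigned zone comes back without it, and a zone whose signatures are broken comes back as SERVFAIL, which clears if you repeat the query with `+cd`. The following is an added example, not code from either poster, that turns the header lines of `dig +dnssec` output into a verdict you could run from cron and alert on. The dig outputs are constructed and trimmed to the header lines that matter; it assumes the resolver is on a trusted path (your LAN), since the AD flag is only as trustworthy as the link it arrives over.

```python
"""Turn a dig response into a DNSSEC verdict you can alert on.

Added example (not from the original posts). Assumes the resolver being
queried validates DNSSEC and sits on a trusted path; the dig outputs below
are constructed, trimmed to the header lines that matter.
"""
import re
from typing import Optional, Set, Tuple

STATUS_RE = re.compile(r"^;; ->>HEADER<<- opcode: \w+, status: (?P<status>\w+)", re.M)
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);", re.M)

# Constructed: `dig +dnssec @resolver <signed-name>` against a validating resolver.
SECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1101
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
# Constructed: same resolver, unsigned zone (or a resolver that does not validate).
INSECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1102
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
# Constructed: a zone whose signatures fail to validate. The plain query is
# refused with SERVFAIL; the same query with +cd (checking disabled) succeeds,
# which is what distinguishes a validation failure from a dead nameserver.
BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1103
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
BOGUS_CD = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1104
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""


def parse_header(dig_output: str) -> Tuple[str, Set[str]]:
    """Return (RCODE, header flags) from dig's ';; ->>HEADER<<-' and ';; flags:' lines."""
    status = STATUS_RE.search(dig_output)
    if status is None:
        raise ValueError("no dig HEADER line found")
    flags = FLAGS_RE.search(dig_output)
    return status["status"], set(flags["flags"].split()) if flags else set()


def classify(output: str, cd_output: Optional[str] = None) -> str:
    """secure: resolver validated (AD set); insecure: answer but no AD;
    bogus: SERVFAIL that clears with +cd; servfail: SERVFAIL not explained by DNSSEC."""
    status, flags = parse_header(output)
    if status in ("NOERROR", "NXDOMAIN"):
        return "secure" if "ad" in flags else "insecure"
    if status == "SERVFAIL":
        if cd_output is not None and parse_header(cd_output)[0] in ("NOERROR", "NXDOMAIN"):
            return "bogus"
        return "servfail"
    return status.lower()


def should_alert(verdict: str, expect_signed: bool = True) -> bool:
    """Alert on a validation failure, and on a signed name that suddenly comes back
    unvalidated (the resolver stopped validating, or the path is being tampered with)."""
    return verdict == "bogus" or (expect_signed and verdict == "insecure")


if __name__ == "__main__":
    for name, out, cd in (("signed", SECURE, None), ("unsigned", INSECURE, None),
                          ("broken", BOGUS, BOGUS_CD)):
        verdict = classify(out, cd)
        print(f"{name:8s} -> {verdict}{'  ALERT' if should_alert(verdict) else ''}")
```

In practice you would run `dig +dnssec @192.168.1.31 <name>` and, on SERVFAIL, `dig +dnssec +cd @192.168.1.31 <name>`, then pass both outputs to `classify`. Pointing it at a name you know is signed gives the "real-time alert" the thread asks about: "bogus" means the resolver caught a bad signature, and "insecure" for that name means validation has silently stopped.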
AdGuard Home = $72 a year
pi-hole = free
How is AdGuard worth the cost, compared to pi-hole?

AdGuard Home you can install on Linux for free. It can be installed as a Snap, manually, or as a Docker container. Hell, you can build it from source if you want.

AdGuard APP for Android and whichever OS is not free, but AdGuard Home is free. AdGuard APP is not open source and it does more than AdGuard Home and/or Pi-Hole. AdGuard Home and Pi-Hole filter based on domain resolution. It is a very brute method. AdGuard APP filters not only based on domains, but other factors for a neater experience.