Best DNS for Privacy, Performance & ODoH Support?

I’m on a quest for a DNS solution that balances:

• Moderate anonymity
• Robust privacy and security
• Effective blocking of trackers, malware, and ads

Here’s my journey so far:

• Invizible Pro: Loved the anonymity with ODoH and Tor, but performance took a hit+vulnerablities.
• RethinkDNS: Switched for better performance, but missing official ODoH support.
• NextDNS: Offers great features, but lacks ODoH. Its cloud-based centralization concerns me.

Given these experiences, could you recommend a DNS+VPN service that:

• Supports ODoH for enhanced privacy
• Maintains high performance
• Effectively filters unwanted content

Or, is there a way to configure my current setup to achieve these goals? Any guidance would be awesome!

Thanks a ton!

The only option I know of is if your willing to self-host you could setup a dnscrypt-proxy that uses ODoH

The whole point of ODoH is that the DNS provider doesn’t know who you are. So I don’t see how a customizable ad and tracker blocking DNS provider can support ODoH. For them to know what your blocking preferences are they need to know who you are.

Your only solution, which I think is what @Parish2555 is leading to, is to run your own ad and tracker blocking DNS server. For example a self hosted PiHole instance. And then have local DNS server that is under your control get its information from a ODoH server.

I got it.

Can I know what u personally use? (just curious) + If I neglect DNS level anonymity and stick with encrypted DNS, which one I listed above would be the best trustworthy choice?

What vulnerabilities?

rdns dev here

Rethink DNS + Firewall, the Android app, supports ODoH (code).

Goto Configure → DNS → Other DNS → ODoH.

On the server side, we run a by-invitation-only ODoH Proxy (not the ODoH resolver), for anti-censorship purposes. We open-sourced our ODoH proxy implementation, which is somewhat easily hostable by anyone and is super lightweight (code repo).

An ODoH DNS resolver can unmask an ODoH client.

1. If the ODoH client sends identifiers as part of ODoH or DNS requests.
2. If the ODoH resolver requires identifiers in an ODoH request (like as part of the hostname or URL).
3. If the ODoH proxy doesn’t use connection pooling.
4. If the ODoH resolver controls DNS Zones (domain names that it controls) a ODoH client is querying.
5. If the ODoH resolver maliciously sends middleware IPs (IPs that it controls) in response to A/AAAA/HTTPS/SVCB records.
6. If the ODoH resolver and the ODoH proxy are both compromised or are colluding.
7. Via traffic analysis.

(Points 1&2, if they constitute “authentication”, are explicitly disallowed by the ODoH RFC)

Ref: RFC 9230 - Oblivious DNS over HTTPS

A wierd phenomenon happened with me which I considered as a vulnerability.

I was using Libretube and selected region which is not my country. One day, I suddenly started getting recommendations tailored to my country. I contacted the Dev of libretube, told him about it and shared the settings I was using.

He told me, “That must be your network then, LibreTube doesn’t do any fingerprinting of the client.”

how are you sure it isn’t just your network?

I think of inviziblePro as A layer(like a cube, but empty inside) of my network(thinking network as a cube) that is capable hiding my networks IP and block unwanted domains through selected pathways.

If the layer is penetrated somehow, my network details would be exposed to both installed apps and websites.

Apps installed can get to know my IP(even if they are privacy friendly) when they pass data through that hole.

Thats just my analogy, I could be wrong. I would appreciate any sort of corrections here.