Contemplating DNS Resolvers

FlipSid · March 4, 2024, 7:00pm

Since I have changed my setup, for now, away from VPN, with GrapheneOS I have been contemplating a suitable DNS Resolver.
For now I am using Quad9, and “happy” so far but have dns0 .eu and dns0.eu/zero as runner up.
Since the contemplating is starting to cause me to think about it more than I want to, haha I figured I would ask here to try and get more insight, other than what I am able to find online.
They all seem reputable, have good partnership with threat intelligence companies…
The main question I have, does it matter? Or is it just one of those "over thought things and no problem as long as one stays in a certain gathering of them?
Gathering meaning the list here, or other sources. After checking the privacy policy of course…

exaCORE · March 4, 2024, 7:11pm

Any of the options recommended by PG are good choices. I use Quad9 and Mullvad (for ad blocking) personally and both work well.

FlipSid · March 4, 2024, 7:39pm

Thank you for your reply.
So it seems more or less to “not matter” if one stays in the recommendations?!

Given the distance is not too far as well.

I’ll just leave it with quad9 and just for fun maby try dns0.eu(/zero)

For me Vanadium (or Brave) block the content.
I was (am) looking for added security…

exaCORE · March 4, 2024, 7:53pm

I believe all the recommendations use Anycast which means it selects a server close to you

Yep

archerallstars · March 4, 2024, 8:00pm

I also use Quad9 when I am not on VPN.

Your choice of DNS does matter, see:

Most probably use Cloudflare 1.1.1.1 or Google 8.8.8.8, and probably not even know about 1.1.1.2, Quad9, etc. that can filter out some malware at DNS level. But most importantly, it’s the easiest thing you can do to improve your security, often with zero cost. So, why not?

exaCORE · March 4, 2024, 8:03pm

Right but within the recommendations of PG it doesnt have too much of an issue (malware blocking may be something that @FlipSid would want to consider though).

FlipSid · March 4, 2024, 8:46pm

Not worried about content blocking.
I’ll let the Browser do that. What ever Vanadium (or Brave) has set up.
It’s added security (malware blocking) that is the objective.
It probably would be possible to find a DNS Resolver that can do both. But for my self, I’m focused on a Resolver that is focused on Security
Edit thanks for the video @archerallstars got something to whatch during night shift

Then again, I have no idea what malware blocking my ISP has set up, given I haven’t had any issues with it since I have been using mobile phones.
At least none that I know of…

Anyway thanks for the input

xe3 · March 4, 2024, 10:18pm

Quad 9 or NextDNS are both great options with respect to malware blocking. NextDNS has the added benefit of being useful for ad/tracker blocking as well (or blocking anything else you want to block) and being one of the most configurable and flexible DNS services. It sounds like these other features don’t matter much to you, in which case there isn’t really much reason to prefer one over the other (jurisdiction maybe?),

I believe the video @archerallstars posted goes into more detail on the topic of DNS level malware blocking (if its the same video I am thinking of). Its worth a watch if you want more details. If not, the TL;DR is Quad9 excels at malware blocking, and a well configured NextDNS exceeds quad 9 marginally.

FlipSid · March 4, 2024, 10:59pm

More or less trying to keep it simple @xe3

Maby I’ll check NextDNS out again, just not too sure how far I will get with 300K query’s on the free tier

My phone is basically my PC

archerallstars · March 4, 2024, 11:09pm

My concern with NextDNS, other than the 300K limit, is that the service will keep your log by default, which seems to contrary to its privacy policy #3:

If not specifically requested by the user, no data is logged.

If this is not worse yet, you can’t access the dashboard on your free account after 7 days. Which means, after 7 days, you have no way to know/recheck whether you disabled the logging. The only thing you can do is to create a new profile and make sure the logging is disabled, that’s if you don’t prefer the service to keep your log.

FlipSid · March 4, 2024, 11:24pm

Or create a account…
Other than that I could give RethinkDNS a shot
That is if I wanted to switch from Quad9

xe3 · March 5, 2024, 1:37am

In that case I think there is no reason for you to switch away from Quad9

Aminda · March 9, 2024, 12:58pm

I am mostly using DNS0.eu and Mullvad Base.

I don’t have concern with their privacy policies and I hope to see some benefit of DNS0.eu having private ECS over not having it at all (Mullvad). DNS0 is also nice at family as they are quick to block malicious domains and those can be reported through many methods including webpage (which also allows false positive reporting) and a Telegram bot (although I wish they send some sort of read-receipts).
https://www.dns0.eu/privacy

So far I have seen just two false positives, more significantly git.disroot.org.

Mullvad Base I again mostly use on mobile where there isn’t so diverse selection of content blockers available and my only issue with them is not having a server in Finland, while Sweden is close enough.

Update: this thread inspired me to look into the DNS page after a long break and I noticed that it doesn’t make distinguishion between private ECS and normal ECS, which made this an issue time

github.com/privacyguides/privacyguides.org

DNS section doesn't consider private ECS

opened 01:12PM - 09 Mar 24 UTC

Mikaela

t:correction

### Affected page https://www.privacyguides.org/dns/ ### Description The page… simultaneously states that AdGuard DNS has ECS, NextDNS and Quad9 make it optional, and PrivacyGuides requirement is that there is no ECS or it can be disabled. This is partially incorrect as both AdGuard and NextDNS privatize it, while Quad9 doesn't. While ECS generally tells the authoritative nameserver the client's subnet, private ECS lies about that a bit and brackets users (see sources below). So what I am suggesting is changing AdGuard's "yes" to "private", NextDNs "optional" to "optionally private" while keeping Quad9 as "optional" and explaining what ECS and private ECS are about if not just linking to upstream sources. ### Sources - https://adguard.com/en/blog/private-dns-v0-3-beta.html - https://medium.com/nextdns/how-we-made-dns-both-fast-and-private-with-ecs-4970d70401e5 - https://scribe.rip/nextdns/how-we-made-dns-both-fast-and-private-with-ecs-4970d70401e5 - https://www.quad9.net/support/faq/#edns (I have been noting these for my personal use [in my dotfiles repo](https://gitea.blesmrt.net/mikaela/shell-things/src/branch/master/etc/resolv.tsv).) ### Before submitting - [X] I am reporting something that is verifiably incorrect, not a suggestion or opinion. - [X] I agree to the [Community Code of Conduct](https://www.privacyguides.org/en/code_of_conduct/).

FlipSid · March 9, 2024, 1:27pm

Yes dns0 is interesting as well.
Decided to run the dns0/zero version, as Vanadium does have content blocking and I trust the dev to “do it or have it right”
Why Zero a test?
The Page reads it’s self interesting, but I don’t know for sure if Quad9 has all the NRD blocked that dns0 writes.
Probably, in the long run, I’ll just use either
When I have more time again I’ll go over the TI partners

Aminda · March 9, 2024, 2:29pm

Be warned that NRD blocking may cause breakage if you use decentralised applications where the other party may control which domain gets used or you attempt to use it on a server that hosts a federated protocol server.

I was trying to use it on a phone for a while, but hit a roadblock with SimpleX when multiple people started selfhosting and changed receiving address for me and I was unable to communicate with them as they wanted to receive messages through a server that DNS0 Zero was blocking

I can imagine similar happening on server side with Matrix, XMPP, ActivityPub or anything similar. Or someone could just be forced to move a domain quickly (like happened to PrivacyGuides itself) and then get locked for you for 30 days.

overdrawn98901 · March 9, 2024, 5:57pm

I go straight to the horses mouth using Unbound with a fallback to Quad9.

BionicBison · March 10, 2024, 4:35am

Where are you getting that information? I see no mention of this limitation on NextDNS’s website, and this was not my experience as a free user a few years ago, nor is it the experience of my friend who is currently a free user.

archerallstars · March 10, 2024, 5:22am

Sorry, it’s a temp. account (which is free also). I mixed it with a free user account.

noodle · March 10, 2024, 9:18am

Any reason why you stopped using a VPN?

FlipSid · March 10, 2024, 1:07pm

After reading these 3 articles, and a slow down in download speed I figured to drop it for now.
Haven’t gone back since. (Well only one month so far.
Before “panic”:
Compare sources and decide what’s best for you.
Anyway enough rambling, here are the links;
https://madaidans-insecurities.github.io/vpns.html

gist.github.com

https://gist.github.com/joepie91/5a9909939e6ce7d09e29

vpn.md

# Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

*Note: The content in this post does not apply to using VPN for their intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party "VPN provider" does.*

- A Russian translation of this article can be found [here](https://tdemin.github.io/posts/2017-08-13-dont-use-vpn-services_ru), contributed by Timur Demin.
- A Turkish translation can be found [here](https://write.as/nwz9t04yfjwlv0yj.md), contributed by agyild.
- There's also [this article](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) about VPN services, which is honestly better written (and has more cat pictures!) than my article.

This file has been truncated. show original

Maby one day I will go back. Who knows
On a side note, let’s keep this thread contemplating DNS Resolvers

Topic		Replies	Views
RethinkDNS (DNS Provider) Tool Suggestions	1	601	December 6, 2023
Technitium DNS Server (Self-Hosted) Tool Suggestions	4	1058	March 16, 2024
The Privacy DNS Chooser Script (for Linux) Project Showcase	18	776	January 5, 2024
Questions Regarding DNS Questions	61	836	January 21, 2024
Android private DNS vs Adblocking Browser? Privacy	3	803	June 10, 2023

Contemplating DNS Resolvers

Related Topics