2y ago

Best DNS for privacy?

I read a bit about using a different DNS for Privacy and I think the best one should be quad9? Or is there anything better except self hosting a DNS?

47 comments

- Yes, but what does it use?
  
  Authoritative name servers.
  Good enough write-up about it here: https://docs.pi-hole.net/guides/dns/unbound/
- Use your own.
  That may not always be the best way to go, as it'll make fingerprinting also much easier. The more custom your setup is, the less there are like you, the easier your tracked by fingerprinting techniques.
  Not saying it's bad per se, but the idea that trusting no one and setting everything up yourself is always more private isn't true either. Both providers and do-it-yourself have negative sides one should stay critical about.
  
  How using selfhosted DNS makes you easier to be tracked?
I use Quad9 for my upstream.
- This!
Using NextDNS for quite long time
I'm using dnscrypt combined with a firewall app. RethinkDNS on android and postmaster on pc.
I use cloudflare dns
There's OpenNIC, which is run by a community.
Check out this guide on How to configure NextDNS
I'm not an expert on what makes a "good DNS", but I have been using a pi-hole for about 5 years and it has been super stable the whole time, despite my best efforts.
The one from your ISP. Your ISP can see your traffic anyway, so you gain nothing by using a third-party DNS server.
- Okay, maybe I got the question wrong. If you care about content blocking, then you are right (though I'd prefer self-hosted resolvers like pi-hole or AdGuard Home over third party resolvers).
- As far as I read (I'm no expert!) they could check the SNI of the TLS handshake if they want. But using the DNS of the ISP is handing them the data right in a way they can analyze/use them very easily afaik?
  Still learning about this topic!
  
  They route your traffic, hence they can see all IP addresses you communicate with. With a reverse lookup you can then usually find out the address too.
- Even if you use DOH for upstream servers?
  
  In the end it comes down to what your goals is. DOH indeed hides DNS queries from sniffers and your ISP, but the traffic between you and your destination is still visible for the ISP (unless you use a VPN or TOR).
  If you only care about the content blocking aspect a third party resolver may make sense as @CrazyClown@lemmy.ca explained below.
- HA! My ISP injects ads into search results with their DNS. No thanks!
- Mt ISP can't see my traffic or my DNS lookups lol
  
  Congrats but then you are using more than just another DNS resolver/different DNS technology.
Want something that works fast? NextDNS, Adguard or DNSwatch
Want something a bit more complicated but better for privacy? Setup PiHole + DNSCrypt proxy with anonymized DNS
I use NextDNS, but also use Cloudflare sometimes.
I use DNS from Applied Privacy i don't know if it good or not and Intra app for android.
There is never one that is the "best". You just have to choose one based on what fits you and your view point.
There are many places that list DNS providers: DNSCrypt, Privacy Guides, and Privacy Raccoon are just some.
/etc/hosts
Quad9 is decent, but there's some weird legislative issues (they can be court ordered to not resolve certain sites) BC weird reasons.
If you have a raspberry pi or similar sitting somewhere, you can set up a pihole DNS with unbound as upstream. Then you've got a DNS that's as private as you want, locally cached and with additional ad/malware/... blocking capabilities.

47 comments