Battle: Which DNS would you choose for security and content blocking?

alakazam

Level 7
Mar 25, 2014
335
No need to install anything; just set it up in your router, Windows, or a browser by entering four numbers, and that is all. You can test various DNS services for effectiveness.


Or you can use this utility for a quick setup. Pick Family Safe DNS List, pick one DNS and Apply DNS.

How do I return to my original IP if I decide I no longer want to use the DNS?
 

monkeylove

Level 6
Mar 9, 2014
249
How do I return to my original IP if I decide I no longer want to use the DNS?
At least for a Windows PC, check out programs like DNS Jumper, which also comes with a tester:

 

Stopspying

Level 12
Verified
Jan 21, 2018
562
I've used DNSJumper a lot in the past but now I stick to AdGuard DNS.

I use NextDNS on all of my devices.

I used AdGuard DNS on my parents' devices and advised friends to use it, but they were annoyed by the fact that it blocked the links Google gives you for "shopping", so I resorted to Quad9 in their cases.
AdGuard does make using commercial sites a bit of a pain for this reason, but I'd rather they did this than have Google slurp up even more about my online activities; a bit of extra tweaking as and when I want to access certain sites isn't too much of a hassle.
 

valvaris

Level 4
Verified
Jul 26, 2015
190
Changed things up again. Went away from NextDNS to commercial ones like 1.1.1.2 / 1.0.0.2 @853 DoT, with Quad9 as fallback. For content control I built an OPNsense firewall with Sensei from Sunny Valley, plus the uBlock Origin extension in Edge Chromium.

Have to say the performance is nice, and reporting with exclusions for lists is as easy as just clicking the checkmark and go...

PC refers to local DNS 192.168.100.254 -----> Firewall (OPNsense with Unbound by default) uplink <-----DoT-----> Cloudflare / Quad9

Sincerely
Val.
 
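The "test various DNS services for effectiveness" idea from alakazam's post, the tester bundled with DNS Jumper that monkeylove mentions, and valvaris's setup of 1.1.1.2 / 1.0.0.2 over DoT on port 853 with Quad9 as fallback all come down to the same two pieces: send a DNS query to a chosen resolver and look at how it answers. The block below is an added example written for this thread; it is not code from any poster or from DNS Jumper, Cloudflare, Quad9 or OPNsense. It builds and parses DNS messages with the standard library only, classifies an answer as resolved, blocked by NXDOMAIN, or blocked by a sinkhole address (0.0.0.0 / ::, the two signalling styles blocking resolvers use), and sends the query over DNS-over-TLS to a list of resolvers in order, moving to the next one when a connection fails. The resolver IPs and TLS names are Cloudflare's and Quad9's public ones; the sinkhole list, the function names and the sample responses in `demo()` are this example's own constructions, not captured traffic.

```python
# Added example (not from the thread): DNS block tester plus a DoT client with resolver fallback.
import random
import socket
import ssl
import struct

# Sinkhole addresses blocking resolvers commonly answer with instead of NXDOMAIN (illustrative list).
SINKHOLES = {"0.0.0.0", "::", "127.0.0.1", "::1"}
# Resolver order as in the post: Cloudflare 1.1.1.2/1.0.0.2 first, Quad9 as fallback; TLS names are the public ones.
RESOLVERS = [("1.1.1.2", "security.cloudflare-dns.com"), ("1.0.0.2", "security.cloudflare-dns.com"),
             ("9.9.9.9", "dns.quad9.net"), ("149.112.112.112", "dns.quad9.net")]

def build_query(name, qtype=1, txid=None):
    """Wire-format query for `name` (qtype 1 = A, 28 = AAAA), RD set, random ID unless given."""
    txid = random.getrandbits(16) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(msg, off):
    """Offset just past a (possibly compressed) name starting at `off`."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_answer(msg):
    """Return (rcode, [A/AAAA addresses in the answer section]) of a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):               # question entry: name + qtype + qclass
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return flags & 0x000F, addrs

def classify(rcode, addrs):
    """How (or whether) the resolver blocked the name."""
    if rcode == 3:
        return "blocked (NXDOMAIN)"
    if rcode != 0:
        return f"error (rcode {rcode})"
    if not addrs:
        return "no address (NODATA)"
    return "blocked (sinkhole)" if all(a in SINKHOLES for a in addrs) else "resolved"

def query_dot(name, servers=RESOLVERS, qtype=1, timeout=3.0):
    """Query over DNS-over-TLS (RFC 7858, port 853), trying resolvers in order until one answers.
    The certificate is validated against the system trust store and the expected hostname."""
    ctx, query, last_err = ssl.create_default_context(), build_query(name, qtype), None
    for ip, tls_name in servers:
        try:
            with socket.create_connection((ip, 853), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
                tls.sendall(struct.pack("!H", len(query)) + query)   # 2-byte length prefix (TCP/TLS framing)
                stream = tls.makefile("rb")
                (length,) = struct.unpack("!H", stream.read(2))
                return ip, classify(*parse_answer(stream.read(length)))
        except (OSError, ssl.SSLError, struct.error) as err:
            last_err = err            # fall through to the next resolver
    raise RuntimeError(f"all resolvers failed: {last_err!r}")

def build_response(name, rcode, addrs, qtype=1, txid=0x1234):
    """Constructed response for the offline demo (not captured traffic): flags QR|RD|RA, one RR per address."""
    rrs = b""
    for a in addrs:
        fam = socket.AF_INET6 if ":" in a else socket.AF_INET
        rdata = socket.inet_pton(fam, a)
        rrs += b"\xC0\x0C" + struct.pack("!HHIH", 28 if fam == socket.AF_INET6 else 1, 1, 300, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    return header + build_query(name, qtype, txid)[12:] + rrs

def demo():
    """Classify constructed samples (made-up names); mirrors what a live tester would report per resolver."""
    samples = {"clean": build_response("example.test", 0, ["203.0.113.10"]),
               "nxdomain_block": build_response("malware.test", 3, []),
               "sinkhole_v4": build_response("ads.test", 0, ["0.0.0.0"]),
               "sinkhole_v6": build_response("ads.test", 0, ["::"], qtype=28),
               "nodata": build_response("empty.test", 0, [])}
    return {label: classify(*parse_answer(msg)) for label, msg in samples.items()}
```

To test a resolver live, call `query_dot("some-domain-you-expect-blocked.example")` with the `RESOLVERS` list trimmed to the one service under test; `demo()` runs offline on the constructed samples. Two caveats a practitioner will want: an NXDOMAIN from a blocking resolver looks identical to a genuinely non-existent name unless the resolver attaches an Extended DNS Error (RFC 8914) option, which this example does not parse; and the strict "first answering resolver wins" order here is not what Unbound does with several `forward-addr` entries in one `forward-zone`, where it picks among them by measured round-trip time rather than treating the later ones as a fallback.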

valvaris

Level 4
Verified
Jul 26, 2015
190
Why not an RPi with Pi-hole and Unbound and the ISP's DNS?
Why?

It would be another device in the network, and since OPNsense has this feature built in, it will take care of the DNS requests very reliably. :)

As for why not to use the ISP's DNS, here is a nice read from Cloudflare -> Introducing 1.1.1.1 for Families

So I do not need to take care of lists anymore, and with the Sensei (Sunny Valley) NGFW lists for Application Protection / Web Protection and Control, they work very reliably too. The reports are very good, and if something gets blocked it's as easy as 1-2-3 to troubleshoot, including which ports communicate, with stats.
Here is a read for Sensei -> Sensei: Overview — OPNsense documentation

Pi-hole:
PC ----> Pi-hole ----> Router -----> DNS

OPNsense DNS:
PC -----> OPNsense ----> DNS

Long story short, since OPNsense is your gateway, communication is shorter and all under one console/web interface. :)

Sincerely
Val.
 

SecurityNightmares

Level 36
Verified
Jan 9, 2020
2,545
The @Quad9DNS service was blocking our grapheneos.network connectivity check server for a period of time yesterday/today. It was unblocked after users reported it. It's very strange and I think it reflects quite badly on their processes for blocking supposed malware domains.
I'd really like to know why a domain using DNSSEC and running an HTTP / HTTPS server serving empty 204 responses for /generate_204 was blocked.

It doesn't serve anything else beyond redirects to GrapheneOS Frequently Asked Questions for /, a static MTA-STS configuration and 404 responses...

Maybe they accidentally block .network domains, so more than just this domain was affected, but who knows. At least it's nice to see a fast fix.
 
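The post above describes a connectivity-check server that serves empty 204 responses for /generate_204 and was, for a while, unreachable to Quad9 users because the resolver blocked the name. The block below is an added example, not code from GrapheneOS, Quad9 or the poster: it implements the client side of such a check and reports which layer failed, so that "the resolver returned nothing for the name" is told apart from "the server is down" and from "something answered, but not with the empty 204 the check expects" (the signature of a captive portal or a filter page). To run offline it starts a small stand-in server on loopback that answers exactly as the post describes; the handler class, function names and the "not found" body are this example's own.

```python
# Added example (not from the post): a /generate_204-style connectivity check that separates DNS failure,
# an unreachable server and interception, run here against a local stand-in server.
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

def classify_http(status, body):
    """A check passes only on an empty 204; a redirect usually means a captive portal or filter page."""
    if status == 204 and body == b"":
        return "online"
    if status in (301, 302, 303, 307, 308):
        return "intercepted (redirect)"
    return f"unexpected response ({status}, {len(body)} bytes)"

def probe(host, port=80, path="/generate_204", timeout=5.0):
    """Resolve `host`, fetch `path`, and say which layer failed if the check does not pass."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        conn.close()
        return classify_http(resp.status, body)
    except socket.gaierror:            # name did not resolve: NXDOMAIN, or a resolver that blocks it
        return "dns failure"
    except OSError as err:             # resolved, but no server answered (refused, timeout, unreachable)
        return f"unreachable ({type(err).__name__})"

class CheckHandler(BaseHTTPRequestHandler):
    """Stand-in for a connectivity-check server: empty 204 on /generate_204, 404 for anything else."""
    def do_GET(self):
        if self.path == "/generate_204":
            self.send_response(204)
            self.end_headers()
            return
        body = b"not found"
        self.send_response(404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):      # keep the demo quiet
        pass

def start_local_server():
    """Serve CheckHandler on a free loopback port in a daemon thread; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), CheckHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def free_port():
    """A loopback port with nothing listening, to show the 'unreachable' outcome."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def demo():
    """Run the probe against the local stand-in and against a closed port."""
    srv, port = start_local_server()
    try:
        return {
            "check_ok": probe("127.0.0.1", port),
            "wrong_path": probe("127.0.0.1", port, path="/"),
            "no_server": probe("127.0.0.1", free_port()),
        }
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

Pointing `probe()` at a real check host while the system resolver is one of the blocking services in this thread is the quickest way to reproduce the failure the post describes: the `dns failure` branch fires with no packet ever reaching the server, which is why a block on the resolver side looks to the device like the network itself is down.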