My ISP is AT&T (located in the U.S.) and I have issues loading random websites. I currently have Google DNS set in my router, which works great. But I’m guessing there’s a better, more private, option?
I recently switched to NextDNS. I used to run my own AdGuard Home with multiple DNS providers as upstreams.
NextDNS is the move; the clients are open source and they encrypt everything. Plus their free option covers all my devices, no problem. Highly recommended!
If you need a traditional, unencrypted DNS service, check out Quad9 and AdGuard’s Public DNS. If you can use DoT or DoH, use LibreDNS or Mullvad DNS. If you want more customization, check out NextDNS.
Regular DNS can be monitored, intercepted, and modified however your ISP decides, even with you specifying custom DNS servers.
I run Pi-hole on my LAN, with cloudflared as its upstream DNS. cloudflared translates regular DNS into DoH, using Cloudflare and Quad9 as the upstream DoH providers (configurable).
Finally, I block all port 53 (DNS) traffic at the router so it cannot leave my LAN. All LAN devices that want regular DNS are forced to use the LAN DNS server, which wraps their requests in DoH for them (as well as blocking ads, tracking/telemetry, and known malware sites).
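The setup described in this post (cloudflared as a DoH forwarder for Pi-hole, plus a router rule so plain port 53 cannot leave the LAN), as an added example that is not from the poster. It assumes an nftables-based router, a Pi-hole at 192.168.1.2 on interface br-lan (both placeholders), and goes slightly beyond the post by also redirecting stray port-53 queries to the Pi-hole instead of only rejecting them.

```sh
#!/bin/sh
# Constructed example: addresses and interface name are assumptions, override via env.
PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"
LAN_IF="${LAN_IF:-br-lan}"

# The cloudflared command Pi-hole points at as its upstream (127.0.0.1#5053).
# Plain DNS arriving on 5053 is re-sent as DoH (TCP 443) to the listed resolvers,
# so the Pi-hole host itself never needs outbound port 53.
cloudflared_proxy_cmd() {
  printf '%s' "cloudflared proxy-dns --address 127.0.0.1 --port 5053 \
--upstream https://1.1.1.1/dns-query --upstream https://dns.quad9.net/dns-query"
}

# nftables ruleset for the router. Any LAN client that tries to talk plain DNS to
# something other than the Pi-hole is first redirected to it (nat/prerouting); the
# forward rule is a backstop that refuses whatever still tries to leave on port 53.
# Caveat: a device with a hard-coded DoH/DoT resolver is not caught by port-53 rules.
dns_egress_ruleset() {
  cat <<EOF
table inet dns_egress {
  chain prerouting {
    type nat hook prerouting priority -100; policy accept;
    iifname "$LAN_IF" ip daddr != $PIHOLE_IP meta l4proto { tcp, udp } th dport 53 counter dnat ip to $PIHOLE_IP
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
    iifname "$LAN_IF" meta l4proto { tcp, udp } th dport 53 counter reject
  }
}
EOF
}

# Load the ruleset (requires root and nft); 'check' only syntax-checks it.
case "${1:-}" in
  apply) dns_egress_ruleset | nft -f - ;;
  check) dns_egress_ruleset | nft -c -f - ;;
esac
```

Run `sh dns_egress.sh check` on the router to validate the ruleset before `apply`; Pi-hole's upstream is then set to 127.0.0.1#5053.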
What ISP do you use that makes you trust Cloudflare more than your ISP? You must really be between a rock and a hard place.
I’m not all that concerned about either, tbh; I was just already capturing DNS traffic and funneling it through Pi-hole for the customizable blocking, and figured I may as well add DoH while I’m at it.
Just sharing the knowledge for those that are interested. You can use any DoH provider you like.
Check out PrivacyGuides. They have recommendations for DNS, including what others have commented.
Light + TIF: https://sky.rethinkdns.com/1:AAkACAQA
Normal + TIF: https://sky.rethinkdns.com/1:AAkACAgA
Pro + TIF: https://sky.rethinkdns.com/1:AAoACBAA
Pro plus + TIF: https://sky.rethinkdns.com/1:AAoACAgA
Ultimate + TIF: https://sky.rethinkdns.com/1:gAgACABA
Light + TIF: https://dns.dnswarden.com/00000000000000000000048
Normal + TIF: https://dns.dnswarden.com/00000000000000000000028
Pro + TIF: https://dns.dnswarden.com/00000000000000000000018
Pro plus + TIF: https://dns.dnswarden.com/0000000000000000000000o
Ultimate + TIF: https://dns.dnswarden.com/0000000000000000000000804
Light: https://freedns.controld.com/x-hagezi-light
Normal: https://freedns.controld.com/x-hagezi-normal
Pro: https://freedns.controld.com/x-hagezi-pro
Pro plus: https://freedns.controld.com/x-hagezi-proplus
Ultimate: https://freedns.controld.com/x-hagezi-ultimate
TIF: https://freedns.controld.com/x-hagezi-tif
Rethink DNS, DNS Warden, and ControlD with Hagezi blocklists via DoH/3. I highly recommend the ‘+ TIF’ ones, as they are threat intelligence feeds: up-to-date lists of bad actors/malware.
NextDNS has the ability to change the logging region to one that’s outside your government's jurisdiction.
Quad9 (9.9.9.9) is my go-to.
This tool is great for figuring out which one is the fastest for you: https://www.grc.com/dns/benchmark.htm
I use the Cloudflare DNS, but there are all kinds of AdGuard ones too. The AdGuard app itself has a big list of options for the fallback.
If you’ve never used AdGuard, check it out. It can run as a container or on a Pi; you just point your router DNS at it.
AdGuard DNS, so I can block ads in my entire house without having to invest in a Pi-hole: dns.adguard-dns.com
In regards to all the answers in this thread, consider: If you’re not paying for it with money, then what are you paying for it with?
The most private DNS is a recursive resolver.
Go directly to the root.