I've been looking for something like this for quite some time. I was hoping Cloudflare will offer it but they haven't
My main questions are
How do we know if we can trust them with our data?
How fast are they compared to Cloudflare ?
I wish there was something like Signal but for DNS. Similar in the way that you don't have to trust them to know they are not doing nefarious things with your dns queries.
I know I can install Pihole in my home network, but I want something that works on every network
This is really groundbreaking but it got less noise than I thought it would.
Adhell (an app that is capable of doing system wide ad blocking along with many other things thanks to Knox which is Samsung-only capability) was the main reason I stayed with Samsung for years. Now every phone with Android Pie will be to use dns based ad blocking in all networks without running an annoying app in the background.
For $5/month you can roll your own OpenVPN server with Digital Ocean and it will. [0] Bonus: your cellular ISP can't see your traffic and you're automatically protected at coffee shops.
Downside: Battery life takes a slight hit due to encryption.
Digital ocean has not nearly as much of an incentive in selling or tracking the huge amounts of traffic that goes over most of their B2B customers, while your ISP wants to up that ARPU number from every B2C customer in every way possible. And you can switch your cloud server provider easily, your local monopoly ISP not so much. Digital ocean has far more to lose by doing that, while ISPs have a captive audience.
DO will forward those torrent scare / spam server abuse emails ASAP, so they won't be good for that kind of stuff.
Sure. Someone can see my traffic. You're never anonymous on the Internet. But, as other commenters have said, it's a matter of aligning incentives: the likelihood that DigitalOcean will take any notice of my measly account is much lower than my ISP, which would love to know what I'm up to. If that incentive estimation changes, I'm off to a different solution.
It's true. You can reduce risk by using an ethical company. I recommend Prgmr.com over DO. Not just cuz they kindly host Lobste.rs for free. Ive watched one's comments for years plus how they discuss downtime or vulnerabilities kn their blog. They consistently seem like straight-forward, honest business. Low likelihood of nefarious stuff.
Good to know. I experienced the same when I set up algo on Scaleway recently. I considered Digital Ocean as an alternative, but ended up using Hetzner Cloud (which I now prefer, since it is cheaper and based in Germany). No access issues with appleid.apple.com anymore.
If many hosts get abused (usually due to people setting up a quick VM for a task and forgetting to update it manually and not setting up automatic security patching) even a reputable hosting service becomes a script-kiddie farm.
Perhaps this has happened with DO and Apple have blocked its host address ranges from the API due to unwitting past involvement in hack/DDoS attempts?
This is common with public VPN services that people I know have used. I have the luxury of fixed addressing and decent bandwidth at home, so I run my VPN there and have thus far not noticed any such issues. This also means that services that are location sensitive work as if I'm at home (not some random other place the VPN endpoint appears at).
You can run Pi-hole on a VPS and set that as your DNS provider on portable devices, or (depends on ISP and what ports they leave open) run it at home on a fixed IP and allow the traffic through your firewall. It can be done but is not that practical. I run Pi-hole in a LXC container on my home router (a Turris Omnia) and use ad-blocking software on portable devices that I use elsewhere. This works well enough.
I've recently installed Wireguard on one of my Pis to support this, so I can use my pihole while I've been away for the christmas break - has worked perfectly.
Admittedly not got it working on android yet but I'm under the impression that there is a way of getting Wireguard working on android
For 10$/year I am running a VPS server in Amsterdam with strongswan ([1] VPN server) and dnscrypt-proxy 2.0 ([2] DNS server which is dispersing queries to multiple DNSCrypt servers and also blocking various ads and bad agents) on it.
Finally it is incredibly simple to use nginx to serve DNS-over-TLS from your own machine (so from my dnscypt-proxy) for using on Android Pie. Works on mobile as well. [3]
The problem I have with this setup is when using networks that require you click through a captive portal. Often external DNS servers can't resolve their portals -- so you can't click through to open up to the wider internet and have to screw around flipping the DNS temp. After wondering what on earth is going on for a minute or two, as you've forgotten, again.
Just curious: Wouldn't visiting sites like http://neverssl.com work? If it doesn't, then it's a good opportunity for someone to put a static-ip behind something like http://neverssl.com
No because often they redirect you to a DNS address that only exists in their internal DNS. And that internal DNS is often to an internal only IP, so you can't VPN all your traffic. e.g. you'll go to http://neverssl.com then get bounced to http://some.internal.net which resolves to 10.10.1.1 which finally serves the portal you have to click through.
update: They say they do not log anything, and pass no information upstream to the authoritative DNS server.
------
I didn't see anything in the announcement about logging or other privacy related questions. The FAQ also didn't list this information.
The only thing they mention about privacy is how a dns request to them is protected, but not what they do with the data.
Did I miss something?
-------
Reading their privacy policy:
>We do not collect anything for tracking purposes and take all necessary technical, administrative and physical measures to protect the information we get.
>When AdGuard DNS user tries to visit a page, our server receives following information:
User’s IP-address;
DNS request which contains domain name.
>The DNS request will be forwarded to a root or authoritative DNS server, but for the upstream server it looks as if this request is originated from AdGuard DNS server, there is absolutely no way for them to identify the original user. We, in our turn, do not log or save any of this information.
I suspect this really screws with the DNS tricks used by many CDNs to route requests to near-by servers. So I would not be surprised if, when using this, YouTube, Netflix, etc, get much slower.
I see the website loading speeds are affected, but I think it is worth it. This is a good stop-gap for anyone who have not setup a pi-hole just yet but at do not want to install an app or an extension in its stead.
Prior to this, I was running Intra [0] on my Android phone to route all DNS traffic to cloudflare-dns and had been pretty happy to use it in tandem with PrivacyBadger, uMatrix, and uBlockOrigin on Firefox.
Someone suggested using AdAway [1] on rooted devices and another app that does a similar trick of running a local VPN on Android through user supplied hosts file. Great alternative.
depends whether or not they're passing EDNS0 Client Subnet data to the authoritative DNS parties, and whether those parties are listening for it / trusting it.
We embed ECS data in our requests at DNSFilter to the authoritative upstreams, and we have a large global anycast network, so even if they're not accepting it, the answer is coming from a server 'nearby' the originating dns request, so CDN requests shouldn't be affected much.
I tried this a while ago, and it broke one of my sites. No idea how or why. There are no ads on the site or problems with any ad-blockers. Put a bad taste in my mouth.
They sell their AdGuard program on Android. Because the full version of the program isn't available on the PlayStore (it breaks rules by interfering with other apps) they depend a lot on marketing and word of mouth to get new customers.
The code for their DNS servers is actually open source, so if you want the functionality without relying on AdGuard you can run your own server.
It doesn't cost that much to run a DNS server, even with DoH/DoT. You can easily serve a few million users with a milisecond latency off a cheap instance with 2GB instance.
That's not to say the cost is zero, but with with multiple caching layers (O/S, browser, router, etc), and serving same results for everyone, server costs are not very high.
Don't know how AdGuard does this, but pihole returns 127.0.0.1 for ad-serving domains. I don't know enough about DNS to guess why it does that instead of returning a failure, though my guess is that maybe doing so prevents software from falling through to a user's secondary DNS server.
I’ve been using Pi-Hole on my home network and it’s amazing. Routinely 18-20%% of DNS requests are blocked. When my wife goes out onto another network she says she is shocked at how ugly her web browsing becomes (ads on nytimes, huffpo, etc). I highly recommend it. Am using it with cloudfare’s encrypted DNS just as one more middle finger to my ISP.
A way round this, of course, is a VPN. Which is also a handy way of using an ad-blocking DNS service everywhere. My setup is documented here: https://github.com/jawj/ikev2-setup
This is why I implemented WireGuard on top of it. All the traffic is encrypted through our home network (200/20 mbit) with DNS over TLS and adblocking due to Pi-Hole. LTE, open WLAN networks, all of these work. And roaming works very well with WireGuard. The downside is the 20 mbit upload.
I use WireGuard on my router (ER-L) and Pi-Hole on the router as well, with a primary DNS on my Synology which uses Pi-Hole's Docker image [1]. Docker runs on Raspberry Pi, so I recommend you look into that route. Jessfraz wrote a howto on running WireGuard in Docker [2]
I never liked the idea of using DNS services for filtering web content.
For one, it seems like the wrong tool for the job. Filtered content can simply switch to identifying content by IP address instead of DNS, correct? Or change DNS constantly.
And for two, of course there are concerns with handing someone your DNS queries in return for filtering...
Privacy is one major reason you might want to switch to a dns provider you trust. Not to mention security as well as it isn't uncommon for ISPs or rouge actors to 'take over' domains solely using attacks via DNS.
If you're not using DNS over TLS or HTTPS, I suggest you start right now.
This particular arms race happened in the world of WWW pornography back in the 1990s. I'll leave finding examples to you.
People have been blocking stuff for decades now, and we know what the responses to some of the initial moves will be, because the world has already gone through the dance.
Depends on what your goal is. If you have children and you want to avoid accidentally seeing porn or being delivered a malicious ad, DNS based blocking can be a great tool. Also if you just want to improve the general security and performance of your home network.
On one hand, it looks pretty cool and convenient. On the other, using a DNS server requires a lot of trust.
Giving some unknown company the ability to trivially man-in-the-middle your connection or sell your browsing history is pretty scary. The fact that their code is open source helps a bit, but there's no way to tell whether the code running on their servers is the same as on github.
I believe Cisco umbrella(opendns) public resolver does similar filtering,although not sure if they have one for AD filtering.
Some mentioned trust,for me support for dns ovet https is much more important since I'd be using it over a VPN anyways. And for those thst dont,NAT and inability to correlate DNS lookups with actual (especially encrypted) traffic makes privacy a less significant concern for me.
The instructions to use adguard DNS on their website doesn't contain how to use adguard DNS over TLS with Android.
For anyone running on Android 9 (edit) or later, navigate to
Settings -> WiFi and Internet -> Private DNS
Select Private DNS provider hostname
Add dns.adguard.org (DNS over TLS)
Click save.
Visit https://googleads.g.doubleclick.net/ and you should see browser's 'Server not found' instead of Google's (disable existing ad-blockers or they might jump in and block the URL anyway)
---
For anyone on Android 4.0 or later, consider using Google's Intra [0] to use adguard DNS over HTTPS, if you prefer it over cloudflare's or google's.
OP was actually somewhat inaccurate when he said "Google's". Intra is actually by Jigsaw, a separate Alphabet subsidiary. The difference is significant as Alphabet companies, though closely tied to Google (e.g. Jigsaw's website is a Google subdomain), are run independently.
Run "independently" but financed by ad revenue, since that's where 90% of Google revenue comes from. "You can't make a person understand something if his salary depends on not understanding it".
I already use Ad Blocking on my personal phone (LineageOS + AdAway) but my wife's phone is still stock Android and without an Ad Blocker. Intra + AdGuard just fixed that. Goodbye pervasive tracking
Cloudflare should really make an address like dns.cloudflare.com, too.
1dot1dot1dot1.cloudflare-dns.com is cute as an "inside joke" of sorts, but to most people who don't know about IPs and such it would be easier to use the former.
Misleading claim: any external DNS server is not private. Your requests are directed to a third-party. I suspect data-mining you is how they pay their server bills.
The correct technical solution for privacy is running your own DNS server locally.
How is it being monetized? I have become more and more suspicious of “free” privacy services. Unless there is an exchange of money for a service, it is highly likely that eventually the company will either fold, or decide to sell the previously private information.
You can use hololo DNS changer on the Play store to point to a permanent DNS server. I did this and built my own version of pi hole... The stats are at opens3.net and so is the DNS service. Blocks 140000 domains
There's lots of "privacy" improving DNS servers, but none of them mention trying to remove unintentional DNS queries.
It turns out lots of things will resolve anything that looks vaguely like a hostname to see if, in fact, they are a hostname. eg, "untitled.pdf". These queries get passed to your ISP, and then on towards the root name servers. So if you run a large nameserver, you quickly find that most of your DNS queries are very obviously rubbish.
With DNSSEC there are two new records (NSEC, NSEC3), that let you say "between these two names, I guarantee there is no valid records". Thus if your nameserver supports this, it can say "there are no valid names between .pccw and .pe, and thus anything that ends with .pdf is invalid". NSEC and NSEC3 records can both be cached and your resolver can synthesise NXDOMAIN records for them. (See RFC8198 for details).
So, instead of spraying queries for "untitled.pdf" across the internet, you can quickly, and efficiently return NXDOMAIN.
Another cause of these is search paths, when you look up "news.ycombinator.net", if that resolution fails, it will try adding the search path, eg: "news.ycombinator.net.example.org", again, leaking typos, and filenames to everyone in your search path.
If you actually value your privacy, this is the first step that you should take.
The easiest solution to that, that has been known for many years, and the actual first step that one has been able to take for quite some time now, is running one's own root content DNS server on the LAN. DNS traffic for queries that use invalid top-level domains never escapes the LAN and never even reaches an ISP.
It's a fairly simple exercise in content DNS service. I actually set my machines up with a root content DNS server each.
At DNSFilter we solve for this by loading the list of valid TLDs from official sources every few hours and immediately rejecting invalid TLD requests. Works great for those who have mis-configured their LAN DNS and are sending us all their companydomain.lan traffic.
Doesn't solve for cases where it's a valid TLD, but the domain doesn't have a valid DNS record. Guess it would depend if the TLD in question is publishing said dnssec record.
I'm not sure this works the way you say it works. NSEC records are provided by authority servers; they're a way for the delegated owner of "." to say that there aren't zones between .PCCW and .PE. They work because they have chained signatures. A recursive server can't generate NSEC records for the DNS root, and, obviously, wouldn't have to; any DNS server, DNSSEC or not, can accomplish what you're talking about with a simple "if" statement.
Slightly out-of-topic: I am running an own bind9 internally on a bananapi. I'd like to combine this with the functionality of a pi-hole, ideally without needing to set-up a new raspberry for it. I tried several searches on how to combine the exclusion lists of pi-hole with bind9, to no avail. Does anbody know a simple solution for this (I know I could run bind9 in a different port and install the pi-hole binary on the same machine, but this is beside the point).
110 comments
[ 4.4 ms ] story [ 181 ms ] threadMy main questions are How do we know if we can trust them with our data? How fast are they compared to Cloudflare ?
I wish there was something like Signal but for DNS. Similar in the way that you don't have to trust them to know they are not doing nefarious things with your dns queries.
I know I can install Pihole in my home network, but I want something that works on every network
That would not be in their best interest, I'd imagine, as CF probably hosts loads of sites you'd want to filter.
I found that pihole did too much so wrote my own. I dont think it has any users, except in my house but it seems to work
https://github.com/time4tea-net/py-hole/blob/master/README.m...
Downside: Battery life takes a slight hit due to encryption.
[0] https://www.digitalocean.com/community/tutorials/how-to-bloc...
The thought is, Who do you trust more with your traffic data? Your ISP or a VPN provider? (In this case DigitalOcean)
DO will forward those torrent scare / spam server abuse emails ASAP, so they won't be good for that kind of stuff.
Perhaps this has happened with DO and Apple have blocked its host address ranges from the API due to unwitting past involvement in hack/DDoS attempts?
This is common with public VPN services that people I know have used. I have the luxury of fixed addressing and decent bandwidth at home, so I run my VPN there and have thus far not noticed any such issues. This also means that services that are location sensitive work as if I'm at home (not some random other place the VPN endpoint appears at).
Admittedly not got it working on android yet but I'm under the impression that there is a way of getting Wireguard working on android
Disclosure. I work at ba.net
I also keep nginx to avoid pinging Apple or Google for checking if internet works (captive.apple.com, http://connectivitycheck.gstatic.com/generate_204 are re-routed to my own server).
Finally it is incredibly simple to use nginx to serve DNS-over-TLS from your own machine (so from my dnscypt-proxy) for using on Android Pie. Works on mobile as well. [3]
[1] https://strongswan.org/ [2] https://github.com/jedisct1/dnscrypt-proxy [3] https://github.com/jedisct1/dnscrypt-proxy/wiki/Connecting-t...
------
I didn't see anything in the announcement about logging or other privacy related questions. The FAQ also didn't list this information.
The only thing they mention about privacy is how a dns request to them is protected, but not what they do with the data.
Did I miss something?
-------
Reading their privacy policy:
>We do not collect anything for tracking purposes and take all necessary technical, administrative and physical measures to protect the information we get.
>When AdGuard DNS user tries to visit a page, our server receives following information: User’s IP-address; DNS request which contains domain name.
>The DNS request will be forwarded to a root or authoritative DNS server, but for the upstream server it looks as if this request is originated from AdGuard DNS server, there is absolutely no way for them to identify the original user. We, in our turn, do not log or save any of this information.
https://adguard.com/en/privacy/dns.html
Prior to this, I was running Intra [0] on my Android phone to route all DNS traffic to cloudflare-dns and had been pretty happy to use it in tandem with PrivacyBadger, uMatrix, and uBlockOrigin on Firefox.
Someone suggested using AdAway [1] on rooted devices and another app that does a similar trick of running a local VPN on Android through user supplied hosts file. Great alternative.
[0] https://getintra.org/
[1] https://adaway.org/
We embed ECS data in our requests at DNSFilter to the authoritative upstreams, and we have a large global anycast network, so even if they're not accepting it, the answer is coming from a server 'nearby' the originating dns request, so CDN requests shouldn't be affected much.
Edited to add: But I like the idea.
The code for their DNS servers is actually open source, so if you want the functionality without relying on AdGuard you can run your own server.
https://github.com/AdguardTeam/AdguardDNS
That's not to say the cost is zero, but with with multiple caching layers (O/S, browser, router, etc), and serving same results for everyone, server costs are not very high.
Edit: Apparently it is. https://pi-hole.net/2018/05/18/nxdomain-and-null-blocking-wi...
Curious how you set this up? I see cloudflare as an option in the pihole settings but doesn't appear to be encrypted? (at least as a default)
https://docs.pi-hole.net/guides/dns-over-https/
https://dnscrypt.info/
https://github.com/pi-hole/pi-hole/wiki/DNSCrypt-2.0
Encrypted SNI is a thing on the horizon that'll let us give the dual middle finger to our ISPs. As far as I know, it is not here now though.
This is why I implemented WireGuard on top of it. All the traffic is encrypted through our home network (200/20 mbit) with DNS over TLS and adblocking due to Pi-Hole. LTE, open WLAN networks, all of these work. And roaming works very well with WireGuard. The downside is the 20 mbit upload.
[1] https://github.com/pi-hole/docker-pi-hole
[2] https://blog.jessfraz.com/post/installing-and-using-wireguar...
So this is not for everybody.
Local solution. I remember this url from memory, "install" on every device/router I touch.
Notable differences between it and Pi-Hole:
1. Easy to set up and use. It's just a single binary, everything you need is inside.
2. Supports every DNS encryption protocol out-of-the-box: DNS-over-HTTPS, DNS-over-TLS, DNSCrypt.
3. Can run on any platform (even on Windows since today).
For one, it seems like the wrong tool for the job. Filtered content can simply switch to identifying content by IP address instead of DNS, correct? Or change DNS constantly.
And for two, of course there are concerns with handing someone your DNS queries in return for filtering...
If you're not using DNS over TLS or HTTPS, I suggest you start right now.
If you're undecided abt DNS based adblock, consider reading this blog post: https://www.troyhunt.com/mmm-pi-hole/
The NYT could serve their ads from NYT servers instead of nagging you to turn off adblock and continue with their 3rd party ad providers.
So they are not doing that, so I doubt cirumventing DNS adblock will be something that they will care much about either.
People have been blocking stuff for decades now, and we know what the responses to some of the initial moves will be, because the world has already gone through the dance.
I wouldn't use a third party service for that, preferring instead to use pihole.
Correct, but probabaly better then to give it to Google or your ISP for free!
Giving some unknown company the ability to trivially man-in-the-middle your connection or sell your browsing history is pretty scary. The fact that their code is open source helps a bit, but there's no way to tell whether the code running on their servers is the same as on github.
I'll stick with my pihole/hostsman [0]
[0]: http://www.abelhadigital.com/hostsman/
https://github.com/AdguardTeam/AdGuardHome
Some mentioned trust,for me support for dns ovet https is much more important since I'd be using it over a VPN anyways. And for those thst dont,NAT and inability to correlate DNS lookups with actual (especially encrypted) traffic makes privacy a less significant concern for me.
For anyone running on Android 9 (edit) or later, navigate to
Settings -> WiFi and Internet -> Private DNS
Select Private DNS provider hostname
Add dns.adguard.org (DNS over TLS)
Click save.
Visit https://googleads.g.doubleclick.net/ and you should see browser's 'Server not found' instead of Google's (disable existing ad-blockers or they might jump in and block the URL anyway)
---
For anyone on Android 4.0 or later, consider using Google's Intra [0] to use adguard DNS over HTTPS, if you prefer it over cloudflare's or google's.
Install Intra.
Open the app, click on Settings.
Choose customer URL and paste: https://dns.adguard.com/dns-query
Be sure to 'lock the app' to prevent it from being killed in the background.
[0] https://getintra.org
Perhaps more important is that the project is also open source: https://github.com/Jigsaw-Code/intra
I already use Ad Blocking on my personal phone (LineageOS + AdAway) but my wife's phone is still stock Android and without an Ad Blocker. Intra + AdGuard just fixed that. Goodbye pervasive tracking
The correct technical solution for privacy is running your own DNS server locally.
> We will never sell your data or use it to target ads. Period.
> We’ve retained KPMG to audit our systems annually
The ISP can still see requests the local DNS server sends to the Internet
As mentioned in some other replies here, you can use vanilla DNScrypt [0] or cloudflared [1], or Pi-Hole with either one enabled, etc.
[0] https://dnscrypt.info/implementations/ [1] https://developers.cloudflare.com/1.1.1.1/dns-over-https/clo...
It turns out lots of things will resolve anything that looks vaguely like a hostname to see if, in fact, they are a hostname. eg, "untitled.pdf". These queries get passed to your ISP, and then on towards the root name servers. So if you run a large nameserver, you quickly find that most of your DNS queries are very obviously rubbish.
With DNSSEC there are two new records (NSEC, NSEC3), that let you say "between these two names, I guarantee there is no valid records". Thus if your nameserver supports this, it can say "there are no valid names between .pccw and .pe, and thus anything that ends with .pdf is invalid". NSEC and NSEC3 records can both be cached and your resolver can synthesise NXDOMAIN records for them. (See RFC8198 for details).
So, instead of spraying queries for "untitled.pdf" across the internet, you can quickly, and efficiently return NXDOMAIN.
Another cause of these is search paths, when you look up "news.ycombinator.net", if that resolution fails, it will try adding the search path, eg: "news.ycombinator.net.example.org", again, leaking typos, and filenames to everyone in your search path.
If you actually value your privacy, this is the first step that you should take.
It's a fairly simple exercise in content DNS service. I actually set my machines up with a root content DNS server each.
* http://jdebp.eu./Softwares/nosh/guide/services/djbdns.html#D...
* http://cr.yp.to/dnsroot.html
Search paths are a subject in their own rights.
* http://jdebp.eu./FGA/web-fully-qualified-domain-name.html
Doesn't solve for cases where it's a valid TLD, but the domain doesn't have a valid DNS record. Guess it would depend if the TLD in question is publishing said dnssec record.
Private infrastructure for the win.
It does not just protects your privacy, but improves your bandwidth too.
Troy Hunt wrote about it a couple of months ago: https://www.troyhunt.com/mmm-pi-hole/