Ask HN: Which DNS service do you use for your computer's network settings?

53 points by tikkun ↗ HN
And, do you recommend it?

I saw a comment recommending Mullvad's. I currently use the default DNS (my ISP's default).

116 comments

[ 7.1 ms ] story [ 192 ms ] thread
Full recursive DNS, that is, unbound.
What is "default DNS"?

I use Quad9 (9.9.9.9) and Freenom (80.80.80.80)

Added to OP: default DNS -> my ISP's default DNS.
Unbound DNS on my firewall in one of two modes. 99% of the time Unbound talks directly to the root servers and has multiple caches for records and infrastructure information. Defcon 4 or 5. I also keep several of my own DoT servers on the internet commented out in my configuration if I need to switch to local defense condition level 3. Those DoT servers then talk directly to the root servers and also cache all the things. Becomes redundant at dc1/2 as Tinc VPN's are used. I also have scripts to build Unbound zone overrides to act as /etc/hosts for some domains.
My PiHole resolves off to Quad9 and Cloudflare.

Never had any problems with either - I have both selected in case one has issues so that I don't need to immediately deal with "Daaaad the internet's not working!"

Unbound locally and forwarding to NextDNS for filtering
I use a DNS (over HTTPS) that allows me to spoof my geolocation for specific services.
NextDNS with either their app to set an DoH profile on devices or DHCP giving out their specific IPs for my config.
Google: 8.8.8.8 and 8.8.4.4. Fast. Problem free. Would recommend to anyone.
Why hand over your browsing data to Google?
I use Google DNS because it’s fast and reliable, and close to me. I’m not sure what else I’d use that’s more trustworthy. Certainly my ISP isn’t.

Their DNS privacy policy seems acceptable to me, as they’re not using it for ad data: https://developers.google.com/speed/public-dns/privacy

Google obviously has many concerns, but they’re trustworthy enough to follow their own privacy policy lest they get smited by governments.

You give data away, true, but I wouldn’t say DNS lookups == browsing data.

Example: They can see that I have visited Wikipedia, but not what articles I’ve read. (Other sites will leak more info due to the nature of their subdomains, but it doesn’t bother me personally.)

you're not wrong about the articles, but at the same time just looking at a domain is enough to allow for decent guesses to be made.

lots of hits on hackernews and jsoneditoronline.org and I can say with a reasonable degree of certainty that you're in IT or Dev. gonna start sending you ads that reflect that.

likewise, hits to missile-gayboy.jp -- a site that used to be hosted by my old employers -- also sends some pretty clear messages. I don't need to know what you're looking at specifically there but it's a japanese site that caters to a specific niche; I can sure make some assumptions.

hell, at work we don't even collect a lot of specifics on our endpoints -- domain queries are often enough to catch bad behavior

I trust Google more than I do my ISP or third-party DNS provider (I also use Chrome and Google's VPN). Google may use my activity data for their own purposes (which I'm OK with because I find their products very useful), but they will not sell my data and have demonstrated themselves to be resistant to government requests.
Devices -> Pi-Hole -> Unbound (running on Pi). My phone is connected to Pi-Hole via Wireguard, so it gets to take advantage of the ad-blocking as well.

Yes, I would recommend it. Running Unbound means you don't have to trust anyone's upstream DNS servers. Disadvantage is maybe slightly slower resolution, as you don't get to take advantage of the upstream server's caching.

Why don't you add an hosts blacklist to Unbound, thus removing the need for the Pi-Hole - which is mostly dnsmasq with same blacklists ?

https://wiki.alpinelinux.org/wiki/Using_Unbound_as_an_Ad-blo...

Because it has a nice UI, shows me what devices are making what DNS requests and which are being blocked, and is easy to add individual exceptions or disable entirely temporarily if something goes wrong.
They still need something to run Unbound+Wireguard on, what's the benefit of removing the PiHole software from the setup?
One less hop on the DNS resolution chain.
I use PowerDNS's dnsdist[1] which forwards to a blocky[2] server which then resolves from a local PowerDNS recursor. dnsdist is there mainly to provide a fallback if the local server is unavailable so I don't lose complete functionality.

I would generally recommend using anything other than your ISP's DNS servers.

AdGuard has a pretty good list of available providers: https://adguard-dns.io/kb/general/dns-providers/

[1] https://dnsdist.org/ [2] https://0xerr0r.github.io/blocky/

I proxy my ISP's DNS on my main server and all of my other machines use my proxy.
What's the point in doing so? Just use ISP's DNS directly.
Been really happy with NextDNS for my family.
Yep, I’ve also used NextDNS for several years.
The one the my DHCP gives me, that is my ISP's
127.0.0.1

Really, installing Unbound is piece of cake both on Windows and Linux.

Maybe for a network expert. I briefly tried to setup unbound and immediately got blocked by the installation documentation which assumed too much background info. I quit after I managed to break my internet. In the event of a failure, I would struggle to troubleshoot things.

Probably asking too much, but I want to ‘apt install unbound-quickstart’ and know sane defaults are configured. If anything goes wrong, I can delete a single config file or uninstall the package to go back to system defaults.

> Maybe for a network expert

I'm literally just did this:

    dnf install unbound
    systemctl enable --now unbound
    nmtui (because I'm lazy) to point DNS to 127.0.0.1
After reboot (again I'm lazy) I got:

    $ dig news.ycombinator.com

    ; <<>> DiG 9.16.23-RH <<>> news.ycombinator.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29106
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1232
    ;; QUESTION SECTION:
    ;news.ycombinator.com.          IN      A

    ;; ANSWER SECTION:
    news.ycombinator.com.   1       IN      A       209.216.230.240

    ;; Query time: 74 msec
    ;; SERVER: 127.0.0.1#53(127.0.0.1)
    ;; WHEN: Tue Oct 24 16:07:11 GMT 2023
    ;; MSG SIZE  rcvd: 65
I think you... just misunderstood something years ago. You don't need 'quickstart' for this

On Windows it's the same - download package, install it, configure 127.0.0.1 as primary DNS

I use the one from my ISP, unless they're having issues (hardly ever happens). The reason for this, is that in my country, my ISP is tied to strict regulations on (for example) resale of data. Switching to another DNS provider opens me up to all kinds of shenanigans that my ISP would be held responsible for.

This is the same reason I don't use a VPN by default at home.

I use dnscrypt-proxy in the default configuration and let it choose what's best for my current network.
One reason why I choose to use dnscrypt-proxy too.

@jedisct1, it would be great if there was an option to default to a ODoH/anonymized DNS setup mostly out the box.

Running my own doh-proxy, so I use it for my android phone, and firefox browser.
In this order...

- Google 8.8.8.8

- Cloudflare 1.1.1.1

Why this and in this order?
Better than my ISP’s; and the order isn’t that important to me. I’d be fine switching them.
I use unbound, with a bunch of local IP/hostnames, then forward to mullavad dns for adblock.
~Once a year, I run DNS Benchmark by Gibson Research https://www.grc.com/dns/benchmark.htm and do a local performance benchmark and use the results to pick a top 3 which usually ends up to be a mix of my upstream Internet provider, Cloudflare and/or OpenDNS
Same, I keep meaning to run under wine again as I don’t have a windows box for this anymore. For a long time I’ve used cloudflare but my ISP (Detroit) had a persistent routing issue to ORD so my dns queries were always failing. On Level3 now as they are the quickest near me.
Surprised to see any links to a site run by a charlatan like Gibson here on HN.
I've used the linked tool (on Windows) and it worked fine. I guess from your comment there's some drama I'm not aware of. Can you elaborate what's wrong with it and what alternative you'd recommend?
Not talking about the tool you referenced specifically, but Steve Gibson of GRC is known to be a charlatan, making claims that are easily disproven (he was the guy screaming the world would end when XP included raw sockets) and sometimes selling software based on false claims, like his SpinRite software.
Sounds like you don't know what SpinRite is for/does

Or that you haven't ever actually listened to him

I've been listening to him for far too long, and joining in others to warn people off him.

But hey, you want to cheerlead for him with his track record, go right ahead.

LOL

Ok - I've listened to him off and on for about a decade

If you want to be upset over him ... go ahead

I guess the issue here is you don't have enough knowledge to understand why he's a charlatan.

And that's fine, many don't. Which is why it's important those of us that do continue to speak up.

Take care.

How many mistakes/bad predictions does it take to make someone a charlatan in your opinion?
Gibson didn't just make a few mistakes. He consistently made ignorant and false claims to sell software and boost his own profile, which apparently worked on quite a few gullible people.
You really have it out for this guy, don't you?

Let it go

Buddy you just replied to every single comment I made in this thread to other people.

I don't really have it out for this guy, I'm just pointing out that he is a charlatan.

You seem to be really offended by that and are cheerleading for him even harder. Bizarre. I'm sorry the truth hurts you so.

>You seem to be really offended by that and are cheerleading for him even harder. Bizarre. I'm sorry the truth hurts you so.

Hahahaha

Well, "buddy", you seem to have it out for someone with zero evidence you can provide for why you are upset beyond, "if you know, you know"

That is not a reason, it is a claim to secret knowledge

Which...since you will not share, we have to assume does not exist

You're too lazy to google yourself lol.

You're really one of those 'need to have the last word' types, huh.

Well, it's all yours. I have no more time to debate you than a Taylor Swift fan pissed off at me because I said one of her songs wasn't great.

Guess you can't let people correct their mistakes

That's fine - if you want to hold a grudge irrationally... you do you

Not holding a grudge irrationally, and when people tell you you make mistakes or you're full of BS and you double down on your claims to make money, that's malice, not incompetence.

Honestly, I find it hilarious you are defending this guy. He must have a real comforting voice or something.

> I guess the issue here is you don't have enough knowledge to understand why he's a charlatan.

Enlighten us, then, oh wise one!

What "knowledge" do you think I do not have that you somehow secretly do?

You seem to lack at a minimum decent security knowledge, perhaps even basic IT knowledge outside of using a browser on windows.
Ahh, so instead of providing actual sources and data, you prefer to impugn my decades of experience based on your magic knowledge?

Cool

You are a mind reader!

SO glad you came out to tell me I do not know what I have been doing for years on end!

/s

From your comment history, when you comment on anything technical, you seem to be downvoted and not really know what you're talking about.

There are lots of people in IT. It's a low barrier to entry. Plenty of people are like you and think they know what they are talking about while even managing to get paid for it.

Congratulations!

LOL

Apparently you never read my comment history ... or went through and downvoted me out spite

Keep your secret knowledge to yourself if you want - since you seem so averse to sharing why you think something

>known to be a charlatan, making claims that are easily disproven

Such as ...?

Read the thread buddy. Not repeating claims just so you can keep this argument going on yet another front.
You've yet to source anything

But keep thinking you have

There is a small vocal cult of secbros on HN and Reddit that have some kind of beef with Gibson because he gets things wrong once in a while and make predictions that don't pan out. You know, like literally all of us.

And also he sells ONE product that in 2023 has admittedly dubious value (SpinRite), and I will also admit that the website oversells it quite a bit. But all of the complaints I've seen about it basically boil down to those people not really understanding what it's for or what it does. It's not for "undeleting" data, it's not for fixing your broken filesystem, it can't recover data off a disk with a bullet-hole in it. It only works on spinning rust with _some_ bad physical sectors, if the damage is not severe enough that the data can't be recovered with many, many, repeat readings.

I listened to his podcast Security Now for the better part of a decade while commuting and found that he really enjoys getting to the root of whatever he's talking about and _usually_ (not always) does a pretty good job of explaining complex technical subjects verbally. He has always come across as quite humble to me, and _every_ episode began with a list of corrections from the previous episode. When he does make mistakes, at least he admits them.

lol, it's not a small vocal cult, what a bizarre description. It's simple people in the know who can recognize a charlatan and call him out as such.

Maybe you are not old enough to remember or be aware of how ridiculous he used to be. He's been pretty quiet the last decade, likely due to getting batted down every time he would pop up with some nonsense.

Not sure what you mean by pretty quiet, his podcast is still going strong and is quite popular. I don't know what your personal grudge against him is, but it doesn't sound like it's doing you any good.
His podcast is but a blip in a giant sea of podcasts, and only listened to by people who don't know enough to know how little he knows.

No personal grudge, just the advantage of experience. I'm hardly alone in holding this view. If you did some research, and listened to some actual security podcasts, you might learn a little bit more regarding all this.

>No personal grudge, just the advantage of experience. I'm hardly alone in holding this view. If you did some research, and listened to some actual security podcasts, you might learn a little bit more regarding all this.

Such as... what? Who do you think knows more than he does and/or what has he said that is incorrect?

You don't need to ask the same question 3 different times in reply to my comments to other people. What's wrong with you? Just keep it to one thread. Jesus.
This is the third dubious comment you’ve made so I’ll ask you directly (once again) to explain why you feel that way.
I haven't made a single dubious comment. I'm kind of tired of pointing out the truth with all these, I assume gen z kids, who don't know any better and think he's worth listening to. Just do some googling and read up on his history, see what actual security experts think of him.

But hey, you do you.

And here I was, a random passerby to your argument, hoping for you to finally tell what's wrong with Gibson Research, yet I only heard a lot of moaning with no substance.

From outside, it looks like you have a grudge against them, but brought no actual reason. Thanks for your input I guess.

Before you shut me down as well, I learned of Gibson Research in this very thread. I'm no paid actor.

I actually did point out two examples of the issues, so no, it's not just moaning, I'm just not interested in getting in to a debate with his cheerleaders.

I also suggested people can google if they want to learn more.

Next time you're a random passerby to an argument you see me involved in, please just keep passing by.

I am another passerby, and you just look like a childish prick who for some reason really doesn't like a guy making software. We have learn nothing else from you, so it is hard to give you the benefit of the doubt. From my experience you are probably a narcissist who insist on his opinions being the truth without having the burden of proof. Your tentative order is a pretty good tell.
Thanks for violating the HN guidelines to pass on your emotional insult. Hope you found it satisfying and that it made up for whatever you needed it to.
This guy's definitely got some kind of [apparently] irrational grudge going on against Gibson

Can't elaborate on anything except some kind of claimed secret knowledge that the rest of us plebes must obviously not have

Sad, really

Your obsession with someone calling out one of your favorite podcasters, that you need to be so defensive, is honestly bizarre.

Stop.

LOL

He's not a "favorite podcaster"

But nice try at casting aspersions instead of answering the question

[flagged]
Still no sources!

Keep your irrational opinions then

(comment deleted)
Run your own.

It's not hard. It uses minimal resources. It can be enhanced with ad-block lists similar to pi-hole so your whole network benefits.