this post was submitted on 20 Mar 2024
27 points (96.6% liked)


Hello!

My knowledge about DNS resolvers is somewhat limited. So, in an effort to expand my knowledge and find a DNS resolver that works for me, I've come for help here.

Here is a list of terminology that I either know too little about, don't know anything about, or want to make sure my understanding is correct about:

Cleartext (What does this mean in the context of protocols? Is it inherently bad?)

DoH (I somewhat understand this, but is it less secure than DoT?)

DoH/3 (How is this different from DoH?)

DoT (Is this more private than DoH?)

DoQ (I don't know enough about this, how does it compare to DoH and DoT?)

DNSCrypt (I'm not sure what this is.)

Do53 (I'm not sure what this is. Is it a replacement for DoH/DoT/DoQ, or does it work alongside it?)

DNSSEC (I don't know what this is.)

EDNS padding (I'm pretty sure I know what this is, it just pads DNS queries. What happens if "Cleartext" is used, does it still pad it?)

As for what I'm looking for in a DNS resolver: I don't plan to self host it, I would like support for iOS, Linux, and Android, I would like it to be free, I would like EDNS padding, DoH is preferred (although I don't quite understand the alternatives). I am aware that the DNS resolver will usually be the same as my VPN. Note: I'm not looking for a beginner DNS resolver, I've been using NextDNS for a while now, I'm looking for one with strict privacy and security.

I've tried looking at Privacy Guides and Wikipedia, but I don't know enough to make an educated decision.

Any suggestions?

Thank you all!

all 19 comments
[–] eya@lemmy.dbzer0.com 14 points 8 months ago* (last edited 8 months ago) (2 children)

Mullvad has a public DNS service, would recommend checking that out. Supports DoH, DoT, and is encrypted.

[–] Sunny@slrpnk.net 6 points 8 months ago

I second Mullvad as a service.

[–] randomperson 2 points 8 months ago

I tried Mullvad's DNS service and found that it messed up sites that rely on geography based DNS routing. For example, I'd get sent to a service's servers in Singapore instead of the US. This caused some noticeable lag.

[–] politicalcustard@beehaw.org 11 points 8 months ago* (last edited 8 months ago) (3 children)

NextDNS would be my suggestion.

https://my.nextdns.io/

The video linked below is excellent, and runs you through the entire process of setting it up and explaining things as you go along. This process will give you a great deal of control over what filter lists you want to use and what settings will be right for you. And afterwards you can use their web interface to check that you have set up everything correctly and that you are using their service. Free until you hit a certain number of requests per month, but I think an individual user will never reach that point; I certainly haven't and I'm online far too much. Techlore, the producer of the video, also comes highly recommended for privacy related information.

The ULTIMATE Guide to Mastering NextDNS! by Techlore

[–] PipedLinkBot@feddit.rocks 2 points 8 months ago

Here is an alternative Piped link(s):

The ULTIMATE Guide to Mastering

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I'm open-source; check me out at GitHub.

[–] randomperson 1 points 8 months ago (1 children)

How does NextDNS compare with controld.com?

[–] politicalcustard@beehaw.org 1 points 8 months ago

I cannot really comment; I've never used controld... the only thing I would say is that it does look like it has a clean and simple interface, which for some people might be good but it might reduce customisability.

[–] slazer2au@lemmy.world 7 points 8 months ago (1 children)

Cleartext (What does this mean in the context of protocols? Is it inherently bad?)

It's like sending a postcard. Anyone can see who it is from, who it is to and what you are sending.

Install Wireshark and filter for DNS, then open your web browser to see where you are calling to.

DoH and DoT are essentially the same thing: they encrypt the DNS request in a TLS session so others can't see what you are requesting. The main difference is DoT uses port 853, so at a glance it is DNS traffic and the port may be closed, while DoH works over port 443, the same port as regular encrypted web traffic, so the port is likely open.

DoQ and DoH/3 use UDP 443 compared to TCP 443, but still encrypt the traffic.

DNSCrypt is a DNS proxy.

Do53 is yet another implementation of DNS over TLS, but using UDP port 53, the regular DNS port.
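The "postcard" point above, and the original poster's question about what EDNS padding does to a cleartext query, can be seen directly on the wire. The following is an added example, not code from anyone in this thread: it builds a plain DNS wire-format query for the constructed name example.com, attaches an EDNS(0) Padding option (option code 12, RFC 7830) sized to the 128-byte block RFC 8467 recommends for clients, parses the result back, and runs a `strings`-style scan over the raw bytes to show what any on-path observer (or a Wireshark DNS filter) would read. Names, transaction id and the 1232-byte UDP payload size are constructed sample values; the same bytes are what DoT or DoH would carry inside TLS.

```python
"""Added example: build, pad and parse a DNS wire-format query, and show
which parts are readable when the transport is cleartext (Do53)."""
import struct

# Constructed sample values for this example (not from the thread).
EDNS_OPT_PADDING = 12   # EDNS(0) option code "Padding" (RFC 7830)
PAD_BLOCK = 128         # block size RFC 8467 recommends for client queries
TYPE_OPT = 41           # EDNS(0) OPT pseudo-RR type
UDP_PAYLOAD = 1232      # advertised UDP payload size (a common default)


def encode_name(name):
    """Encode a dotted name into DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=1, pad_to=PAD_BLOCK):
    """Wire-format query for `name` (type A by default).

    pad_to=None  -> plain query with no EDNS(0) at all
    pad_to=N     -> add an OPT RR whose Padding option rounds the whole
                    message up to a multiple of N bytes
    """
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    if pad_to is None:
        # id, flags (RD set), QD=1, AN=0, NS=0, AR=0
        return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # AR=1: the OPT RR
    # OPT RR without RDATA is 11 bytes: root name(1) type(2) class(2) ttl(4) rdlen(2)
    unpadded = len(header) + len(question) + 11
    # The Padding option costs 4 bytes of option header; choose n so the
    # total lands on the next multiple of pad_to (n may be 0).
    n = (-(unpadded + 4)) % pad_to
    opt_rdata = struct.pack("!HH", EDNS_OPT_PADDING, n) + b"\x00" * n
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, UDP_PAYLOAD, 0, len(opt_rdata)) + opt_rdata
    return header + question + opt_rr


def decode_name(msg, offset):
    """Decode a wire-format name at `offset`; follows compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_message(msg):
    """Parse header, question section and any EDNS(0) OPT RR; report padding."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    edns, padding = False, None
    for _ in range(an + ns + ar):                      # walk every RR, keep OPT
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_OPT:
            edns = True
            o = 0
            while o + 4 <= len(rdata):                  # iterate EDNS options
                code, olen = struct.unpack("!HH", rdata[o:o + 4])
                if code == EDNS_OPT_PADDING:
                    padding = olen
                o += 4 + olen
    return {"txid": txid, "questions": questions, "edns": edns,
            "padding": padding, "length": len(msg)}


def readable_strings(packet, min_len=3):
    """Printable-ASCII runs in the raw bytes: what a sniffer shows for Do53."""
    found, run = [], b""
    for b in packet:
        if 0x20 <= b < 0x7F:
            run += bytes([b])
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = b""
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


if __name__ == "__main__":
    q = build_query("example.com")
    print(parse_message(q))        # padding=84, length=128
    print(readable_strings(q))     # ['example', 'com'] still visible
```

The parsed output shows the padding option growing the 44-byte query to exactly 128 bytes, yet the label scan still returns the queried name: padding changes only the length, never the content. That is why it adds something only on an encrypted transport (DoT, DoH, DoQ), where an observer sees sizes but not bytes and the uniform block size stops them from guessing the name from the length alone; on cleartext Do53 the name is on the postcard either way.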

[–] Charger8232@lemmy.ml 3 points 8 months ago (1 children)

That is very helpful, thank you! Is there any benefit to using UDP over TCP? I know TCP is more easily detectable with a port scan, and TCP uses ACK to make sure the data gets sent (and for that reason UDP is usually faster but lossy). How does that fit in with the context of DNS queries?

[–] slazer2au@lemmy.world 3 points 8 months ago

TCP 443 is more likely to be open than UDP 443 so using a technology that uses TCP 443 is more likely to work.

[–] shortwavesurfer@monero.town 5 points 8 months ago* (last edited 8 months ago) (1 children)

I use controld.com. It has DoT and DoH. They have an unfiltered, malware, malware + ads & tracking, or malware + ads & tracking + big social like spybook, instaspy and china-tok.

[–] randomperson 2 points 8 months ago (1 children)

How are you liking Controld vs NextDNS?

[–] shortwavesurfer@monero.town 1 points 8 months ago

I've never tried NextDNS but controld works really well.

[–] American_Jesus@lemm.ee 4 points 8 months ago* (last edited 8 months ago)

The DNSCrypt site explains some of the different DNS protocol types:
https://dnscrypt.info/faq

PS: There isn't Do53, that's just plain (unencrypted) DNS

[–] Cwilliams@beehaw.org 1 points 8 months ago

systemd-resolved

[–] some_guy@lemmy.sdf.org 1 points 8 months ago

Pfsense uses unbound

[–] TCB13@lemmy.world 0 points 8 months ago

Cloudflare does cleartext, DoH and DoT. It can be supported natively in iOS using DNS profiles; the rest of the platforms are easier to deal with. And yes, iOS supports DoH natively, no need to install anything.