Which private DNS to use?

This post was last updated 3 months ago

This is a text automatically translated from Italian. If you appreciate our work and if you like reading it in your language, consider a donation to allow us to continue doing it and improving it.

After our article on alternatives to Google DNS we decided, thanks also to your suggestion, to write an article about Private DNS advising you which ones to use. If you don't know what we're talking about, perhaps you'll remember having come across the acronyms DoT or DoH every now and then, which respectively mean DNS over TLS and DNS over HTTPS. You may also have heard of DoQ, a new and still experimental standard, which means DNS over QUIC. Finally, there is also the DNSCrypt protocol, for use with programs such as Simple DNSCrypt.

They are all protocols that allow you to encrypt DNS requests and are often referred to as Private DNS.

A very brief explanation of what DNS is: to quote Wikileaks, “a DNS server is nothing more than a telephone directory that helps your computer find the address of the site you want to visit”. It seems clear enough to us, right? Thanks to DNS you know the street and house number of the site you want to visit, so you can find it immediately without problems.

Private DNS

Well, now we can start by saying that, among all these protocols, to date there is no single method that everyone agrees on as the standard of excellence. They all do essentially the same thing, but they do it differently:

  • DoT uses port 883
  • DoH uses 443, the same one used for HTTPS traffic.
  • DoQ is a third method that uses a new network protocol called, precisely, QUIC and considered the successor of DoH [1]. It is a protocol presented by Google [2] and aims to solve some problems of using the HTTPS port for DNS, including tracking with ETag and greater fingerprinting [3].

On Android, from version 9, you can easily use DoT (and from version 13 you can also use DoH [4]); on Apple devices you generally download a configuration profile for the DoH protocol. In browsers, instead, you can simply use DoH.
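What a DoH request actually carries, as an added example that is not part of the original article: the query is an ordinary DNS message, base64url-encoded into an HTTPS request, so to the network it is just traffic on port 443, while the resolver you chose still reads the full name. The `/dns-query` path and the name `www.example.com` follow the example in RFC 8484; the function names are hypothetical.

```python
import base64
import struct

DOH_PATH = "/dns-query"          # path used in the RFC 8484 examples
QTYPE = {"A": 1, "AAAA": 28}     # record types handled by this sketch


def build_query(name, qtype="A"):
    """Return a DNS query in wire format (RFC 1035) with one question."""
    # Header: ID 0 (what RFC 8484 recommends, for HTTP cache friendliness),
    # flags 0x0100 (recursion desired), one question, no other records.
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").encode("ascii").split(b".")
    if any(not 0 < len(label) < 64 for label in labels):
        raise ValueError("each label must be 1..63 bytes")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE[qtype], 1)  # class IN


def doh_get_target(name, qtype="A"):
    """Request target of a DoH GET: base64url of the query, padding removed."""
    encoded = base64.urlsafe_b64encode(build_query(name, qtype))
    return DOH_PATH + "?dns=" + encoded.rstrip(b"=").decode("ascii")


def parse_question(target):
    """What the resolver recovers from the request target: (name, qtype)."""
    b64 = target.split("?dns=", 1)[1]
    msg = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    pos, labels = 12, []                      # the question follows the header
    while msg[pos] != 0:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    (qtype,) = struct.unpack_from("!H", msg, pos + 1)
    return ".".join(labels), qtype


if __name__ == "__main__":
    target = doh_get_target("www.example.com")
    print("GET", target)                      # sent inside the TLS session
    print("resolver sees:", parse_question(target))
```

The encryption protects the query between your device and the resolver only; the resolver decodes it in full.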

The name given to it in Italian, Private DNS, can be misleading: the idea that a person can get when they hear the word “private” is that they are in some way invisible. In reality, that is not what private DNS is for.

According to madaidan, a security researcher, using private DNS does not, for example, give major security advantages. It will primarily help circumvent rudimentary censorship systems that rely entirely on DNS blocking.

Better to use encrypted DNS

We are not saying that they are useless, and it is certainly better to use them than not, since they can be a decent prevention tool against man-in-the-middle attacks [5].

However, it is important to understand that private DNS does not make you somehow invisible [6] and your provider, for example, can still know the sites you visit: the only way to avoid this is to use a VPN or Tor.

If you want to delve deeper into the topic we recommend some interesting links:

How to use private DNS?

We don't want to make a step-by-step guide on how to use private DNS mainly because each provider always releases their own guides on how to best use their DNS. Let's try to simplify it a little by saying:

  • Android: if you have Android 9 or higher, just go to settings/network and from there search for private DNS and enter the DoT address that you want. However, if you have a smartphone with an older version of Android you will have to use a dedicated app such as personalDNSfilter or even AdGuard. There is also Nebula, which however has not been updated for a long time. Finally, there is also Intra, which is open source [7] but is developed by Google.
  • Windows: on Windows you can use Stubby, YogaDNS or, again, AdGuard. Alternatively you can also use Portmaster (which we'll talk about later), which also lets you know what you're blocking and how.
  • Apple: on Apple devices you will need to download a configuration profile. On macOS and iOS you can also use DNSecure. On smartphones there is DNSCloak [8]. Or, again, AdGuard, also for iOS.

Which private DNS to use?

After this small but necessary introduction, we would like to point out the private DNS services that we find most interesting. Many of the ones we will propose can also be used to block advertising or as parental controls.

DNS to block ads and trackers

In fact, one of the characteristics of some DNS services, which we have talked about little in the past, is the possibility of blocking statistics and advertising just like an AdBlock. Unlike software like uBlock Origin, which only works in browsers, tracker blocking at the DNS level works on the entire computer or smartphone.

Furthermore, the most interesting thing is that the two things are often compatible. You can therefore continue to use uBlock Origin, or Brave, and add a DNS that also blocks trackers for greater protection. This is because blocking ads via DNS may not work properly on some elements such as, for example, YouTube ads [9] [10].

Nothing stops you from adding a third type of blocking with local VPNs such as TrackerControl and DuckDuckGo for Android, or AdGuard (multi-platform) and Portmaster for desktop. In this case you may have some incompatibility problems, but generally everything works fine.

The filter lists to use and some tests

As regards the DNS that allow you to choose the filtering lists, we suggest activating only these two:

  • OISD (a sort of “perfect” list whose main purpose is to block trackers without breaking sites).
  • as an alternative to OISD you can use the HaGeZi list, which even in the PRO++ version breaks almost nothing.
  • 1Hosts (Lite)

With a bit of experimentation and testing we noticed that with these two lists many annoying things really do get blocked and, above all, almost no site breaks. Obviously you can try adding all the lists you prefer, always taking into account that the more things you block, the more likely it is that some sites/applications won't work properly.

Let's try to explain ourselves better with some examples: if we run the online d3ward test (one of the most interesting for understanding how much our protections block) on Mozilla Firefox, removing uBlock Origin and Firefox's anti-tracking protections and leaving only the customized AdGuard DNS and the two lists above, we get 98%.

The moment we also activate the restrictive anti-tracking protection we arrive at 99%. Adding uBlock Origin we arrive at 100%.

Even if these are just percentages that ultimately mean very little, they help us understand how useful and interesting it can be to use DNS with tracking filters.

One last suggestion is to add, when possible, these two domains to the blacklist:

  • graph.facebook.com (but only if you don't use the official Facebook application [11])
  • api2.branch.io (which should already be in the 1Hosts (Lite) list anyway)
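How a filtering resolver can turn lists, blacklists and whitelists into a per-query decision, as an added example that is not part of the original article and not any provider's code. The list contents are constructed (only the two domains suggested above come from the article), and the "most specific entry wins" policy is an assumption; real services may resolve conflicts differently.

```python
# Constructed sample list mixing three common formats. The two real names
# are the ones the article suggests; the others are placeholders.
BLOCKLIST = """\
# hosts style
0.0.0.0 api2.branch.io
127.0.0.1 localhost
||graph.facebook.com^
ads.example.net        # plain domain with a trailing comment
"""
ALLOWLIST = "cdn.ads.example.net\n"


def parse_list(text):
    """Extract domain names from hosts-style, ||name^ or plain lines."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith("||"):
            names = [line[2:].split("^", 1)[0]]
        else:
            fields = line.split()
            # "0.0.0.0 name [name...]" carries an address first; a plain
            # entry is the name alone.
            names = fields[1:] if len(fields) > 1 else fields
        for name in names:
            name = name.lower().rstrip(".")
            if name and name != "localhost":
                domains.add(name)
    return domains


def decide(qname, blocked, allowed):
    """Return (verdict, matching_rule) for a queried name.

    Assumed policy: an entry covers the name and its subdomains, and the
    most specific matching entry wins, so a whitelist entry can carve an
    exception out of a broader block.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in allowed:
            return "allow", candidate
        if candidate in blocked:
            return "block", candidate
    return "allow", None


if __name__ == "__main__":
    blocked, allowed = parse_list(BLOCKLIST), parse_list(ALLOWLIST)
    for q in ("graph.facebook.com.", "www.facebook.com", "x.api2.branch.io",
              "cdn.ads.example.net", "img.ads.example.net"):
        print(q, decide(q, blocked, allowed))
```

Because an entry also covers its subdomains, a single broad entry can stop many names at once, which is why adding more lists raises the chance that a site or application breaks.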

Which private DNS to use? Here are our suggestions

We will only insert the link to the official pages where you will find the instructions to correctly set the updated DNS. We will not write them here to avoid them becoming obsolete and risking giving inaccurate information.

NextDNS

Independent American company [12]
ability to customize DNS with lists, filters, whitelists and blacklists
possibility to block trackers and advertising
They do not keep any logs (unless asked by you)

Probably one of the best choices, especially if you are also planning to use some of its features such as ad and tracker blocking. NextDNS was founded by Romain Cointepas (Dailymotion) and Olivier Poitrey (Netflix and Dailymotion). It is a company that to date has stood out for its transparency and security. The DoH, DoT and also DoQ protocols can be used. You can create various profiles, each with its own unique ID (to then be set as a DNS server), and it gives you dozens of pre-set and customized filters. You can also block websites, entire categories of sites or certain applications. You can keep the logs (locating them in Europe or Switzerland) or decide not to track anything at all.

It is free up to 300,000 monthly requests, after which you pay around €20 per year.

At this link you will find a guide in English from Techlore: YouTube / Piped.

Among the negatives there is definitely the interface, which is far too simple and basic and where some features are not available, such as blocking or unblocking domains directly from the logs.

AdGuard

Independent Cypriot company, founded in Moscow but currently without servers in Russia [13] and with registered office in Cyprus.
ability to customize DNS with lists, filters, whitelists and blacklists
possibility to block trackers and advertising

An excellent company that offers various solutions for blocking trackers, advertising and various statistics. Among the various options it also offers private DNS in plain public versions or with pre-set filters, which you can find at this address.

Alternatively you can try the beta version of their custom DNS, NextDNS style, at this address.

To set them up you can also try using their application, a local VPN that blocks trackers and statistics and also lets you block the connections of individual applications (like Netguard). Some analytics logs are always recorded [14] and, unlike NextDNS, it is not possible to decide in which region they are located.

Although the custom DNS version is still in beta, the management panel is truly complete (although not free from bugs) and decidedly well built and intuitive.

Finally, AdGuard uses Cloudflare's CDN for most of its services [15]. When using its DNS you can see that Cloudflare and Google DNS are also contacted [16]. We asked support for clarification and they responded like this:

AdGuard DNS servers are recursive ones; they're trying to resolve requests from the cache, and when they can't do so, they reach out to other trusted public DNS servers, which are Google and Cloudflare, and cache the response for further use. We communicate with upstream servers on behalf of AdGuard DNS, not the actual user, so this is 100% safe.

That is, AdGuard's DNS servers are recursive: they try to resolve requests from the cache, and when they can't, they turn to Cloudflare and Google, caching the response for next use. They communicate with the upstream servers on behalf of AdGuard DNS, not on behalf of the actual user. So theoretically there is no problem regarding privacy or security, but if for ethical reasons you do not want to use Cloudflare in any way, it is right that you are aware of it.

Attention: if you want to download the AdGuard application, you must not look for it on the Play Store or on F-Droid. Download only the APK that you find on their site in the links below!

dns0.eu

servers in Europe

The two founders of NextDNS have started another exciting new project. They founded dns0.eu, a French non-profit foundation, and offer a new public DNS that is completely free to use. It is available in three versions: open, where nothing is blocked; simple, where dangerous sites are blocked thanks to an artificial intelligence system; and Zero, where mainly only malware and spyware are blocked. Finally, it is also available in the Kids version, with blocking of porn, piracy, dating sites or applications and of explicit results in searches, as well as advertising blocking (because children should NOT be the target of advertising campaigns).

They are very fast, they are European, and the NextDNS experience does the rest.

LibreDNS

Independent collective
possibility to block trackers and advertising with different DNS
they don't keep any logs

Another interesting alternative that works well is LibreDNS, managed by the LibreOps collective (which offers other services besides private DNS). You can use the basic DNS, without any blocking, or use the DNS with tracker blocking, which uses these lists.

They can be used over DoH and DoT, they are completely free (they live on donations) and they keep no logs.

AhaDNS

European non-profit
possibility to block trackers and advertising with predefined and configurable lists only in DoH
they don't keep any logs

Unlike the previous ones, this is a European non-profit that lives exclusively on donations. You can use a predefined list, configurable (only for DoH), to block trackers and statistics based on your preferences. However, you cannot further customize connections as with NextDNS.

If you don't need logs and statistics and don't want to rely on companies, then this is the best option for you. Also keep in mind that AhaDNS is managed by a single person [17] and the uptime of the various servers is very high: 99.9786% Overall Uptime.

Quad9

Swiss non-profit
their DNS only blocks malware and not ads

Quad9 is also a non-profit, in this case Swiss, serious and very reliable. In fact, let's remember that when it comes to DNS providers, trust is an absolutely essential condition. They too live on donations and provide public DoT, DoH or DNSCrypt that you can use freely.

Their DNS automatically blocks malware with no customization options. They keep some logs to improve the service [18].

CONTROL D

Independent Canadian company, already creators of the Windscribe VPN
ability to customize DNS with lists, filters, whitelists and blacklists
possibility to block trackers and advertising

If you like the idea of customizing DNS and using it to block trackers and advertising, then you might also be interested in CONTROL D. They offer good service and do not keep any logs. The customizations are a bit lacking when compared to those of NextDNS and AdGuard DNS; however, they offer an interesting VPN-like service for pretending to be in other locations.

The customized version is paid; alternatively you can use their free DNS servers with pre-set blocking "packages" to protect you from malware, advertising and trackers.

Mullvad DNS

Independent Swedish company
possibility to block trackers and advertising with predefined lists
they don't keep any logs

Not everyone knows about it but Mullvad, one of the best and most reliable VPNs ever, offers free DNS servers for you to use. They do not keep any logs and exist in different versions:

– without any blocking
– with ad blocking
– with ad and malware blocking
– with ad, malware and social media blocking
– with ad, malware, social media, porn and betting site blocking

RethinkDNS

Independent Indian company and funded by Mozilla's MVP program
ability to customize DNS with lists, filters, whitelists and blacklists
They do not keep any logs (unless asked by you)

Once known as BraveDNS (they later changed name and have nothing to do with the Brave browser), they are a good DNS provider with the ability to create custom DNS by choosing your own lists. It is currently free but paid plans will begin in August 2022. It is part of Mozilla's MVP program [19].

The logs are encrypted on AWS (Amazon) servers in the United States and there is no way, as of yet, to change this [20]. Logs are only kept for paid users who request them, otherwise nothing is kept.

DeCloudUs

Non-profit with European servers
ability to customize DNS with lists, filters, whitelists and blacklists
they don't keep any logs

If your goal is to completely eliminate Google and company from your browsing, DeCloudUs is definitely the service for you. In their free version, in fact, any connection to Google and other Big Tech is blocked. So be careful because, unfortunately, many sites will break!

Alternatively you can use the premium version to customize the DNS as you prefer. To register, all you need is an email address and it is also possible to pay with cryptocurrencies.

We tried the Premium version and found that unfortunately it does not allow you to apply well-known lists (such as OISD), so it is a little less suitable for daily use because its filters are all excessively restrictive.

Applied Privacy

Austrian non-profit
DNS only, no ad blocking

Another non-profit that promotes free software and allows you to use DNS over TLS or DNS over HTTPS.

OpenNIC

Historic non-profit alternative to ICANN
DNS only, no ad blocking

Even the historic OpenNIC also offers Private DNS. To check which servers support DoH and DoT, use this page. It also has a few (not many) DNSCrypt servers. You can also select only European servers.

UncensoredDNS

Danish non-profit
DNS only, no ad blocking

DNS servers managed by a single person who allows their use at no cost. It offers two DNS servers without any setting options or site censorship.

Cloudflare

American company
ability to use DNS to block only malware and adult sites

Cloudflare is certainly fast and reliable, but it is by all accounts a gigantic company with enormous power. It has obtained funding from Google, Microsoft and Baidu [21] and in our opinion it is not exactly what can be considered an ethical alternative. We include it mainly because it's too big to ignore.

Self-hosting solutions

No less important are the self-hosting solutions. As always, we won't dwell on these because Le Alternative is not intended to be a technical blog but one within everyone's reach. If you want to read and discover new things, you can create "your own home DNS server" where you can put the lists you want. They are used locally, so they are also, and above all, useful for devices that always remain at home, such as Smart TVs or some IoT devices.

  • Pi-hole, probably the most famous alternative of all. Easily installed on a Raspberry Pi and easily configurable.

  1. DNS-over-QUIC, what it is and how the successor to DoH works
  2. QUIC on Wikipedia
  3. Why not DNS-over-HTTPS
  4. Native support for DNS over HTTPS will finally be added on Android 13
  5. https://steemit.com/introduceyourself/@zero-day/google-public-dns-currently-add-support-to-dns-over-tls
  6. Encrypted DNS does prevent someone monitoring your traffic from seeing what domain you looked up via DNS, but this doesn't really matter since there are so many other ways to get that exact same information anyway
  7. source code of Intra
  8. source code of DNSCloak
  9. How to block ads on YouTube: quick insight and things to know
  10. How do I block ads on YouTube?
  11. GoodbyeAds – W🌎rld of Ads Free Internet
  12. Who is behind NextDNS?
  13. Official response from AdGuard to SetApp complaints
  14. AdGuard Privacy Policy
  15. AdGuard | Cloudflare
  16. Screenshot using AdGuard DNS
  17. Who is behind AhaDNS?
  18. Data and Privacy Policy
  19. Mozilla Builders Fix The Internet Showcase
  20. Where are user DNS logs stored?
  21. CloudFlare Locks Down $110M From Fidelity, Microsoft, Google, Baidu And Qualcomm
  22. source code of AdGuard Home


By skariko

Author and administrator of the web project The Alternatives
