Do you change DNS?

I did some research into this and it seems pointing your DNS towards a third party DNS resolver (such as Quad9, Cloudflare) encrypts the DNS queries, but after you acquire the IP, you immediately ask for the IP and name of the site in clear text through your ISP. So the ISP can determine where you are visiting anyway.

On the other hand, running your own recursive resolver in Unbound, you eliminate your data going to a third party DNS resolver, however all your queries are sent in plain text to authoritative nameservers, which your ISP can see. Repeat queries though will then come from the Unbound cache.

So in both scenarios the ISP can determine where you are visiting, so while there is no true privacy, hosting your own recursive resolver would be the better option as you eliminate sending your data to a 3rd party company.

Other factors would be the speed of resolving queries and if you require some type of filtering, either through third party DNS resolvers or using pihole/adguard.

Have I understood this correctly?

Thanks for this posting, I asked something similar a while back but the answers I got from another board made it sound like an almost yes and no answer... I always felt there was something still popping up on the ISP side.

If you trust your VPN provider they usually offer a DNS server, which is what I do anyhow; for the rest of the devices that require access to the clear net I tend to use quad9/cloudflare, but now at least I know even that is not safe for data leakage.

Think I'll switch to Cloudflare for now and check into other DNS options later on, maybe quad9 is just minus one 9 and all data goes to City of London Police and the Manhattan District Attorney's Office.
 
Quad9 is a non-profit and sponsored by those agencies and more with a view to reducing cybercrime. That's why they ended up by far the best anti-malware/anti-botnet/anti-everything-bad DNS provider by far, even significantly in excess of Cloudflare's malware blocking service. They're not actually affiliated (in the sense you mean) with LEA.

If you're that concerned (and it's legitimate to be, I'm not deriding you), you might like Mullvad DNS. It's blazing fast, has unfiltered and ad/malware blocking variants, and is run by one of the most audited and trusted VPN companies. Run a proxying forwarder on your LAN and set it to forward all your traffic over DoH or DoT to whomever you choose. Then set your browsers to enable ECH and - short of using Tor or VPN - you've done all you can for now.
 
I've settled on Technitium for now, created 2 instances on my proxmox cluster, works really well and I like to give the underdog a chance. The persistent cache is a killer feature, can reboot at will and not have to start building cache again.
Been using Technitium since 28th Jan (in recursive mode) and I can already tell the difference in browsing speeds compared to AGH, it is blazing fast.

I can highly recommend it!
 
I would have to agree with what you both said, Technitium is very fast and easy to implement on various systems. The instructions are well written and clear.
You have to hand it to them though, it would take me quite a while to rebuild my current deployment with Unbound/Pihole vs Technitium in just a few minutes to deploy the same features more or less.
 
My main issue is their syntax for the advanced blocking app. The regular blocking doesn't allow per-client list choices, and the advanced blocking app doesn't accept plain text IP ranges. I have no problem with manual config (see: Blocky), but for the Technitium advanced blocking app everything has to be done the 'long way'. My network is just a regular /24, but there's six of us - me, my wife, and four kids. We all have iPhones/iPads/laptops/PCs/smart watch etc, then there's smart devices and FireTV Sticks, plus CCTV cameras, plus IoT devices, plus multiple physical servers, and so on. Because of client config requirements in AGH, running DHCP was no good - I needed each client to stay recognisable over the long term. I ended up just basically dumping DHCP for resident devices, and assigning everyone 10 IP addresses:

Code:
--- Core networking equipment
10.100.0.1 - border router running VyOS 1.3 LTS, CLI only
10.100.0.2 - core managed/L3 switch
--- Personal device ranges
10.100.0.10 to 10.100.0.19 - My devices
10.100.0.20 to 10.100.0.29 - Wife's devices
10.100.0.30 to 10.100.0.39 - Eldest's devices
10.100.0.40 to 10.100.0.49 - Child 2's devices
10.100.0.50 to 10.100.0.59 - Child 3's devices
10.100.0.60 to 10.100.0.69 - Child 4's devices
10.100.0.70 to 10.100.0.79 - Old/random/inherited devices
----------
Legacy server IP assignments from before the re-segment, carried up 100 IPs out of the 'family' range, but kept memorable.
That is, 10.100.0.5 became 10.100.0.150, 10.100.0.12 became 10.100.0.152 etc:
--- Printers ---
10.100.0.111 - HP LaserJet printer
10.100.0.112 - Epson sublimation printer (wife's projects)
10.100.0.115 - Ruckus R710 enterprise WiFi AP
--- CCTV and servers ---
10.100.0.142 - Hikvision 4K CCTV camera (front of house)
10.100.0.143 - Hikvision 4k CCTV camera (side of house)
10.100.0.144 - Hikvision 4k CCTV camera (rear of house)
10.100.0.150 - DiskStation NAS (CCTV surveillance station / NVR, primary Docker host fronting domain services, downloaders, *arrs. Vaultwarden etc)
10.100.0.152 - Raspberry Pi 3B (secondary LAN DNS, running DietPi)
10.100.0.153 - Radxa Rock 5 model B (primary LAN DNS, reverse proxy for my domain, Docker host etc)
--- Media devices ---
10.100.0.180 - TiVO v6 Virgin box (downstairs)
10.100.0.181 - TiVO v6 Virgin box (upstairs)
10.100.0.190 - FireTV Stick 4K (upstairs)
10.100.0.191 - FireTV Stick 4K (downstairs)
10.100.0.192 - Ring doorbell (front door)
10.100.0.193 - Echo Show 5 (freebie)
10.100.0.199 - Google Nest Mini (freebie)
--- DHCP range for visitors and guests, on segregated guest AP with captive portal
10.100.0.200 to 10.100.0.254

As you can see it's a bit of a spread, but it made the most logical sense at the time versus completely gutting all my configs and years of muscle memory to completely rebase everything. It has an odd layout, but it makes sense to me. Everyone has their own small range with some room to grow, and although there's some 'wasted' space in the middle it can always be used in future if needs must. I'll certainly never need more than 50 DHCP addresses for guests, so all's well that ends well. You can see how it's a bit of a pain to set up DNS blocking per-client in an app that doesn't support explicit ranges, though!

In Blocky I can just say (paraphrased) Eldest child: 10.100.0.30-10.100.0.39; ads/malware/gambling. However, Technitium's Advanced Blocking app demands explicit IPs or CIDR networks, not plain text IP ranges. The closest I can come to what is a few intuitive lines in Blocky is to either list every IP between 10.100.0.10 and 10.100.0.70 and name them repeatedly into 'network groups' (me, me, me, me, wife, wife, wife etc) or convert the ranges to awkward CIDR blocks... And yes, I got around to it today after all - because posting here that I was putting it off irked me enough to actually do it haha!

Code:
{
  "enableBlocking": true,
  "blockListUrlUpdateIntervalHours": 12,
  "networkGroupMap": {
    "0.0.0.0/0": "default",
    "10.100.0.30/31": "eldest",
    "10.100.0.32/29": "eldest",
    "10.100.0.40/29": "kids",
    "10.100.0.48/28": "kids",
    "10.100.0.64/30": "kids",
    "10.100.0.68/31": "kids"
  },
  "groups": [
    {
      "name": "default",
      "enableBlocking": true,
      "allowTxtBlockingReport": true,
      "blockAsNxDomain": false,
      "blockingAddresses": [
        "0.0.0.0",
        "::"
      ],
      "allowed": [],
      "blocked": ["dns.google", "dns.google.com", "dns.opendns.com", "dns.cloudflare-dns.com"],
      "allowListUrls": [],
      "blockListUrls": [],
      "allowedRegex": [],
      "blockedRegex": [],
      "regexAllowListUrls": [],
      "regexBlockListUrls": [],
      "adblockListUrls": ["https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.plus.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif.txt"]
    },
    {
      "name": "eldest",
      "enableBlocking": true,
      "allowTxtBlockingReport": true,
      "blockAsNxDomain": false,
      "blockingAddresses": [
        "0.0.0.0",
        "::"
      ],
      "allowed": [],
      "blocked": ["dns.google", "dns.google.com", "dns.opendns.com", "dns.cloudflare-dns.com"],
      "allowListUrls": [],
      "blockListUrls": [],
      "allowedRegex": [],
      "blockedRegex": [],
      "regexAllowListUrls": [],
      "regexBlockListUrls": [],
      "adblockListUrls": ["https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.plus.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/anti.piracy.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/gambling.txt"]
    },
    {
      "name": "kids",
      "enableBlocking": true,
      "allowTxtBlockingReport": true,
      "blockAsNxDomain": false,
      "blockingAddresses": [
        "0.0.0.0",
        "::"
      ],
      "allowed": [],
      "blocked": ["dns.google", "dns.google.com", "dns.opendns.com", "dns.cloudflare-dns.com"],
      "allowListUrls": [],
      "blockListUrls": [],
      "allowedRegex": [],
      "blockedRegex": [],
      "regexAllowListUrls": [],
      "regexBlockListUrls": [],
      "adblockListUrls": ["https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/pro.plus.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/tif.txt", "https://nsfw.oisd.nl", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/anti.piracy.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/gambling.txt", "https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/nosafesearch.txt"]
    }
  ]
}

As you can see, that's a real mouthful compared to the short, snappy and easy to grasp way Blocky does it - and it's *still* less flexible and powerful. The rest of the package helps make up for it, though, with the raw speed and easy logging to database, webUI etc. I'll give it a spin on one of the LAN DNS and see how I get on with it.

Edit: Syntax (irony!), because Technitium/JSON requires all URLs in quotes or it won't work.
 
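An added worked example, not from the post above or from Technitium's own tooling, that does the range-to-CIDR conversion the post describes with Python's standard ipaddress module and emits a networkGroupMap in the shape of the config above. The longest-prefix lookup at the end is an assumption about how the map is evaluated, not documented Technitium behaviour.

```python
import ipaddress
import json

# Constructed from the ranges in the post: each person's devices occupy a
# plain "first-last" span, which the advanced blocking app will not accept,
# so every span has to become one or more CIDR blocks.
RANGES = {
    "eldest": [("10.100.0.30", "10.100.0.39")],
    "kids": [("10.100.0.40", "10.100.0.69")],
}


def range_to_cidrs(first: str, last: str) -> list[str]:
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks."""
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    if end < start:
        raise ValueError(f"range end {last} precedes start {first}")
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def build_network_group_map(ranges: dict[str, list[tuple[str, str]]]) -> dict[str, str]:
    """Build networkGroupMap: catch-all default first, then one entry per CIDR."""
    group_map = {"0.0.0.0/0": "default"}
    for group, spans in ranges.items():
        for first, last in spans:
            for cidr in range_to_cidrs(first, last):
                # Overlapping spans assigned to different groups are a config bug.
                if cidr in group_map and group_map[cidr] != group:
                    raise ValueError(f"{cidr} already assigned to {group_map[cidr]}")
                group_map[cidr] = group
    return group_map


def group_for_client(group_map: dict[str, str], client_ip: str) -> str:
    """Resolve a client to a group by longest-prefix match (assumed semantics)."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for cidr, group in group_map.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, group)
    return best[1]


if __name__ == "__main__":
    # Paste the resulting object into the advanced blocking app's config.
    print(json.dumps({"networkGroupMap": build_network_group_map(RANGES)}, indent=2))
```

Adding a range for each of the other family members to RANGES is enough to grow the map; any accidental overlap between two people's spans is reported instead of silently overwritten.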
My needs are as fast as I can get vs power usage, it would appear Technitium wins in that context. Let's hope they add better functionality/features soon!
Cache wins every time in this test at least vs pihole.
 
Currently checking out the alternative DNS services mentioned in this thread and thought I'd switch to Quad9 and spin up a pihole container on a spare Intel i3 NUC.

This might be a pihole question, but I think it's DNS related. With just the default master block list, and the four Quad9 DNS boxes ticked I get plenty of ‘DNS_PROBE_POSSIBLE’ browser messages and failed loading of pages. Refreshing or waiting, then the page will eventually load. No blocked domains in pihole log.

The NUC doesn't seem to be choking, resource wise.

What's a common cause of pages not loading first attempt, then being allowed through?
 
Some initial testing on a Beelink SER5 (Ryzen 5500u, 16GB RAM, 512GB NVMe) shows that per 10,000 queries AdGuard Home is fastest at resolving at around 400 queries per second and 2ms response time, with 3% CPU usage. Blocky was much slower at 60qps (I suspect the number of goroutines needs tweaking up) and still 2ms response time with 7% CPU usage. Technitium managed the same 400qps as AGH, with 2ms response times but 25% CPU usage(!). I suspect a combination of dotnet rearing its head, advanced blocking app (three sets of custom filtering) and logging queries to SQL there.

All upstreams and filter lists were the same across tests. Overall I still prefer Technitium objectively, mostly because of the fact it can also be authoritative DNS for your domain(s) while staying recursive for regular DNS queries. AGH is ingrained in me now (I've used it since the first alpha launch), so it's hard to ditch it completely - especially with such good performance in recent versions. I figured some of you may find these limited results interesting.
 
How does this actually block malware? I'm sure you can still download dodgy apps and get viruses. Does it just stop people going to torrent sites etc by pointing them back to local host or error 404?
It returns null replies for queries that would result in known bad addresses (C&C servers, phishing, malware delivery etc). As previously noted, however, its efficacy is woeful compared to Quad9 (9.9.9.9, 2620:fe::fe).
 
I’ve been using ControlD for about a year now after switching over from NextDNS. Handy for the redirect stuff and it’s now officially integrated with Tailscale similar to NextDNS, too.
 
I've used NextDNS for the past year now and it's amazing: anonymous ECS for better privacy while still getting that performance of ECS and ISP caches. It's incredibly fast, faster than both cloudflare and google and tied with quad9 for me. Great malware blocking, you can customize what lists you want; for me I'm using OISD, Adguard DNS and Hagezi Pro++. I also have a docker compose file setup (although not currently using, just for testing purposes) with Unbound + Redis Cache in recursive mode and PiHole, which works great but it's a hassle to use when outside the home, doesn't support ECS ootb and is a pain to setup (which I'm also sure doesn't matter if at home, but if I'm out and about I'd like to have the performance benefits). NextDNS is a great company with a 'you see what we log' policy, meaning that everything that they log is accessible to you on their website. You also don't have to set anything up locally with the pain of installing things on your Linux box, you just go to their website and create an account, choose what blocklists you need and what options you'd like and then it's set and forget. Some people don't want to manage their own DNS as things can break, it takes time to setup and repair, and also unbound can be a bit slow at times, but with something like NextDNS you are benefiting from global cache, incredibly fast response times and basically no advanced technical knowledge needed.
 