DNS determines where my devices go asking for directions on their way about the internet. My DNS setup thus has impacts upon my security, safety and convenience. My default DNS from my ISP is subject to AFAICT the highly criticised within which your local council gets to know where you are browsing.
- I would like a DNS services that does not record where I browse, so that I am less easily tracked and profiled by corporate interest or nascent police states etc. One way to fix this is with a VPN, but if I don’t want that overhead, I can also encrypt my DNS queries with the right DNS server.
- I would like a DNS server that does not spoof sites. For example, when I work in Indonesia if I try to visit videos from vimeo, I cannot do so without DNS hacks because otherwise I am redirected to a site which tells me that vimeo is pornographic (!). In China I understand this is one way they enforce the great firewall. One way around this is DNSSEC, which is a verified DNS standard which is somewhat painful to set up.
- I would like a DNS service that is deliberately broken and will simply not work for malevolent sites such as malware distributors and advertisers, because filtering this myself is becoming difficult with some browsers. Some people maintain their own blocklists, but I am sometimes happy to entrust a third party DNS provider with this power if they seem trustworthy.
Alternate DNS servers
There are fancy DNS servers operated by e.g. Cloudflare and Adguard which offer value added features such as censoring advertisers (and optionally “family unfriendly” content) by simply not resolving them and DNS-over-TLS.
Cloudflare is American and has enabled Nazi speech. Adguard operate in a Russian jurisdiction. What the risk and benefit profiles of these organisations I will leave you to decide for yourself.
Cisco’s opendns will do ad blocking, but not TLS-comaptible.
Whirlpool’s list of DNS Servers to use in Australia. AFAICT only my ISP is required to log my DNS usage, so presumably I improve privacy somewhat by using any DNS server that is not my ISP’s.
CCC’s recommended DNS servers globally:
- 126.96.36.199 (FoeBud)
- 188.8.131.52 (f.6to4-servers.net, ISC, USA)
- 2001:4f8:0:2::14 (f.6to4-servers.net, IPv6, ISC)
- 184.108.40.206 (dns.as250.net; Berlin/Frankfurt)
- 220.127.116.11 (dnscache.berlin.ccc.de)
The Google Public DNS IP addresses (IPv4) are as follows:
The Google Public DNS IPv6 addresses are as follows:
Blocking some DNS records
I could do this myself with dnsmasq plus much love and attention and OCD, but I’m not quite anal retentive enough to get around to it. More comfortable might be to run a single board computer or vm as a net filter via pi-hole, which gives a nice GUI and monitoring system
Encrypting DNS for privacy
This, de facto, means a standard called DNS-over-TLS.
The encrypted and verified DNS option is
Presumably we should all be using this, but it still looks
painful, at least on macOS.
The server app of choice seems to be
However, this doesn’t seem convenient for any platform I’m using,
so DNS-over-TLS is a good stopgap I guess, which means using
So I’m going to reconfigure my DNS to be more secure. To do this I will update DNS servers to be some DNS-over-TLS servers. and flush out the old poisoned records.
The OS can benefit from a DNS flush; but also the browser can keep stinky stale records around. Clearing browser DNS caches is also advised.
tl;dr you can and should use fancy encrypted DNS servers,
but you can make life somewhat better by simply putting a new DNS service in your
If I want to encrypt,
see Linuxbabe on DNS-over-TLS for Ubuntu
using some app called
I presume it is doing something to improve my confidentiality.
In practice installing it is easy. On e.g. Ubuntu, this is as simple as
sudo apt install stubby
Settings go in a text file
/etc/stubby/stubby.yml; there is no
The default settings work, but are slow.
Then I am running your own DNS thingy on
127.0.0.1 (IPv4) or
0::1 (IPv6) on port 53 which will in turn forward queries to the DNS-over-TLS servers I configured.
Now! We have an easy-to-remember secure DNS server to put into the ‘dns server’ box of the wifi settings window.
Shortcoming: the GUI config for network settings in Ubuntu seems to want me to
configure it anew for every
different Wifi network, for both IPv4 and IPv6. Needs a universal workaround.
I think this is achievable via
Having done that, I also needed to flush out the bad old records. stackoverflow
sudo systemd-resolve --flush-cache sudo systemd-resolve --statistics
Changing the default DNS is plain obvious (system settings).
DNS flush command keeps changing, eh? I think this is the latest:
sudo dscacheutil -flushcache sudo killall -HUP mDNSResponder
One simple way seems to be the app dnscloak?
Fancy stubby config
Pro-tip if you use stubby and you want faster DNS, don’t rotate through the default long list of slow servers settle on a short list of fast servers and rotate through them, disabling the others. e.g. Adguard and cloudflare:
upstream_recursive_servers: # Adguard servers - address_data: 18.104.22.168 tls_auth_name: "dns.adguard.com" - address_data: 22.214.171.124 tls_auth_name: "dns.adguard.comcloudflare-dns.com" #CloudFlare servers - address_data: 126.96.36.199 tls_auth_name: "cloudflare-dns.com" - address_data: 188.8.131.52 tls_auth_name: "cloudflare-dns.com"
You can choose whether to rotate though them constantly or not with the following parameter:
There is a (more) fully secure version of DNS-over-TLS where you verify the
server’s keys, presumably over a trusted network, to ensure you are connecting
to the correct server.
To find the encryptey verify key whatsit for
184.108.40.206 I am told you do this:
echo | openssl s_client -connect '220.127.116.11:853' 2>/dev/null | \ openssl x509 -pubkey -noout | \ openssl pkey -pubin -outform der |\ openssl dgst -sha256 -binary | \ openssl enc -base64
Surely this step is in itself vulnerable to spoofing, because I need to trust some set of intermediate certificates? Anyway, this should at least detect server identity changes hereafter? Probably?
If we do that, we get the following config. (You can copy this from me, but obviously it would be wiser to verify for yourself because if our identifiers differed it would mean we were being messed with).
upstream_recursive_servers: # Adguard servers - address_data: 18.104.22.168 tls_auth_name: "dns.adguard.com" tls_pubkey_pinset: - digest: "sha256" value: ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc= - address_data: 22.214.171.124 tls_auth_name: "dns.adguard.com" tls_pubkey_pinset: - digest: "sha256" value: ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc= # The Cloudflare servers - address_data: 126.96.36.199 tls_auth_name: "cloudflare-dns.com" tls_pubkey_pinset: - digest: "sha256" value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU= - address_data: 188.8.131.52 tls_auth_name: "cloudflare-dns.com" tls_pubkey_pinset: - digest: "sha256" value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU= #You probably also want to avoid little accidents by configuring IPv6 also? # Adguard servers - address_data: 2a00:5a60::ad1:0ff tls_auth_name: "dns.adguard.com" tls_pubkey_pinset: - digest: "sha256" value: ybDpit7lTjHwhKRdnqfDxfyg+SDCnCafOtmZJAb9Foc= - address_data: 2a00:5a60::ad2:0ff tls_auth_name: "dns.adguard.com" tls_pubkey_pinset: - digest: "sha256" value: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
For bog standard purposes, a cheap registrar is fine. I use GANDI (and that is my affiliate link, use it to give me 5 Euros please).
For privacy-enhanced tinfoil-hat business, one might wish to anonymously own a domain. I am not sure about all the mechanics of this, but here are some recommendations I was given when I was curious about it:
We’re not actually a domain name registration service, we’re a customer to these. We sit in between the domain name registration service and you, acting as a privacy shield.
When you purchase a domain name through Njalla, we own it for you. However, the agreement between us grants you full usage rights to the domain. Whenever you want to, you can transfer the ownership to yourself or some other party.
PRQ is a 1337-lookin’s swedish domain registrar that host weird hacker stuff.
Vindo offers anonymous domain registration as part of its hosting.