DNS Security and Privacy — Choosing the right provider
There are many options for DNS security and privacy available right now. You do not need to use your ISP DNS or plain-text DNS anymore and open yourself to DNS hijacking, sniffing and abuse by third parties (looking at your Marriot).
However, with all great options out there (eg: 18.104.22.168, 22.214.171.124, 126.96.36.199), come great responsibilities. Which provider to choose? Which protocol to choose? DNSCrypt? DNS over HTTPS or TLS? What about DNSSEC? …
I compared the performance of some providers a few weeks ago, but performance is not the the primary metric you should be using when selecting your DNS provider. In reality, when you compare the performance difference between most of the providers we tested, the 10–15ms of difference won’t be noticed at all by the end user. Performance is good, but does not comes first.
If performance is not the most important metric, which one is it?
I think you need to look at these 3 key categories:
1- DNS Privacy and Security (data encryption, logging, 3rd party sharing)
2- DNS Response Integrity (DNSSEC support)
3- DNS Filtering needs (restricting malicious domains or parental control)
And select the one that fits your needs the most. For myself, I put privacy and security first, since it is so critical right now for me. So, I will start there and choose a provider that offers that. If it can do the additional features, it is just an icing on the cake.
This is an opinion piece, so please correct me if I am wrong or if you disagree. I love to change my mind when I am wrong.
DNS Privacy and Security
Everyone should be using encrypted DNS by now. But very few people do. I blame on the operating systems that do not make it any easy to switch and configure DNS. However, dnscrypt-proxy is probably the best tool out there to get started. It is open source, easy to install and supported pretty much anywhere. It is the best way to get started with DNS privacy (and it supports both DNSCrypt and DNS over HTTPS)
I even wrote a quick guide on how to get started with it here: Ending DNS Hijacking with DNSCrypt
Why I mention it? Because a protocol is only as useful as the support it gets from the community. So when choosing a protocol, we will pick one that we can use with it.
Running your own
Unpopular opinion now. If you care about privacy, do not run your own DNS resolver at home. Your ISP will be able to see all the requests between your resolver and the authoritative servers, as there is no way to encrypt that communication. For the most paranoid (and technical), I would recommend running a DNS resolver in the cloud with DNSCrypt or DOH and using that instead.
DNS Privacy with: DNS over HTTPS (DoH)
DNS over HTTPS is my first choice for DNS privacy. It is a pretty new protocol, but is getting wide support and in my view is the future for DNS. It is the most difficult protocol to block and track, since it also requires affecting HTTPS traffic. And it is also pretty simple to implement and test.
I expect all major providers to add support to it very soon (Firefox is shipping with DNS over HTTPS in their next version)
What choices you have:
- Google’s 188.8.131.52 — Anycast DNS, unfiltered. Used by 12% of the web, 184.108.40.206 is the leader in DNS.
- CloudFlare’s 220.127.116.11 — Anycast DNS, unfiltered. New player with good performance. I consider CloudFlare's and Google at the same level, with the same options and support.
- CleanBrowsing — Anycast DNS, restricts adult content — for parent control. Very good performance, but for a specific niche.
These 3 are the only providers supporting DoH right now that I could find. All 3 do not track your requests, support DNSSEC and have good privacy promises. Yes, even Google promises not to track your requests or store identifiable when using their DNS.
Depending on your needs, I would pick one of the three above.
DNS Privacy with: DNSCrypt
DNSCrypt comes second after DNS over HTTPS. The protocol has been around the longest and is supported by dnscrypt-proxy. Quite a few providers offer it and others are promising to add.
- OpenDNS — Anycast DNS, unfiltered or with a parental control option. OpenDNS was the first free and open DNS, but is losing ground to the new players (Google, Quad9, CloudFlare) and on the family filter (for CleanBrowsing). Con: Does not support DNSSEC.
- OpenNIC — OpenNIC is a distributed DNS being run by many privacy enthusiasts. Some of the servers support DNSCrypt, which is a great option. Con: You don't really know who is running those servers and if they are true to their promise not to log and track you.
- AdGuard — Ad blocking. Lacks in performance, but has a good community that likes what it offers. Niche specific.
- Comodo — Anycast DNS, blocks malicious domains. Con: How they handle logging and the DNS data is unclear. No support for DNSSEC.
- Yandex — Russia-only DNS, unfiltered, with an option to block malicious domains or with a parental control option. Con: very slow outside of Russia and unclear how they handle the DNS data.
There is a full list of providers here that support DNSCrypt.
DNS Privacy with: DNS Over TLS
The final option in my list is DNS over TLS. The protocol is great, in fact, it should be faster than DNS over HTTPS as it reduces the HTTPS burden from the protocol. However, it does not have a very good client support yet -so I put performance second. It might change soon with Android adding support for it. But so far, it is my last choice.
Options we have:
- Quad9: Quad9 is a provider that I have been using and liking it very much. It blocks access to malicious domains and they seem to have gotten pretty good at it. Supports DNSSEC and has some strong performance and goes toe to toe with CloudFlare and Google + has the benefits of blocking malicious domains. Con: It does not support DoH nor DNSCrypt, making it harder to use it securely.
And that's all folks. I hope I was able to provide some clarity on the providers and options available. Choose with care, do your own research and let me know via the comments if I made any mistake. If I forgot any provider, I am sorry, let me know I will add them later.