@InAnimaTe

InAnimaTe/dns.md Secret

Last active May 29, 2023 16:19
Best DNS Servers

Public DNS Resolvers

Breakdown of the top public DNS resolvers and their features, especially as they relate to security.

Cloudflare - "Malware Blocking"

Malware blocking, EDNS, DNSoTLS, DNSSEC

  • 1.1.1.2
  • 1.0.0.2

Quad9 - "EDNS Enabled"

Malicious blocking, EDNS, DNSoTLS+DNSCrypt, DNSSEC

  • 9.9.9.11
  • 149.112.112.11

OpenDNS - Main Resolvers

EDNS, DNSCrypt, DNSSEC, SmartCache (last known good)

  • 208.67.222.222 (resolver1.opendns.com)
  • 208.67.220.220 (resolver2.opendns.com)

Google

EDNS, DNSoTLS, DNSSEC

  • 8.8.8.8
  • 8.8.4.4

Family DNS - Blocking Malware + Adult Content

Cloudflare

  • 1.1.1.3
  • 1.0.0.3

DoH - https://family.cloudflare-dns.com/dns-query

OpenDNS FamilyShield

  • 208.67.222.123
  • 208.67.220.123

DoH - https://doh.familyshield.opendns.com/dns-query

AdGuard

  • 94.140.14.15
  • 94.140.15.16

DoH - https://family.adguard-dns.com/dns-query

Two Encryption Technologies

DNS over TLS

DNSCrypt

For Android

I've recently started using AdGuard on my Android device. It supports DNS over TLS/HTTPS servers with parallelization.

Here are the servers I use via their Custom Server option:

sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ
tls://1.1.1.2
tls://dns11.quad9.net
tls://dns.google

In order, these are:

  1. OpenDNS w/DNSCrypt (see AdGuard Known Servers List)
  2. Cloudflare "Block Malicious" DNS-over-TLS
  3. Quad9 Block Malicious, DNSSEC, EDNS DNS-over-TLS
  4. Google DNS-over-TLS
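
An `sdns://` entry is an opaque blob, so it is worth decoding before trusting it as a resolver. The following is an added example (not part of the original gist) that parses a DNSCrypt stamp according to the public DNS Stamps layout and shows which address, provider name and public key the first entry above pins; the function and constant names are my own.

```python
import base64

# Stamp copied from the server list above (entry 1, OpenDNS w/DNSCrypt).
STAMP = ("sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI"
         "1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ")

# Informal property bits defined by the DNS Stamps format.
PROP_BITS = {1: "DNSSEC", 2: "no logs", 4: "no filtering"}


def _read_lp(buf, pos):
    """Read one length-prefixed field; return (value, next position)."""
    if pos >= len(buf):
        raise ValueError("truncated stamp")
    end = pos + 1 + buf[pos]
    if end > len(buf):
        raise ValueError("field runs past end of stamp")
    return buf[pos + 1:end], end


def decode_dnscrypt_stamp(stamp):
    """Decode a DNSCrypt (type 0x01) stamp into its pinned values."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    body = stamp[len("sdns://"):]
    # Stamps are unpadded URL-safe base64; restore padding before decoding.
    raw = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    if len(raw) < 9 or raw[0] != 0x01:
        raise ValueError("not a DNSCrypt (type 0x01) stamp")
    props = int.from_bytes(raw[1:9], "little")
    addr, pos = _read_lp(raw, 9)
    pk, pos = _read_lp(raw, pos)
    name, pos = _read_lp(raw, pos)
    if len(pk) != 32:
        raise ValueError("provider public key must be 32 bytes")
    if pos != len(raw):
        raise ValueError("unexpected trailing bytes")
    return {
        "address": addr.decode("ascii"),
        "provider": name.decode("ascii"),
        "public_key": pk.hex(),
        "props": [label for bit, label in PROP_BITS.items() if props & bit],
    }


if __name__ == "__main__":
    for key, value in decode_dnscrypt_stamp(STAMP).items():
        print(f"{key}: {value}")
```

Compare the decoded public key with the fingerprint the provider publishes before adding a stamp from any third-party list. The property flags are self-declared by whoever built the stamp, and this one sets none of them.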
@InAnimaTe
Author

See these for information on setting up more secure resolving on Mac:

@InAnimaTe
Author

For performance information, see https://www.dnsperf.com/

@StevenACoffman

Nice! I always get tangled up trying to pick between dnsmasq, knot-resolver, etc. Any thoughts?

@InAnimaTe
Author

I've got pretty deep experience with dnsmasq, which has always been incredibly simple and reliable. I've only just recently heard of knot-resolver and hear it's the go-to when doing DNSoTLS on Mac. I'll share more when I actually get that working, but for now I'm just more focused on ensuring I'm using multiple strong resolvers on my gateways (and possibly finding a way to append/tail on Mac just like resolvconf offers on Linux).
