Best DNS Servers

dns.md

Public DNS Resolvers

Breakdown of the top Public DNS Resolvers and their features, especially as it relates to security.

Cloudflare - "Malware Blocking"

Malware blocking, EDNS, DNSoTLS, DNSSEC

• 1.1.1.2
• 1.0.0.2

Quad9 - "EDNS Enabled"

Malicious blocking, EDNS, DNSoTLS+DNSCrypt, DNSSEC

• 9.9.9.11
• 149.112.112.11

OpenDNS - Main Resolvers

EDNS, DNSCrypt, DNSSEC, SmartCache (last known good)

• 208.67.222.222 (resolver1.opendns.com)
• 208.67.220.220 (resolver2.opendns.com)

Google

EDNS, DNSoTLS, DNSSEC

• 8.8.8.8
• 8.8.4.4

Two Encryption Technologies

DNS over TLS

• https://en.wikipedia.org/wiki/DNS_over_TLS
• https://tools.ietf.org/html/rfc7858

DNSCrypt

• https://www.dnscrypt.org/
• https://en.wikipedia.org/wiki/DNSCrypt

For Android

I've recently started using AdGuard on my Android device. It supports DNS over TLS/HTTPS servers with parallelization.

Here's the servers I use via their Custom Server option:

sdns://AQAAAAAAAAAADjIwOC42Ny4yMjAuMjIwILc1EUAgbyJdPivYItf9aR6hwzzI1maNDL4Ev6vKQ_t5GzIuZG5zY3J5cHQtY2VydC5vcGVuZG5zLmNvbQ
tls://1.1.1.2
tls://dns11.quad9.net
tls://dns.google

In order, these are:

1. OpenDNS w/DNSCrypt (see Adguard Known Servers List)
2. Cloudflare "Block Malicious" DNS-over-TLS
3. Quad9 Block Malicious, DNSSEC, EDNS DNS-over-TLS
4. Google DNS-over-TLS

See also, https://techsmix.net/dnscrypt-on-the-edgerouter-lite/

See these for information on setting up more secure resolving on Mac:

• https://zerotoroot.me/dns-security-post/
• https://phiffer.org/2018/04/02/dns-over-tls-on-macos

For performance information, see https://www.dnsperf.com/

Nice! I always get tangled up trying to pick between dnsmasq, knot-resolver, etc. Any thoughts?

I've got pretty deep experience with dnsmasq which has always been incredibly simple and reliable. I've only just recently heard of knot-resolver and hear its the goto when doing DNSoTLS on Mac. I'll share more when I actually get that working but for now I'm just more focused on ensuring I'm using multiple strong resolvers on my gateways (and possibly finding a way to append/tail on Mac just like resolveconf offers on linux).