I will be giving a presentation on Defensive Computing at the HOPE conference in New York City in July 2022. The talk is based on my Defensive Computing Checklist website. The conference runs from July 22nd through the 24th, I am scheduled for the 23rd at 1PM ET. Attending in person costs $200 for all three days. You can also stream the entire conference live for $99. More about the talk here.
There are many choices for DNS providers and the default, using DNS servers from an ISP, is the worst option. Some options are below; the list is far from complete. DNS can be a great way to get ad blocking, tracker blocking and/or malware blocking without having to install software.
Old insecure DNS is specified with IP addresses (normally two of them). New Secure DNS is specified with a server name. Typically a company offers one server for DoH and another for DoT. That said, the two secure DNS flavors use different TCP ports, so they could both be available on a single server.
To test which DNS system/servers your computer is using, see the many available tester pages on the Test Your DNS page.
- The main Quad9 service offers malware protection. More here.
IP addresses: 18.104.22.168 and 22.214.171.124 | DoH: https://dns.quad9.net/dns-query | DoT: tls://dns.quad9.net
- Cloudflare offers three different DNS services. The original service does no filtering. In April 2020, Cloudflare introduced two filtering DNS services. See an overview.
No filtering: 126.96.36.199 and 188.8.131.52 | DoH: https://cloudflare-dns.com/dns-query
Block malware: 184.108.40.206 and 220.127.116.11 | DoH: https://security.cloudflare-dns.com/dns-query
Block malware and porn: 18.104.22.168 and 22.214.171.124 | DoH: https://family.cloudflare-dns.com/dns-query
- My personal preference is NextDNS which blocks ads and trackers. It is a free service, up to a point. You do not need an account to use NextDNS but there are advantages to creating one such as using Secure DNS and configuring block/allow lists. NextDNS allows you to create customized DNS profiles for a group of your devices, for a single device or even just for a single browser on one device. These customized profiles can have their own block/allow lists. NextDNS can also do logging, of both allowed and blocked DNS requests. Setup instructions for all supported operating systems are available on their website after you click on the blue Try it now button on the home page. This generates a free temporary account good for 7 days. The setup instructions will include IP v4 addresses for old insecure DNS. Unlike other DNS providers, these IP addresses seem to vary, but expect them to start with 45.90.
In the below, xxxxxx is the NextDNS profile ID. A NextDNS account can have one or more profile IDs. Generic refers to all devices/browsers that share a profile ID. Customized refers to naming a specific device/browser within a given profile. Customization is very useful when logging DNS requests.
DoT Generic: xxxxxx.dns.nextdns.io | Customized:
DoH Generic: https://dns.nextdns.io/xxxxxx | Customized: https://dns.nextdns.io/xxxxxx/MichaelsLaptop
Chrome browser -> Use Secure DNS with Custom: same as DoH above
Firefox browser -> Enable DNS over HTTPS with Custom: same as DoH above
Android Private DNS Generic: xxxxxx.dns.nextdns.io | Customized: MichaelsFone-xxxxxx.dns.nextdns.io
- VPN company Mullvad offers two free DNS services to the public, as well as to their customers. One service is unfiltered, the other blocks ads. Each service is offered either by IP address, DoH or DoT.
Note that their Secure DNS server names are the same for both DoH and DoT (despite "doh" being in the name). This is possible because DoT uses port 853, while DoH uses port 443. More
No filtering: 126.96.36.199 and 188.8.131.52 | DoH and DoT: https://doh.mullvad.net/dns-query
Block ads: 184.108.40.206 and 220.127.116.11 | DoH and DoT: https://adblock.doh.mullvad.net/dns-query
Android Private DNS: specify without "https://" in front and without "/dns-query" at the end.
- OpenDNS offers some malware protection by not resolving/translating known bad website names. Their standard service IP addresses are: 18.104.22.168 and 22.214.171.124
- AdGuard offers both free and commercial services and the line between them is confusing to me. They offer three DNS services, the main one blocks ads, tracking and phishing. Their Family Protection service does this too and adds the blocking of adult websites and a Safe search. They also have a non-filtering DNS service. They also offer installable ad-blocking software for Windows, Mac, Android and iOS. Their AdGuard DNS is in beta as of March 2022. For more see Connecting to a public AdGuard DNS server.
Blocks ads, tracking, phishing:
IPv4: 126.96.36.199 and 188.8.131.52
IPv4: 184.108.40.206 and 220.127.116.11
- Control D is a new service (released in 2021) from the developers of Windscribe. There are free and paid services and good luck drawing the line between them. There are about six standard configurations plus you can create a custom configuration. Quoting: "CONTROL D is a fully customizable DNS service, similar to Pi-Hole, AdGuard or NextDNS, but with proxy capabilities. This means it not only blocks things (ads, porn, etc), but can also unblock websites and services." More here. Their standard configurations include: no filtering; filtering malware; filtering malware, ads and tracking; filtering malware, ads, tracking and social; filtering malware, ads, tracking, Adult Content and Drugs. See too their blog Why You Should (and Shouldn't) Use Control D (June 2022). This may well be a fine service with many features (I have not used it), but I don't think they can explain it to non-techies.
- For a longer list of DNS providers, see Known DNS Providers from AdGuard
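The naming rules above (IP address for old insecure DNS, https:// name for DoH, tls:// or bare server name for DoT, and the Android Private DNS form of a DoH name) can be checked mechanically. This is an added example, not code from the Defensive Computing Checklist site; the function names are hypothetical and 192.0.2.53 is a constructed documentation address.

```python
import ipaddress
from urllib.parse import urlsplit

# DoT 853 and DoH 443 are the ports named above; 53 is standard plain DNS.
PORTS = {"plain": 53, "doh": 443, "dot": 853}

def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def classify(setting):
    """Return (transport, host, port) for one resolver setting."""
    s = setting.strip()
    if _is_ip(s):
        return ("plain", s, PORTS["plain"])  # old insecure DNS
    if "://" in s:
        url = urlsplit(s)
        kind = {"https": "doh", "tls": "dot"}.get(url.scheme.lower())
        if kind is None or not url.hostname:
            raise ValueError(f"unsupported setting: {setting!r}")
        return (kind, url.hostname, url.port or PORTS[kind])
    if not s or "/" in s or " " in s:
        raise ValueError(f"not a resolver setting: {setting!r}")
    # A bare server name is the form Android Private DNS (DoT) takes.
    return ("dot", s.lower(), PORTS["dot"])

def android_private_dns(doh_url):
    """Drop 'https://' and '/dns-query', keeping only the server name."""
    kind, host, _ = classify(doh_url)
    if kind != "doh" or _is_ip(host):
        raise ValueError("expected an https:// DoH URL with a server name")
    if urlsplit(doh_url.strip()).path != "/dns-query":
        # e.g. a NextDNS profile ID lives in the path and would be lost.
        raise ValueError("path carries settings; use the provider's DoT name")
    return host

def is_encrypted(setting):
    return classify(setting)[0] != "plain"

if __name__ == "__main__":
    # Constructed sample list: two names from the page, one documentation IP.
    for entry in ("https://doh.mullvad.net/dns-query", "tls://dns.quad9.net",
                  "192.0.2.53"):
        print(entry, "->", classify(entry), "encrypted:", is_encrypted(entry))
    print(android_private_dns("https://adblock.doh.mullvad.net/dns-query"))
```

The conversion refuses a NextDNS-style DoH URL because the profile ID sits in the path; for those, use the server name the provider lists for Android Private DNS.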
AD BLOCKING TESTER
If your DNS provider offers ad/tracking blocking, then you can see how well it is working at this tester page d3ward.github.io/toolz/adblock.html by Eduard Ursu. Note that it is possible your web browser is also doing some ad or tracker blocking of its own. For example, ad blocking is built into the Brave browser and it's available from many browser plug-ins.
Page Created: March 13, 2022
Last Updated: June 27, 2022 10PM CT