DNS Providers - Who to trust?

[Tech9]

It's funny how people talk about "privacy" and voluntarily install microphones and cameras in their homes, use vacuum cleaners making detailed maps of their homes and light switches recording when bathroom light comes on and off, door bells reporting when they come or leave home or go on a vacation and uploading pictures of the entire family, cars connected to the mothership at all times recording trips... with information stored on some unknown servers including in "unfriendly" countries overseas.

 

[Untried3868]

And?
Your statement makes zero sense to me.
So what if they get this or that info about me?
I have a Google, Apple and Microsoft accounts, pay for storage with each of them. Buy products from all you listed. What more could they get from my DNS lookups? My IP address?

I was referring to your comment about chasing privacy being a foolish pursuit. Sorry, I thought that was clear when I only quoted that statement.

All of the companies I mentioned gobble up any and all information they can grab from your internet activities. And would be happy if you did nothing at all to protect your privacy.

Am I wrong in the belief that each step you take towards protecting privacy is a layer (think onion) and more layers is better than none at all?

I don't understand your confusion.

 

[Tech9]

Am I wrong in the belief that each step you take towards protecting privacy is a layer (think onion) and more layers is better than none at all?

You didn't tell what exactly makes it better though. What is the noticeable improvement in your life for example since you started protecting your privacy this way through DNS filtering? Because this thread is for "DNS providers". In my experience chasing "privacy" with major global service providers is hurting own user experience only. They provide free of charge services in exchange of monetizable data.

 

[Untried3868]

You didn't tell what exactly makes it better though. What is the noticeable improvement in your life for example since you started protecting your privacy this way through DNS filtering? Because this thread is for "DNS providers". In my experience chasing "privacy" with major global service providers is hurting own user experience only. They provide free of charge services in exchange of monetizable data.

Private DNS would be a single layer of protection (of many hopefully). Would this not prevent (or at least impede) your ISP from harvesting and selling user data? Would using ad-blocker, malicious content, etc. lists be another layer of protection by reducing potential attack vectors?

I realize "chasing privacy" is a daunting, never ending task. But I figure why make things easy for user data harvesters? I do what I can to protect what I can. And honestly I've not noticed any issue with my user experience in doing so.

 

[Tech9]

Would this not prevent (or at least impede) your ISP from harvesting and selling user data?

No, they connect you to the outside world and can recreate quite accurately browsing history by IP address including quite accurate device recognition on your network. Global service providers still get the data they need by other means totally unrelated to DNS. This also includes linking your actual name and location to the data collected. You have to unplug your home Internet and stop using any communication devices to prevent it. Stop using any bank accounts and cards, wear a mask at all times against face recognition. Cabin in the woods works best, we have discussed the option in the past.

Would using ad-blocker, malicious content, etc. lists be another layer of protection by reducing potential attack vectors?

Highly unlikely to provide any real protection. It will more likely cause false positives negatively impacting user experience. If you go too aggressive and with own filtering based on community blocklists - even worse. What you have against potential attack as DNS/IP filtering is visible to the potential attacker as well, makes it easier. Sorry, Quad9 or CleanBrowsing upstream are doing better job than your Unbound with Pi-hole in both performance and protection. Your Skynet is from minimally useful for self-limiting to totally useless for protection. Many folks just deploy additional complications to get false sense of privacy and security.

 

[Tech9]

But I figure why make things easy for user data harvesters?

You have no chance. Fast data processing centers link the information in seconds no matter what you do. Your measures to make it harder may slow down the process to minutes. I have worked on projects for "the other side" in the past. If I'm providing ISP services and mobile data services to you my servers will contain all your personal information in details, accurate browsing habits, the number and model devices you have in use and even separate browsing habits for each one including when behind your own router. On top I'll have your current exact location and movements history, very likely including family members as well. I can tell you your work place address, how many times you shop at Walmart on your way back home and refuel your car at Esso for specific period of time and eventually send you compliments about your new hairstyling. I may monetize the information through my so called "affiliate network" because it's written in the service contracts and you have agreed to it. This advertisement you receive from Walmart or Esso for sales events may not be linked to Microsoft, Google or Apple at all. Your filtering may hide the advertisement only. Everything else remains unchanged, business as usual. I may exchange information with your bank, they do the same on their end. The government may require specific information about you (and they often do) and I may have to comply in order to renew my business related licenses. This is valid even if I provide "no data retaining" public VPN service in this same jurisdiction. In this case I don't retain the data, someone else does.

Feel better? The electricity company thanks you for the extra power used by your Pi-holes with Unbound. They have % profit in every kW/h delivered to you. Little by little, it adds up.

 

[GHammer]

I was referring to your comment about chasing privacy being a foolish pursuit. Sorry, I thought that was clear when I only quoted that statement.

All of the companies I mentioned gobble up any and all information they can grab from your internet activities. And would be happy if you did nothing at all to protect your privacy.

Am I wrong in the belief that each step you take towards protecting privacy is a layer (think onion) and more layers is better than none at all?

I don't understand your confusion.

Well, @Tech9 summed it up nicely.
What I don't understand is the 'value' you seem to attach to your browsing data.
I really don't care about it. In fact, when I'm searching to buy something, I welcome lucid suggestions.
To each their own, but you aren't the first to think they are 'protecting' something valuable that if a company gets, they lose.
So, yes, I'm confused in that respect.

 

[Tech9]

In fact, when I'm searching to buy something, I welcome lucid suggestions.

Exactly one of the reasons I don't enforce DNS-blockers network-wide on my home networks. You get a link in Google Search with quite relevant suggestion and can't open it because it's an advertisement.

 

[Untried3868]

You have no chance.

Well that's downright depressing. It seems I have a lot to unpack here, and an internet strategy to rethink.

 

[Tech9]

internet strategy

It's not Internet only. Big companies have head start and technological advantages. The world is connected and the number of connections grow exponentially. When you go to a retail store you may notice devices like oversized access points on the ceiling. They are LiDAR/RFID sensors used mainly for inventory systems, but also collect customer behavior data. They track you and know where you stop to look, what you pick. On your way out you pay with credit card, your name is on it. A camera links your name to your face. Even if you don't go online ever a very accurate profile about you may be already present. And not customer X profile, but exactly John Smith profile, 42y.o., Caucasian, phone number A, address B, workplace C, car model D... wife Jane Doe, 40y.o., Caucasian... you get where it is going. You may think Google is serving you ads about the products you are interested in because they analyze your Internet activities, but the information about you may be coming from multiple different sources.

 

[New2This]

just to add..
Beacon technology in retail has been generating buzz since Apple introduced Bluetooth beacons to the market in 2013. By 2016, beacon technology in the retail industry was worth $280.6 million, and it’s projected to reach more than $26 billion by 2026.

 

[Untried3868]

Which is why my phone has Wi-Fi and bluetooth disabled when I leave the house, use no "courtesy" cards, and pay with cash as much as possible.

Small steps to take, layers if you will. But convenience is winning out over privacy. Don't even get me started on Flock.

Apologies to the OP for derailing the thread.

 

[jarip]

Best to leave your phone at home, or turn the airplane mode on:

Your Phone Silently Sends GPS to Your Carrier

• Your carrier can silently request your GPS coordinates via RRLP (2G/3G) and LPP (4G/5G) protocols
• This happens at the baseband level — below the OS, invisible to apps, immune to location permission toggles
• No authentication required — the phone just responds to any properly formatted request
• Used by law enforcement (DEA, 2006+), intelligence agencies (Shin Bet), and carriers selling data to third parties
• Apple's iOS 26 + C1 modem is the first real fix — but only on iPhone 16e, and Android has nothing equivalent
• You can't opt out at the software level. Location permissions don't touch the control plane. The only reliable defense is physical (airplane mode, Faraday bags)

 

[Tech9]

Cell phone carriers can determine location quite accurately by triangulation. This positioning method was available long before the devices had built-in GPS receivers and used by emergency services even today.

 

[degrub]

Best to leave your phone at home, or turn the airplane mode on:

Your Phone Silently Sends GPS to Your Carrier

Just having the phone powered on is enough.

 

[Untried3868]

Best to leave your phone at home, or turn the airplane mode on:

Your Phone Silently Sends GPS to Your Carrier

Unfortunately I have to have the phone with me due to caring for aging parents that might need to reach out in an emergency. Otherwise the cell phone would remain at home.

 

[Tech9]

But convenience is winning out over privacy.

This is where our conversation started. Find the balance.

 

[Centrifuge]

Unfortunately I have to have the phone with me due to caring for aging parents that might need to reach out in an emergency. Otherwise the cell phone would remain at home.

I mean, it's all about balance and knowing where you are on the privacy and security spectrums. Absolutes may not exist. I just want to access the internet without being measured or establishing some kind of profile for marketing or otherwise. If I connect to a public wifi I want it routed through my own Self-hosted DNS which is authoritative for local zones, fully recursive for everything else, no upstream resolver. I want to be able to tunnel through that airport or hotel wifi that won't resolve anything if I use a vpn, so I use tailscale. Fark them. I'm not hiding anything but if folks like us don't try, then the speed at which we are losing our liberties will accelerate even more.

 

[Zastoff]

My approach on DNS trust "privacy" is confusion
Personally i prefer DNSCrypt-proxy v2.1.15
A Anonymized DNSCrypt, ODoH setup with around 10 good/fast dns servers in my region with 3 relays for each server (automatically randomized by dnscrypt-proxy installer) ,
Load-balancing set to "random" also dnscrypt ephemeral keys (unique key for every single DNS query)
& Disable TLS session tickets for DoH (ODoH)
And some devices on my network is set not to use this setup via DNS Director (Chomecast device and some kids school device and work related phones/computers)
Connect to WG or OpenVPN server (randomly) when not a home and InviZible Pro app if home network is unreachable
A bit boring/time-consuming to setup but when it`s done it just work & rarely needs any reconfiguring.
(l change some servers/relays anyway when bored, even have different tomls (dnscrypt-proxy settings file) for fast switching setups.

Can probably map the dns traffic anyway if they want but think it would be confusing/time consuming since sessions/keys/relays & servers change randomly.

 

[XIII]

My approach on DNS trust "privacy" is confusion

Maybe you're confusing me, but don't those ~10 DNS servers need your IP address to send answers for your queries?

If so, it should be rather easy for them to profile you (like any other user/customer).