
DNS Providers - Who to trust?

bbunge
I know that network security is a moving target and it is important to feel comfortable with the services offered by providers. But, when I read the article about Cloudflare and the mis-issued certificates, I began to question the faith I had put in their DNS service. There are a couple of DNS providers I will not use because of their country associations or their questionable business practice. I also feel it is a good idea to use a DNS provider that filters malware sites, etc.
But what provider to use? Is it better to do my own filtering with a self-hosted DNS sink hole? Is it better to use my own recursive DNS server?
The questions keep coming and it gets no easier!
 
It seems the only answer is to trust none of them and run a local Pi-Hole or AdguardHome instance forwarding to Unbound as a recursive resolver. Then you’re only trusting the curators of the blocking lists used.

EDIT: That said, I gave up on fancy DNS ideas a few years ago. I use a minimal blocking list (Hagezi Multi-light) and forward plain DNS to my ISP DNS servers (Comcast/Xfinity).
 
I know that network security is a moving target and it is important to feel comfortable with the services offered by providers. But, when I read the article about Cloudflare and the mis-issued certificates, I began to question the faith I had put in their DNS service. There are a couple of DNS providers I will not use because of their country associations or their questionable business practice. I also feel it is a good idea to use a DNS provider that filters malware sites, etc.
But what provider to use? Is it better to do my own filtering with a self-hosted DNS sink hole? Is it better to use my own recursive DNS server?
The questions keep coming and it gets no easier!

Me, too.

I want a free, reputable/regulated, public DNS/DoT solution (no account required) that filters ads and malware... I'm not worried about adult content unless it becomes an issue with young guests, so I also want the option to filter adult content.

I want plug and play... like you say, network security is a moving target so I don't want the overhead of maintaining a local solution... plus I want a non-technical solution that can be easily implemented on related home networks that have the typical network admin skill set (not capable and/or not interested/too busy).

There are a couple of DNS providers I will not use because of their country associations or their questionable business practice.

Which ones? :)

AdGuard has the Russia background... I notice ASUSWRT offers AdGuard as a DNS option, but it doesn't mention malware filtering, just ads. The AdGuard docs are a bit similarly unclear but do imply that their DNS filters malicious sites. So, I remain unsure if AdGuard Public DNS is also filtering malware, and if so, how does it compare.

Given the US is poor about regulating the Internet, particularly big data (now fast becoming big AI), and the EU is at least trying to protect users, I'm not opposed to using non-US providers/software, especially when it is subject to EU oversight. Because of this point, I tend to trust Quad9 DNS the most but I'm not currently using it since it does not block ads. Given that ads are out of control, imo, I tend to view them as also being a malware threat.

I currently use AdGuard Public DNS (94.140.14.14, 94.140.15.15, dns.adguard-dns.com) and ASUSWRT AiProtection. AiProtection has not had any hits here for quite a while... maybe because of ad blocking!

Perhaps paying for a reputable DNS provider (account required) that does it all will be our ultimate destination.

OE
 
Which ones? :)
I am currently using Quad9 and a Pi-Hole with the Steven Black block list for the DHCP clients. Clients with static IP addresses use the router, which uses Quad9. That block list may change later in the day depending upon my mood and continually being told to disable the block list.

I have used Cloudflare Security for quite a while. Tested ControlD. Will not use AdGuard, Comodo, Google, Comcast or Level3.
 
The questions keep coming and it gets no easier!

No fancy DNS here either. Forward to OpenDNS, no global filtering, no false positives tracking.

and validate unsigned DNSSEC.

Not needed. You trust someone upstream and have an encrypted channel. They do the validation already.
 
Interesting and relevant article just popped up on my feed:
I personally use quad9 over DoT via a pi-hole with Steven Black's list.
 
It seems the only answer is to trust none of them and run a local Pi-Hole or AdguardHome instance forwarding to Unbound as a recursive resolver. Then you’re only trusting the curators of the blocking lists used.
Running a recursive resolver means that potentially, every single domain owner for which you resolve a hostname will get your IP address as your resolver hits their authoritative nameservers.
 
These articles need to address the various downsides of doing what they suggest, because there are some. If suddenly your Steam downloads get slower or you start getting streaming buffering, that's the kind of potential issues that can happen if you start using a random third party DNS, ending up with sub-optimal CDN connectivity, or bypassing caches implemented at the ISP's border.
 
Running a recursive resolver means that potentially, every single domain owner for which you resolve a hostname will get your IP address as your resolver hits their authoritative nameservers.
The domain owner or the registrar who runs the authoritative server that hosts the domain? The domain owner will get my IP address when I make my HTTPS request to their IP anyway.

Is it better to consolidate all your DNS queries with Cloudflare or Cisco, or spread it out on a need-to-know basis with each authoritative server? I obviously am lazy now and just use my ISP, but have no trouble running Unbound when it's available.
sub-optimal CDN connectivity, or bypassing caches implemented at the ISP's border.
I've never figured out how to determine if I'm benefiting from CDN or caches by using my ISP's DNS. How would I know if Comcast treats YouTube differently than Quad9 might without ECS? Which DNS query would redirect to a local CDN? I suppose I will be able to figure it out now that I've asked the question.
 
Some ISPs don't have their own DNS servers, actually. I've seen Google and Cloudflare as ISP DHCP provided DNS servers.
 
The domain owner or the registrar who runs the authoritative server that hosts the domain? The domain owner will get my IP address when I make my HTTPS request to their IP anyway.
Whoever runs the nameservers. Can be Cloudflare (which I use with asuswrt-merlin.net for example), can be a cPanel where you host your website, or can be a bind9 server that you host in a VPS.

The resolution allows them to get your IP even if you don't actively connect to a web service at that IP. All they need to do is trick you into resolving a hostname within their domain. Which can be done in a number of ways.

This is all within the context of someone claiming they want to run their own resolver "for privacy reasons". Just pointing out that the resolver then is throwing away all of that.

There are really not many good reasons to run your own recursive resolver. It will generally lack the cache depth that would improve resolution performance with a more widely used resolver.

I've never figured out how to determine if I'm benefiting from CDN or caches by using my ISP's DNS. How would I know if Comcast treats YouTube differently than Quad9 might without ECS? Which DNS query would redirect to a local CDN? I suppose I will be able to figure it out now that I've asked the question.
For some general services like Google you can simply do a name resolve using their DNS then a different DNS, and look at the difference in routing. Granted, this is less of an issue in 2025 as DNS providers like Quad9 and Cloudflare offer local POP in most regions, but it might be more apparent if someone lives in a more remote location. It will also provide different results based on whether your DNS supports EDNS Client Subnet or not.

In my case when I tested with www.google.com I got a different IP when using Quad9/Cloudflare versus my ISP, but at least the route was nearly identical between both endpoints. And both Google servers were in their "YUL" park, which means they both are meant to serve the Montreal area. (Google endpoints tend to put the International airport code in the endpoint reverse name, it helps identify where you are getting routed to).

But being in a fairly major location, every large company has a nearby POP anyway. Results may vary if I were located in a village that's 200 km away from the closest large city.
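The comparison described in the post above (resolve the same hostname through several resolvers, with and without an EDNS Client Subnet hint, and look at which endpoints come back) can be scripted without any DNS library. The block below is an added example, not code from the thread or from any of the providers discussed: it builds a raw DNS query over UDP, optionally appends an ECS option (RFC 7871, option code 8), parses the A records out of the reply, and tabulates the answers per resolver. The resolver list (Quad9 9.9.9.9, Cloudflare 1.1.1.1) and the `203.0.113.0/24` ECS prefix are assumptions for illustration; `ISP_RESOLVER_IP_PLACEHOLDER` stands for your own ISP's resolver. `build_sample_response` is a constructed reply used so the parser can be exercised offline.

```python
# Added example (not code from the thread): raw UDP DNS probe that asks several
# resolvers for the same hostname, optionally attaching an EDNS Client Subnet
# option, so the returned CDN endpoints can be compared side by side.
import random
import socket
import struct

DNS_TYPE_A = 1
DNS_TYPE_OPT = 41
ECS_OPTION_CODE = 8  # RFC 7871 EDNS Client Subnet


def encode_name(qname):
    """Encode a dotted hostname in DNS wire format (label length + label ...)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, client_subnet=None, qid=None):
    """Build an A-record query. client_subnet=('203.0.113.0', 24) appends an
    EDNS0 OPT record carrying an ECS option for that IPv4 prefix."""
    qid = random.randrange(0, 65536) if qid is None else qid
    arcount = 1 if client_subnet else 0
    msg = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD flag set
    msg += encode_name(qname) + struct.pack("!HH", DNS_TYPE_A, 1)
    if client_subnet:
        addr, prefix = client_subnet
        # RFC 7871: only the prefix bits are sent; remaining bits must be zero.
        masked = struct.unpack("!I", socket.inet_aton(addr))[0] & (0xFFFFFFFF << (32 - prefix))
        addr_bytes = struct.pack("!I", masked)[: (prefix + 7) // 8]
        ecs = struct.pack("!HBB", 1, prefix, 0) + addr_bytes  # family=IPv4, source, scope
        option = struct.pack("!HH", ECS_OPTION_CODE, len(ecs)) + ecs
        # OPT RR: root name, type 41, UDP payload size 4096, extended rcode/flags 0
        msg += b"\x00" + struct.pack("!HHIH", DNS_TYPE_OPT, 4096, 0, len(option)) + option
    return msg


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_answers(msg, expected_qid=None):
    """Return the sorted IPv4 addresses in the answer section (A records only;
    CNAMEs and other types are skipped)."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if expected_qid is not None and qid != expected_qid:
        raise ValueError("transaction id mismatch")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == DNS_TYPE_A and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return sorted(ips)


def build_sample_response(qid, qname, ips, ttl=60):
    """Constructed reply (offline demonstration only): echoes the question, then
    one A record per IP, naming each record via a compression pointer (0xC00C)."""
    msg = struct.pack("!HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", DNS_TYPE_A, 1)
    for ip in ips:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", DNS_TYPE_A, 1, ttl, 4) + socket.inet_aton(ip)
    return msg


def query_resolver(server, qname, client_subnet=None, timeout=3.0):
    """Send the query over UDP port 53 and return the answer IPs (needs network)."""
    qid = random.randrange(0, 65536)
    packet = build_query(qname, client_subnet, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_answers(data, qid)


def compare_resolvers(qname, resolvers, client_subnet=None):
    """Map resolver -> sorted answer IPs (or an error string) for a side-by-side view."""
    results = {}
    for server in resolvers:
        try:
            results[server] = query_resolver(server, qname, client_subnet)
        except (OSError, ValueError) as exc:
            results[server] = "error: %s" % exc
    return results


if __name__ == "__main__":
    # Quad9 and Cloudflare public resolvers; the placeholder stands for your ISP's.
    resolvers = ["9.9.9.9", "1.1.1.1", "ISP_RESOLVER_IP_PLACEHOLDER"]
    for subnet in (None, ("203.0.113.0", 24)):  # documentation prefix, constructed
        print("ECS hint:", subnet)
        for server, ips in compare_resolvers("www.google.com", resolvers, subnet).items():
            print("  %-28s %s" % (server, ips))
```

Run it, then feed each returned address to `traceroute` or a reverse lookup to see whether the endpoints differ by location (the airport-code convention in Google's reverse names mentioned above applies here). Two caveats when reading the output: a resolver that strips ECS before talking to authoritative servers (Quad9 does this as a privacy measure) will return the same answer with or without the hint, and many CDNs rotate answers per query, so compare the address ranges, not single IPs.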
 
Some ISPs don't have their own DNS servers, actually. I've seen Google and Cloudflare as ISP DHCP provided DNS servers.
Why bother with the infrastructure required to run a recursive resolver that can properly handle 50,000 customers (with both the capacity and the redundancy) if you can offload that to a third party. It makes sense to me, at least for home users.
 
I would prefer to use Quad9 but kept getting short-lived, random outages. I now use base.dns.mullvad.net, which has ad and malware blocking.
 