
DNS Providers - Who to trust?

I’ve read somewhere though, that only 10% or so of domains are DNSSEC enabled.
I don't know the latest numbers, but it's indeed quite a small percentage unfortunately. Even a major tech giant domain such as google.com is not DNSSEC-signed.

Code:
merlin@ubuntu-dev:~$ dig +dnssec google.com @192.168.10.1

; <<>> DiG 9.18.30-0ubuntu0.20.04.2-Ubuntu <<>> +dnssec google.com @192.168.10.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59510
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;google.com.            IN    A

;; ANSWER SECTION:
google.com.        49    IN    A    142.250.69.142

;; Query time: 3 msec
;; SERVER: 192.168.10.1#53(192.168.10.1) (UDP)
;; WHEN: Sat Sep 06 13:10:04 EDT 2025
;; MSG SIZE  rcvd: 55

merlin@ubuntu-dev:~$ dig +dnssec asuswrt-merlin.net @192.168.10.1

; <<>> DiG 9.18.30-0ubuntu0.20.04.2-Ubuntu <<>> +dnssec asuswrt-merlin.net @192.168.10.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63171
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;asuswrt-merlin.net.        IN    A

;; ANSWER SECTION:
asuswrt-merlin.net.    166    IN    A    172.64.80.1
asuswrt-merlin.net.    166    IN    RRSIG    A 13 2 282 20250907180800 20250905160800 34505 asuswrt-merlin.net. C6lnlVAMqyfJNk+DDTl0xHLagg/i0+Qd+OWUdajA/CzDB62M1SQb2WWw knp6pSkp5IReTvmDWd3fKCfNFOl3Jw==

;; Query time: 7 msec
;; SERVER: 192.168.10.1#53(192.168.10.1) (UDP)
;; WHEN: Sat Sep 06 13:09:55 EDT 2025
;; MSG SIZE  rcvd: 177

asuswrt-merlin.net returns an RRSIG, and also gets the "ad" flag in its reply (Authenticated Domain).

Cloudflare.com is DNSSEC-signed.
 
Quad9 looks to be a non-signer too. :eek::oops:

Edit: more specifically, quad9.net doesn't appear to be signed.
 
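The two dig runs above read a zone's DNSSEC state off two signals: an RRSIG record in the answer section and the "ad" (Authentic Data) bit in the header flags line. The script below is added here as a worked example and is not part of the thread; it shows what those signals are on the wire using only the Python standard library. It builds the same query `dig +dnssec` sends (EDNS0 OPT record with the DO bit, 1232-byte UDP size), parses a response header and answer section including compressed names, and classifies the zone the way a reader of the dig output would. The two responses it parses are constructed inside the script to mirror the google.com and asuswrt-merlin.net answers above (the RRSIG rdata is a placeholder, not a real signature), so it runs offline. To check a live resolver, send the bytes from `build_query()` over UDP to port 53 and pass the reply to `parse_response()`.

```python
"""Read DNSSEC signals (RRSIG present, AD bit set) from a DNS response.

Added example, not from the thread. Standard library only; the responses it
parses are constructed below so the script runs offline. Wire format per
RFC 1035 (messages, name compression) and RFC 6891 (EDNS0 OPT record, DO bit).
"""
import struct

TYPE_A, TYPE_RRSIG, TYPE_OPT = 1, 46, 41
FLAG_AD = 0x0020   # "ad" in dig's flags line: Authentic Data bit (RFC 4035)
EDNS_DO = 0x8000   # DNSSEC OK bit, lives in the OPT record's TTL field (RFC 6891)


def encode_name(name: str) -> bytes:
    """'google.com.' -> b'\\x06google\\x03com\\x00' (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, dnssec_ok: bool = True, txid: int = 0x1234) -> bytes:
    """What `dig +dnssec name` sends: RD set, one question, one OPT RR carrying DO."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # flags 0x0100 = rd, ARCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT pseudo-RR: root name, type 41, "class" = UDP payload size, "ttl" = ext-rcode/version/DO
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 1232, EDNS_DO if dnssec_ok else 0, 0)
    return header + question + opt


def read_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            offset, jumped = pointer, True
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            return ".".join(labels) + ".", end
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_response(data: bytes) -> dict:
    """Header flags plus (owner, type) of every answer RR, like dig's ANSWER SECTION."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):
        _, offset = read_name(data, offset)
        offset += 4                                     # skip qtype + qclass
    answers = []
    for _ in range(an):
        owner, offset = read_name(data, offset)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10 + rdlen
        answers.append((owner, rtype))
    return {"rcode": flags & 0xF, "ad": bool(flags & FLAG_AD), "answers": answers}


def dnssec_status(resp: dict) -> str:
    """Classify what a DO-bit query to a resolver tells you about the zone."""
    signed = any(rtype == TYPE_RRSIG for _, rtype in resp["answers"])
    if signed and resp["ad"]:
        return "signed, validated by resolver"          # asuswrt-merlin.net case: RRSIG + ad
    if signed:
        return "signed, not validated (non-validating resolver or +cd query)"
    return "unsigned (no RRSIG returned)"               # google.com case in the thread


# --- constructed responses (built here for the example, not captured traffic) ---
def _response(name: str, answers: list, ad: bool, txid: int = 0x1234) -> bytes:
    flags = 0x8180 | (FLAG_AD if ad else 0)             # qr rd ra [ad]
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    for rtype, rdata in answers:
        # 0xC00C = compression pointer to the question name at offset 12
        msg += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return msg


UNSIGNED = _response("google.com", [(TYPE_A, bytes([142, 250, 69, 142]))], ad=False)
SIGNED = _response("asuswrt-merlin.net",
                   [(TYPE_A, bytes([172, 64, 80, 1])),
                    # placeholder RRSIG rdata: type covered=A, alg=13, labels=2, rest zeroed
                    (TYPE_RRSIG, b"\x00\x01\x0d\x02" + b"\x00" * 60)],
                   ad=True)

if __name__ == "__main__":
    for label, wire in (("google.com", UNSIGNED), ("asuswrt-merlin.net", SIGNED)):
        print(label, "->", dnssec_status(parse_response(wire)))
```

Two caveats worth keeping in mind when reading the result. The "ad" bit is set by the resolver you asked, so it only tells you that *that* resolver validated the chain; a client that wants proof rather than trust has to validate locally (or at least send DO and check RRSIGs itself, as the script does). And an answer with no RRSIG from a validating resolver means the zone is unsigned or has no secure delegation; a validation failure on a signed zone normally comes back as SERVFAIL, not as an unsigned-looking answer.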
You know, I've just accepted that no matter what DNS setup I use, someone's going to see at least a little bit of my data. That hasn't made me give up on privacy, but it has made me change how I do things over the years.
Right now, I've got uBlock and the Origin variant running in my browser. My broadband provider (BT UK) also has a filter that's supposed to be just for malware.
This next part might be a bit of a hot take, but I recently switched from Cloudflare (1.1.1.2) to Quad9. Cloudflare's malware filtering has gotten way too restrictive lately. When it starts blocking things like package tracking, you know it's gone too far. It's been seriously overzealous in the last couple of months.
I've also got "Diversion" set up on my router, with a really minimal blocking list. For the most part, it seems to work well. The only exception is a few devices that I just send straight to Google DNS. They're going to look there anyway, and trying to stop them just makes them act up.
 
Cloudflare's malware filtering has gotten way too restrictive lately.

The reason I don't use "best rating" upstream filtering. It's similar to a local Pi-hole with large community-generated block lists, but without the visibility and ability to troubleshoot. Cisco Umbrella basics in OpenDNS filter just the well-known and obvious, no annoyances. The free OpenDNS Home option with user categories has a good feature that tells you what was blocked on an access attempt. Another no-annoyance upstream DNS service is CleanBrowsing with their free Family, Adult and Security options.
 
I use AGH on the router which feeds Unbound on the router. I'm not trying to hide and I know they will get you one way or another. For me it's all about network performance. I've tried every option but this setup works best. The difference is very minimal when you are talking milliseconds but it's a noticeable difference in the overall network experience in my house.
 
You can't beat popular upstream DNS servers with a local resolver. Since forwarders maintain a cache too, as do browsers, overall resolver performance will always be lower. If the query is cached: 1ms in both cases. If it isn't, your resolver may need 500ms; Google will do it in 10ms. So if you are truly about performance: a forwarder and filtering software on another device, not the router.
 
