DNS Providers - Who to trust?

I’ve read somewhere though, that only 10% or so of domains are DNSSEC enabled.
I don't know the latest numbers, but it's indeed quite a small percentage unfortunately. Even a major tech giant domain such as google.com is not DNSSEC-signed.

Code:
merlin@ubuntu-dev:~$ dig +dnssec google.com @192.168.10.1

; <<>> DiG 9.18.30-0ubuntu0.20.04.2-Ubuntu <<>> +dnssec google.com @192.168.10.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59510
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;google.com.            IN    A

;; ANSWER SECTION:
google.com.        49    IN    A    142.250.69.142

;; Query time: 3 msec
;; SERVER: 192.168.10.1#53(192.168.10.1) (UDP)
;; WHEN: Sat Sep 06 13:10:04 EDT 2025
;; MSG SIZE  rcvd: 55

merlin@ubuntu-dev:~$ dig +dnssec asuswrt-merlin.net @192.168.10.1

; <<>> DiG 9.18.30-0ubuntu0.20.04.2-Ubuntu <<>> +dnssec asuswrt-merlin.net @192.168.10.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63171
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
;; QUESTION SECTION:
;asuswrt-merlin.net.        IN    A

;; ANSWER SECTION:
asuswrt-merlin.net.    166    IN    A    172.64.80.1
asuswrt-merlin.net.    166    IN    RRSIG    A 13 2 282 20250907180800 20250905160800 34505 asuswrt-merlin.net. C6lnlVAMqyfJNk+DDTl0xHLagg/i0+Qd+OWUdajA/CzDB62M1SQb2WWw knp6pSkp5IReTvmDWd3fKCfNFOl3Jw==

;; Query time: 7 msec
;; SERVER: 192.168.10.1#53(192.168.10.1) (UDP)
;; WHEN: Sat Sep 06 13:09:55 EDT 2025
;; MSG SIZE  rcvd: 177

asuswrt-merlin.net returns an RRSIG, and also gets the "ad" flag in its reply (Authenticated Domain).

Cloudflare.com is DNSSEC-signed.
 
Quad9 look to be a non signer too. :eek::oops:

Edit: more specifically,
quad9.net
Doesn’t appear to be signed.
 
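The check the post above does by eye (is there an RRSIG in the answer, and did the resolver set the ad flag?) can be scripted. This is an added example, not code from the thread; it parses trimmed copies of the two dig replies quoted above (constructed here, signature shortened), and the live check assumes the same 192.168.10.1 resolver.

```python
import re
import subprocess

# Trimmed `dig +dnssec` replies, constructed from the two outputs quoted in the post above.
SIGNED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63171
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
asuswrt-merlin.net.    166    IN    A    172.64.80.1
asuswrt-merlin.net.    166    IN    RRSIG    A 13 2 282 20250907180800 20250905160800 34505 asuswrt-merlin.net. <sig>
"""
UNSIGNED = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59510
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
google.com.        49    IN    A    142.250.69.142
"""

def parse_dig(text):
    """Pull status, header flags, the EDNS DO bit and answer-section record types out of dig output."""
    status = re.search(r"status: (\w+)", text)
    flags = re.search(r"^;; flags: ([a-z ]*);", text, re.M)
    do = re.search(r"^; EDNS:.*flags: do", text, re.M) is not None
    rtypes, in_answer = [], False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif in_answer and line and not line.startswith(";"):
            rtypes.append(line.split()[3])  # owner ttl class TYPE rdata
        elif in_answer and not line:
            break
    return {"status": status.group(1) if status else None,
            "flags": set(flags.group(1).split()) if flags else set(),
            "do": do, "rtypes": rtypes}

def classify(parsed):
    """Read the reply the way a validating client would: signed? and proven by this resolver?"""
    if parsed["status"] == "SERVFAIL":
        return "SERVFAIL: validation failure or resolver error (compare a run with +cd)"
    if not parsed["do"]:
        return "DO bit not set: RRSIGs were never requested, rerun dig with +dnssec"
    signed = "RRSIG" in parsed["rtypes"]
    if signed and "ad" in parsed["flags"]:
        return "signed and validated by the resolver (ad flag set)"
    if signed:
        return "signed, but this resolver did not validate it (no ad flag)"
    return "unsigned zone (no RRSIG in the answer)"

def check(name, server="192.168.10.1"):
    """Live check: run dig +dnssec against the resolver and classify its reply."""
    out = subprocess.run(["dig", "+dnssec", name, "@" + server], capture_output=True, text=True).stdout
    return classify(parse_dig(out))

if __name__ == "__main__":
    for sample in (SIGNED, UNSIGNED):
        print(classify(parse_dig(sample)))
```

A resolver that never sets ad on any name is not validating at all, so only the "signed, not validated" outcome will ever appear from it.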
You know, I've just accepted that no matter what DNS setup I use, someone's going to see at least a little bit of my data. That hasn't made me give up on privacy, but it has made me change how I do things over the years.
Right now, I've got uBlock and the Origin variant running in my browser. My broadband provider (BT UK) also has a filter that's supposed to be just for malware.
This next part might be a bit of a hot take, but I recently switched from Cloudflare (1.1.1.2) to Quad9. Cloudflare's malware filtering has gotten way too restrictive lately. When it starts blocking things like package tracking, you know it's gone too far. It's been seriously overzealous in the last couple of months.
I've also got "Diversion" set up on my router, with a really minimal blocking list. For the most part, it seems to work well. The only exception is a few devices that I just send straight to Google DNS. They're going to look there anyway, and trying to stop them just makes them act up.
 
Cloudflare's malware filtering has gotten way too restrictive lately.

That is the reason I don't use "best rating" upstream filtering. It's similar to a local Pi-hole with large community-generated block lists, but without the visibility and ability to troubleshoot. Cisco Umbrella basics in OpenDNS filter just the well-known and obvious, no annoyances. The free OpenDNS Home option with user categories has a good feature to tell what was blocked on an access attempt. Another no-annoyance upstream DNS service is CleanBrowsing with their free Family, Adult and Security options.
 
I use AGH on the router which feeds Unbound on the router. I'm not trying to hide and I know they will get you one way or another. For me it's all about network performance. I've tried every option but this setup works best. The difference is very minimal when you are talking milliseconds but it's a noticeable difference in the overall network experience in my house.
 
You can't beat popular upstream DNS servers with a local resolver. Since forwarders also maintain a cache, as do browsers, overall resolver performance will always be lower. If the query is cached, 1ms in both cases. If it isn't, your resolver may need 500ms; Google will do it in 10ms. So if you are truly about performance: forwarder and filtering software on another device, not the router.
 
Here is a balanced approach between privacy, performance and reliability.
 
Recent video doing a great job at explaining how to protect your privacy, covering topics like DNS, SNI and VPN providers.

 
Why bother with the infrastructure required to run a recursive resolver that can properly handle 50,000 customers (with both the capacity and the redundancy) if you can offload that to a third party. It makes sense to me, at least for home users.
Interesting. I have run DNS Bench full paid version and it said (below) which was odd because I did. I was using OpenDNS with the family filter for adult stuff because there are kids in the house. The fastest DNS servers that came back for me were all of the CIRA ones (using only the UDP scan and not the DoT/DoH scans). Wish I knew more about this stuff and how to set things up to be secure.

So contemplating using the CIRA family DNS now...
 
Interesting. I have run DNS Bench full paid version and it said (below) which was odd because I did. I was using OpenDNS with the family filter for adult stuff because there are kids in the house. The fastest DNS servers that came back for me were all of the CIRA ones (using only the UDP scan and not the DoT/DoH scans). Wish I knew more about this stuff and how to set things up to be secure.
So contemplating using the CIRA family DNS now...
That "recommendation" is decades out of date and no longer correct (arguably it never was correct).
 
So contemplating using the CIRA family DNS now...

Before you do this, read the history of CIRA, the CEO caught with inappropriate content on a work PC, who controls it, etc., and then decide who you want to send your entire browsing history to.
 
Before you do this, read the history of CIRA, the CEO caught with inappropriate content on a work PC, who controls it, etc., and then decide who you want to send your entire browsing history to.
I'm assuming he is long gone though?

Which DNS do you use and do you use DoT and or DoH?
 
Perhaps not what you want to hear. I use Google and Cloudflare unfiltered with DoH, the default in UniFi. No need of parental controls filtering, it's disabled. IDS/IPS is enabled and filters domains and IPs as well. Signatures are updated daily. I prefer local filtering so I can see what was blocked in case it happens.
 
I use Diversion DNS on my router and paid Control D DNS.

Diversion is configured with the following blocklists.
Code:
https://big.oisd.nl/dnsmasq2
https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/dnsmasq/anti.piracy.txt
https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/dnsmasq/gambling.txt
https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/dnsmasq/pro.txt
https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/dnsmasq/tif.txt

As my router boots, it uses the default Comcast Xfinity DNS servers. I do this for reliability.
When DoT comes online, I use paid Control D with the following filters.
Code:
Ads & Trackers (Strict)
Artificial Intelligence
Crypto
File Hosting
Gambling
IoT Telemetry
Malware (Balanced)
New Domains (Last Month)
Phishing
Torrents & Piracy
I use DNSSEC as a bit returned through dnsmasq.
I return NXDOMAIN from Control D.
I use EDNS Client Subnet to get closest CDN results.
Diversion blocks about 10% of queries and Control D blocks about 0.5%.
 
I have been using Technitium with upstream DoH or QUIC, testing against Control D & Cloudflare.
 