Tech9
Part of the Furniture
For anything business critical I would run a local resolver (unbound or pi-hole) as a cache in front of your upstream provider
What is a "local resolver" when you have "upstream provider"?
For anything business critical I would run a local resolver (unbound or pi-hole) as a cache in front of your upstream provider
[user@hostname ~]$ dig +trace bbc.com @192.168.xx.xxx
; <<>> DiG 9.20.21 <<>> +trace bbc.com @192.168.xx.xxx
;; global options: +cmd
. 500549 IN NS a.root-servers.net.
. 500549 IN NS b.root-servers.net.
. 500549 IN NS c.root-servers.net.
. 500549 IN NS d.root-servers.net.
. 500549 IN NS e.root-servers.net.
. 500549 IN NS f.root-servers.net.
. 500549 IN NS g.root-servers.net.
. 500549 IN NS h.root-servers.net.
. 500549 IN NS i.root-servers.net.
. 500549 IN NS j.root-servers.net.
. 500549 IN NS k.root-servers.net.
. 500549 IN NS l.root-servers.net.
. 500549 IN NS m.root-servers.net.
;; Received 761 bytes from 192.168.xx.xxx#53(192.168.xx.xxx) in 9 ms
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 19718 13 2 8ACBB0CD28F41250A80A491389424D341522D946B0DA0C0291F2D3D7 71D7805A
;; Received 1195 bytes from 192.112.36.4#53(g.root-servers.net) in 76 ms
bbc.com. 172800 IN NS dns0.bbc.co.uk.
bbc.com. 172800 IN NS dns1.bbc.co.uk.
bbc.com. 172800 IN NS ddns0.bbc.co.uk.
bbc.com. 172800 IN NS ddns1.bbc.co.uk.
bbc.com. 172800 IN NS dns0.bbc.com.
bbc.com. 172800 IN NS dns1.bbc.com.
bbc.com. 172800 IN NS ddns0.bbc.com.
bbc.com. 172800 IN NS ddns1.bbc.com.
;; Received 734 bytes from 192.26.92.30#53(c.gtld-servers.net) in 75 ms
bbc.com. 300 IN A 151.101.0.81
bbc.com. 300 IN A 151.101.64.81
bbc.com. 300 IN A 151.101.128.81
bbc.com. 300 IN A 151.101.192.81
;; Received 100 bytes from 198.51.45.9#53(dns1.bbc.co.uk) in 25 ms
[user@hostname ~]$
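The "local resolver as a cache in front of your upstream provider" setup from the quoted post, written out as an unbound.conf. This is an added example, not configuration from any poster; the upstream addresses (9.9.9.9, 1.1.1.2) are the ones named in this thread, and the TLS authentication names after `#` are assumed to be those providers' published DNS-over-TLS hostnames.

```conf
# Example unbound.conf added for illustration; not taken from any post above.
# Caching, validating resolver for the LAN that forwards to a filtering
# upstream over DNS-over-TLS. Upstream IPs are the ones named in the thread;
# the TLS auth names are assumed to be the providers' published ones.
server:
    interface: 0.0.0.0
    port: 53
    # Answer only the LAN and loopback; refuse everyone else so the box
    # is never an open resolver.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.0.0/16 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation: a tampered or spoofed answer becomes SERVFAIL
    # instead of being served. The DS record for com. in the dig trace
    # above is one link in the chain this validates.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    qname-minimisation: yes

    # Cache tuning: keep popular names warm and ride out a short
    # upstream outage by serving stale records for up to an hour.
    prefetch: yes
    msg-cache-size: 64m
    rrset-cache-size: 128m
    serve-expired: yes
    serve-expired-ttl: 3600

    # CA bundle used to verify the upstream's TLS certificate.
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    hide-identity: yes
    hide-version: yes

# Forward everything to the filtering upstreams over TLS (port 853).
# Remove this whole forward-zone block and the same box becomes a full
# recursive resolver that walks root -> TLD -> authoritative itself,
# the same path the dig +trace output above shows.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 1.1.1.2@853#security.cloudflare-dns.com
```

Validation still applies to forwarded answers, so a filtering upstream that returns a doctored record for a signed zone will fail validation rather than be cached; check with `unbound-checkconf` before restarting.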
Don't forget Cloudflare has 1.1.1.2 for malware filtering, or 1.1.1.3 for malware+adult site filtering. It's what I would use if I wasn't using nextdns probably, but I prefer the extra control, ad blocking, and logging.

Cloudflare 1.1.1.1 is solid on privacy and very fast. Quad9 (9.9.9.9) gives you built-in malware filtering
I am a big fan of NextDNS.... paid service but inexpensive and well worth it.

I know that network security is a moving target and it is important to feel comfortable with the services offered by providers. But, when I read the article about Cloudflare and the mis-issued certificates, I began to question the faith I had put in their DNS service. There are a couple of DNS providers I will not use because of their country associations or their questionable business practices. I also feel it is a good idea to use a DNS provider that filters malware sites etc.
But what provider to use? Is it better to do my own filtering with a self hosted DNS sink hole? Is it better to use my own recursive DNS server?
The questions keep coming and it gets no easier!