WAN DNS Servers - which offers the best security?

TheLyppardMan

Very Senior Member
I'm trying to decide between three different DNS servers to use on my RT-AX88U-based network, but I'm not sure which is best in terms of security (e.g., from hackers). Can anyone advise me please?
My short list at the moment is CleanBrowsing (currently in use without any filtering), AdGuard and Avast Real Site, which overrides any DNS settings on the router when using a PC or laptop with Avast Premium installed (I currently have that feature disabled).
 

Treadler

Very Senior Member
IMHO,
https://www.quad9.net/

:)
 

Spud

Occasional Visitor
If you set up AdGuard Home on the router via AMTM, you could choose a range of DNS services then apply AdGuard’s ad blocking filters on top in the app (their dedicated DNS blocks too much for me, but this approach lets you tailor).

I’m using the DoH servers for Quad9, Cloudflare Secure, OpenDNS and CleanBrowsing. These can all tick along together with AdGuard’s load-balancing algorithm choosing the fastest.

I went a step further and subscribed to Oracle Cloud free tier, then set up AdGuard Home as above on an Ubuntu VM. This works a treat, especially as you can also plug the TLS/DoH addresses into mobile devices for when you’re not home.
 

eibgrad

Part of the Furniture
Objectively, the best solution is one that secures your DNS (e.g., DoT), irrespective of the specific DNS server(s). Subjectively, take your pick. For the latter, everyone has to draw their own conclusions based on actual experience and what meets their needs.
 

bbunge

Part of the Furniture
1. Quad9
2. Cloudflare Security (1.1.1.2 and 1.0.0.2)
3. Cleanbrowsing.

Any of the above using DoT and DNSSEC with the DNS Filter set to Router. You may have to check which is the closest resolver, which should give the best service. All use the Anycast system, so your ISP may route you to a server that is far away, as happens to me when I use Quad9. Both Cloudflare and Quad9 have servers in a data center less than 100 miles from me, but my ISP routes Quad9 to resolvers 1,000 miles away.
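
One way to run the check described in the post above (an added example, not part of the original thread): it performs a single certificate-verified DoT lookup against each resolver and reports the round-trip time and whether the reply came back with the DNSSEC-validated (AD) flag. The resolver IPs are the ones mentioned in this thread; the TLS hostnames and the test name `example.com` are assumptions.

```python
import socket, ssl, struct, time

def build_query(name, qtype=1, txid=0x1234):
    """Wire-format query with an EDNS0 OPT record whose DO bit requests DNSSEC data."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x8000, 0)  # OPT, 1232-byte payload, DO=1
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def frame(msg):
    """DoT uses DNS-over-TCP framing: a 2-byte big-endian length prefix (RFC 7858)."""
    return struct.pack("!H", len(msg)) + msg

def parse_header(resp):
    """Extract RCODE, the AD (resolver validated DNSSEC) bit and the answer count."""
    txid, flags, _qd, answers = struct.unpack("!HHHH", resp[:8])
    return {"txid": txid, "rcode": flags & 0xF, "ad": bool(flags & 0x20), "answers": answers}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf

def dot_probe(ip, tls_name, name="example.com", timeout=5.0):
    """One DoT lookup on port 853; the certificate is verified against tls_name."""
    ctx = ssl.create_default_context()  # system CA store, hostname checking on
    start = time.monotonic()
    with socket.create_connection((ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
            tls.sendall(frame(build_query(name)))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            result = parse_header(_recv_exact(tls, length))
    result["ms"] = round((time.monotonic() - start) * 1000, 1)  # includes TCP + TLS handshake
    return result

# IPs are from the thread; the TLS names are assumptions based on the providers' public docs.
RESOLVERS = [("9.9.9.9", "dns.quad9.net"), ("9.9.9.11", "dns11.quad9.net"),
             ("1.1.1.2", "security.cloudflare-dns.com")]

if __name__ == "__main__":
    for ip, tls_name in RESOLVERS:
        try:
            print(ip, dot_probe(ip, tls_name))
        except OSError as exc:  # covers timeouts, refused connections and TLS failures
            print(ip, "failed:", exc)
```

A single probe is noisy, so run it several times before comparing resolvers; a TLS failure here means the certificate did not match the expected name, which is the check that plain port-53 DNS cannot give you.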
 

Treadler

Very Senior Member
My Quad9 is ~1700 km from me.

I was getting a number of freezes/blank pages, all fixed when I opted for Quad9 ECS servers, 9.9.9.11 instead of the 9.9.9.9 group.
 

Tech Junky

Very Senior Member
It doesn't really matter which DNS you use if you have lax practices on the LAN.

Layering things is how you achieve better security.

My DIY box picks up the DNS from Nord, but internally I'm running Pi-hole for DNS to the clients. I can use the curated list or set them manually. I can pick a single DNS server or I can use all of them. DNS is just the 411 for IP conversion from name to number anyway. If you're looking for reputational blocking you'll need more than just a DNS server, as most don't block malicious sites; they just translate and send you on your way. With Pi-hole you can add frequently updated lists that block domains which have been reported. Sometimes, though, things get blocked and you have to override them by hitting permit.

 
