WAN DNS Servers - which offers the best security?

TheLyppardMan

Very Senior Member
I'm trying to decide between three different DNS servers to use on my RT-AX88U-based network, but I'm not sure which is best in terms of security (e.g., from hackers). Can anyone advise me please?
My short list at the moment is CleanBrowsing (currently in use without any filtering), AdGuard and Avast Real Site, which overrides any DNS settings on the router when using a PC or laptop with Avast Premium installed (I currently have that feature disabled).
 
IMHO,
https://www.quad9.net/

:)
 
If you set up AdGuard Home on the router via AMTM, you could choose a range of DNS services then apply AdGuard’s ad blocking filters on top in the app (their dedicated DNS blocks too much for me, but this approach lets you tailor).

I’m using the DoH servers for Quad9, Cloudflare Secure, OpenDNS and CleanBrowsing. These can all tick along together with AdGuard’s load-balancing algorithm choosing the fastest.

I went a step further and subscribed to Oracle Cloud free tier, then set up AdGuard Home as above on a Ubuntu VM. This works a treat, especially as you can also plug the TLS/DoH addresses into mobile devices for when you’re not home.
 
Objectively, the best solution is one that secures your DNS (e.g., DoT), irrespective of the specific DNS server(s). Subjectively, take your pick. For the latter, everyone has to draw their own conclusions based on actual experience and what meets their needs.
 
1. Quad9
2. Cloudflare Security (1.1.1.2 and 1.0.0.2)
3. Cleanbrowsing.

Any of the above using DoT and DNSSEC with the DNS Filter set to Router. You may have to check which is the closest resolver, which should give the best service. All use the Anycast system, so your ISP may route you to a server that is far away, as happens to me when I use Quad9. Both Cloudflare and Quad9 have servers in a data center less than 100 miles from me, but my ISP routes Quad9 to resolvers 1,000 miles away.
 
My Quad9 is ~1700 kms from me.

I was getting a number of freezes/blank pages, all fixed when I opted for Quad9 ECS servers, 9.9.9.11 instead of the 9.9.9.9 group.
 
It doesn't really matter which DNS you use if you have lax practices on the LAN.

Layering things is how you achieve better security.

My DIY box picks up the DNS from Nord, but internally I'm running pihole for DNS to the clients. I can use the curated list or set them manually. I can pick a single DNS server or I can use all of them. DNS is just the 411 for IP conversion from name to number anyway. If you're looking for reputational blocking, you'll need more than just a DNS server, as most don't block malicious sites; they just translate and send you on your way. With pihole you can add frequently updated lists that block domains which have been reported. Sometimes though things get blocked and you have to override them by hitting permit.

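The blocklist-plus-permit behaviour described in the post above (a DNS filter that blocks a reported domain and all of its subdomains, with a manual allow entry overriding it) boils down to a suffix match against two lists. The following is an added illustration written for this thread, not code from Pi-hole or from any poster; the list format, the sample domains and the `decide` function are all constructed for the example, and it simplifies the real thing by ignoring regex entries and per-client groups.

```python
# Added example: a minimal Pi-hole style domain filter (constructed, not Pi-hole's code).
# Blocklists usually arrive either as plain domains or as hosts-file lines
# ("0.0.0.0 ads.example"); both forms are accepted here.

SAMPLE_BLOCKLIST = """\
# constructed sample feed, not a real list
0.0.0.0 ads.example          # hosts-file style entry
tracker.example              # plain-domain style entry

127.0.0.1 beacon.example
"""

SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1"}


def normalize(name: str) -> str:
    """DNS names are case-insensitive; a trailing dot means the same name."""
    return name.strip().lower().rstrip(".")


def parse_blocklist(text: str) -> set:
    """Return the set of blocked domains from a plain or hosts-file style list."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        # hosts-file form: "<sinkhole ip> <domain>"; plain form: "<domain>"
        if len(parts) >= 2 and parts[0] in SINKHOLE_IPS:
            domains.add(normalize(parts[1]))
        else:
            domains.add(normalize(parts[0]))
    return domains


def parent_chain(name: str) -> list:
    """cdn.ads.example -> [cdn.ads.example, ads.example, example]."""
    labels = normalize(name).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def decide(name: str, blocklist: set, allowlist: set) -> tuple:
    """Return ("allow"|"block", matching entry or None).

    An allow entry ("hitting permit" in the UI) wins over a block entry,
    and both match the queried name and every parent domain of it.
    """
    chain = parent_chain(name)
    for candidate in chain:
        if candidate in allowlist:
            return ("allow", candidate)
    for candidate in chain:
        if candidate in blocklist:
            return ("block", candidate)
    return ("allow", None)


def filter_queries(names: list, blocklist: set, allowlist: set) -> dict:
    """Map each queried name to its verdict, the way a filtering resolver would log it."""
    return {name: decide(name, blocklist, allowlist) for name in names}


if __name__ == "__main__":
    blocked = parse_blocklist(SAMPLE_BLOCKLIST)
    permitted = {"cdn.ads.example"}            # a manual permit for one false positive
    queries = ["www.example", "cdn.ads.example", "img.ads.example", "TRACKER.example."]
    for name, verdict in filter_queries(queries, blocked, permitted).items():
        print(f"{name:20s} -> {verdict}")
```

The `decide` function walks the parent chain twice rather than once so that a permit on a parent domain overrides a block on a more specific child, which is the behaviour that makes "hitting permit" a safe way to unbreak a site without editing the feed itself.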
 
Just an update on this. I've just set up my WAN settings as in the screenshot. Is this a sensible way to configure it for good security? If not, what changes would you recommend? I also have AiProtection switched on and I've just reinstalled Skynet, as I have one Port Forwarding rule set, for the Plex Media Server which is installed on my Synology NAS (it seems to work better for remote access when set up that way, rather than trying to access the server via OpenVPN). I have changed the external port from the default as I thought that might provide an additional layer of security.
 

Attachments

  • Screenshot - 02_01_2023 , 19_24_50.jpg
Enable Rebind Protection and DNSSEC.

You can also add the secondary Quad9 server to your DoT list, or another DNS provider altogether.
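Two pieces of advice in this thread are worth seeing at the packet level: the earlier post's "use DoT and DNSSEC", and the post above's "enable Rebind Protection and DNSSEC". What the router actually does for DNSSEC is send queries with the EDNS0 DO bit set and trust the AD (Authenticated Data) flag in the reply, which is only meaningful when the reply comes over an authenticated channel such as DoT; rebind protection means refusing answers for public names that point at private LAN addresses. The following is an added example written for this thread, not firmware code from Asus, Merlin or any poster: it builds a DNSSEC-requesting query, parses a response, and applies the rebind check. The name `router.example.com` and the IP addresses in the constructed response are made up for the demonstration, and the whole exchange is built in memory so it runs offline.

```python
# Added example (constructed, not the router's code): a DNS query with the
# EDNS0 DO bit, response parsing with the AD flag, and a rebind-protection filter.
import ipaddress
import struct

DO_FLAG = 0x8000      # "DNSSEC OK" bit, carried in the TTL field of the OPT RR
AD_FLAG = 0x0020      # "Authenticated Data" bit in the DNS header flags
RCODE_MASK = 0x000F


def encode_name(name: str) -> bytes:
    """Wire-format labels: length byte + label, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """A-record query with RD set plus an OPT record asking for DNSSEC data (DO=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD=1, ARCOUNT=1 for OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_FLAG, 0)   # root name, type OPT, UDP size, DO, RDLEN
    return header + question + opt


def decode_name(msg: bytes, offset: int):
    """Decode a possibly-compressed name; return (name, offset after the name)."""
    labels, jumped, end = [], False, offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            if not jumped:
                end = offset
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Pull out the transaction id, RCODE, AD flag and any A-record answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                  # skip the question section
        _, offset = decode_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, str(ipaddress.IPv4Address(rdata))))
    return {"id": txid, "rcode": flags & RCODE_MASK,
            "authenticated": bool(flags & AD_FLAG), "answers": answers}


def rebind_filter(answers: list):
    """Rebind protection: drop A records that point into private/loopback/link-local space."""
    kept, dropped = [], []
    for name, ip in answers:
        addr = ipaddress.ip_address(ip)
        if addr.is_private or addr.is_loopback or addr.is_link_local:
            dropped.append((name, ip))
        else:
            kept.append((name, ip))
    return kept, dropped


def build_response(query: bytes, ips: list, authenticated: bool) -> bytes:
    """Constructed resolver reply for the example: echoes the question, sets AD if asked."""
    txid = struct.unpack("!H", query[:2])[0]
    _, qend = decode_name(query, 12)
    question = query[12:qend + 4]
    flags = 0x8180 | (AD_FLAG if authenticated else 0)   # QR=1, RD=1, RA=1
    header = struct.pack("!HHHHHH", txid, flags, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + ipaddress.IPv4Address(ip).packed for ip in ips)
    return header + question + rrs


if __name__ == "__main__":
    q = build_query("router.example.com")
    # Constructed reply: one public address and one that looks like a LAN address.
    r = build_response(q, ["93.184.216.34", "192.168.1.1"], authenticated=True)
    parsed = parse_response(r)
    print("validated by resolver (AD):", parsed["authenticated"])
    print("kept / dropped by rebind protection:", rebind_filter(parsed["answers"]))
```

The AD bit is set by the resolver, not by the authoritative server, so a stub that trusts it over plain UDP port 53 is trusting whatever sits on the path; that is why the thread's pairing of DNSSEC with DoT is the sound combination. The rebind filter is deliberately blunt, which is also why the router exposes it as a toggle: a hostname you legitimately point at a LAN address will be dropped unless it is exempted.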
 
Thanks Gary. I did try adding the second Quad9 server when I initially set this up, but whether it was coincidence or not, I couldn't get my Gigaset VOIP base station to reconnect to the Sipgate servers (it can be a bit tricky at times if changes have been made to the router, so I may have another go at setting a second server to see if I can get it to work).
 
It's working now. For some reason, the last time I tried adding the second Quad9 server, it was adding the IPv6 version.
 

Attachments

  • Screenshot - 03_01_2023 , 10_49_19.jpg
