Some DNS questions - eviltoast

I already know that private DNS is important for privacy. I’m using Quad9 btw.

But recently I hear a lot about NextDNS and similar providers that give more advanced features such as custom filters and domain blocking. I’m getting interested in that topic now as I have to use some proprietary apps with a lot of trackers in them.

However I’m really struggling to find useful information about what domains to block, what settings to use in one or another use case etc. I don’t have much experience with firewalls and server stuff either which makes it even harder.

So, could anyone share some good resources on this so I can get started? Or should I just not worry about it and use a whole other system such as firewall?

  • yak@lmy.brx.io
    link
    fedilink
    English
    arrow-up
    1
    ·
    2 months ago

    I’ve used this list generating package for years now with great results: https://github.com/opencoff/unbound-adblock/tree/master

    It is designed to generate blocking lists that can be used with unbound, the DNS resolver. There are even instructions for how to configure unbound so if you are new to it all you can follow along.

    I use the resulting lists in my two local DNS name servers, running unbound.

    The way it works is that if a query for a blocked address comes in to one of thenlocal DNS servers it returns a domain not found result. If the address is not on the block list then it forwards the query on to an internet DNS resolver securely using DoT.

    You can gain further control over your DNS results by choosing those upstream resolvers carefully. Quad9 and Cloudflare etc all offer DoT resolving, along with some further filtering (eg. for malware), or completely unfiltered DNS if that’s what you want.

    Services like cleanbrowsing.org offer more fine grained filtering, useful if you want a family-friendly set of DNS results, based off categorify.org. You can pay for really fine tuned results, or there is a free layer which provides still very useful basic categories.

    Combining the two forms of filtering, local advert and tracking blocking, along with open internet content categorisation, seems to be very effective.

    I get complaints about too many adverts when my kids are on WiFi away from home. I take it as a compliment.

  • masterofn001@lemmy.ca
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    3 months ago

    Dnscrypt-proxy supports DNS over https (doh), oblivious DNS over https (odoh), DNS over TLS (dot), and dnscrypt (encrypted and anonymous DNS).

    IP and domain blacklist. IP whitelist.

    End to end encrypted.

    You can use quad9, cloudflare, etc, or any provider you like.

    I use https://dnscrypt.ca/about.shtml for my doh and as one of my dnscrypt servers.

    Depending on your os it’s pretty simple to setup.

  • geography082@lemm.ee
    link
    fedilink
    arrow-up
    1
    ·
    edit-2
    3 months ago

    Been using Nexdns and is great . It adds the part of adblocking and maybe more agresive and granular filtering . Tried controlid but looks like a fancy version and less customized of it.

  • bokherif@lemmy.world
    link
    fedilink
    arrow-up
    1
    ·
    3 months ago

    Look into DNS over HTTPS. Otherwise no matter what provider you use, DNS is just unencrypted.

  • Cheradenine@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    0
    ·
    3 months ago

    Have a look at RethinkDNS, https://docs.rethinkdns.com/dns/ their wiki is pretty good. They have recommended block lists, and also have a feature that let’s you search inside block lists to see what they actually cover.

    If you are on Android they have a companion app, you do not need to use it though. The app adds a good firewall (capture and redirect port 53 for example) and detailed logs if you want. You can block domains and specific IP addresses.

    It’s all FOSS too

    • f4f4f4f4f4f4f4f4@sopuli.xyz
      link
      fedilink
      English
      arrow-up
      1
      ·
      2 months ago

      I was recommended by a well-known privacy guide to use Rethink with AhaDNS Blitz, but it seems to fail often; nothing resolves until the VPN is stopped and restarted. Any ideas or advice?

      • Cheradenine@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        1
        ·
        2 months ago

        I don’t have any experience with AhaDNS Blitz.

        With RethinkDNS I have had occasional failures on their Max resolver, changing to Sky then works. That has only happened two times though, and was fixed with a few hours.

        Sorry I can’t be more help.